A security researcher has released a proof-of-concept application demonstrating how attackers could manipulate a copy-protection mechanism in Windows Vista to hide malicious code.
Separately, security firms warned that attackers have launched a fresh attack exploiting the widespread animated cursor (.ani) vulnerability in Windows to spread a trojan horse. The attack lures users in by promising pornographic images of Paris Hilton.
Security hacker Alex Ionescu has publicly released a program called D-Pin Purr that he says allows anyone to add or remove protections from processes within Vista. The technique could be used to hide malware from security scanners, Ionescu said.
Vista introduced a technology called "protected processes," part of a copy-protection mechanism designed to protect content such as audio and video files from unauthorised copying. Protected processes can't be viewed or manipulated by other processes, including anti-virus programs.
Security researchers have warned for months that such security mechanisms are likely to be hacked, and Ionescu said he has now done so.
He didn't reveal the source code or detailed workings of the program, but said his program uses a driver to protect or unprotect processes.
"Yes, the method uses a driver. It’s based on the Microsoft documentation which says 'Please don’t use a driver to bypass this', which led me to believe that it would be possible to do this (which wouldn’t work on 64-bit Vista, of course)," Ionescu said in a blog post.
He said the program, released only in binary form, is mostly made up of obfuscations designed to prevent others from reverse-engineering the technique and using it to their own ends.
"I don’t want to encourage people to start adding this kind of code into their own malware programs, nor to encourage the Symantec folks to start unprotecting every process on the system," he wrote.
Ionescu said protected processes are dangerous because they're given a special status outside of Windows' normal permissions system.
"All applications such as virus scanners, malware protectors, and any other kind of application that hooks all system processes, injects threads into them or even discretely reads their memory doesn’t work on Vista when it hits a protected process," he wrote.
"Unfortunately, it is trivial to make a process protected or unprotected by bypassing all the Code Integrity checks and sandbox in which protected processes are supposed to run."
Separately, security firm Sophos said a new attack is using a lure of images of celebrity heiress Paris Hilton in a state of undress in order to invade users' systems.
Spammed email messages with subject lines such as "Hot pictures of Paris Hilton nude," and containing images of porn star Jenna Jameson, have begun circulating this week, Sophos said.
The emails link to a website containing the Troj/Iffy-B trojan horse, which links to more malicious code exploiting the animated cursor bug patched by Microsoft this week.
The attack appears to have been carried out by the same group who exploited the cursor issue earlier this month with Britney Spears images as a lure, Sophos said.
Security firm Websense has said it has seen attacks achieve a success rate of up to 15 percent six months after a particular problem has been patched.