Up until recently, DRM-protected multimedia files have been used in Windows primarily to spread malware.
Though the technique has been in use since 2005, security researchers from HackerHouse have recently discovered a whole new facet of DRM attacks, one that poses a serious risk to users of the Tor browser.
Tor users can give away their real IP addresses when they download and attempt to open DRM-protected multimedia files in Windows, according to the HackerHouse security researchers. Using a VPN with Tor can increase privacy.
And while the risk of exposure is high whenever DRM-protected files come into play, few users are aware of how such files can aid in their identification and arrest despite the use of Tor.
DRM-Protected Files Have Been Used as Malware Carriers
In past scenarios, the DRM-protected files lured users to an unknown URL, purportedly to validate the file's license before it could be played.
The files would open in Windows Media Player by default, and a popup would then redirect the user to the required URL.
This license-authorization URL is what attackers rely on to expose Tor users. In particular, the URL can be modified to point at files carrying hidden malware, or even at exploit kits, giving the authors of these links full control over what type of malware or damage they want to inflict on the unsuspecting downloaders of the DRM-protected file.
Unsigned DRM Files Used to Spread Malware and Decloak Tor Browser Users
According to the security researchers from HackerHouse, the popup prompting the user to visit the authorization URL only appears if the DRM files are not signed with the proper tools.
Alternatively, the attacker can sign the DRM-protected file with Microsoft's own SDKs, such as Microsoft Expression Encoder.
In this scenario there is no popup: Windows Media Player covertly opens the browser and requests the authorization URL, whether the Tor user approves of the action or not.
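The mechanism described above hinges on one thing: the file carries a license-acquisition URL that the player will contact, through the system browser rather than through Tor. A defender can therefore inspect a downloaded WMV/ASF file for that URL before ever opening it. The parser below is an added example, not code from the HackerHouse research or from this article; it walks the ASF Header Object, reads the Content Encryption Object (license URL field) and the Extended Content Encryption Object (WRMHEADER XML with an LA_URL element) using the object GUIDs and field layouts from the ASF specification, and builds a small constructed sample file so it runs offline. The sample-file builder, the sample URLs and the helper names are assumptions made for the example.

```python
import re
import struct
import uuid

# ASF object GUIDs from the ASF specification; ASF stores GUIDs little-endian,
# which is exactly what uuid.UUID(...).bytes_le yields.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
CONTENT_ENCRYPTION_OBJECT = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le
EXT_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C").bytes_le


def _read_lv(data: bytes, off: int):
    """Read a 32-bit little-endian length prefix, then that many bytes."""
    (n,) = struct.unpack_from("<I", data, off)
    off += 4
    return data[off:off + n], off + n


def find_license_urls(asf: bytes):
    """Return every license-acquisition URL declared in an ASF/WMV header.

    An empty list means no DRM license URL was found in the header, i.e. nothing
    in the file instructs the player to fetch a license from the network.
    """
    if len(asf) < 30 or asf[:16] != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF container")
    (header_size,) = struct.unpack_from("<Q", asf, 16)
    (count,) = struct.unpack_from("<I", asf, 24)  # number of nested header objects
    end = min(header_size, len(asf))
    urls = []
    off = 30  # 16 GUID + 8 size + 4 count + 2 reserved bytes
    for _ in range(count):
        if off + 24 > end:
            break
        guid = asf[off:off + 16]
        (size,) = struct.unpack_from("<Q", asf, off + 16)
        if size < 24 or off + size > end:
            break  # truncated or malformed object; stop rather than mis-parse
        body = asf[off + 24:off + size]
        if guid == CONTENT_ENCRYPTION_OBJECT:
            # Fields: secret data, protection type, key ID, license URL (all length-prefixed)
            _secret, p = _read_lv(body, 0)
            _ptype, p = _read_lv(body, p)
            _keyid, p = _read_lv(body, p)
            url, _ = _read_lv(body, p)
            urls.append(url.rstrip(b"\x00").decode("ascii", "replace"))
        elif guid == EXT_CONTENT_ENCRYPTION_OBJECT:
            # Data is a UTF-16LE WRMHEADER XML document carrying <LA_URL>
            xml, _ = _read_lv(body, 0)
            text = xml.decode("utf-16-le", "replace")
            urls += re.findall(r"<LA_URL>\s*(.*?)\s*</LA_URL>", text, re.S | re.I)
        off += size
    return urls


# ---- constructed sample files (assumption: a header-only ASF is enough for the check) ----

def _obj(guid: bytes, body: bytes) -> bytes:
    return guid + struct.pack("<Q", 24 + len(body)) + body


def _lv(b: bytes) -> bytes:
    return struct.pack("<I", len(b)) + b


def build_sample_asf(license_url=None, extended=False) -> bytes:
    """Build a minimal ASF header, optionally declaring a DRM license URL."""
    children, n = b"", 0
    if license_url and not extended:
        body = _lv(b"\x00" * 4) + _lv(b"DRM\x00") + _lv(b"KEYID0\x00") + _lv(license_url.encode() + b"\x00")
        children += _obj(CONTENT_ENCRYPTION_OBJECT, body)
        n += 1
    elif license_url:
        xml = f'<WRMHEADER version="2.0.0.0"><DATA><LA_URL>{license_url}</LA_URL></DATA></WRMHEADER>'
        children += _obj(EXT_CONTENT_ENCRYPTION_OBJECT, _lv(xml.encode("utf-16-le")))
        n += 1
    header_body = struct.pack("<I", n) + b"\x01\x02" + children  # count + reserved1/reserved2
    return _obj(ASF_HEADER_OBJECT, header_body)


if __name__ == "__main__":
    for label, blob in [
        ("plain file", build_sample_asf()),
        ("DRM file", build_sample_asf("https://license.example.test/acquire")),
        ("DRM file (WRMHEADER)", build_sample_asf("https://license.example.test/la", extended=True)),
    ]:
        found = find_license_urls(blob)
        print(f"{label}: {'WARNING, license URL ' + ', '.join(found) if found else 'no license URL'}")
```

Run the check on a file before opening it with any player; a non-empty result means playback will trigger an outbound license request. The parser cannot tell a signed file from an unsigned one, so treat any license URL as a leak risk rather than relying on the popup appearing, and note that a real-world file may also carry a Data Object after the header, which this header-only check simply ignores.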
This Method of Decloaking Tor Users is Expensive
To properly sign DRM-protected multimedia files, one would have to part with about $10,000, a sum that most malware authors will not be able to raise easily given the low-end nature of their attacks.
Furthermore, DRM attacks are too specialized to see wide adoption among malware authors, despite the fact that they can easily reveal the true IP addresses of Tor users.
Nevertheless, state-sponsored malware authors will not be particularly bothered by the large sum that goes into identifying anonymous users.
Law enforcement agencies will no doubt adopt this new method of catching criminals hiding under the cloak of Tor, specifically in the ongoing war against the deep web drug trade.
And since state and federal government agencies have the resources needed to build the infrastructure for expensive attacks such as these, it will not be surprising if this kind of malware infrastructure becomes associated exclusively with the state and the federal government.
Possible Ways DRM-Protected Files will Reveal Tor Users
Perhaps the most wanted deep web users are those who dabble in child exploitation. By setting up fake child pornography sites that serve properly signed DRM-protected multimedia files, law enforcement will be able to track down this particular breed of Tor users when they access the sites.
ISIS militants and other homegrown and foreign terrorists hiding behind Tor can also be caught using this approach, in addition to the usual drug and weapons traders who make up the bulk of illicit Tor users.
DRM-protected files will have numerous applications, especially for catching criminals, dissidents, and terrorists who utilize the Tor network.