F-Secure Rootkit Information : XCP DRM Software
NAME: XCP DRM Software
ALIAS: Trojan.Rootkit.XCP, Rootkit.XCP, XCP
Extended Copy Protection (XCP) is a CD/DVD copy protection
technology created by First 4 Internet Ltd. XCP has been used to
protect some audio CDs released by Sony BMG Music Entertainment.
The XCP protected discs contain digital rights management (DRM)
software that allows the user to make a limited number of copies
of the disc and also to rip the music into a digital format for
use on a computer or portable music player.
Once installed, the DRM software will hide:
Files
Processes
Registry keys and values
No means of uninstalling the DRM software is given. The software
supports Windows 98SE, Windows ME, Windows 2000 SP4 and Windows
XP.
This analysis was conducted on Windows XP in October 2005. The
music CD that contained the DRM software was Van Zant: Get Right
with the Man (Sony BMG Music Entertainment).
Installation
The DRM software requires administrative privileges to be
installed successfully. When a user inserts an XCP protected CD
into a computer that has the Windows Autoplay feature enabled, an
EULA is automatically presented and if the user accepts it, the
DRM software is installed.
The software installs two services that will start automatically
during system startup:
HKLM\SYSTEM\CurrentControlSet\Services\CD_Proxy
HKLM\SYSTEM\CurrentControlSet\Services\$sys$DRMServer
The first one is named 'XCP CD Proxy' and the latter one is named
'Plug and Play Device Manager'. Both services are listed by the
service control manager and are visible there.
In addition, it installs five drivers:
HKLM\SYSTEM\CurrentControlSet\Services\$sys$aries
HKLM\SYSTEM\CurrentControlSet\Services\$sys$cor
HKLM\SYSTEM\CurrentControlSet\Services\$sys$crater
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$OCT
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$LIM
The first driver hides the presence of the DRM software; the other
four act as filter drivers and apparently monitor the CD drives in
order to enforce the digital rights.
The files for the software will be installed into the directory
'C:\Windows\System32\$sys$filesystem' that will be hidden but
still accessible (a directory listing does not show it, but you
can access it if you know the name). Contained in that directory
will be the files:
$sys$DRMServer.exe
$sys$parking
aries.sys
crater.sys
DbgHelp.dll
lim.sys
oct.sys
Unicows.dll
Additional installed files are:
C:\windows\CDProxyServ.exe
C:\windows\DbgHelp.dll
C:\windows\system32\$sys$caj.dll
C:\windows\system32\$sys$upgtool.exe
C:\windows\system32\AXPSupport.dll
C:\windows\system32\ECDPlayerControl.ocx
C:\windows\system32\InstallContinue.exe
C:\windows\system32\driver\$sys$cor.sys
C:\windows\system32\TMPX\APIX.vxd
C:\windows\system32\TMPX\ASPIENUM.vxd
C:\windows\system32\TMPX\WNASPI.dll
C:\windows\system32\TMPX\WNASPI32.dll
C:\windows\system32\Unicows.dll
Microsoft C/C++ runtime and XML libraries are also updated, if
they have not already been installed by some other application.
It should be noted that if the DRM software is active, the
registry keys that start with the string '$sys$' will not be
shown by most of the available registry editing tools. Also all
files and directories that start with the string '$sys$' will not
be visible. In Safe Mode these hiding techniques are not active
and all the entries are visible.
Hiding Technique
The DRM software hides its information by modifying the execution
path of several Native API functions. Specifically, the aries.sys
driver hooks the System Service Table (SST). The following API
functions are hooked:
Ntoskrnl.exe:
NtCreateFile
NtEnumerateKey
NtOpenKey
NtQueryDirectoryFile
NtQuerySystemInformation
These hooks are generally used to hide files, folders, registry
keys, registry values and processes.
Removing
Uninstallation of the DRM software can currently only be done by
sending an uninstallation request to Sony through their customer
support. The form can be found here:
http://cp.sonybmg.com/xcp/english/form14.html
Sony has also released an update that disables the hiding
features. The updates can be found here:
http://cp.sonybmg.com/xcp/english/updates.html
Please note that the uninstallation of the software will require
using Internet Explorer and accepting an ActiveX component that
might pose additional security problems. The uncloaking update is
also available as a standalone executable. This update will not
uninstall the whole DRM software but the software will no longer
be hidden.
Conclusion
The DRM software does not self-replicate and doesn't contain
malicious features and thus should not be considered a virus.
According to current guidelines the software can still be
considered malware since it hides from the user and doesn't offer
a way to uninstall itself.
Although the software isn't directly malicious, the rootkit hiding
techniques it uses are exactly those used by malicious software to
hide itself. The DRM software will therefore cause many false
alarms with AV software that detects rootkits.
The hiding techniques used by the DRM software can be abused by
less technical malware authors to hide their backdoors and other
tools. If malware names its files beginning with the prefix
"$sys$", those files will also be hidden by the DRM software. Thus
it is very inappropriate for commercial software to use these
techniques.
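The hook described under "Hiding Technique" removes '$sys$' names from enumeration results while direct access by name still succeeds, and the prefix abuse noted above means any file borrowing that prefix disappears the same way. That gap is what cross-view rootkit detection relies on: compare the enumerated view with a direct probe of each candidate name. The following is an added example written for this page, not F-Secure's or First 4 Internet's code; the simulated listing and the sample file names (the directory contents the page lists, plus one constructed name, '$sys$extra.dll') are assumptions, and the real-filesystem control runs against a temporary directory.

```python
import os
import tempfile
from typing import Callable, Iterable, List

XCP_PREFIX = "$sys$"

# Constructed sample: the contents the page lists for
# C:\Windows\System32\$sys$filesystem, plus one made-up prefixed name
# ('$sys$extra.dll') to show that any file borrowing the prefix is cloaked,
# and detected, in exactly the same way.
SAMPLE_DIR = ["$sys$DRMServer.exe", "$sys$parking", "aries.sys", "crater.sys",
              "DbgHelp.dll", "lim.sys", "oct.sys", "Unicows.dll", "$sys$extra.dll"]


def enumeration_view(real_names: Iterable[str], cloaking_active: bool = True) -> List[str]:
    """Simulated directory listing as the page describes it: with the hook
    active, names starting with '$sys$' are dropped from the result; in Safe
    Mode (cloaking inactive) every entry is returned."""
    if not cloaking_active:
        return list(real_names)
    return [n for n in real_names if not n.startswith(XCP_PREFIX)]


def cloaked_names(listed: Iterable[str], candidates: Iterable[str],
                  exists: Callable[[str], bool]) -> List[str]:
    """Cross-view check: names missing from enumeration but confirmed by a
    direct probe by name. Any hit means something filters the listing."""
    visible = set(listed)
    return sorted(n for n in set(candidates) if n not in visible and exists(n))


def check_directory(path: str, candidates: Iterable[str]) -> List[str]:
    """The same check against a real directory: os.listdir() versus a direct
    os.path.lexists() probe for each candidate name."""
    return cloaked_names(os.listdir(path), candidates,
                         lambda n: os.path.lexists(os.path.join(path, n)))


def demo() -> dict:
    """Simulated check with cloaking on and off, plus a real-filesystem control."""
    present = set(SAMPLE_DIR).__contains__
    results = {
        "cloaking_active": cloaked_names(enumeration_view(SAMPLE_DIR, True), SAMPLE_DIR, present),
        "safe_mode": cloaked_names(enumeration_view(SAMPLE_DIR, False), SAMPLE_DIR, present),
    }
    with tempfile.TemporaryDirectory() as tmp:  # clean host: nothing should be cloaked
        for name in SAMPLE_DIR:
            open(os.path.join(tmp, name), "w").close()
        results["real_fs_control"] = check_directory(tmp, SAMPLE_DIR)
    return results


if __name__ == "__main__":
    for mode, names in demo().items():
        print(f"{mode}: {names or 'nothing cloaked'}")
```

On a host where an enumeration hook is active, check_directory() would list the prefixed names; the candidate list can come from the page's file list or from a low-level scan taken in Safe Mode, where the page notes the hiding is inactive.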
Links
First 4 Internet Ltd:
http://www.first4internet.co.uk/
XCP technology:
http://www.xcp-aurora.com/
Sony BMG XCP site:
http://cp.sonybmg.com/xcp/
F-Secure Anti-Virus detects rootkit components of XCP DRM
software starting from the following update:
[FSAV_Database_Version]
Version=2005-11-29_05
Technical details:
Samuli Larvala, Nov 1st, 2005;
Description Updated:
Alexey Podrezov, November 30th, 2005;
F-Secure Corporation