XCP DRM Software

Classification

Category :

Malware

Type :

Rootkit

Aliases :

XCP, Rootkit.XCP, Trojan.Rootkit.XCP

Summary

Extended Copy Protection (XCP) is a CD/DVD copy protection technology created by First 4 Internet Ltd.

Removal

Manual action

Uninstallation of the DRM software can currently only be done by sending an uninstallation request to Sony through their customer support.

The form can be found here:

  • https://cp.sonybmg.com/xcp/english/form14.html

Sony has also released an update that disables the hiding features. The updates can be found here:

  • https://cp.sonybmg.com/xcp/english/updates.html

Please note that the uninstallation of the software will require using Internet Explorer and accepting an ActiveX component that might pose additional security problems. The uncloaking update is also available as a standalone executable.

This update will not uninstall the whole DRM software but the software will no longer be hidden.


Technical Details

XCP first came to prominence when it was used to protect audio CDs released by Sony BMG Music Entertainment. The XCP protected disks contain digital rights management (DRM) software that allows the user to make a limited number of copies of the disk and also rip the music into a digital format to be used on a computer or portable music player.

Once installed, the DRM software will hide:

  • Files
  • Processes
  • Registry keys and values

No means of uninstalling the DRM software is given. The software supports Windows 98SE, Windows ME, Windows 2000 SP4 and Windows XP. This analysis was conducted on Windows XP in October 2005. The music CD that contained the DRM software was Van Zant: Get Right with the Man (Sony BMG Music Entertainment).

Installation

The DRM software requires administrative privileges to be installed successfully. When a user inserts an XCP protected CD into a computer that has the Windows Autoplay feature enabled, an EULA is automatically presented and if the user accepts it, the DRM software is installed. The software installs two services that will start automatically during system startup:

  • HKLM\SYSTEM\CurrentControlSet\Services\CD_Proxy
  • HKLM\SYSTEM\CurrentControlSet\Services\$sys$DRMServer

The first one is named 'XCP CD Proxy' and the latter one is named 'Plug and Play Device Manager'. Both services are listed and can be seen by the service control manager. In addition, it installs five drivers:

  • HKLM\SYSTEM\CurrentControlSet\Services\$sys$aries
  • HKLM\SYSTEM\CurrentControlSet\Services\$sys$cor
  • HKLM\SYSTEM\CurrentControlSet\Services\$sys$crater
  • HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$OCT
  • HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$LIM

The first driver hides the presence of the DRM software; the remaining drivers act as filter drivers and apparently monitor the CD drives in order to enforce any digital rights.

The files for the software will be installed into the directory 'C:\Windows\System32\$sys$filesystem' that will be hidden but still accessible (a directory listing does not show it, but you can access it if you know the name).

This directory contains all the files:

  • $sys$DRMServer.exe
  • $sys$parking
  • aries.sys
  • crater.sys
  • DbgHelp.dll
  • lim.sys
  • oct.sys
  • Unicows.dll

Additional installed files are stated below:

  • C:\windows\CDProxyServ.exe
  • C:\windows\DbgHelp.dll
  • C:\windows\system32\$sys$caj.dll
  • C:\windows\system32\$sys$upgtool.exe
  • C:\windows\system32\AXPSupport.dll
  • C:\windows\system32\ECDPlayerControl.ocx
  • C:\windows\system32\InstallContinue.exe
  • C:\windows\system32\driver\$sys$cor.sys
  • C:\windows\system32\TMPX\APIX.vxd
  • C:\windows\system32\TMPX\ASPIENUM.vxd
  • C:\windows\system32\TMPX\WNASPI.dll
  • C:\windows\system32\TMPX\WNASPI32.dll
  • C:\windows\system32\Unicows.dll

Microsoft C/C++ runtime and XML libraries are also updated, if they have not already been installed by some other application.

It should be noted that if the DRM software is active, the registry keys that start with the string '$sys$' will not be shown by most of the available registry editing tools. Also all files and directories that start with the string '$sys$' will not be visible. In Safe Mode, these hiding techniques are not active and all the entries are visible.

Hiding Technique

The DRM software hides its information by modifying the execution path of several Native API functions. Specifically, the aries.sys driver hooks the System Service Table (SST). The following API functions exported by Ntoskrnl.exe are hooked:

  • NtCreateFile
  • NtEnumerateKey
  • NtOpenKey
  • NtQueryDirectoryFile
  • NtQuerySystemInformation

These hooks are generally used to hide files, folders, registry keys, registry values and processes.
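The cloaking described above, and the prefix rule noted elsewhere on this page (every name beginning with '$sys$' is hidden, whoever created it), can be detected by a cross-view check: compare a trusted enumeration (for example one taken in Safe Mode, where the hooks are inactive) with the live, hooked listing, and confirm each discrepancy by opening the entry directly by name. The following is an added example, not F-Secure's or First 4 Internet's code; it simulates the hooked directory view in a temporary directory with the file names from this page plus one hypothetical third-party '$sys$' file.

```python
import os
import tempfile

# XCP's aries.sys hook filters every entry whose name starts with this
# prefix out of NtQueryDirectoryFile results (the same rule applies to
# registry keys and values).
CLOAK_PREFIX = "$sys$"


def hooked_listing(path):
    """Model of the hooked (live-system) view: the true listing minus every
    '$sys$' entry. This is a simulation of the observed behaviour, not the
    driver's code."""
    return [n for n in os.listdir(path) if not n.startswith(CLOAK_PREFIX)]


def cross_view_diff(path, trusted_listing, live_listing):
    """Cross-view check: anything present in the trusted enumeration but
    missing from the live listing is being cloaked. Each finding is confirmed
    by a direct by-name access, which the hook does not block (the page notes
    hidden entries remain accessible if you know the name)."""
    hidden = []
    for name in sorted(set(trusted_listing) - set(live_listing)):
        if os.path.lexists(os.path.join(path, name)):
            hidden.append(name)
    return hidden


def simulate_xcp_cloaking():
    """Build a constructed directory mimicking $sys$filesystem and return the
    entries the cross-view check flags."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample: XCP file names from this page, plus a
        # hypothetical unrelated file that merely uses the '$sys$' prefix.
        for name in ["$sys$DRMServer.exe", "aries.sys", "crater.sys",
                     "$sys$other_vendor.dll", "Unicows.dll"]:
            open(os.path.join(root, name), "wb").close()
        os.mkdir(os.path.join(root, "$sys$parking"))
        trusted = os.listdir(root)    # stands in for a Safe Mode listing
        live = hooked_listing(root)   # what the hooked API would return
        return cross_view_diff(root, trusted, live)


if __name__ == "__main__":
    print(simulate_xcp_cloaking())
```

The unrelated '$sys$other_vendor.dll' is flagged alongside the XCP files, which is exactly why the prefix rule makes the cloaking abusable by any software that adopts the same naming.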

Conclusion

The DRM software does not self-replicate and does not contain malicious features and thus should not be considered a virus. According to current guidelines, the software can still be considered malware since it hides from the user and does not offer a way to uninstall itself.

Although the software is not directly malicious, the techniques used to hide it are exactly the same ones malicious software uses to hide itself. The DRM software will cause many similar false alarms with all AV software that detects rootkits. The hiding techniques used by the DRM software can be abused by less technical malware authors to hide their backdoors and other tools.

If malware names its files beginning with the prefix "$sys$", those files will also be hidden by the DRM software. Thus, it is very inappropriate for commercial software to use these techniques.

Links

  • XCP technology: http://www.xcp-aurora.com/
  • Sony BMG XCP site: http://cp.sonybmg.com/xcp/