Sony BMG's DRM provider does not rule out future use of stealth


Oxfordshire (UK) - The CEO of the company which provides digital rights management tools and software to global music publisher Sony BMG, and which developed the XCP system that was the subject of controversy this week, told TG Daily in an exclusive interview that, despite what some security software engineers, news sources, and bloggers have suggested, XCP is not, and was never designed to be, a rootkit.

"We believe there are some comments that have been misunderstood in the media," said Matthew Gilliat-Smith, chief executive officer of First 4 Internet, the manufacturers of XCP. "Our view is that this is a 'storm in a teacup,' as we say over here in the UK ... I want to confirm that this is not malware. It's not spyware. There's nothing other than pure content protection, which is benign."

As we reported yesterday, security software engineer Mark Russinovich discovered, using a program he wrote called RootkitRevealer, that drivers deposited on his system by a Sony BMG audio CD he had purchased were using stealth techniques to hide their files and Registry entries not only from the user, but also from other software running on Windows, including portions of the operating system itself. The drivers were installed so that they ran continuously, loaded automatically at every boot, even in safe mode, and were registered in the Windows Registry as filter drivers for the CD-ROM device. Because of that registration, simply deleting the driver left a dangling reference behind and disabled the CD-ROM drive; the Registry had to be repaired by hand before the operating system would recognize the drive again. In his investigation, he identified these drivers as part of the XCP copy protection system.

Russinovich's story, posted to his company's Web site, was widely read and generated enormous response from bloggers, some of whom believed either that Russinovich was suggesting, or that his evidence had substantiated, that XCP constituted a rootkit. In the technical sense of the term, a rootkit is software that conceals its presence by intercepting the operating system's own interfaces, which is what XCP's driver did; the word by itself says nothing about network connections or malicious payloads. In popular usage, however, the label carries the connotation of a backdoor that opens an unmonitored Internet connection to a remote host, probably to deliver a malicious payload undetected. Russinovich made no allegation of that kind of behavior, yet the connotation hung in the air.

"There's areas of misinformation which I'd be very happy to set straight," Gilliat-Smith told us. "The first is [the allegation that XCP is some form of] rootkit technology, in the form that would be used to spread malware. What it is, it's using cloaking techniques that are similar to a rootkit, for the purpose of making speed bumps on the content protection, to make it more difficult to circumvent the protection."

Gilliat-Smith said his software does not open any connection between the stealth driver and a remote host. "Ours does not do that," he said. "All we're doing is using a hook and a redirect, so when you look for a file, it is hidden. It is very widely used...since way back in 1994, by many shareware companies and anti-virus companies."

A paper describing what appears to be the "hook and redirect" method to which Gilliat-Smith refers, published by the online hacker magazine, defines rootkit as "a program designed to control the behavior of a given machine. This is often used to hide the illegitimate presence of a backdoor and other such tools. It acts by denying the listing of certain elements when requested by the user, affecting thereby the confidence that the machine has not been compromised." By "backdoor," the paper can be presumed to mean a method by which a remote party can take control of the system undetected. Gilliat-Smith denies any such methods are, or have ever been, used by XCP.

Furthermore, Gilliat-Smith stated, the version of XCP which utilized this "hook and redirect" method to hide the presence of the persistent driver is no longer being used on new audio CDs. At the time these concerns arose, he said, "we had already created the new version of the software, which provides a range of additional features for the consumer. We have moved away from the cloaking technology that gives rise to these concerns."

First 4 Internet (F4i) has made available to Sony BMG a removal tool, which users can download from Sony BMG's Web site, that removes the XCP driver from users' systems and cleans up the Registry entries it leaves behind. In addition, F4i's Gilliat-Smith told TG Daily, the company has offered anti-virus companies tools with which they can bypass the "hook and redirect" API method and scan the files in XCP's hidden directory. One of the anti-virus companies to which F4i has been talking, he said, has been F-Secure, which recently warned that the cloak is not limited to XCP's own files: the driver hides everything that matches its naming pattern, regardless of who created it, so a malicious program could make itself invisible simply by adopting that pattern. In effect, F-Secure argued, XCP opens a "stealth channel" into the operating system that a third party could use to turn it into a true rootkit. No material evidence of such abuse has been presented, though last Tuesday, F-Secure officially listed the XCP DRM software as a virus. No method of propagation or payload distribution was reported.
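To make concrete what "hook and redirect" cloaking is, how Russinovich's cross-view comparison exposes it, and why F-Secure's warning about borrowing the cloak holds, here is an added example in C, written for this page and not taken from XCP, First 4 Internet, F-Secure or RootkitRevealer. It models the hook in user space with a function pointer standing in for the patched system-call entry; the directory names are constructed, and the hidden prefix "$sys$" is the one the XCP driver actually matched, a detail this page does not itself mention. A real kernel hook patches a system service table entry or a driver's dispatch routine, but the logic is the same: forward to the original, then delete matching entries from the answer before it reaches the caller.

```c
#include <stdio.h>
#include <string.h>

/* Signature of the directory-enumeration call the application uses. The hook
 * swaps the pointer the caller goes through, then forwards to the original. */
typedef size_t (*enumerate_fn)(const char **out, size_t max);

/* Constructed sample directory. "$sys$cache.dat" is not an XCP file; it stands
 * for any third-party file that adopts the prefix and inherits the cloak. */
static const char *disk_entries[] = {
    "ntoskrnl.exe",
    "$sys$hidden.sys",
    "drivers",
    "$sys$cache.dat",
    "readme.txt",
};
#define DISK_COUNT (sizeof disk_entries / sizeof disk_entries[0])
#define HIDDEN_PREFIX "$sys$"   /* prefix the XCP driver matched (assumed here) */

/* The original enumeration, as FindFirstFile/FindNextFile would behave
 * before anything is patched: every entry on disk is returned. */
static size_t original_enumerate(const char **out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < DISK_COUNT && n < max; i++) out[n++] = disk_entries[i];
    return n;
}

/* The "hook and redirect": call the original, then filter its answer so that
 * any name carrying the prefix never reaches the caller. */
static size_t hooked_enumerate(const char **out, size_t max) {
    size_t n = original_enumerate(out, max);
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (strncmp(out[i], HIDDEN_PREFIX, strlen(HIDDEN_PREFIX)) != 0)
            out[kept++] = out[i];
    }
    return kept;
}

/* The entry point applications actually call; initially unpatched. */
static enumerate_fn FindFiles = original_enumerate;

void install_cloak(void) { FindFiles = hooked_enumerate; }
void remove_cloak(void)  { FindFiles = original_enumerate; }

/* High-level view: what any tool that trusts the public API is shown. */
size_t api_view(const char **out, size_t max) { return FindFiles(out, max); }

/* Low-level view: read the on-disk structures directly, below the hook. This
 * is what RootkitRevealer and the scanner bypass tools rely on. */
size_t raw_view(const char **out, size_t max) { return original_enumerate(out, max); }

/* Cross-view diff: anything present in the raw view but absent from the API
 * view is being hidden from the system. Returns the number of hidden names. */
size_t cross_view_diff(const char **hidden, size_t max) {
    const char *api[DISK_COUNT], *raw[DISK_COUNT];
    size_t na = api_view(api, DISK_COUNT);
    size_t nr = raw_view(raw, DISK_COUNT);
    size_t nh = 0;
    for (size_t i = 0; i < nr; i++) {
        int seen = 0;
        for (size_t j = 0; j < na && !seen; j++) seen = strcmp(raw[i], api[j]) == 0;
        if (!seen && nh < max) hidden[nh++] = raw[i];
    }
    return nh;
}

int main(void) {
    const char *hidden[DISK_COUNT];
    install_cloak();
    size_t n = cross_view_diff(hidden, DISK_COUNT);
    printf("%zu cloaked entr%s\n", n, n == 1 ? "y" : "ies");
    for (size_t i = 0; i < n; i++) printf("  hidden: %s\n", hidden[i]);
    remove_cloak();
    printf("after uncloaking: %zu hidden\n", cross_view_diff(hidden, DISK_COUNT));
    return 0;
}
```

Two things to take from running it. First, the hook hides both prefixed names even though only one belongs to the cloaking software; nothing in the filter checks ownership, which is the whole of F-Secure's "stealth channel" argument. Second, the detector never inspects the hook itself; it only compares two answers to the same question, so it works against any cloak that filters results rather than altering the data on disk, and it is equally blind to one that does.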

Gilliat-Smith cited F-Secure's development of a rootkit removal tool, called Blacklight, "so it seems that they have a vested interest in the subject," he said. F-Secure officials have informed F4i of their opinion of the software, he added. But the potential for leveraging XCP as the backdoor for a real rootkit, as well as any vulnerabilities alleged by Russinovich, he said, should all be treated as theoretical, adding, "Vulnerabilities can occur in any software application that a user puts on his computer."