Extended Copy Protection
Extended Copy Protection (XCP) is a copy protection scheme for compact discs developed by the British company First 4 Internet, which, as of 2005, is used on some CDs distributed by Sony.
One version of this is marketed as "XCP-Aurora". It has come under much criticism for installing software that alters the functionality of the Microsoft Windows operating system and hides itself so that it is difficult to find or remove; this software has been termed a rootkit by technical experts, and some consider it to be similar to trojan horses or other malware.
There are also concerns that its cloaking technique, which makes all files with names starting with $sys$ invisible, could be used by other malware "piggybacking" on it to ensure that it, too, is hidden from the user's view. The first malicious trojan to use this technique was discovered in the wild on November 10, 2005, according to a report by the BitDefender antivirus company.
According to Computer Associates, XCP-Aurora qualifies as both a trojan horse and a rootkit:
XCP.Sony.Rootkit installs a DRM executable as a Windows service, but misleadingly names this service "Plug and Play Device Manager", employing a technique commonly used by malware authors to fool everyday users into believing this is a part of Windows. Approximately every 1.5 seconds this service queries the primary executables associated with all processes running on the machine, resulting in nearly continuous read attempts on the hard drive. This has been shown to shorten the drive's lifespan.
Furthermore, XCP.Sony.Rootkit installs a device driver, specifically a CD-ROM filter driver, which intercepts calls to the CD-ROM drive. If any process other than the included Music Player (player.exe) attempts to read the audio section of the CD, the filter driver inserts seemingly random noise into the returned data making the music unlistenable.
XCP.Sony.Rootkit loads a system filter driver which intercepts all calls for process, directory or registry listings, even those unrelated to the Sony BMG application. This rootkit driver modifies what information is visible to the operating system in order to cloak the Sony BMG software. This is commonly referred to as rootkit technology. Furthermore, the rootkit does not only affect XCP.Sony.Rootkit's files. This rootkit hides every file, process, or registry key beginning with $sys$. This represents a vulnerability, which has already been exploited to hide World of Warcraft RING0 hacks as of the time of this writing, and could potentially hide an attacker's files and processes once access to an infected system had been gained.
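The prefix-based cloaking described above can be checked for from user space with a canary file. The following is an added example, not code from Sony, First 4 Internet or Computer Associates; the function names, file names and the simulated listing are assumptions made for illustration.

```python
import os
import tempfile

PREFIX = "$sys$"  # name prefix the page says the filter driver hides


def probe_cloak(list_dir=os.listdir):
    """Return 'cloaked', 'clean' or 'inconclusive'.

    list_dir is the directory-listing call under test. It is a parameter so
    the check can also be run against a simulated filter (see below).
    """
    tmp = tempfile.mkdtemp()
    control = "probe_control.txt"         # ordinary name, must be listed
    canary = PREFIX + "probe_canary.txt"  # name a prefix cloak would hide
    try:
        for name in (control, canary):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write("cloak probe\n")
        visible = set(list_dir(tmp))
        if control not in visible:
            # The listing itself is unreliable, so draw no conclusion.
            return "inconclusive"
        return "clean" if canary in visible else "cloaked"
    finally:
        # Delete by explicit name: a recursive delete depends on the same
        # listing call and would leave a hidden canary behind.
        for name in (control, canary):
            try:
                os.remove(os.path.join(tmp, name))
            except OSError:
                pass
        try:
            os.rmdir(tmp)
        except OSError:
            pass


def simulated_xcp_listing(path):
    """Constructed stand-in for a filtered listing: drops PREFIX names."""
    return [n for n in os.listdir(path) if not n.startswith(PREFIX)]


if __name__ == "__main__":
    print("real listing:     ", probe_cloak())
    print("simulated filter: ", probe_cloak(simulated_xcp_listing))
```

A "cloaked" result shows only that something on the machine hides the prefix from directory listings; it covers files, not the process and registry hiding the quoted analysis also describes.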
Since it is specific to Windows, XCP has no effect at all on other operating systems such as Linux or MacOS, meaning that users of those systems not only do not suffer the potential harm of this software, but they also are not impeded from "ripping" (or copying) the normal music tracks on the CD.
There is much speculation about whether the actions taken by this software are a violation of various laws against unauthorized tampering with computers, and can subject Sony and First 4 Internet to legal liability.
However, the mere act of attempting to view or remove this software in order to determine or prevent its alteration of Windows may itself be a civil or criminal offense under anti-circumvention legislation such as the USA's Digital Millennium Copyright Act.
A patch to remove the cloaking of the software has already been released; this patch does not completely remove XCP, but disables its technique of hiding itself from view.
First 4 Internet reports that upcoming versions of XCP will not use the same techniques.
An uninstaller for XCP-Aurora is now available from the Sony-BMG web site [1]. An analysis of this uninstaller, entitled "More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home", has been published by Mark Russinovich, who initially uncovered XCP [2].
Known examples
- Get Right With the Man -- Van Zant
- Nothing is Sound -- Switchfoot
- Vivian -- Vivian Green
- Suspicious Activity -- The Bad Plus
- 12 Songs -- Neil Diamond
- Shine -- Trey Anastasio
- On ne Change Pas -- Celine Dion
- Healthy in Paranoid Times -- Our Lady Peace
- To Love Again -- Chris Botti
- The Invisible Invasion -- The Coral
- Phantoms -- Acceptance
- Susie Suh -- Susie Suh
- Touch -- Amerie
- Broken Valley -- Life of Agony
- Silver's Blue -- Horace Silver Quintet
- Jeru -- Gerry Mulligan
- Manhattan Symphonie -- Dexter Gordon
- The Dead 60s -- The Dead 60s
- The Essential Dion -- Dion
- Unwritten -- Natasha Bedingfield
The EFF has a longer list of affected discs [3].
External links
- First 4 Internet
- XCP-Aurora
- Analysis of XCP as a rootkit
- F-Secure report
- Online and downloadable patch available from Sony
- Security Now! Podcast #12 which discusses XCP-Aurora in detail
- Computer Associates on XCP.Sony.Rootkit
- List of known infected CDs from the Electronic Frontier Foundation
- Virus Writers Exploit Sony Anti-Piracy Software