I'd like to start by saying I really appreciate the work that you do; and I, and many others, would indeed tremendously appreciate it if you would indeed add f4i XCP as a Malware detection.
Contrary to bitman's position above, I am personally of the opinion that Sony should not be held to a lower ethical standard merely because they are big. I think this should be added to the definitions. Covert malware like this is unacceptable, no matter who makes or distributes it; and I would hope that any reputable antispyware solution would also feel the same way (lest, god forbid, people start assuming that this kind of behaviour is normal and acceptable).
(Sideline: Given the stated "casual-copying-prevention" target of this DRM, and that of course the autoplay can be disabled by many methods and of course isn't active on unsupported systems like Macs, I wonder why it goes to such lengths to keep its claws in? There's no need to hide itself, and no need for it to stay persistent after the CD is ejected, to perform its stated copy-protection function.)
I'm sure Mark is keenly aware of the legal issues; he is an experienced white-hat, and decided that public disclosure was important. Early variants of this XCP software apparently install before the EULA is displayed (I'm trying to procure a sample, someone I know bought one).
I've actually been tracking this one myself for a while already. The SBCPHID driver performed a similar ripping-scrambling purpose in the MediaMax DRM system (and was also covertly installed in some cases, and as hazardous to remove), but when they switched to f4i's XCP I was surprised myself to see that it even actively tried to hide itself using the (dirty) syscall hooks mentioned, which is definitely a step beyond the pale.
It is, of course, in the wild and widespread, being included on more or less every recent Sony Music release; and I have received reports of people already using the $sys$ hiding provided by aries.sys to cloak other software (notably WoW botting programs: http://www.wowsharp.net/forums/viewtopic.php?t=7251 - and one WoW password stealer, so I hear; probably related) as a sort of easy ride to a simple kernel-mode stealth.
It has malicious intent; it scrambles sectors ripped on any CD that has a similar (but not necessarily identical) TOC to the protected disc. (Indeed, it can scramble all subsequent CD ripping - I've seen MediaMax do this - or fail installation, causing a broken link in the lower filter chain, causing the CD-ROM drive to apparently vanish.)
It's badly written; I've seen it cause bluescreens on a test VMWare image during an insert of some CDs (the author is an amateur at kernel-mode code; even as I write this, I am wondering if there are any locally-exploitable privilege escalation vulnerabilities in it).
A component examines the process list and files continually (that might be a little mild to qualify as spying in and of itself, it doesn't send it anywhere).
Most importantly: It has no uninstall option. It is difficult to remove manually. It tries - very hard - to actively hide its existence. That alone qualifies it as malware, in my humble opinion. (I'd personally class it under the "Malware" detection, as "rootkit" is more traditionally used for covert remote access applications, not covert malware in general, but of course rootkits are where this hiding technique gained ground.)
"XCP Red" from the same company is a CDS-200 spinoff, apparently, and tries to make the CD unreadable to any with scrambled session techniques; it's not supposed to be readable in a PC at all (or suitable for public use, because of that; it's used internally, apparently on some radio promo CDs; I'm trying to procure a sample out of sheer interest), so there isn't any data track, and so no malware on it.
Detection wouldn't tie up much time, because it's fairly trivial. I can see two obvious ways. One, look for the files and registry keys; they show up when directly accessed, just not in listings (probably the easiest). Or two, create a tempfile with a name like $sys$f4itest.dat, and see if it vanishes (before deleting it).
Removal is trickier; you need to remember to remove it from the list of Lowerfilters in all the CD-ROM keys, but that's pretty much the only catch.
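The canary-file check described in the post above, written out as an added example (this is not code from the post's author or from any antispyware product). It assumes, as the post states, that the driver hides any directory entry whose name begins with $sys$, and that such an entry is still reachable by direct path access. The listing and existence calls are injectable so the logic can be exercised offline against a constructed filter that mimics the cloaking; on a clean machine the canary stays visible.

```python
import os
import tempfile

# Prefix the post says the aries.sys driver cloaks (assumption: any entry
# whose name starts with this is dropped from directory listings).
CLOAK_PREFIX = "$sys$"


def cloaked_entries(directory, candidates, list_dir=os.listdir, exists=os.path.exists):
    """Return the candidate names that direct access confirms (exists) but
    that are missing from the directory listing (list_dir).

    list_dir / exists are parameters so the check can be run against a
    simulated cloaking filter without any rootkit present."""
    listed = set(list_dir(directory))
    return sorted(
        name for name in candidates
        if name not in listed and exists(os.path.join(directory, name))
    )


def canary_probe(directory, list_dir=os.listdir, exists=os.path.exists):
    """Create a canary file with the cloaked prefix and a control file without
    it, then report which of the two vanished from the listing. Both files are
    removed before returning, whatever the outcome."""
    canary = CLOAK_PREFIX + "f4itest.dat"   # name pattern taken from the post
    control = "f4itest-control.dat"         # constructed control name
    paths = [os.path.join(directory, n) for n in (canary, control)]
    try:
        for p in paths:
            with open(p, "w") as fh:
                fh.write("canary\n")
        hidden = cloaked_entries(directory, [canary, control], list_dir, exists)
    finally:
        # Clean up via direct path access, which works even if the entry is cloaked.
        for p in paths:
            try:
                os.remove(p)
            except FileNotFoundError:
                pass
    canary_hidden = canary in hidden
    control_hidden = control in hidden
    # Only the prefixed file disappearing points at prefix-based cloaking;
    # both vanishing would indicate a broken listing call, not this driver.
    verdict = "cloaking detected" if canary_hidden and not control_hidden else "no cloaking"
    return {"canary_hidden": canary_hidden, "control_hidden": control_hidden, "verdict": verdict}


def simulated_cloaking_listdir(directory):
    """Constructed stand-in for a filtered listing: every entry beginning with
    $sys$ is dropped, as the post describes. Used only for offline testing."""
    return [n for n in os.listdir(directory) if not n.startswith(CLOAK_PREFIX)]


def self_check():
    """Run the probe in a scratch directory twice: once with the real listing
    call and once with the simulated cloaking filter. Returns both results."""
    with tempfile.TemporaryDirectory() as d:
        clean = canary_probe(d)
        filtered = canary_probe(d, list_dir=simulated_cloaking_listdir)
        leftover = os.listdir(d)
    return clean, filtered, leftover


if __name__ == "__main__":
    clean, filtered, leftover = self_check()
    print("clean listing:   ", clean)
    print("filtered listing:", filtered)
    print("leftover files:  ", leftover)
```

Run it on the directory you want to probe by calling canary_probe(path) with the default listing functions; the simulated filter only exists so the detection logic can be checked on a clean machine. The control file matters: a listing that drops every new file would be a different fault, and the verdict only fires when the $sys$-prefixed name alone goes missing.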