Austin (TX) – The security software engineer who discovered that Sony BMG audio CDs used rootkit-derived stealth technology to hide their digital rights management drivers announced on his Web log this morning that he has found similar stealth mechanisms in two popular programs – one freeware, the other commercial. The stated purpose of these programs is, ironically, to serve as CD emulators that help individuals copy data CDs, such as games, to their hard drives for faster execution.
In this morning’s post to the Sysinternals blog, Mark Russinovich shows and describes screen shots from Alcohol, a leading commercial CD emulator program, and Daemon Tools, a freeware alternative, which appear to clearly indicate the use of stealth techniques.
A CD emulator is a program that enables a user to set up a cache on his hard drive that pretends, for the sake of the operating system, to be an active CD-ROM drive. An image of a disc can be copied there, and accessed and run more quickly than from the optical disc itself. While many publishers scoff at the very notion of copying a copy-protected disc, an image used for a CD emulator such as Alcohol generally qualifies as a backup copy, which has often been considered “fair use” under most statutes.
In one test, Russinovich demonstrated that a reference to one of the program elements installed by Alcohol, in the Windows System Registry, actually points to a different location than where the program appears to reside. When using Windows’ Registry Editor (regedit) to scout the entry for the element’s actual location, Russinovich turned up a blank product name. In other words, the Registry entries that point to Alcohol’s central location are inaccurate, and the identifying information for that central location is blank.
Such a split should normally prevent an installed program from appearing in the “Add/Remove Programs” list of the Windows Control Panel. However, Russinovich noted, Alcohol does appear there; so whatever stealth Alcohol is employing does not appear, in his view, to be intended to hide any part of the application from the user. Instead, he theorizes, the stealth technique may be intended to mask Alcohol’s presence from other programs, especially games, whose own DRM routines scout for the presence of CD emulators in order to bypass them. Publishers’ DRM schemes, he reasons, may be searching for CD emulators such as Alcohol and Daemon Tools by name, through the “Add/Remove Programs” list, using an API call which, Russinovich’s test shows, Alcohol clearly circumvents.
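The inconsistency Russinovich describes, an “Add/Remove Programs” entry whose identifying information is blank or whose recorded location does not match where the program actually lives, can be checked for on any Windows machine. The following PowerShell script is an added example written for this article, not code from Russinovich’s post or from either product; it walks the standard Uninstall registry keys that the Control Panel list is built from and flags entries with a blank DisplayName or with an UninstallString or InstallLocation that points at a path which does not exist. The Get-ExecutablePath helper and its quoting rules are assumptions for this example.

```powershell
# Added example (not from the article or Russinovich's post): cross-check each
# Add/Remove Programs entry against the files it claims to point to.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Helper (assumed for this example): pull the executable path out of an
# UninstallString such as  "C:\Program Files\Foo\unins000.exe" /SILENT
# or  C:\Foo\uninst.exe /S
function Get-ExecutablePath([string]$commandLine) {
    if ([string]::IsNullOrWhiteSpace($commandLine)) { return $null }
    if ($commandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($commandLine -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return ($commandLine -split '\s+')[0]
}

$findings = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty -Path $key.PSPath
        $issues = @()
        # Blank product name: the entry identifies nothing to the user.
        if ([string]::IsNullOrWhiteSpace($p.DisplayName)) { $issues += 'blank DisplayName' }
        # Recorded uninstaller that is not where the registry says it is.
        $exe = Get-ExecutablePath $p.UninstallString
        if ($exe -and -not (Test-Path -LiteralPath $exe)) {
            $issues += "UninstallString target missing: $exe"
        }
        # Recorded install directory that does not exist on disk.
        if ($p.InstallLocation -and -not (Test-Path -LiteralPath $p.InstallLocation)) {
            $issues += "InstallLocation missing: $($p.InstallLocation)"
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Key    = $key.PSChildName
                Name   = $p.DisplayName
                Issues = ($issues -join '; ')
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Expect some benign hits, since component and update entries are often registered without a DisplayName; treat the output as a triage list to compare against a tool such as RootkitRevealer, not as proof of stealth on its own.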
It can be argued that Alcohol’s method is not intended to pull the wool over the user’s eyes specifically. But as last year’s unraveling of the Sony BMG debacle made clear, once clever malicious users discover stealth techniques installed by others, they can leverage those same techniques to hide their own malicious code. Russinovich’s test points to the presence of a driver that CD emulators may be using to help thwart API calls from DRM software, while tying the loose ends together for the user. As the Sony BMG fracas also made evident, the presence of undisclosed or undetectable drivers in a Windows system can lead to significant performance degradation across the board.
Alcohol Software, incidentally, received a “100% Clean” seal of certification from Softpedia, which the company posts on its Web site.
Similar tests run on Daemon Tools, the freeware CD emulator, revealed that this program could successfully conceal the location and contents of its own binary Registry keys from even Russinovich’s own “RootkitRevealer” program, using a method which he speculated involved perhaps less stealth but more cunning.
Writes Russinovich in his post this morning, “There’s no proof that Alcohol and Daemon Tools use rootkits to evade DRM, but the evidence is compelling. If they do, their usage is clearly unethical and even potentially runs afoul of the US Digital Millennium Copyright Act (DMCA). In any case, there’s no reason for these products, or any product as I’ve stated previously, to employ rootkit techniques.”