CD Emulators May Use Rootkits To Defeat Copy Protection Schemes
Mark Russinovich, a security software engineer, announced Monday on his blog that he has discovered that stealth mechanisms derived from rootkits are being used by two popular CD emulator programs, Alcohol and Daemon Tools.
Russinovich had previously discovered the presence of stealth technology derived from rootkits to hide the presence of digital rights management drivers in Sony BMG audio CDs.
A CD emulator, or virtual drive, is a program that allows its user to set up a cache on his hard drive that pretends to be an active CD-ROM drive for the operating system. CD emulators help individuals copy data CDs, such as games, to their hard drives for faster execution than is obtained when running from the optical disc.
Alcohol is a leading commercial CD emulator, and Daemon Tools is a freeware alternative.
While many criticize the act of copying a copy-protected disc, an image used for a CD emulator such as Alcohol generally qualifies as a backup copy, which has often been considered "legal" under most statutes.
According to Russinovich, both programs showed signs of using stealth techniques.
In one test, Russinovich demonstrated that a reference to one of the program elements installed by Alcohol, in the Windows System Registry, actually points to a different location than where the program appears to reside.
When using Windows' Registry Editor to search the entry for the element's actual location, Russinovich turned up a blank product name. In other words, the Registry entries that point to Alcohol's central location are inaccurate, and the identifying information for that central location is blank.
Normally, such a split should prevent an installed program from appearing in the "Add/Remove Programs" list of the Windows Control Panel. However, Russinovich noted, Alcohol does appear there, so he thinks that whatever stealth Alcohol is employing does not appear to be intended to hide any part of the application from the user.
According to Russinovich, the stealth technique may be intended to hide Alcohol's presence from other programs, especially games, whose own DRM routines always try to discover the presence of CD emulators in order to bypass them. For more information, visit Russinovich's blog.
Update: DaemonTools Member Admits Rootkits
The administrator of the DaemonTools online community has posted his comments on the DaemonTools forum, admitting that the software uses "rootkits". Read his reactions to Russinovich's points here. The DaemonTools/Alcohol development team has not commented on the news story.