Extended Copy Protection - Security Research

Security Research

In the period that XCP has been publicly known, security researchers have been quick to analyze it and publish their findings. Many of these findings have been highly critical of Sony and First 4 Internet. Specifically, the software has been found to conceal its activity in the manner of a rootkit (a common computer criminal's toolkit for hiding their malicious activities); and moreover has been found to expose users to follow-on harm from viruses and trojans.

XCP's cloaking technique, which makes all processes with names starting with $sys$ invisible, can be used by other malware "piggybacking" on it to ensure that it, too, is hidden from the user's view. The first malicious trojan to hide via XCP was discovered on 10 November 2005 according to a report by the BitDefender antivirus company.

Follow-up research by Edward Felten and J. Alex Halderman has shown that the Web-based uninstaller Sony later offered for the software contains its own critical security problems. The software installs an ActiveX component which allows any Web site to run software on the user's computer without restriction. This component is used by First 4 Internet's Web site to download and run the uninstaller, but it remains active afterward allowing any Web site the user visits to take over the computer.

Since it is specific to Microsoft Windows, XCP has no effect on all other operating systems such as Linux, BSD, OS/2, Solaris, or Mac OS X, meaning that users of those systems do not suffer the potential harm of this software, and they also are not impeded from "ripping" (or copying) the normal music tracks on the CD. (Some discs involved in the Sony scandal contained a competing technology, MediaMax from SunnComm, which attempts to install a kernel extension on Mac OS X. However, due to the permissions of Mac OS X, there were no widespread infections among Mac users.)