Solved

Cactus Data Shield (CDS200) - spyware?

Posted on 2006-06-13
Last Modified: 2007-12-19
Hi,

I recently found some unknown files at the drive-root of a Windows XP PC I look after.  The files are UNWISE.EXE and INSTALL.LOG - here are the contents of INSTALL.LOG:

***  Installation Started 09/30/2005 16:53  ***
Title:  Installation
Source: E:\player\SKIN.EXE | 01-31-2002 | 11:58:02 | 725005
File Copy: C:\UNWISE.EXE | 05-24-2001 | 12:59:30 | | 162304 | 432c52a3
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val:
RegDB Name: DisplayName
RegDB Root: 2
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val: C:\UNWISE.EXE C:\INSTALL.LOG
RegDB Name: UninstallString
RegDB Root: 2
Shared DLL counter ignored:
File Overwrite: C:\WINDOWS\system32\atl.dll | | | | 58938 | 2d1835a8
File Copy: C:\WINDOWS\ActiveSkin.INI | 01-18-2002 | 18:12:32 | | 112 | 398ca304
File Copy: C:\WINDOWS\system32\ActiveSkin.ocx | 09-30-2001 | 19:10:44 | 3.65.0.0 | 246784 | 73c606a4
File Overwrite: C:\WINDOWS\system32\shlwapi.dll | | | | 131856 | 97e6a077
File Overwrite: C:\WINDOWS\system32\urlmon.dll | | | | 166160 | 7eec9854
File Overwrite: C:\WINDOWS\system32\wininet.dll | | | | 291600 | f0f51099
Self-Register: C:\WINDOWS\system32\atl.dll
Self-Register: C:\WINDOWS\system32\ActiveSkin.ocx
Self-Register: C:\WINDOWS\system32\urlmon.dll
***  Installation Started 09/30/2005 16:53  ***
Title:  Installation
Source: E:\player\SKIN.EXE | 01-31-2002 | 11:58:02 | 725005
File Overwrite: C:\UNWISE.EXE | 05-24-2001 | 12:59:30 | | 162304 | 432c52a3
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val:
RegDB Name: DisplayName
RegDB Root: 2
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val: C:\UNWISE.EXE C:\INSTALL.LOG
RegDB Name: UninstallString
RegDB Root: 2
RegDB Old: C:\UNWISE.EXE C:\INSTALL.LOG
Shared DLL counter ignored:
File Overwrite: C:\WINDOWS\system32\atl.dll | | | | 58938 | 2d1835a8
File Overwrite: C:\WINDOWS\ActiveSkin.INI | 01-18-2002 | 18:12:32 | | 112 | 398ca304
File Overwrite: C:\WINDOWS\system32\ActiveSkin.ocx | | | | 246784 | 73c606a4
File Overwrite: C:\WINDOWS\system32\shlwapi.dll | | | | 131856 | 97e6a077
File Overwrite: C:\WINDOWS\system32\urlmon.dll | | | | 166160 | 7eec9854
File Overwrite: C:\WINDOWS\system32\wininet.dll | | | | 291600 | f0f51099
Self-Register: C:\WINDOWS\system32\atl.dll
Self-Register: C:\WINDOWS\system32\ActiveSkin.ocx
Self-Register: C:\WINDOWS\system32\urlmon.dll
***  Installation Started 09/30/2005 16:53  ***
Title:  Installation
Source: E:\player\SKIN.EXE | 01-31-2002 | 11:58:02 | 725005
File Overwrite: C:\UNWISE.EXE | 05-24-2001 | 12:59:30 | | 162304 | 432c52a3
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val:
RegDB Name: DisplayName
RegDB Root: 2
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\
RegDB Val: C:\UNWISE.EXE C:\INSTALL.LOG
RegDB Name: UninstallString
RegDB Root: 2
RegDB Old: C:\UNWISE.EXE C:\INSTALL.LOG
Shared DLL counter ignored:
File Overwrite: C:\WINDOWS\system32\atl.dll | | | | 58938 | 2d1835a8
File Overwrite: C:\WINDOWS\ActiveSkin.INI | 01-18-2002 | 18:12:32 | | 112 | 398ca304
File Overwrite: C:\WINDOWS\system32\ActiveSkin.ocx | | | | 246784 | 73c606a4
File Overwrite: C:\WINDOWS\system32\shlwapi.dll | | | | 131856 | 97e6a077
File Overwrite: C:\WINDOWS\system32\urlmon.dll | | | | 166160 | 7eec9854
File Overwrite: C:\WINDOWS\system32\wininet.dll | | | | 291600 | f0f51099
Self-Register: C:\WINDOWS\system32\atl.dll
Self-Register: C:\WINDOWS\system32\ActiveSkin.ocx
Self-Register: C:\WINDOWS\system32\urlmon.dll


From what I've been able to discover, these appear to be connected with the Cactus Data Shield (aka CDS200) copy-protection on some audio CDs.  Besides preventing the computer from reading the audio, this system installs its own software player to play low-bitrate WMA versions of the audio tracks.  The player itself is supposedly only loaded into RAM, but (reading between the lines) it appears the ActiveSkin.ocx, a third-party skinning control used to render the player's GUI, has to be installed to disk.

Now, that's as much as I've been able to learn.  That, and the fact that UNWISE.EXE does not actually uninstall a damn thing.  What concerns me most is that system DLLs (specifically network-related ones) were overwritten.  I should add that, to the best of my knowledge, this would have taken place under a Limited User account, so I'm not too sure how it was possible for a CD to do this.  As soon as I discovered this I performed sfc /scannow but the scan ended without any alerts.  Were the files really overwritten, or did WFP prevent this?

Essentially, I would like to know (a) whether there is any known or suspected spyware/other malware component in CDS200, (b) how can I thoroughly remove it, and (c) how can I mitigate the chances of a repeat?

Points high in hopes of a factual and backed-up response.
Question by:Havin_it
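The INSTALL.LOG quoted above is in Wise Installer format, and the question is really "what did this installer touch?". The following triage script is an added example (not code from the thread or from the CD's vendor): it parses an excerpt of the posted log, lists what was written under system32, which files were self-registered as COM servers, and the uninstall command the installer recorded, so an administrator knows what to inspect or restore. The `C:\WINDOWS\system32` location is assumed to be the default XP layout.

```python
"""Triage of a Wise Installer INSTALL.LOG like the one posted above (added
example, not code from the thread). It lists what the installer wrote under
system32, which files it self-registered as COM servers, and the uninstall
command it recorded, so an admin knows what to inspect or restore."""

# Excerpt of the posted INSTALL.LOG (one session), embedded as sample input.
SAMPLE_LOG = (
    "***  Installation Started 09/30/2005 16:53  ***\n"
    "Title:  Installation\n"
    "Source: E:\\player\\SKIN.EXE | 01-31-2002 | 11:58:02 | 725005\n"
    "File Copy: C:\\UNWISE.EXE | 05-24-2001 | 12:59:30 | | 162304 | 432c52a3\n"
    "RegDB Key: Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\n"
    "RegDB Val: C:\\UNWISE.EXE C:\\INSTALL.LOG\n"
    "RegDB Name: UninstallString\n"
    "File Overwrite: C:\\WINDOWS\\system32\\atl.dll | | | | 58938 | 2d1835a8\n"
    "File Copy: C:\\WINDOWS\\ActiveSkin.INI | 01-18-2002 | 18:12:32 | | 112 | 398ca304\n"
    "File Copy: C:\\WINDOWS\\system32\\ActiveSkin.ocx | 09-30-2001 | 19:10:44 | 3.65.0.0 | 246784 | 73c606a4\n"
    "File Overwrite: C:\\WINDOWS\\system32\\urlmon.dll | | | | 166160 | 7eec9854\n"
    "Self-Register: C:\\WINDOWS\\system32\\atl.dll\n"
    "Self-Register: C:\\WINDOWS\\system32\\ActiveSkin.ocx\n"
)

SYSTEM_DIR = "c:\\windows\\system32\\"  # assumption: default XP install path


def parse_install_log(text):
    """Parse the log into a report dict; unknown line types are ignored."""
    report = {"sessions": 0, "sources": [], "files": [],
              "self_registered": [], "uninstall_strings": []}
    pending_val = None  # 'RegDB Val:' precedes the 'RegDB Name:' it belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("***  Installation Started"):
            report["sessions"] += 1
        elif line.startswith("Source: "):
            report["sources"].append(line[len("Source: "):].split(" | ")[0])
        elif line.startswith(("File Copy: ", "File Overwrite: ")):
            action, rest = line.split(": ", 1)
            # fields: path | date | time | version | size | crc
            f = [x.strip() for x in rest.split("|")]
            report["files"].append({"action": action, "path": f[0],
                                    "size": int(f[4]) if f[4] else None,
                                    "crc": f[5] if len(f) > 5 else ""})
        elif line.startswith("Self-Register: "):
            report["self_registered"].append(line[len("Self-Register: "):])
        elif line.startswith("RegDB Val:"):
            pending_val = line[len("RegDB Val:"):].strip() or None
        elif line.startswith("RegDB Name: "):
            if line.endswith("UninstallString") and pending_val:
                report["uninstall_strings"].append(pending_val)
            pending_val = None
    return report


def system_writes(report, action=None):
    """Paths written under system32, optionally only those of one action."""
    return sorted(e["path"] for e in report["files"]
                  if e["path"].lower().startswith(SYSTEM_DIR)
                  and (action is None or e["action"] == action))


if __name__ == "__main__":
    rep = parse_install_log(SAMPLE_LOG)
    print("overwritten in system32:", system_writes(rep, "File Overwrite"))
    print("self-registered:", rep["self_registered"])
    print("uninstall command:", rep["uninstall_strings"])
```

Overwritten system DLLs reported this way are the ones worth checking against `sfc /scannow` or the Service Pack originals, and a self-registered .ocx outside the Windows file set is the third-party component to look up.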
21 Comments
 
LVL 23

Expert Comment

by:phototropic
ID: 16895770
I have not found any references to spyware, but many users are not happy with CDS. As far as I can make out, it creates the files you found - install.log and unwise.exe in the Root Directory, plus the following in the Windows directory:
activeskin.ini
activeskin.ocx (windows/system)

Apparently there are registry changes as well. A search for "activeskin" reveals several, according to the forums.

The best advice I have found so far is to system restore back to a point before this thing appeared, and then avoid playing any CDS protected CDs in your pc!
0
 
LVL 10

Author Comment

by:Havin_it
ID: 16903088
Say it ain't so!  I'd sooner reinstall Windows than use System Restore; slightly more predictable results :(  Anyway, if you check the date of the install, it's kinda moot at this point.

I'm open to the possibility that parts of the logfile are spurious; I mean, is it even possible for a program executed from a CD by a Limited User to overwrite system files?  It certainly seems that it shouldn't be, but this is Windows...  Can anyone answer that?
0
 
LVL 23

Expert Comment

by:phototropic
ID: 16905362
CDS website contains no technical information:

http://www.macrovision.com/products/activereach_cd/cds100/index.shtml

Only source is the forums. If you Google CDS 200 you get a lot of hits.

I can't find any further information about what this thing does to your op/system.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 16924268
This seems to be, in fact, Cactus Data Shield 200.

A restricted user cannot install software to the Windows directory. But maybe the computer user bugged the owner to get a chance to listen to the music on such a protected CD, and the damage was done.

I suggest you reinstall XP Service Pack 2; this should get rid of all modified DLLs...

Tolomir
0
 
LVL 10

Author Comment

by:Havin_it
ID: 16929067
Hmm, I must say googling "cds 200" yields a lot more info than "cds200" - guess that's where I was going wrong.  Most discussions/articles are still a bit low on hard data of the kind I'm after though.

@Tolomir: not likely, there is only one person with Administrator access besides myself, and trust me - such a request would get short shrift.  So far, nobody I've spoken to (including Mme. Admin) has any recollection of an audio-CD launching its own player.

I know there *shouldn't* be any way for system dirs to be writable by a LU account, but I tend not to rule it out when dealing with Windows.  I realise this isn't entirely analogous, but drivers can be installed there when new hardware is added, whatever the account.  Does any similar escalation capability exist with CD autoruns?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 16929094
You cannot install anything driver / windows/system related without administrator rights.

Also, CD autoruns can just start(!) a setup program, which will fail if proper permissions aren't available.

As said, reinstall XP Service Pack 2; this should overwrite all "manipulated" files.

You might want to check the created/last accessed/modified dates of these particular files: right-click on each, open Properties.
This might give you an idea of the date/time of the installation.

Tolomir

0
 
LVL 27

Expert Comment

by:Tolomir
ID: 16929096
Hmm I see, some time in the past:

***  Installation Started 09/30/2005 16:53  ***

Really no Audio-CD used/ bought around that date?
0
 
LVL 10

Author Comment

by:Havin_it
ID: 16929408
On your first point, my experience disagrees - I've been able to install drivers for new hardware via the "Add new hardware wizard" which pops up for Plug'n'Play devices.  I'm sure I have...or am I going mad?  I'm just conjecturing that a CD autorun might have this type of power, as I haven't yet found a reputable source to confirm or deny it.  Also, the other Admin here is a bit more astute than the other staff; I just struggle to believe she'd have done this without noticing.

Yeah, the ActiveSkin.ocx and .ini files match the last date/time in the logfile.  I'm not saying nobody did this - obviously someone did - and they are playing CDs all the time on this PC.  It's possible they didn't realise the player wasn't actually Windows Media Player, or maybe they thought it was just WMP in skin-mode.  They can be a bit unobservant, to put it nicely.  (Then again, I'm the genius that didn't notice these rogue files for like 9 months...)

I did sfc /scannow so all the Windows files should be kosher now.  I'd still like to find some sources on the CD/privileges matter, but I should probably close this shortly otherwise, as it appears the main result is just a quantity of cruft, not anything more sinister.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 16929432
As a user with administrator rights, you are of course able to install anything. The art of war^W Windows-using is to use it without administrator rights, as a restricted user.

The music industry tried (remember the Sony case) everything to disable CD-burning features on normal computers, but they too had to rely on users having the proper permissions.

So I wouldn't wonder too much if there were no big notices that some kind of software was installed. Or it may even have been camouflaged as a leet <the-band-name-fits-here> screensaver.

Please check http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html for more details.

Tolomir
0
 
LVL 10

Author Comment

by:Havin_it
ID: 16929608
Heh, I was just reading that very page, as it happens.  There was one comment confirming that LU accounts wouldn't have higher rights on the autorun program.  In fact, if the disc used an autorun.inf file, there'd be a security dialog appearing.  I found a further reference to this on Microsoft's site:

http://support.microsoft.com/?kbid=314855

I actually want to go and verify this on my XP now.  If true, it means the culprit *had* to be the boss.  Man, that'll be a conversation I won't enjoy.
0
 
LVL 10

Author Comment

by:Havin_it
ID: 16929770
Blinkin' flip.  My own box is not nearly as locked-down as I'd thought.

At home I've been running XP under a LU account for some time, and had disabled Autorun using TweakUI.  At least, I'd unchecked the autoplay boxes for the CDROM and DVD services.  Now, I was aware that Windows' specialised Autoplay for doing things with CDs depending what files it detected was still active, so I wasn't surprised that my audio and picture CDs were still opening in the respective handler apps.

However, that should have protected me adequately against autorun.inf launches, right?  WRONG!!  I just fired up my beloved Studio MX installer disc, and sure enough the installer front-end appeared in moments.  So forget about the Microsoft KB link above.  There was no "Install as another user" dialog, it just ran.

So I logged in as Administrator, opened TweakUI, and unticked all 26 drive letters for Autoplay.  While there, I confirmed that this had disabled the autoplay for Admin... it had.  Logged back in as my LUser, and... damn thing still auto-plays!

Right... back to Admin, regedit, and did what folks used to do before TweakUI was around.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom

Key: AutoRun
Value: 0

Rebooted, for good measure ;)

Now, finally, the drive won't autoplay the installer on insertion.  HOWEVER, 'Autoplay' is still the default action on the drive, so double-clicking it has the same result.

This is a scary revelation for four reasons.
1) TweakUI doesn't do what it says on the tin;
2) You need reg-hacking to prevent autorun.inf launching;
3) It's actually *harder* to disable autorun for Limited Users.
4) No, it's actually *impossible* to completely disable it for Limited Users, who (for the very reason that makes them Limited Users), when Autoplay doesn't happen, will of course double-click on the drive to 'open' it.

Am I alone here?  I've read so many pages about Windows autorun since this saga began, but I've never heard of it requiring this much work.  And how the hell can I disable it fully?
0
 
LVL 10

Author Comment

by:Havin_it
ID: 16929774
Oh, and another interesting discovery.  I've now taken out the CD, closed the drive, refreshed the view several times, and the (empty) CD drive still thinks it's called Studio MX Plus.  I am in Hell.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 16929806
hehe
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 16929810
No, you're not.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 16929813
If you disable autorun, Windows will no longer detect a media change, so it still thinks the already removed CD-ROM is inserted.
0
 
LVL 27

Accepted Solution

by:
Tolomir earned 500 total points
ID: 16929845
Please take a look at: http://support.microsoft.com/?kbid=155217

And more into detail:

http://www.ashzfall.com/products/autorun/autorunfloppy.html

Open regedit (be aware you are now adjusting autorun on a per-user basis; this is NO global setting)

HKEY_CURRENT_USER->Software->Microsoft->Windows->CurrentVersion->Policies->Explorer

The area on the right of the Registry Editor will show a list of the various registry values for the 'Explorer' key. The only one you are interested in is 'NoDriveTypeAutoRun'.

The entry for this value varies by operating system and according to which drives currently have autoplay enabled.

5) To change the 'NoDriveTypeAutoRun' setting, you will need to understand a bit about binary and hex values.

To understand this topic clearly, you will need to use the calculator that comes with Windows. From the start button menu, select 'run' and type in calc and hit enter. This will launch the Calculator application.

5a) From the Calculator 'View' menu, select 'Scientific' so that you have the option of displaying a value in both binary (bin) and hexadecimal (hex). Other numerical conversions are available, but these will not be needed.

5b) Set the Calculator to hex and enter 95 (the default setting for 'NoDriveTypeAutoRun' with the cd set to autoplay). Now, switch the Calculator to bin mode. It should display 10010101.

To explore what this number means, you will need to look at it backwards. In other words, the bit order for this number is 7,6,5,4,3,2,1,0.

95 (hexadecimal)
10010101 (binary)
76543210 (bit order)

The chart from Microsoft gives us the following details:
Drive Type = Bit Number
DRIVE_UNKNOWN = 0
DRIVE_NO_ROOT_DIR = 1
DRIVE_REMOVABLE = 2
DRIVE_FIXED = 3
DRIVE_REMOTE = 4
DRIVE_CDROM = 5
DRIVE_RAMDISK = 6
Unspecified Reserved Type = 7

Using the standard boolean (true/false) system, a value of 1 for a bit means the value is true and a value of 0 means it is false.

But, since the registry value is called 'NoDriveTypeAutoRun', you must regard your settings as being:
1 = true = yes, I do not want that drive to autorun.
0 = false = no, I do want that drive to autorun.
Again, this is sort of backwards.

Now, looking at the chart and the binary 10010101 (hex 95) value, you can see that autorun is enabled (0) on bits 6, 5, 3, and 1. This means that drives of type DRIVE_RAMDISK, DRIVE_CDROM, DRIVE_FIXED, and DRIVE_NO_ROOT_DIR will autorun.

Autorun is disabled (1) on bits 7,4,2, and 0. This means that drives of type Unspecified Reserved Type, DRIVE_REMOTE, DRIVE_REMOVABLE, and DRIVE_UNKNOWN will not autorun.

Note: the drive type I am referring to as 'Unspecified Reserved Type' is not actually a type of drive. This is a place holder Microsoft has reserved for future development. It is specified that the 7th bit must always be set to 1.

---
In total these settings are mandatory:

DRIVE_UNKNOWN = 0           (1)
DRIVE_NO_ROOT_DIR = 1     (0)
Unspecified Reserved Type = 7 (1)

So if you want everything properly disabled: take hex FD or: binary 11111101

Repeat this for each account. And simply don't care about the "medium still in drive" message.
It's gone after a reboot.

Tolomir
0
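The bit arithmetic in the accepted answer is easy to get backwards, so here is an added helper (not code from the thread or from Microsoft) that decodes a NoDriveTypeAutoRun value using the chart quoted above, audits it the way the answer does (CD-ROM and removable drives still enabled, reserved bit 7 clear), builds the hardened 0xFD value, and emits the .reg text to apply it under the per-user Explorer policy key named in the answer.

```python
"""NoDriveTypeAutoRun bitmask helper (added example, not from the thread or
from Microsoft). Decodes the value found in the Explorer policy key, audits
it the way the answer above does, and produces the .reg text to apply a
corrected value. The drive-type bit chart is the one quoted in the answer."""

# bit number -> drive type, per the chart in the accepted answer
DRIVE_TYPES = {
    0: "DRIVE_UNKNOWN", 1: "DRIVE_NO_ROOT_DIR", 2: "DRIVE_REMOVABLE",
    3: "DRIVE_FIXED", 4: "DRIVE_REMOTE", 5: "DRIVE_CDROM",
    6: "DRIVE_RAMDISK", 7: "RESERVED",
}
BIT_OF = {name: bit for bit, name in DRIVE_TYPES.items()}
RESERVED_BIT = 1 << 7   # the answer states bit 7 must always be set
POLICY_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
              r"\CurrentVersion\Policies\Explorer")


def to_bits(value):
    """Binary string with bit 7 on the left, as the answer lays it out."""
    return format(value & 0xFF, "08b")


def autorun_enabled(value):
    """Drive types whose bit is 0, i.e. that will still autorun."""
    return sorted(name for bit, name in DRIVE_TYPES.items()
                  if not (value >> bit) & 1 and name != "RESERVED")


def encode(disable_types):
    """Value disabling autorun for the given drive types (bit 7 kept set)."""
    value = RESERVED_BIT
    for name in disable_types:
        value |= 1 << BIT_OF[name]   # KeyError on an unknown type name
    return value


def audit(value):
    """Findings a defender would flag for a per-user NoDriveTypeAutoRun."""
    findings = []
    if not value & RESERVED_BIT:
        findings.append("reserved bit 7 is clear")
    for name in ("DRIVE_CDROM", "DRIVE_REMOVABLE", "DRIVE_REMOTE"):
        if name in autorun_enabled(value):
            findings.append(f"autorun still enabled for {name}")
    return findings


def reg_file(value):
    """.reg text setting the value for the current user (import via regedit)."""
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{POLICY_KEY}]\n"
            f'"NoDriveTypeAutoRun"=dword:{value:08x}\n')


if __name__ == "__main__":
    for v in (0x95, 0x91):   # XP default, and the value the asker found
        print(f"{v:02x} = {to_bits(v)} -> autorun on: {autorun_enabled(v)}")
        print("   findings:", audit(v))
    hardened = encode(n for n in DRIVE_TYPES.values() if n != "DRIVE_NO_ROOT_DIR")
    print(f"hardened value: {hardened:02x}")   # fd, as recommended above
    print(reg_file(hardened))
```

As the answer notes, the HKEY_CURRENT_USER key is per user, so the .reg text has to be imported in each account that should be protected.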
 
LVL 10

Author Comment

by:Havin_it
ID: 16930199
Wow, that is a lot more info all right :)

I looked at my LUser's key, and the value was 91 = 10010001 so you were nearly right, except I had autorun enabled for removable drives (that can't be good?)

Bizarrely, after doing another reboot, I actually had no Autoplay, though I hadn't changed anything else.  I'll implement the above as suggested, but are there any further downsides to this?  Is there any way I can have the Autoplay functions available, just not as a default?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 16930242
Well, at least Windows has to find out that a new medium is inserted; after that, right-click on the drive icon in Explorer - Autoplay should be the last entry in the upper section.

But while using Windows with admin rights, you know you are playing with fire, aren't you?

So you should consider using a restricted user account for the "daily" tasks.

If you want to master Windows, Filemon and Regmon (www.sysinternals.com) come into play: run these, start any application that might be moaning about your insufficient rights via "runas" as a restricted user, and check the Filemon/Regmon logs for permission-denied entries.

Now, step by step, allow those entries for restricted users; you can double-click on them in Filemon/Regmon, which will open Explorer or the Registry Editor respectively.

Of course there are applications you will never get to run, but e.g. ICQ just needed the "create subkey" permission on a certain branch in the registry, so this is possible.

There is even a better way, you can download the free vmware server, install windows xp in a virtual host, make a snapshot of the fresh virtual system. Now you can install anything with full permissions in the virtual session. If something wants "way too much" restore the clean snapshot, "bestest" spyware removal tool ever: undo all changes - within minutes.

But we are getting off-topic ;-)

Tolomir

 
0
 
LVL 10

Author Comment

by:Havin_it
ID: 16930363
Someone hasn't been listening... as I already explained (twice, I think) both the home and office systems are running day-to-day under Limited User accounts.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 16930393
What me? - ok, fair enough.

It's just too "normal" to run Windows with too many rights. And the only way files/drivers can be installed (in the Windows/system32 folders) is via installations done as administrator.

So with autorun disabled, you should be quite safe on that matter. No popup will appear that one might accidentally confirm.

Anything else?
0
 
LVL 10

Author Comment

by:Havin_it
ID: 16933353
Heh, sorry to get crabby.  This issue has just turned into a rampaging monster to the point of playing on my nerves a bit.

No, nothing else I think.  Now we've gotten the drives beaten into submission, that mitigates further problems of this sort.  Now all I have to do is gently inform my employer about the perils of scumware-laden music CDs.  Hm, is there an 'Industrial Diplomacy' topic area here?

You're right to fly the flag for Non-Admin policy;  I do so myself whenever possible (see my profile ;) ) and so far, I've found the horror-stories largely unfounded.  The problematic apps I have encountered are generally the older ones, like Office 97 (nearly got that tamed, after about a dozen reg hacks) and some ActiveX apps.

TY for all the info, anyway.
0
