background image called NTCRASH2 [30]. This utility makes repeated system calls with randomly generated invalid parameters. The original Windows kernel functions handle invalid inputs correctly and the system remains stable, but with the XCP rootkit installed, certain invalid inputs result in a system crash.
We investigated the specific circumstances under which these crashes occur. The rootkit's implementation of NtCreateFile can cause a crash if it is passed an invalid pointer as its ObjectAttributes argument, or if it is passed a valid ObjectAttributes structure that points to an ObjectName structure with an invalid Buffer pointer. We do not believe that an attacker could exploit these flaws to execute code; however, they do allow an unprivileged user to bring the system to a halt. As Russinovich and others have pointed out, these problems illustrate the security danger of installing software in secret. Users experiencing system instability due to these rootkit bugs would have great difficulty diagnosing the problem, since they likely would be unaware of the rootkit's presence.
7.3 Deactivating XCP
XCP's active protection is more complicated to deactivate than MediaMax's, because it comprises several
processes that are more deeply entangled in the system configuration and are hidden by the XCP rootkit.
Deactivation requires a three-step procedure, which we describe here in detail so that affected users can
decontaminate their systems.
1. The first step is to remove the rootkit. From the command prompt, run sc delete $sys$aries. Delete the rootkit's program file %windir%\system32\$sys$filesystem\aries.sys, and reboot the system. Disabling the rootkit exposes the previously hidden files, registry entries, and processes.
2. Next, edit the system registry to remove references to XCP's filter drivers and CoDeviceInstallers.
XCP uses the Windows filter driver facility to intercept commands to the CD drives and IDE bus.
If these filter drivers are not removed, the CD and IDE device drivers will fail to initialize after the
program files for the filter drivers are deleted. This can cause the CD drives to malfunction, or, worse,
cause the system to fail to boot because the IDE device driver is disabled.
First remove references to the $sys$cor filter driver, which intercepts commands sent to the IDE device. Use the Windows Registry Editor to search for occurrences of $sys$cor in registry entries named UpperFilters. Edit each list of filters to remove the reference to $sys$cor. (You will need to temporarily change the security permissions on the enclosing registry key to grant yourself permission to edit the filters list.) References to this filter driver may occur in multiple registry keys; be sure to remove them all.
Repeat this step to remove references to the $sys$crater filter driver, which intercepts commands sent to the CD drive. This filter driver appears in devices' LowerFilters lists. Be sure to remove all occurrences.
Search the registry once again for $sys$caj.dll. This file is configured as a CoDeviceInstaller for the CD-ROM and IDE devices. It installs the filter drivers when any new CD drive or IDE bus device is configured. Remove the following lines from any list of CoDeviceInstallers in which they appear: $sys$caj.dll,CoInstallCdrom and $sys$caj.dll,CoInstallPC.
3. The next step is to delete the XCP services and remove the XCP program files. Open a command
prompt and issue these commands:
sc delete $sys$crater
sc delete $sys$lim
sc delete $sys$oct
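As an added example (not code from the paper), the following PowerShell script performs the registry search of step 2 for an administrator: it walks the Control subtree for REG_MULTI_SZ lists, reports every entry carrying the $sys$ prefix shared by XCP's identifiers, and with -Remove strips only the entries the paper names. It assumes the UpperFilters, LowerFilters and CoDeviceInstaller lists all live under HKLM\SYSTEM\CurrentControlSet\Control, and it must be run elevated after step 1, since the rootkit hides $sys$ registry entries from enumeration.

```powershell
# Added example, not from the paper: report (and with -Remove, strip) XCP
# references in filter-driver and CoDeviceInstaller lists. Run elevated, and
# only after step 1, since the rootkit hides $sys$-prefixed registry entries.
param([switch]$Remove)

# Assumption: every list the paper mentions is a REG_MULTI_SZ value somewhere
# under this key (device-class UpperFilters/LowerFilters, CoDeviceInstallers).
$root = 'HKLM:\SYSTEM\CurrentControlSet\Control'
# Names taken from the paper; anything else under $sys$ is reported, not removed.
$known = @('$sys$cor', '$sys$crater', '$sys$caj.dll,CoInstallCdrom', '$sys$caj.dll,CoInstallPC')

$keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
foreach ($key in $keys) {
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::MultiString) { continue }
        $list = @($key.GetValue($name))
        $hits = @($list | Where-Object { $_ -like '$sys$*' })   # single quotes: literal $sys$
        if ($hits.Count -eq 0) { continue }
        "{0}\{1}: {2}" -f $key.Name, $name, ($hits -join ' | ')
        $unknown = @($hits | Where-Object { $known -notcontains $_ })
        if ($unknown.Count -gt 0) { "  unrecognised entry, left in place: $($unknown -join ' | ')"; continue }
        if (-not $Remove) { continue }
        # Keep every non-XCP filter so the CD/IDE drivers still load after cleanup.
        $clean = @($list | Where-Object { $_ -notlike '$sys$*' })
        try {
            if ($clean.Count -eq 0) {
                Remove-ItemProperty -Path $key.PSPath -Name $name -ErrorAction Stop
            } else {
                Set-ItemProperty -Path $key.PSPath -Name $name -Value ([string[]]$clean) -Type MultiString -ErrorAction Stop
            }
            "  removed"
        } catch {
            # Usually an ACL denial: grant yourself write access on the key first, as the paper notes.
            "  not removed: $($_.Exception.Message)"
        }
    }
}
```

Run it once without -Remove to review the report, then again with -Remove; delete the filter drivers' program files only after the report is empty.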