! Conspicious Behavior From CloneCD (and possibly other SlySoft apps)

Hi,

I recently tried out the latest versions of SlySoft’s apps and have noticed some unusual behavior. Could someone please verify my findings?


(1) Orphaned Registry Entries

There are now some new registry entries that do not follow standard practices: HKCU\CloneCD and HKCU\SlySoft. Both are empty, and I have yet to see them recreated since I deleted them (possibly created by the installer rather than the apps themselves).


(2) Constantly Accessed Temp File

There is a new file in \Windows which seems to be given a random filename in the format S%8.8.tmp where %8.8 is an eight digit hexadecimal number. In fact you can even see the string in ElbyCDIO.dll at 0x0000078C: \SystemRoot %s\S%8.8X.tmp. The ElbyCDIO service creates then accesses it every ten seconds in a seemingly infinite loop! I don’t know if the registry entry HKLM\Software\Microsoft\Windows NT\CurrentVersion\elbyTemp\TempFile has anything to do with it, but that reg entry is peculiar in and of itself.


I am not sure which app is responsible, but I suspect CloneCD is the center since ElbyCDIO was started with it and CCD is the only one with a weird reg entry. I installed and tested all of SlySoft’s apps (latest versions) today and found that CloneCD, AnyDVD, CloneDVD, and Virtual CloneDrive use ElbyCDIO while CloneDVDMobile and GameJackal do not.


So can anyone confirm these observations? Thanks.

that temp file is referenced by a registry entry at \HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ElbyTemp

it is in fact checked 10 seconds by the ElbyCDIO driver and is part of the trial period enforcement. Rootkit behavior, basically.

I’m familiar with the registry entry and while I cannot check it now because I have deleted it since I found this behavior and it has not been recreated, I am fairly sure it was not the same.

I am also fairly sure that it did not do this before, and only started with the latest version of everything (I am not certain of the exact versions).

Well they’ll need to find something less intrusive. Checking a file every ten seconds for eternity is unacceptable. It may not have a huge performance hit for everyone, but it can certainly add up, especially for those of us who have older systems. Besides, doing something the wrong way is still wrong no matter how little the its effects. Microsoft would never be able to get away with doing something like this (and they haven’t, people nagged and complained from day one of WGA), neither did Sony, so why should any other company?

I agree. The dilemma is such; There are two ways to enforce a trials and registration keys: Require people to register for trials and use time-limited product activation, or hide things and hide them well.

Key activation is the high ground, as the software is checking the trial period on the publisher's computer, which is their property, and the user knows of the activity.

If you enforce the trial locally, you have to keep track of it somewhere. A time stamp saved in the program's registry key or install directory isn't really bad, because it's just another saved setting. Unfortunately, it's also easy to crack.

Hiding registry keys, files, drivers, etc.. is questionable. You don't have to go to the expense of trial keys and activation servers, but you are playing games with your customer's machines behind their backs.

That being said, the reason for this is obvious: SlySoft products, until recently, used non-invasive but very easy to reset trial checking. I guess they got tired of trusting their customers. Well, they lost one here.

That is your prerogative but if they have a right to protect their software they also have the right to check to see who is a registered user if their software is on your machine. Software piracy must be stopped in order for these companys to survive, I would do the same. Just another opinion. and by the way it stops checking after your key has been verified after the trial period has ended.

Technically, it’s not a matter of survival, it’s a matter of profit. Like many, all of my software is free.

I’m not sure what you mean; are you saying that it stops if you enter a key after the trial ends? What if you enter it before? Does it delete the file?

During my testing, I tried creating a dummy file of the same name and locking it, and the ElbyCDIO service still seemed to work.

I'm not saying they don't have a right to protect their software, I just don't like them leaving stuff all over my PC. They can phone home with my activation key as much as they want and they can blacklist it if I share it. They can generate a hash from my hardware IDs, register it with an activation server, and re-check it periodically to enforce an evaluation period. All of that can be revealed in the EULA without compromising its effectiveness. None of that has to hide anything on my system, and circumventing it (in the US, under the DMCA) is illegal. If you hadn't already guessed, that is exactly how Microsoft does WPA and WGA. All well documented and all aboveboard.

Now, SlySoft does validate registration keys, and that's fine, but putting an undocumented function in a driver to hide stuff well outside the application's realm? There's just no need for it and it's ultimately useless. If I uninstall trialware and clean up ALL of the crap it leaves behind, then reinstall it, I get a new trial. I didn't crack anything, I just cleaned up my computer. As a matter of fact, what SlySoft ( and countless others) are doing might be illegal, depending on your local laws. EULAs normally state that I have uninstall software if I don't agree with how the software enforces the license. However, the EULA does not give it the right to leave stuff behind unless the EULA specifically says what it leaves, which defeats the purpose of hiding it.

Really, it's all about whatever you're comfortable with. I found this thread after discovering this behavior myself and posted to confirm this behavior was expected.

Actually, it’s not hidden at all, it’s just sloppy. I don’t like the idea of having random temp files in my Windows directory, and I especially don’t like it being polled EVERY 10 SECONDS.

They are good at reversing encryptions and protections quickly, so why can’t they figure out a better system? They of all people should know that it is pointless to try to waste time and resources on coming up with “more effective” protection systems.

CloneCD is not free, it is shareware, there are many free apps that are great, even better than alot of pay for apps, but CloneCD is worth every dime.

I don’t know about that. It used to be the defacto for ripping game CDs, but these days AnyDVD is the more valuable SlySoft app.

Actually it is more for music cd and movie dvd duplicating that CloneCD works excellent at...as it isn't not made for game CD/DVD....Anydvd by itself can on rip but for full use is to use it with CloneCD or CloneDVD to get the softwares full potential....one by itself does nothing but combining will improve the lot....but remember Anydvd is a decrypt/ripping software by itself can't make a duplicate or compress a DVD movie only rip the movie to HDD as a file but will not create a DVD to play in standalone or computer. Also I think every program now days make a temp file that it is working or creating so to say it's just Slysoft creating temp file is misleading....even Windows creates temp files with you use it....as well as browser you use to surf the net...don't you think they would phone home as well????

---

Last edited by coolcolors; 05-01-2008 at 06:38. Reason: revision

Yes but there are plenty of cd creating/burning programs available, so you don’t need CloneCD/ CloneDVD because you can just use one of the many, many others. In fact, I use freeware to create and burn discs that I make myself (backups of drive images, offloading files I don’t need to disc, etc). Unlike CloneCD/CloneDVD, There are not many other programs that do what AnyDVD, which is why it is the most valuable SlySoft app.

You do not understand what this one is; it is not a temp file like most apps use. What is happening here is that ElbyCDIO is creating a tempfile IN \WINDOWS and then reading it EVERY 10 SECONDS. That is sloppy overkill at best. First of all, create a TEMP file in the TEMP directory, second check it once a day, week, month, whatever. In fact, you CAN erase it and ElbyCDIO just recreates it, so its purpose seems pointless. In fact, you can create a dummy file (or a real file with that name by chance) and lock it, and ElbyCDIO will still work correctly, so again, its purpose seems pointless. (Oh, and it seems to create the same filename even if you wipe it out and reinstall, so the filename may be some sort of system hash.)

AnyDVD has a different purpose, and again, its not free, but worth every dime.

I know they do different things. I said that CloneCD is no longer a valueable SlySoft app since there are plenty of other programs that provide similar functionality. AnyDVD is the most SlySoft app because there are only a few that do what it does.

It may be worth every dime of its cost and that’s great, but it still does not excuse the rootkit-like behavior. Sony and Microsoft cannot get away with doing things like that, so what makes SlySoft an exception?

Temp files belong in the temp directory, and there’s no excuse to poll a file every ten seconds (which it does right from boot because ElbyCDIO is set to system startup—I’m having trouble finding more than a small handful services set to system).

Did you try the Slysoft forum: http://forum.slysoft.com/ and ask them the why's and wherefore's. Maybe they have an explanation, everything discussed here is just speculation and very redundant at that. Go to the source and come back here to post any response. Maybe even direct them to this thread. That sounds like a reasonable approach to me.

It is reasonable, unfortunately I am not a registered member of their forum and don’t really want to because I do not like registring whole new accounts on single-use forums. For example, for years I was (and still am) merely a lurker on the DreamCatcher forums instead of registering even though I love the game Painkiller, no matter how much I wanted to discuss something. I posted here because this forum is more general and covers multiple topics.

I suppose I could use the contact/email option; Mark emailed Sony when he discovered XCP.

OK, I did it for you: http://forum.slysoft.com/showthread....8244#post78244

Why would you post in the Slysoft forum, they are just resellers of the CloneDVD abd CD products, Elby ( Elaborate Bytes ) are the developers. For eveyones information AnyDVD prevents rootkits so the whole theory is flawed.

Despite what SlyFox1 said, that’s not what AnyDVD does, that’s just a side-effect of what AnyDVD does (in fact it can be done with any free tool or even by hand). Plus, I never said that it was a rootkit or even hidden, just rootkit (well, actually malware)-like in that it creates a file in a place that it doesn’t belong and continuously accesses it. When malware does this sort of thing people freak out whether or not it gives a performance hit. Just because it’s a useful program and the company is in good standing doesn’t mean you should tolerate or worse, ignore bad behavior, just that you can be polite and patient while waiting for them to fix it.

You’re right about Elby though, AnyDVD just uses the ElbyCDIO api; it’s right in the name: ElbyCDIO. In fact, you just exposed it as NOT being a license-enforcement technique since it is part of the driver and not the app itself.


Thanks, but they either misunderstand the problem or do not see it as a problem—sadly I am not yet fluent enough in German to tell them am Deutsch. Luckily Sony and Microsoft’s forays into this field did were not tolerated like this one is.

What would it take to get you guys riled up? If the file was polled ever five seconds? every second? 10 times per second? every millisecond? for it to connect to the Internet and send check your key ever time? for it to use 50MB of RAM? Just curious since I have seen people freak out over much smaller issues, so it is fascinating that you guys are so tolerant here. I would love to determine what factor causes the major disparity in attitude.

Synetech is just wrong and has no idea what he is talking about, there are no rootkits or malware installed by any Slysoft product. This is so absurd that anyone even repsonded to it. CloneCD nor CloneDVD or any other product Slysoft sell put anything on your computer but the file, if you dont know how do a clean uninstall then that your lack of knowledge not Slysofts doing something you made up. Dont you think this issue would have been brought up in the past 4 years, it just foolishness.
This is not true.

---

Last edited by alan1476; 06-01-2008 at 05:03.

Your testing is flawed and wrong,
Why would you want to start trouble? I suspect another motive here.

Did you read the posts in this thread from the top, because you certainly sound like you did not. First of all, I never said it installed a rootkit, I pointed out that it puts a temp file in \WINDOWS, then accesses it every ten seconds from the time Windows boots until it is shut down. ArcCoyote was the first to use the term rootkit, and even then only to describe the behavior: Rootkit behavior, basically. This is not a rootkit since it is not hidden which is a big part of the definition of rootkit.


I do not even understand this statement, but I get the feeling that it is utter nonsense whatever it is supposed to mean. Open a command prompt (Run->cmd), then use the following command:You should see a temp file that was created by ElbyCDIO. If you are advanced enough in computers to know what you’re doing, you could use Sysinternal’s FileMon and ProcMon/ProcExp to see that ElbyCDIO access the file EVERY 10 SECONDS.

Later on in the thread, it was confirmed that it has started with a recent version, and so NO, it would not have been brought up in the “past 4 years”.

What’s not true? The question? The fact that people have gotten upset over less? The fact that you guys seem to be so accepting of this? The fact that I would like to understand this difference?


Look, if you guys don’t mind this behavior no matter how incorrect it is, then fine, go ahead don’t complain. Maybe SlySoft won’t get emboldened by getting away with it and won’t do more intrusive actions later. I just thought I would let you know that it exists; report what I noticed, that’s all.

Uh, no it’s not. Do what I said in the previous post and you will see it for yourself (assuming you have a recent enough version of ElbyCDIO.dll).

Why would you want to let it slide? I suspect you work for SlySoft/Elby. And yes, I have (another?) motive: I don’t like people putting crap in my \WINDOWS folder—especially not TEMP FILES—and I certainly don’t like people polling my disk in an INFINITE LOOP.

Noone can verify your finding because they do not exist.
Could it be that you have something to do with this application? You are wrong. Making false statements and insisting that they are true does not make them correct. You are wrong. This is the end of this thread.

Synetech this is a 21 day trial app (Slysoft products that is) so you can uninstall in and never use it again if needed.