June 20, 2011

I often get emails from people asking if it’s safe to download executable programs from peer-to-peer filesharing networks. I always answer with an emphatic “NO!,” and the warning that pirated software and cracks — programs designed to generate product keys or serial numbers for popular software and games — are almost always bundled with some kind of malware. But I seldom come across more than anecdotal data that backs this up.

Recently, I heard from Alfred Huger, vice president of engineering at Immunet, an anti-virus company recently purchased by Sourcefire. Huger was reaching out to offer feedback on my 3 Rules for Online Safety post. He told me that the rules should have included this warning: Do not download pirated software and cracks from filesharing networks and cracks sites because they are a major source of malware infections.

I replied that people who knowingly engage in this type of risky behavior probably don’t care much about my three rules, and that the advice was meant for people who were interested in learning how to stay safe online. But I was curious about his comment, and asked if he had data to support it. Huger said these types of infections were closely correlated with cases in which Immunet users opted to dispute its malware detection for specific files. Files that are “convicted” by anti-virus programs are considered malicious and are placed in a quarantine area on the user’s system. But if users still want to access the file, or they don’t believe or care that it’s malicious, they can reverse or “roll back” that conviction.

“A roll back to us is a file which we convicted but people disagreed with the conviction and rolled it out of quarantine,” Huger said. “About 90% of the false positive roll backs I see which result in more than 10 convictions — meaning more than 10 people rolled it back, turn out to be real malware. In almost every case when I can actually track down the user and ask why they rolled it back I am told it was a crack or pirated material of some type. They went looking for it and installed it.”

As an example, Huger said that in the previous week, more than 100 Immunet users had rolled back infected files that install copies of the Conficker worm, among other malware.

“I am doing false positive management again this morning,” Huger told me last week. “In the last 7 days 484 people in my community rolled this out from quarantine. It’s frustrating to see because I know once they get infected it’s going to be pure misery for them.”

I hope it’s clear from reading this post that downloading pirated software and software cracks is among the fastest and likeliest ways to infect your computer with something that ultimately hands control of your PC over to someone else.

Please add these to the growing list of KrebsonSecurity Rules for Online Safety:

It is almost never safe to download executable programs from peer-to-peer file sharing networks because they are a major source of malware infections.

49 thoughts on “Software Cracks: A Great Way to Infect Your PC”

  1. wiredog

    Sad that, in this day and age, people have to be told this.

    OTOH I know a guy with several years of training and experience in law enforcement who accidentally shot himself in the hand while being stupid with a pistol. “I thought I’d unloaded it…”

    So anyone can be stupid. Even people who know better.

  2. packets

    Hmm…Stupid or ignorant? Social engineering is so easy and works every time it’s tried! D’oh!

  3. ALLEN

    Would love to know the other “KrebsonSecurity Rules for Online Safety”. I suspect they are based mostly on common sense, but hey – that should make ’em easier to remember.
    Brian – please re-post those rules,
    and many thanks for all your work.

    1. qka

      Not to mention the link in the second paragraph of this posting.

  4. Jason

    I don’t disagree that pirated software downloads are a major source for infection. However, does that mean the majority of such downloads are infected? I’ll tell you why I ask this:

    I have a friend who was quite involved in the community that cracks software and packages the software and cracks together and uploads them to torrent networks. I’ve had stuff I downloaded that was flagged (yes, I live dangerously sometimes), usually just the crack. And when I asked him about it, he said that most cracks show up as malware, but they’re really not. It’s the heuristic detection kicking in because cracks do malware-like behaviour (changing executable files).

    Now I realize in individual cases, it’s probably impossible to know the difference but I’ve wondered if anybody has studied just how much of the pirated programs really is malware. And I don’t mean the obvious stuff. Like when you download a program that you know is supposed to be several hundred megabytes and yet the download link says 12 MB (just to toss a number out there).

    1. Cherry

      Agreed. Torrented files that are cleared, checked and rechecked on sites with excellent reputations are unlikely to be malware.

      Malware deliberately propagates itself via P2P, and idiots who shouldn’t use P2P download it and spread it around.

      Furthermore, many of the more dubious anti-virus software constantly detects cracks as malware, while the bigger and more popular ones don’t. Coincidence? No, it’s because the smaller ones have lousier heuristics.

    2. KFritz

      Russian roulette is played with all but one of the revolver’s chambers EMPTY. * The majority of the downloads don’t have to be infected for the propagators’ strategy to succeed. It’s better for them if most are safe. It persuades the unwary to take risks and download their toxics.

      *Fer you youngins, revolvers are the odd looking handguns the cowboys carry in Westerns. Modern weaponry has made Russian roulette obsolete.

    3. Gene

      Cherry’s argument seems to be a sort of logical fallacy. “So when it’s my P2P network (torrents), it’s “checked and rechecked” (by whom? When was the last time The Pirate Bay removed a torrent?) and is perfectly safe. When it’s other people’s P2P network (I assume you mean lower-tech options like Ares, Frostwire, etc.), those people are “idiots” that are obviously going to get a virus.”

      1. Cherry

        No, talking about The Pirate Bay. I do not contradict myself. SOME torrents are safe. Most p2p is not.

  5. Jason

    On top of that, I recently installed a Game which I purchased legally called Commander-In-Chief. There was an update for it so I downloaded the update. When I tried to apply the update, it was immediately flagged as a virus and quarantined.

  6. Lefty McGee

    There’s definitely a cry-wolf factor at work. When AV software flags pretty much all software cracks as malware even when they are not then people start ignoring those warnings.

    1. Al Huger

      There might be something to that but the data I referred to for this blog was Conficker. Typically I see Mazben, Conficker, Sality and a handful of others. They come in spates as someone is likely successfully seeding networks with them. We certainly convict cracks etc. as other vendors do but they are not what caused me to send the note to Krebs on Security.

      Best,
      al

      1. george

        @Alfred Huger
        Thank you for sharing your insight, Al.
        I suspect the statistics might be even worse with a more general sample (not only users of Immunet). For a start, there are plenty who do not even have a (functional) antivirus installed, expired licenses, outdated versions, etc.
        I was wondering what the reasons are that Immunet and most antivirus vendors convict software cracks even when there is no indication of their being malware.
        Is it because there are agreements with other vendors in the industry? A heuristic engine that is too aggressive? A decision based on the observation that a (known) software crack is more likely to be tainted by infection? A combination of the above? A completely different reason?
        I hope you can let us know.

        1. Al Huger

          George,

          That question is likely to be answered differently from vendor to vendor. In general I think software cracks are convicted for two reasons:

          1. Definitions/Engines are often tuned for Enterprise & Consumer users. In the Enterprise software cracks are a serious issue which could result in the company being sued, therefore they are aggressively removed.

          2. The pedigree of so many software cracks is so deeply suspect that it often pays to simply convict them out of hand.

          Best,
          al

          1. TJ

            Al – If Immunet and other vendors convict cracks just for the sake of being cracks – even when there is no proof that a specific crack is malicious – how do you describe the conviction to the end-user? Are all cracks tagged as malicious?

            1. Al Huger

              TJ,

              I am not sure, I cannot speak for how everyone else treats them. We only have two determinations – Malicious and not known to be malicious. So if we convict them then we consider it malware. If users disagree they can roll it back, we review roll backs every 6 hours.

              al

              1. JCitizen

                I’ve suspected for some time that the original vendor seeds these sites with infected cracks; just to purposely mess with anyone using them. I’m also not so sure the malware criminals simply infect the P2P server just like they do a lot of other legit sites, because they know neither the site administrator nor the victim will do anything about it.

    2. Al Mac

      A risk always exists that a legitimate provider of game software gets itself infected or compromised.

      Look at the PR nightmare Sony is currently embroiled in. Who would trust any game software from Sony until they get that cleaned up?

      The very first malware that infected me was after I did a review of some software that I thought was great, and I said so; an employee with that software company sent me the “I love you” virus, before I saw any warnings about it.

  7. andy1

    Interesting post. That confirms what I’ve suspected about software cracks. When I was in grad school a decade ago, I was pretty indiscriminate about downloading cracks. I still had a few of those files hanging around on various backups. I was looking for some files recently and when I opened the folders on my current machine, there were a handful of virus/malware files detected. My suspicion is that when I downloaded those, they were ahead of the antivirus signature files, but now they are found by regular scans. I guess one takeaway from this is that even if the crack you download now seems clean in a virus scan, it may just be that the virus in it is not yet detected…

    1. kosh

      This is BS. I have done what you describe several times. It always comes out clean.
      AV detects the compression used in the EXE file and flags it as a virus. Just for the sake of argument, try downloading a PC demo from http://www.pouet.net (pick one from the 4K category) and it will be flagged as a virus, simply due to the EXE packer used (called crinkler). Then try submitting one or several of the detected files for review and I guarantee you it will come back with a clean bill of health. The funny thing is that even if you submit hundreds of EXE files packed with crinkler and they all come back clean, the AV will still detect crinkler-packed EXE files as a virus. Makes you wonder how effective AV really is.

      I have had the better part of 7 years of carefully collected demos destroyed by a well-known AV, simply because it detected the crinkler-packed EXE files as a virus.

      1. JCitizen

        @kosh;

        It would seem that simply setting the configuration to always quarantine threats, would make it less likely that the PC would get hosed. My AV always quarantines suspect files anyway. I leave them there until a definitive description comes down the pike.

  8. Ted

    I don’t see the issue here. Most people have rogue anti-virus already installed so they are not burdened with manually moving items out of quarantine 🙂 … it does that automagically for them 🙂

  9. Martijn Grooten

    I guess most users know that they’re doing something “not quite right” when downloading executables through p2p, so they may indeed be more likely to ignore any kind of warning they get.

  10. John Thompson

    Downloading warez and cracks is like having sex without a condom: sooner or later you’re going to get something you wished you hadn’t.

    1. Cherry

      I disagree, it’s more like trying to creep into the back of a movie theatre, sometimes you’ll get caught out, it depends on how careful you are.

  11. Abram

    Just need to download all stuff from 0day scene, not from crappy sites or p2p.

  12. ALLEN

    To flipp & qka: glad to receive your help. Thanks.

  13. george

    This is good advice, Brian, and it is true that most executables found on P2P networks, binary news servers and the like are in fact trojans or tainted with viruses. But I would note that in my opinion many of the cracks begin by being “genuine”, released by various groups or “scenes” purely to brag about their “skillz” and dis rival groups. However, for every genuine crack, miscreants of the lowest kind will soon post/spread thousands of copies of trojans/downloaders (with the same name/characteristics as the original crack). Since MD5 checksums are not that popular in such circles, it is hard even for experienced “downloaders” to separate wheat from worse than chaff.
    The bottom line is it doesn’t really “pay” to use pirated software anymore, not only because of the risks involved and the effort/time spent to find a non-infected crack, but mostly because you can find now (with some notable exceptions and excluding most games) surprisingly good, functional, free opensource software for almost any function.

  14. prairie_sailor

    I would expand on this advice just a little. I would say that any download of something “free” that would normally be paid for is very risky for malware. While some of the “cracking” groups MIGHT not be loading their cracks with malware, malware these days generates a lot of money. It would certainly be very tempting for a lot of those groups no matter what they say publicly. Does altruism really exist among thieves? I doubt it.

  15. David

    It’s unfortunate that so many legally owned games won’t run on Wine on Linux without a no-cd crack. Though most malware doesn’t seem to support Wine very well yet, it’d be pretty easy if they wanted to.

  16. PaPaCensored

    Slightly disappointed; I was hoping we were getting some proof or news that certain well-known cracker groups are in fact botnet controllers (core, zwt, skidrow, you name it), rather than a quote from a proprietary software producer who hates keygens and cracks due to their conflict of interest.

  17. Alan

    There was a game called BioShock that was released back in 2007, if I remember correctly. The developer put in a rootkit while installing the game just to keep fighting against piracy. I can see that software developers are using some black hat methods to fight against piracy, and it kinda shows that nothing much can be done from the white hat side. Even non-pirated stuff might contain malicious items for self-defense.

  18. Fred

    Well, torrents and warez stuff are no doubt a great way to infect our system with Trojans/malware. Still, a good number of regular internet users don’t hesitate to use cracked/pirated versions of known software for the sake of saving a few bucks.

  19. BC Malware Guy

    I did a blog post a couple of years back that looked at the prevalence of different “fake warez” malware. (Warez, in this case, being any sort of big download a user might be looking for.)

    Note that this was not based on heuristic data, so it has no bearing on the argument that maybe AV heuristics were throwing a False Positive based on the crack’s behavior. This was based on a known malware network that was simply *pretending* to be something else to serve its malicious downloads. (The payloads didn’t change, only the filename, which is what I based my stats on.)

    To sum up, about 2/3 of the malware downloads were impersonating Porn movies, and about 1/3 were purported “cracks”.

    http://www.bluecoat.com/blog/what-are-most-dangerous-warez-search

    –Chris

    1. Jason

      I find the results interesting and I don’t dispute them. What I really wonder though, and surely somebody must’ve collected this data is how much of all these downloads are malware, not how much of malware came from downloads, two very different questions.

      I see a lot of people saying that if you play with pirated downloads then you’re likely to get stung. But that also goes for visiting websites, accepting email attachments and really, downloading anything. If you do any of those things you have a chance of getting a piece of malware if you don’t know what you’re doing. But how much of these downloads, not just pirated software, btw, but tv shows and movies are infected or are packaged with malware? The shows often include a “codecs” install which is, in fact, malware.

      I suspect that nobody studies this because no software company wants to know the answer since if the amount is very small, people may pirate more. Or perhaps they’ve studied it and already come to these conclusions and aren’t publishing them for the same reason.

  20. Razor

    I have been wondering for some time why the “Scene” hasn’t yet created a PKI for warez validation. Those guys already use SFV files for verification. They could replace the CRC with SHA-1 and sign the files.

    Some groups (e.g. CORE I think) already sign their releases but not too many people know how to verify them.
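To make the difference concrete, here is an added example (not code from the post, from any release group, or from Immunet) that verifies a constructed two-file release both ways: against the .sfv format the comment mentions (CRC-32 per file) and against a SHA-256 manifest bound to a key. HMAC-SHA256 stands in for the PKI signature because Python's standard library has no public-key primitives; the file names, contents and key are all constructed here.

```python
import hashlib
import hmac
import zlib

# Constructed sample release: file name -> bytes, as if read from disk.
RELEASE = {
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"real installer",
    "crack.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"keygen",
}

def make_sfv(files):
    """Emit .sfv text: ';' comment lines, then one 'name CRC32HEX' per file."""
    lines = ["; generated by the constructed example"]
    lines += [f"{name} {zlib.crc32(data):08X}" for name, data in files.items()]
    return "\n".join(lines) + "\n"

def parse_sfv(text):
    """Parse .sfv text into {name: crc_int}; tolerant of blanks, comments, case."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, _, crc_hex = line.rpartition(" ")   # names may contain spaces
        entries[name.strip()] = int(crc_hex, 16)
    return entries

def verify_sfv(files, sfv_text):
    """Return {name: ok}. CRC-32 catches corruption, but anyone can regenerate it."""
    return {name: (name in files and zlib.crc32(files[name]) == crc)
            for name, crc in parse_sfv(sfv_text).items()}

def make_manifest(files):
    """SHA-256 manifest, one 'hexdigest  name' line per file."""
    return "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n"
                   for n, d in files.items())

def sign_manifest(manifest, key):
    """Append an authenticator line. HMAC stands in for the group's signature."""
    tag = hmac.new(key, manifest.encode(), "sha256").hexdigest()
    return manifest + "; sig " + tag + "\n"

def verify_signed_manifest(files, signed, key):
    """Check the tag before trusting any hash. Returns (tag_ok, {name: ok})."""
    body, _, sig_line = signed.rstrip("\n").rpartition("\n")
    body += "\n"
    if not sig_line.startswith("; sig "):
        return False, {}
    want = hmac.new(key, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(want, sig_line[len("; sig "):]):
        return False, {}   # manifest edited, or produced without the group's key
    results = {}
    for line in body.splitlines():
        digest, _, name = line.partition("  ")
        results[name] = (name in files and
                         hashlib.sha256(files[name]).hexdigest() == digest)
    return True, results

if __name__ == "__main__":
    key = b"constructed-group-signing-key"
    # A re-upload in which crack.exe was swapped for a different file.
    tampered = dict(RELEASE, **{"crack.exe": RELEASE["crack.exe"] + b"!"})
    print("sfv, original listing:", verify_sfv(tampered, make_sfv(RELEASE)))
    print("sfv, regenerated by uploader:", verify_sfv(tampered, make_sfv(tampered)))
    print("signed manifest:", verify_signed_manifest(
        tampered, sign_manifest(make_manifest(RELEASE), key), key))
    print("manifest regenerated without key:", verify_signed_manifest(
        tampered, sign_manifest(make_manifest(tampered), b"wrong-key"), key))
```

The point the output makes is the one in the comment: a swapped file passes a freshly generated .sfv, whereas a manifest regenerated without the group's key fails before any hash is even compared.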

  21. Amelia @ Ethical Hacking

    I believe this situation is an example of cost versus convenience or the other way around. Cracking software programs is a way to defer cost. People may find it convenient to be able to crack software after downloading it for it to put to use at no cost as they initially think. However, the infection of malware may become a cost in the long term, prompting users to spend or even resort to ends that eventually put them to inconvenience.

    Even if acquiring a software program legally, is it 100% safe? Although there are statistics showing a lower likelihood of “warez” infection from legal downloads, there is still room for users to find themselves doubtful whether the software program integrates malware in a cloak. Maybe it is a matter of choosing wisely and heeding credible reviews.

    Online users should be vigilant before making downloads. Piracy can really kill and this extends to PC.

  22. kooberfacer

    I’ve known a few friends who in the past swore by software cracks for their programs. I ran into a few issues of said software not working properly and bought the retail version. Well, what do you know, it worked properly, the way I expected it to.

    For the last 10 years I’ve used purchased software and it all still works as expected. Too bad I can’t say the same for cracked software. The cracks eventually get patched and stop working for most software, not all though.

    As for those friends? They buy their software now, :P!

    1. William

      I’ve never had that problem with cracked software, nor have my friends. Guess it’s luck.

  23. Christian

    I think we all would fare much better without a virus scanner.
    I don’t use a virus scanner on my home machine and I got 1 infection in 10 years.
    Virus scanners are just snake oil and therefore a danger themselves.
    The detection rates are very bad and it’s purely based on luck whether your installed version will detect the virus you just downloaded.
    Most of them are bloatware too and install a bunch of software you never need.

    Basically there are 2 methods for detection:
    pattern and heuristic,
    which are both flawed….
    Patterns are easy to circumvent.
    Heuristics are CPU intensive and prone to false positives.

    I check files from untrusted sources on VirusTotal; this is at least some useful implementation of virus scanners.

    So let’s take a look from the “normal user” POV.

    – I’m safe because I’ve got a virus scanner and firewall
    – when I download stuff the software will protect me, no need to worry
    – when the scanner warns me, it’s most likely a false positive, because that happened the last 20 times

    So instead of selling their half-baked scanners to customers, the industry should really work on:
    – better mechanisms for detection
    – centralised pattern databases

    just my 5 cents 😉

    1. JCitizen

      If you are using an NT6 or better MS OS and restricted accounts, I would agree with you. However, you wouldn’t want to do any online shopping or banking. You would still need to update all applications and the operating system, to keep from being completely pwned.

      You’re just lucky or just don’t go anywhere on the web if you’ve gotten away with it this long. Of course using Linux or OSX will greatly improve the odds, and make it even more unlikely.

  24. John Browne

    Code verification is important on many fronts, not just illegal copies of software. And free software isn’t the only cracked version – a number of significant criminal enterprises are selling counterfeit versions of legitimate products at steep discounts. The public needs to be aware of the idea that if it looks too good to be true, it probably is, and the executable might very well contain a surprise, but not a welcome one.

  25. William

    Well, until software prices are regulated and affordable for teens and those in lower financial brackets, much cracked software will be used since it’s the only way that some people are capable of using it. Many times, the work I’ve seen completed by youths with cracked software is amazing, and many of these youths would never have had the chance to express themselves and learn of their talent and skills if they had waited to purchase software ranging from 600 to 2500 dollars. Illegal, risky, but well worth it for many youths, who would never have such a chance without cracked software.
