Microsoft: piracy is getting virusy

Filed Under: Featured, Malware, Microsoft, Security threats

The underweb grows ever more slimy, Microsoft says, as downloads of pirated movies, music, software and other media increasingly come bearing malware.

In the latest edition of the Microsoft Security Intelligence Report [PDF], released on Monday, the company tackles unsafe supply chains, which it describes as "the websites, protocols, and other channels by which software and media files are informally distributed, both legally and illegally."

The definition covers underground sites where pirated software and media are openly exchanged, as well as legitimate websites that make shareware or free music files available for public download.

In fact, unsafe supply chains encompass even computers sold at retail.

Last month Microsoft put out a white paper [PDF] in which it revealed that four of 20 brand-new computers bought in China contained malware right out of the box.

For these regularly issued reports, Microsoft crunches data reported by PCs running its anti-malware products whose users have opted to send data to the company.

Part of what the company is seeing on those reporting PCs boils down to malware samples that share the same names as files known to be distributed on file-sharing networks. Microsoft calls this attackers' "time-honored tactic" of hiding malware behind the supposedly safe name of a trusted product.


Microsoft also says malware families strongly associated with file-sharing distribution, such as Win32/Keygen, Win32/Pameseg, and Win32/Gendows, were found on 16.8% of computers reporting detections in the first quarter of 2012.

That number increased to 17.2 percent of reporting computers in the second quarter.

From the security report:

Installing pirated software bears significant risks. In many cases, the distributed packages contain malware alongside (or instead of) the pirated software, which takes advantage of the download and install process to infect the computers of users who download the bundles. More than 76 percent of computers reporting Keygen detections [during the first half of 2012] also reported detections of other threat families, which is 10 percent higher than the average co-infection rate for other families.

The most commonly reported threat family, showing up in 98% of the 105 countries or regions covered by Microsoft's report, was Win32/Keygen, a marker for tools that generate product keys that allow software to be used illegally.

Microsoft says that Keygen is strongly associated with unsecure file distribution.

In fact, the presence of Keygen is something of a red flag pointing to file distribution and the malware that so often piggybacks onto the files being distributed.

Microsoft also found Keygen tagging along with a list of wildly popular software downloads, including games, Photoshop and AutoCAD:

  • Windows Loader.exe
  • mini-KMS_Activator_v1.1_Office.2010.VL.ENG.exe
  • AutoCAD-2008-keygen.exe
  • SonyVegasPro Patch.exe
  • Nero Multimedia Suite 10 - Keygen.exe
  • Adobe.Photoshop.CS5.Extended.v12.0.Keymaker-EMBRACE.exe
  • Call.of.Duty.4.Modern.Warfare.Full-Rip.Skullptura.7z
  • Guitar Pro v6.0.7+Soundbanks+Keygen(Registered) [ kk ].rar
  • Half Life CDkeygen.exe

Of course, downloading illegal media in itself doesn't mean a PC will be infected. Nor is the presence of Keygen proof positive that a PC has been attacked.

And Microsoft, obviously, being a software vendor, has reasons to scare the pants off any pirates who want free versions of its products.

But Microsoft does seem to have data on its side, given the high correlation rate it cites between Keygen, for example, and other threats.

Beyond that, attackers are targeting more than pirated material. They're also hitching a ride on freely distributed software.

For example, Microsoft's Malware Protection Center has recently seen 35 separate threat families being distributed with the filename install_adobeflash.exe, purporting to be an installation package for the freely distributed Adobe Flash Player.
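As an added illustration (not code from the article or from Microsoft's report), the following Python script triages a download folder using the two observations above: a name like those in the Keygen list is only a signal, and a file carrying a trusted installer's name, such as install_adobeflash.exe, should be checked against the vendor's published hash rather than trusted by name. The allowlist value and the sample files are constructed stand-ins.

```python
import hashlib
import re
from pathlib import Path

# Name fragments that recur in the Keygen-associated downloads the report
# lists (keygen, keymaker, activator, loader, patch, cdkey). A match is a
# triage signal only: as the article notes, a name is not proof of infection.
KEYGEN_NAME_RE = re.compile(r"keygen|keymaker|activator|loader|patch|cdkey",
                            re.IGNORECASE)

# Constructed stand-in for the genuine installer's bytes. A real allowlist
# would hold the SHA-256 values the vendor publishes for its downloads.
GENUINE_FLASH_INSTALLER = b"constructed stand-in for the real installer"
KNOWN_GOOD = {"install_adobeflash.exe": hashlib.sha256(GENUINE_FLASH_INSTALLER).hexdigest()}

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large installers do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def classify(name: str, digest: str) -> str:
    """Verdict for one download from its name and SHA-256."""
    base = Path(name).name.lower()
    if base in KNOWN_GOOD:
        # Trusted installer's name: believe the hash, not the name.
        return "verified" if digest == KNOWN_GOOD[base] else "name-spoof"
    if KEYGEN_NAME_RE.search(base):
        return "keygen-like"
    return "unclassified"

def triage_directory(directory: Path) -> dict:
    """Map each regular file in a download folder to its verdict."""
    return {p.name: classify(p.name, sha256_file(p))
            for p in sorted(directory.iterdir()) if p.is_file()}

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample folder
        folder = Path(d)
        (folder / "install_adobeflash.exe").write_bytes(b"not the vendor's bytes")
        (folder / "AutoCAD-2008-keygen.exe").write_bytes(b"constructed")
        for name, verdict in triage_directory(folder).items():
            print(f"{verdict:12} {name}")
```

A "name-spoof" verdict is the case the article describes: a file named like a genuine installer whose contents are not the vendor's.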

Beyond attaching themselves to popular software, threat families are also crawling onto downloads of top movies and songs.


Getting nailed with malware glued onto either pirated media or legal shareware is nothing new, of course.

But whether you're picking up a Mac Trojan in pirated Adobe Photoshop (circa 2009) or getting your pirated mobile Android and Apple apps hacked (circa 2012), the lesson is the same every time.

In a nutshell, be careful.

Getting something for nothing can lead you to getting something you didn't count on.

Take a look at Microsoft's report for a host of tips on staying safe.

Jolly Roger, computer and virus detected images courtesy of Shutterstock


9 Responses to Microsoft: piracy is getting virusy

  1. Machin Shin · 1092 days ago

    Is it just me that finds their report worthless after reading this? When you count "keygens" as malware then well of course almost all pirated stuff has malware. Then they say that 76% of those with keygens also have other infections. Well I wonder how many of those other "infections" were things like jack the ripper, airhog, and other "hacking tools".

    You just make yourself look stupid when you say "piracy has malware, just look at all the keygens". Piracy is indeed a risky option and you very likely will pick up a real virus or malware. So stop inflating the numbers by pointing to "hacking tools".

    • Andrew Covarrubias · 1092 days ago

      Agreed. If the only thing the software is doing is something the user wants it to do, and in fact the reason the user has it, it's hardly fair to call it malware. It may be bad for the companies selling this software commercially, but unless it includes a keylogger or something, it's not really bad for the user. Except his conscience. It's bad for that.

      What I wonder is how many of these infections are heuristic false positives. Keyloggers installed by companies on work computers, productivity software that hovers over the top of other software in a way MSE doesn't like... I'm sure they're counting these so they can inflate their numbers just a bit higher. Heck, they may even be counting their own lab tests where they install malware on purpose.

      • Machin Shin · 1091 days ago

        Well also false positives in the form of intentional malware in Zip files. I have had a few fun little key loggers and things that I kept penned up. Every now and then it is fun to mess with your friends... (yes, I know, I'm a bit cruel at times) Point is a lot of file sharers are also "script kiddies" and intentionally have a few things on their machine.

    • Some guy. · 1092 days ago

      Some keygens have malware packed into them as well. The keygen serves its function - but also infects the machine with malware. It is an effective delivery method for malware since users of keygens are used to running odd software.

    • Scotty Smalls · 1092 days ago

      I think he meant "keygen" binaries are a common distribution platform for various forms of malware?

  2. Richard Steven Hack · 1092 days ago

    So file-sharing includes viruses...

    All I can say is: Duh!

    I once had a home user client who called me about a ridiculously slow machine. I spent hours trying to clean this thing. Then I found that at some point they had used Limewire, a P2P system noted for distributing viruses. They had literally gigabytes of files on their machine which were being distributed over the Limewire client. All of the files had the names of current popular movies, music, etc. and all of them were loaded with viruses and spyware.

    This is not news. It's been true for years.

    That said, the main way to avoid the problem is to download via Bittorrent and look at the reviews of the download. If it's a virus or a fake file, someone will find out and bitch.

    What would be a more interesting statistic is what percentage of P2P files online are actually infected with viruses. My guess is it would be a very large percentage - but not a majority.

  3. jnihil · 1089 days ago

    So run the keygen in a VM, generate the key, then rollback the VM after the infection.

  4. miss_Rarity · 1085 days ago

    Granted it might be true, as they wouldn't say that malware is on computers straight out of the box for a profit. That may push users over to Mac out of fear of viruses.

  5. HXoRGrrrL · 55 days ago

    Well, it is August 2015 now, 3 years after the last comment was written, and Windows 10 was rolled out on July 29 as a free upgrade to existing Windows 7, 8 and 8.1 users, with the latter two of course being complete Windows, that is, Microsoft flops.
    No sooner does one commit to the upgrade or Microsoft takes over, hides half the directories you formerly had access to with an obnoxious "access denied" message and proceeds to weed out all your keygen files. The AutoKMS activator gets a new name, HackTool:MSIL/Gendows and despite the fact that Microsoft says that it CAN contain malware meaning that this is basically NOT the case, it gives you no opportunity to stop its removal. Obviously, it doesn't want people to install free copies of 64-bit Windows, but to be so surreptitious about it puts them on about the same standard of ethics as the pirates.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.