Malware and Unsecure Software Distribution
The most commonly reported threat family in 1H12 was Win32/Keygen, a detection for tools that generate keys for various software products. Software pirates often bundle a key-generator utility with a well-known application and then distribute the package using a torrent client or by uploading the package to a file distribution site. A user who downloads the package runs the key-generator utility to create a product key that will supposedly allow the software to be used illegally. Its widespread impactâ€”of the 105 countries or regions covered in this report, 98 percent listed Keygen as one of the top 10 families detected in 1H12â€”and its strong association with unsecure file distribution activity make it a good indicator family to use to examine how attackers exploit such activity to distribute malware.
An examination of Keygen reports shows a diverse list of popular software products being targeted, as indicated by some of the file names used by the Keygen executable:
- Windows Loader.exe
- SonyVegasPro Patch.exe
- Nero Multimedia Suite 10 - Keygen.exe
- Guitar Pro v6.0.7+Soundbanks+Keygen(Registered) [ kk ].rar
- Half Life CDkeygen.exe
Installing pirated software bears significant risks. In many cases, the distributed packages contain malware alongside (or instead of) the pirated software which takes advantage of the download and install process to infect the computers of users who download the bundles. More than 76 percent of computers reporting Keygen detections in 1H12 also reported detections of other threat families, which is 10 percent higher than the average co-infection rate for other families. (See â€œMalware statisticsâ€ on page 7 for additional information.)
The tactic of bundling malware with software on unsecure file distribution sites and networks is not limited to pirated commercial softwareâ€”attackers sometimes take advantage of traffic in freely distributed software as well. In 1H12, the MMPC observed 35 different threat families being distributed using the file name install_adobeflash.exe, which suggests an installation package for the freely distributed Adobe Flash Player. Threats that make use of this technique in 1H12 included notable families such as Win32/Sirefef, Win32/Bancos, and Win32/FakeRean. (See â€œThreat familiesâ€ beginning on page 42 for more information about these and other threats.)
Similar tactics are used by attackers who engage in so-called paid archive schemes, in which users are convinced or tricked into paying for software that might otherwise be available for free. The most commonly detected threat family in 1H12 in Russia, Ukraine, and several other countries and regions in eastern Europe and western Asia was Win32/Pameseg, a family of programs that claim to install various popular software packages. A user who launches a Pameseg installer is instructed to send an SMS text message to a premium number (typically at a cost of between 5 and 20 US dollars, although the installer usually claims that it will be free of charge) to successfully install the program. Among the top file names used by Pameseg installers in 1H12 were several that resembled the names of programs that can be legally downloaded and installed for free, in addition to paid commercial programs:
- Adobe Photoshop CS5 key-rus.exe
For more information about Pameseg and paid archive schemes, see the following entries in the MMPC blog (blogs.technet.com/mmpc):
- Easy Money: Program:Win32/Pameseg (part one) (November 14, 2011)
- Easy Money: Program:Win32/Pameseg (part two) (November 21, 2011)
Other hacking tools that are frequently used to distribute malware with shared or pirated software include:
- Win32/Gendows. A tool that attempts to activate Windows 7 and Windows Vista operating system installations.
- Win32/Patch. A family of tools intended to modify, or â€œpatch,â€ programs that may be evaluation copies or unregistered versions with limited features, for the purpose of removing the limitations.
- Win32/Wpakill. A family of tools that attempt to disable or bypass WPA (Windows Product Activation), WGA (Windows Genuine Advantage) checks, or WAT (Windows Activation Technologies) by altering Windows operating system files, terminating processes, or stopping services.