Revulytics Blog

Software piracy as a way of spreading malware

December 17, 2008


I am both a software engineer and a security researcher. I have over 15 years working on different areas of the information security spectrum, such as software engineering, researching reverse engineering proof of concepts, network security, software and hardware hacking, information security research, computer forensics, cyberterrorism and industrial espionage countermeasures.

I wanted to add a little bit of salt to the topic of software piracy.

People crack software for several reasons. The most obvious and often published are:

1- To be able to use a piece of software for free.
2- To make a profit from selling stolen software.
3- To learn how the software works and steal ideas for the competition.

The reasons behind points 1) and 2) are very clear. People want access to software and don't want to pay for it; or at least they don't want to pay the full amount. Pirated software is often available for free on any of the P2P networks or it can be bought for next to nothing in certain "specialized stores".
Point 3) is a bit more complex. Rival companies go through a lot of trouble trying to find the other company's new technology. When speaking about software this usually translates into reverse engineering and other forms of software cracking. The basic idea behind it is to unravel the competition's technology and copy their ideas.

But, we are overlooking the darker side of software cracking.

Crackers working for their own gains or other's (being a rival company, crime organizations or governments) will crack the software protection or licensing technology to use them as a carrier for malware. Malware - or malicious software - can take any form: from a simple annoyance - a nag screen telling you to buy the latest anti-virus - to backdoors that provide malicious hackers working for different "agencies" a simple way to hijack the system and use it for subversive activities - like part of a massive DDOS (Distributed Denial Of Service) attack or to penetrate government sensitive systems.

Take for example the huge industrial espionage case in 2005 in Israel ( and .

"the industrial espionage was perpetrated using a Trojan horse attached to e-mails and to hacked software, which were then subsequently installed by company employees. With the application in place, they said, information taken from corporate hard drives was sent to FTP servers located around the world. A partial list of the companies that the Trojan horse infiltrated includes the HOT cable TV company, which competes with Yes; Partner, which competes with Pelephone and Cellcom; a competitor of Hamafil in document copying — Tsilumaatik; Hewlett Packard; the Shalmor-Avnon-Amichay and Reuveni-Pridan ad agencies; and the PR agency of Rani Rahav."

The trojan was installed into the systems using two vectors; the first vector was the email, with a little bit of good old fashioned Social Engineering the attackers were able to fool the victims into installing the trojan. The second vector was an embedded version of the trojan. The copy was stealthily added to a cracked version of a music player and a file sharing program.

Even anti-virus companies are warning their users about this:
"Trend Micro warns that, for example, key generator programs designed to unlawfully activate Nero CD burning software from a trial mode into a paid mode are often packaged with a range of malware.
Nero cracker packages downloaded using P2P networks or via websites hosting illegal software expose users to risks such as the theft of personal or financial information."

These backdoors into the system are very hard to detect; they use stealth technologies such as rootkits (software running at the OS kernel level and thus will full control of the system) for hiding their presence and activities from the OS and the user, and masquerades to appear as a trusted process (either by altering the process binary or by injecting code into the running process) and thus gaining full access to that process' resources.

The backdoors can provide keyboard sniffing services (a keyboard sniffer is a special kind of malware that records the keys as they are being typed by the user, including usernames and passwords), where the data collected is then sent via the internet to a random server waiting for it. The backdoors can use the current system as a way to cover the attacker's real IP address (a technique used when the attacker wants to remain anonymous while hacking another target) while he is stealing the million dollar from the No So Secure Online Bank, Inc., backdoors can also provide the ultimate weapon when trying to steal your enemy's plans for the next war.

Protecting your software against piracy is imperative not only to prevent financial loss but also to prevent all kind of malicious activity that might, at the end of the day, be connected to your name.

Activate Your Data-Driven Compliance Program

Add new license revenue by detecting, identifying and converting unpaid users into paying customers.

Michael Goff

Post written by Michael Goff

Marketing Director at Revulytics
Michael is Marketing Director at Revulytics where he is responsible for corporate marketing, content, and social media. He has helped to educate the industry on the benefits of software usage analytics for compliance and product management through the company's blog and contributed articles in trade publications. Michael was previously a marketing programs manager at The MathWorks and principal at Goff Communications. Michael earned a J.D. from Boston University School of Law and a B.A. from Colgate University.