Is malware distributed with pirated software actually common?

Question

An often-repeated piece of conventional wisdom goes like the following.

Don't download pirated software, they often contain malware.

I'm curious to know if there are any hard facts to backup this claim.

I've seen plenty of software vendors making this claim over the years, but they have a vested interest in having people believe pirating their software is risky.

There are many anecdotal claims out there on the internet, such as Software Cracks: A Great Way to Infect Your PC, but even the provided stats are vague.

For the sake of this question, only pirated software distributed with malware counts, not completely fake software which are actually just malware in disguise trying to trick people to run it.

---

Are there hard statistics to backup the claim that actual pirated software commonly contains malware?

If so what is the risk factor?

I realize the risk is non-zero, which many would consider good enough to steer clear of P2P networks (I only install software from trusted sources myself), but I'm curious to know how much of this is actually true and how much is just propaganda.

UPDATE: For the sake or narrowing down software, we can exclude operating systems like Windows.

Answer 1

Finding statistics for this is rather difficult, but here are some sources that are close (I say close, because most look at platforms that are often used to distribute pirated software, but also to distribute legal software).

The percentage of malware seems to vary greatly based on distribution - eg P2P like Kazaa and Limewire contain more malware than torrents - and type of pirated software.

---

Moshchuk et al performed a study were they crawled the web and looked for spyware. They classified the websites, and in the category "pirate", 7.1% of the domains contained some malware. Other categories were "adult" (7.5% contained malware), "celebrity" (7.6% contained malware), "games" (20% contained malware), or "news" (0% contained malware). _{Moshchuk et al, 2006. A Crawler-based Study of Spyware on the Web.}

---

From a paper looking at torrent sites:

18.5% of all downloads contained malware _{Berns & Jung, 2008. Searching for Malware in BitTorrent.}

Applications like key generation apps seem to be more likely to be infected (which makes sense, as they are smaller, and there is no need to first crack a legitimate program).

---

I wasn't able to find the original paper, but Bruce Hughes seems to have done research regarding malware in Kazaa:

Bruce Hughes [...] found that about 45% out of 4,778 files he downloaded with Kazaa contained malicious code _{Dowland & Furnell, 2006. Advances in Networks, Computing and Communications 3.}

---

Here is a study analyzing Limewire:

Our results from over a month of data show that 68% of all downloadable responses in Limewire containing archives and executables contain malware. [...] [I]n Limewire, the top three most prevalent malware account for 99% of all the malicious responses._{Kalafut et al, 2006. A Study of Malware in Peer-to-Peer Networks.}

---

From a 2006 study sponsored by Microsoft:

11% of the key generators and crack tools downloaded from Web sites and 59% of the key generators and crack tools downloaded from peer-to-peer networks contained either malicious or potentially unwanted software._{Gantz et al, 2006. The Risks of Obtaining and Using Pirated Software}

Note the phrasing of "potentially unwanted software", which includes toolbars, which are often bundled with non-pirated software as well.

---

This report by Microsoft states that 14% of Web or P2P downloads contained viruses, trojans, or keyloggers.

---

The warez scene sees things a bit differently of course. Here for example is an article which describes how the scene reacted to a group that distributed malware.

It should also be noted that legitimate software may not be free of spyware, especially DRM software may act as a rootkit and may contain backdoors or otherwise make a system vulnerable to outside attacks (see eg Sony BMG or UPlay).

Answer 2

Downloading pirated software is a crime in many countries and visiting websites involved with pirating puts you at risk of getting viruses not only from the software itself, but also from rogue advertising since criminal gangs are involved.

Regardless the fact that many people download and run the pirated software and movies, nearly all of them contain some kind of malware. And moreover, these trojans hide themselves from detection pretty well as nobody cares about chasing malware in pirated content. Even if antivirus grabs one, users normally put it into exception and don't care, based on an assumption that "antiviruses don't like cracked software", while in fact, cracked software and free movies do contain malware.

The file does not need to be executable to infect your PC. Normally it contains only a minimal payload in any type of file which then exploits a vulnerability in your PC so it can run and then it downloads the rest from the internet.

Also, extremely bad things happen sometimes. The best example was a pirated version of XCode for MacOS which was backdoored and went undetected for long time in China. It wasn't classical piracy, it was just an unauthorized download, so if you have a chance to download authorized software, do so.

See this: Chinas Awful Internet Speed Has Spread Malware to Millions of Smartphones and this: Novel Malware XcodeGhost Modifies Xcode Infects Apple iOS Apps and Hits App Store

Note that it wasn't typical malware, but it was modified development stack which basically hid malware in numerous applications built with it and then spread onto mobile devices via the AppStore. So it was a free application, but unauthorized - that's why it's best to get only valid content.

Regarding legal software and malware, such as Windows 10, there have been rumors that Microsoft can read any data from your hard drive, which isn't true. The quoted text from the EULA which was published on many websites was modified by removing important words, so that the whole sentence has an incorrect meaning. The point is, that when you are using online services like Outlook365 or Google Drive, you send that data to the provider. However, this data is encrypted during transfer and at-rest in cloud and the key is derived from your password. For criminals it's easier to break into your PC than into the cloud.

Finally, the answer to your question based on statistical data from BitTorrent would be "Yes". I can't publish in which torrents I have found it - just how I found it. For example, I got one WMV file which wasn't detected by Panda, but then it downloaded another payload which was detected by Panda but not by Avast. In another instance, there was a program downloaded which had remote control built-in and it was contacting a host on the internet, which was was detected by the IDS. In another instance, the downloaded key logger software had a backdoor which was neutralized by Kaspersky AV.

I'd suggest trying trials and free games. There's more of them every year and these are very often full fledged products. You can also obtain free games during promotions and competitions. Very often there are lowered prices some time after the product is released (e.g. on Amazon). There are also many promotions in many online stores during certain periods during the year. Note that this is the case for the most well known and reputable sources. Any unknown website selling cheap software is very likely selling pirated copies and very likely with embedded Trojans. Try to pay less for the hardware, it's a lot cheaper today, you can buy very good business laptops and desktops for a third of the price.

Answer 3

Let's talk about a hypothetical man named Jim. Jim is a good friend of mine, and Jim has downloaded hundreds of files illegally from major piracy sites on the internet. Jim has always been cautious, and only used the highly rated and downloaded files from these major websites. In Jim's entire life, he has gotten only a couple viruses from anywhere, let alone these files.

Certainly, if you merely go by the amount of malware you are likely to find anywhere on the internet there is an incredible amount. But the idea that every illegal file is very likely to have malware is downright ridiculous. This is a huge market driven by fairly honest if morally questionable people, and just like everything on the internet you're pretty safe if you use common sense.

I absolutely believe that programmers should be paid for their hard work, being one myself. That being said I will never agree with the scare campaigns that companies use to drive their bottom line. This is no different than telling people ad blocker will give them a virus. I think people should buy software because it's the best option available, not that they should be forced to because it's seen as the only option.

Answer 4

Absolutely.

Many of the techniques pirates use to circumvent DRM are the sorts of techniques that also run afoul of virus scanners. It's no coincidence most pirated software tells you to disable your antivirus when installing.

The Sims had a big problem with hackers dropping RATs in pirated content of the game so they could spy on teenage girls' webcams.

Who ever knows what else they're packaging in there, but botnets don't build themselves. They could be mining bitcoins with your spare CPU cycles, or your PC could now be part of a distributed LOIC. Games are an easy vector for spreading malware since they're usually installed by kids who won't think twice about installing any- and every-thing with admin privileges.

Nobody has the time or inclination to reverse engineer every distributed copy of every crack on the market, which is part of the reason why you're told "piracy == malware" in the first place. There are enough bad actors in there for it to be a concern. You just never know what you're getting unless you're trained in malware reversal, in which case you're probably paid enough to purchase your entertainment like a responsible adult.

Answer 5

The cracks could contain viruses but probability of this is overrated.

To understand why the antivirus catches some cracks and marks them as malware (viruses, worms, etc.), you should know some things:

• the way of working of cracks;
• the way of working of antivirus software (when trying to detect unknown viruses)

Antivirus software detection approach

It uses few methods of detecting viruses. The simplest one is detection with matching parts of malware body (signature-base detection). It is powerless for advanced malware.

Other approach is emulation of executable file and looking for virus/malware behavior. What is virus/malware behavior:

• Changing executable files.
• Injecting code into program threads.
• Monitoring user’s behavior: recording keystrokes, etc…

Crack - techniques of avoiding genuine checks

Now I will mention two kinds of implementing cracks and I will tell some words for each of them.

Patching an executable file

The crack opens a executable file (.exe, .dll, …) and make corrections inside it to avoid checks for legality. Changing executable files is specific action for viruses and the antivirus could create false positive result.

Injecting code into program threads

This is some kind of in-memory hack to cheat checks for legality. It is typical again for viruses and the crack could be detected as a virus.

Conclusion

So two of the most common approaches of implementing cracks are highly suspicious actions, which could make the AV software think the crack is a virus.

P.S. Compilers for example do some of this virus specific features. But compilers are signed with private keys of producing company (e.g. Microsoft), which guarantees (but not absolute) what this behavior is safe.

P.S.2. From time to time some AVs mark regular software as virus. In this case the producer company contact the AV and the case is investigated. When it is sure that that is a false positive, the AV is fixed. This procedure is not done for cracks, for many reasons.

P.S.3. I am almost sure that some corporations pays AVs to mark the cracks as malware. This is some kind of measure against software piracy.

Answer 6

I think it's worth mentioning that, in some targeted cases, it is a very real threat.

For instance, consider what happened to one of the Panic developers. As a result of the recent Handbrake incident, source code was potentially leaked to a malicious party, whose modus operandi would likely lead to cracked versions of the stolen software with malware embedded in it.

Although, as has been mentioned on here many times already, it's hard to find solid statistics on the matter for the general case. I think it's fair to say that you're more likely to run into trouble with pirated material than non-pirated material.

Answer 7

Yes. These games can appear to work, but they might actually have a virus in them. And some can just infect your computer without even starting the game! Like a "Continue download" icon or just putting a self activating virus there! tl;dr Yes it can.