2

There are many big torrent uploaders, some marked as 'VIP' or 'Trusted' and whatnot with many seeders and good reviews. How likely is it that their software is malicious with some kind of evasive rootkit? They are reverse engineers after all.

What else could these uploaders gain from cracking software and releasing it for free to thousands of users? Why bother with it at all and risk getting caught? Do they do it merely for the fame and reputation?

forest
user201668
  • Would you trust something of unknown origin just because it says *trusted*? – ThoriumBR Mar 12 '19 at 02:52
  • A torrent website with a lively community will usually have people in the comments flagging an infected torrent. That being said, the chances are much higher than other places, especially with keygens, patchers and other .exe files. If you have some malware analysis knowledge and run everything through an interactive dynamic analysis service like any.run you can be relatively safe, but it'll never be as safe as legit sources. – J.A.K. Mar 12 '19 at 03:36
  • Please remember that, even on trusted sites, there may be misleading ads with those big "download now" buttons that try to trick you into clicking the ad instead of the actual download. Those may download programs bundled with adware or worse. It can sometimes take a little mental effort to distinguish the actual torrent download from the ads (this is made a little less problematic with the popularity of magnet links). – forest Mar 12 '19 at 07:57
  • `A torrent website with a lively community will usually have people in the comments flagging an infected torrent.` Not if the malware has been packed / crypted to be FUD against all AV. https://en.wikipedia.org/wiki/Fully_undetectable – Nomad Mar 12 '19 at 11:56
  • FUD only lasts as long as large numbers of AV providers haven't got a hold of it. A file which has been available for some months with tens of thousands of downloads has likely been seen already by a number of AV providers. – William Dunne Mar 12 '19 at 17:13

2 Answers

3

In most cases no.

The largest torrent communities do not allow any type of malicious activity, and uploaders are most of the time very trusted members of the community. Any attempts to spread anything are countered very fast.

Of course, a smaller site can have the objective of trapping and infecting users, but it will be quick to spot and the community will know.

As for the actual cracked software, the main groups, which are now mostly veterans in the industry, do not add any type of spyware to their releases. The exceptions to this are so few that you can count them on your fingers, compared to the thousands of releases done by each group.

Note that antivirus programs can detect a group release as dangerous, but that is normal behavior.

Why do the groups do it? Well, because they can and because it teaches a lesson to the developers. For many years now, developers have focused on anti-piracy instead of the quality of the product. They end up making DRM so bad that not even legit buyers can properly use the product (see examples like SecuROM). Contrary to that, the ones that invested in product quality instead of copy protection, and did not even use a copy protection, had larger sales than the over-protected ones. So the DRM-supporting developers defeated themselves because they had no desire to make a good product and wanted only massive sales instead. The situation is becoming even worse today, with all games going MMO and software going to a subscription-based system. Developers scam the clients out of their money with pre-release packs, and then the client ends up with a disaster of a product (see the recent example - Fallout 76 aka Failout 76).

Yes, there is a reputation system between the big groups, and practically whoever releases something first has the biggest rep, but sometimes they can hurry too much and have a bugged result, in which case another group makes a 'proper' release and bashes the initial group a little. Such cases are relatively rare though.

As for the clients, in many cases (and since many years back) it is more convenient to use such software because it's actually cleaner than the original. All the crapware that could interfere with the functionality of other things is removed and you get what you would actually want: a working game or program that does not break anything else in order to work. Years back, many preferred to actually get (buy) the original games but use a cracked version because it actually worked better and did not break anything in the system.

Note that GOG (Good Old Games) managed to make deals with the big companies, and what they actually sell is copy-protection free. This is a big thing, very helpful for users overall.

So from a security perspective, as an example, I can hands down say that a release from a group (or an official GOG one) is safer to use than the original, even today. Today's copy protections are less system-damaging overall, but you still usually have to install various game clients or other programs just to make your original games work, and in many cases you need a constant internet connection, which is another inconvenience. Each big company has its own game client, so you'll end up with about 10 useless things running in the background only for your favorite games to work.

Overmind
  • At the time, I was an active member (cracker/keygenner) in two of the most notorious cracking teams for several years, and I can guarantee you that there was no such thing as "teaches a lesson to the developers"! It was all about fun, sharing knowledge and sometimes gaining some rep in the community. – Soufiane Tahiri Mar 12 '19 at 08:36
  • Well, it's an indirect effect at least. And some did focus on exposing bad things devs did that were affecting their product's performance on all clients just to favor a specific segment of them. I can give you what happened in Doom 3's case if you want (but via a chat, since this is not the proper place for such a talk). – Overmind Mar 12 '19 at 08:41
  • Some do it for fun and some are just [pissed off](https://darknetdiaries.com/episode/16/) when DRM prevents them from using legal products. – Esa Jokinen Mar 13 '19 at 04:01
1

Your first assumption is not necessarily (and probably not at all) true.

Torrent uploaders have nothing to do with reverse engineering in most cases. The trustees of a torrent / warez community come from the community itself. The more "notorious" a community is (I think about demonoid, learnflakes...), the less likely they are to share, or let someone else share, malicious stuff, but as J.A.K. said, it will never be as safe as getting your "binary" from a legit source.

> What else could these uploaders gain from cracking software and releasing it for free to thousands of users?

There are teams of reverse engineers (crackers, keygenners...) who do nothing but release patches (cracks, keygens, loaders...), and they usually have nothing to do with torrent communities.

> Why bother with it at all and risk getting caught? Do they do it merely for the fame and reputation?

Because it's fun! And sometimes, YES, for some reputation (inside the RE community).

Soufiane Tahiri