Is malware distributed with pirated software actually common?
An often-repeated piece of conventional wisdom goes like the following.
Don't download pirated software; it often contains malware.
I'm curious to know if there are any hard facts to back up this claim.
I've seen plenty of software vendors making this claim over the years, but they have a vested interest in having people believe pirating their software is risky.
There are many anecdotal claims out there on the internet, such as Software Cracks: A Great Way to Infect Your PC, but even the provided stats are vague.
For the sake of this question, only pirated software distributed with malware counts, not completely fake software that is actually just malware in disguise trying to trick people into running it.
Are there hard statistics to back up the claim that actual pirated software commonly contains malware?
If so what is the risk factor?
I realize the risk is non-zero, which many would consider good enough to steer clear of P2P networks (I only install software from trusted sources myself), but I'm curious to know how much of this is actually true and how much is just propaganda.
UPDATE: For the sake of narrowing down software, we can exclude operating systems like Windows.
What type of software are you referring to? This may be different from the point of view of an Operating System (i.e. Windows), mainstream application (i.e. MS Office or Photoshop), or a less-prominent software application.
Seeing how the vast majority of people here make a living from *selling* software, one would have to reply: _"Yeah, definitely. You're going to die."_ That being said: related to / near dupe of: http://security.stackexchange.com/questions/124356/is-there-now-an-increased-risk-of-ransomware-in-pirated-software ... no wait, that is the wrong dupe... there is an almost identical one from not long ago though...
From the experience of acquaintances who're into living free, just often enough that you should get really familiar with doing good, fully recoverable system backups and be willing to lose intermediate stuff.
@GeorgeBailey Good point. I wasn't considering operating systems. Tough to draw a line on mainstream vs non though.
Just considering a large company with >1m customers may have secured their software quite differently from an up and coming company with 1k users. It could also affect the percentage-share of malware-injected piracy.
Anecdotally I know it to be true, thanks to my kids. For an actual study with hard numbers and statistics, there are some in here: https://news.microsoft.com/download/presskits/antipiracy/docs/IDC030513.pdf (mainly in the footnotes.)
Finding statistics for this is rather difficult, but here are some sources that are close (I say close, because most look at platforms that are often used to distribute pirated software, but also to distribute legal software).
The percentage of malware seems to vary greatly based on distribution - eg P2P like Kazaa and Limewire contain more malware than torrents - and type of pirated software.
Moshchuk et al performed a study where they crawled the web and looked for spyware. They classified the websites, and in the category "pirate", 7.1% of the domains contained some malware. Other categories were "adult" (7.5% contained malware), "celebrity" (7.6% contained malware), "games" (20% contained malware), or "news" (0% contained malware). (Moshchuk et al, 2006. A Crawler-based Study of Spyware on the Web.)
From a paper looking at torrent sites:
18.5% of all downloads contained malware (Berns & Jung, 2008. Searching for Malware in BitTorrent.)
Applications like key generation apps seem to be more likely to be infected (which makes sense, as they are smaller, and there is no need to first crack a legitimate program).
I wasn't able to find the original paper, but Bruce Hughes seems to have done research regarding malware in Kazaa:
Bruce Hughes [...] found that about 45% out of 4,778 files he downloaded with Kazaa contained malicious code (Dowland & Furnell, 2006. Advances in Networks, Computing and Communications 3.)
Here is a study analyzing Limewire:
Our results from over a month of data show that 68% of all downloadable responses in Limewire containing archives and executables contain malware. [...] [I]n Limewire, the top three most prevalent malware account for 99% of all the malicious responses. (Kalafut et al, 2006. A Study of Malware in Peer-to-Peer Networks.)
From a 2006 study sponsored by Microsoft:
11% of the key generators and crack tools downloaded from Web sites and 59% of the key generators and crack tools downloaded from peer-to-peer networks contained either malicious or potentially unwanted software. (Gantz et al, 2006. The Risks of Obtaining and Using Pirated Software.)
Note the phrasing of "potentially unwanted software", which includes toolbars, which are often bundled with non-pirated software as well.
This report by Microsoft states that 14% of Web or P2P downloads contained viruses, trojans, or keyloggers.
The warez scene sees things a bit differently of course. Here for example is an article which describes how the scene reacted to a group that distributed malware.
It should also be noted that legitimate software may not be free of spyware; especially DRM software may act as a rootkit and may contain backdoors or otherwise make a system vulnerable to outside attacks (see e.g. Sony BMG or UPlay).
Those stats are larger than I expected, I wonder if they are still roughly accurate today. I totally agree on the legit software having malware. Loads of legit software in the Windows world comes with a friendly little installer offering malware of some form or another.
Downloading pirated software is a crime in many countries and visiting websites involved with pirating puts you at risk of getting viruses not only from the software itself, but also from rogue advertising since criminal gangs are involved.
Regardless of the fact that many people download and run pirated software and movies, nearly all of them contain some kind of malware. And moreover, these trojans hide themselves from detection pretty well, as nobody cares about chasing malware in pirated content. Even if an antivirus grabs one, users normally put it into the exceptions and don't care, based on an assumption that "antiviruses don't like cracked software", while in fact cracked software and free movies do contain malware.
The file does not need to be executable to infect your PC. Normally it contains only a minimal payload in any type of file which then exploits a vulnerability in your PC so it can run and then it downloads the rest from the internet.
Also, extremely bad things happen sometimes. The best example was a pirated version of XCode for MacOS which was backdoored and went undetected for a long time in China. It wasn't classical piracy, it was just an unauthorized download, so if you have a chance to download authorized software, do so.
Note that it wasn't typical malware, but it was a modified development stack which basically hid malware in numerous applications built with it and then spread onto mobile devices via the AppStore. So it was a free application, but unauthorized - that's why it's best to get only valid content.
Regarding legal software and malware, such as Windows 10, there have been rumors that Microsoft can read any data from your hard drive, which isn't true. The quoted text from the EULA which was published on many websites was modified by removing important words, so that the whole sentence has an incorrect meaning. The point is that when you are using online services like Outlook365 or Google Drive, you send that data to the provider. However, this data is encrypted during transfer and at rest in the cloud, and the key is derived from your password. For criminals it's easier to break into your PC than into the cloud.
Finally, the answer to your question based on statistical data from BitTorrent would be "Yes". I can't publish in which torrents I have found it - just how I found it. For example, I got one WMV file which wasn't detected by Panda, but then it downloaded another payload which was detected by Panda but not by Avast. In another instance, there was a program downloaded which had remote control built in and was contacting a host on the internet, which was detected by the IDS. In another instance, the downloaded key logger software had a backdoor which was neutralized by Kaspersky AV.
I'd suggest trying trials and free games. There are more of them every year and these are very often full-fledged products. You can also obtain free games during promotions and competitions. Very often there are lowered prices some time after the product is released (e.g. on Amazon). There are also many promotions in many online stores during certain periods of the year. Note that this is the case for the most well-known and reputable sources. Any unknown website selling cheap software is very likely selling pirated copies, and very likely with embedded Trojans. Try to pay less for the hardware; it's a lot cheaper today, and you can buy very good business laptops and desktops for a third of the price.
Hmm, the XCode issue does add a new dimension to this. XCode has been legitimately free for years, so it's not quite the same situation as a typical piece of pirated software, but definitely worthy of note.
Where are the "hard statistics to backup the claim that actual pirated software commonly contains malware" the question explicitly asked about? You mentioned "statistical data from BitTorrent" but forgot to mention a source for those statistics.
Let's talk about a hypothetical man named Jim. Jim is a good friend of mine, and Jim has downloaded hundreds of files illegally from major piracy sites on the internet. Jim has always been cautious, and only used the highly rated and downloaded files from these major websites. In Jim's entire life, he has gotten only a couple of viruses from anywhere, let alone these files.
Certainly, if you merely go by the amount of malware you are likely to find anywhere on the internet there is an incredible amount. But the idea that every illegal file is very likely to have malware is downright ridiculous. This is a huge market driven by fairly honest if morally questionable people, and just like everything on the internet you're pretty safe if you use common sense.
I absolutely believe that programmers should be paid for their hard work, being one myself. That being said I will never agree with the scare campaigns that companies use to drive their bottom line. This is no different than telling people ad blocker will give them a virus. I think people should buy software because it's the best option available, not that they should be forced to because it's seen as the only option.
The problem with this pirate industry is trust. In the case of legitimate software, you have a company name and address you can complain to. They have a reputation they don't want to lose, so they're less likely to publish malicious software. Pirates, on the other hand, have only pseudonyms which they can change any day. They don't lose anything by publishing malware.
Where are the "hard statistics to backup the claim that actual pirated software commonly contains malware" the question explicitly asked about?
How do you know Jim has only gotten a couple of viruses/trojan horses? The best malware will be subtle and hide traces of its presence. The question isn't about illegal files in general (like mp3s or movies, where exploits would be harder and only work in flawed players), but specific to illegal software, where by definition the software has executable permission and may do more than you expect. E.g., it could join your computer to a botnet that doesn't max out your CPU (but uses a core or two occasionally) or just steal passwords and other information.
I will admit that I can't provide any hard statistics, but this is because there is no way to gather statistics. Like gathering statistics about any crime, only the reported ones can be looked at. And the ones that are reported are, by nature, malware, making statistics useless. The only thing I can tell you is that Jim has been perfectly fine. And as to hidden malware, Jim uses anti-virus and monitors his computer and as far as he knows doesn't have any malware. He has also never had his identity stolen on any of his accounts.
Many of the techniques pirates use to circumvent DRM are the sorts of techniques that also run afoul of virus scanners. It's no coincidence most pirated software tells you to disable your antivirus when installing.
The Sims had a big problem with hackers dropping RATs in pirated content of the game so they could spy on teenage girls' webcams.
Who ever knows what else they're packaging in there, but botnets don't build themselves. They could be mining bitcoins with your spare CPU cycles, or your PC could now be part of a distributed LOIC. Games are an easy vector for spreading malware since they're usually installed by kids who won't think twice about installing any- and every-thing with admin privileges.
Nobody has the time or inclination to reverse engineer every distributed copy of every crack on the market, which is part of the reason why you're told "piracy == malware" in the first place. There are enough bad actors in there for it to be a concern. You just never know what you're getting unless you're trained in malware reversal, in which case you're probably paid enough to purchase your entertainment like a responsible adult.
The cracks could contain viruses, but the probability of this is overrated.
To understand why the antivirus catches some cracks and marks them as malware (viruses, worms, etc.), you should know some things:
- the way cracks work;
- the way antivirus software works (when trying to detect unknown viruses)
Antivirus software detection approach
It uses a few methods of detecting viruses. The simplest one is detection by matching parts of the malware body (signature-based detection). It is powerless against advanced malware.
Another approach is emulation of the executable file and looking for virus/malware behavior. What virus/malware behavior is:
- Changing executable files.
- Injecting code into program threads.
- Monitoring user’s behavior: recording keystrokes, etc…
Crack - techniques of avoiding genuine checks
Now I will mention two kinds of implementing cracks and say a few words about each of them.
Patching an executable file
The crack opens an executable file (.exe, .dll, …) and makes corrections inside it to avoid checks for legality. Changing executable files is a typical action for viruses, and the antivirus could produce a false positive result.
Injecting code into program threads
This is some kind of in-memory hack to cheat checks for legality. Again, it is typical for viruses, and the crack could be detected as a virus.
So two of the most common approaches to implementing cracks are highly suspicious actions, which could make the AV software think the crack is a virus.
P.S. Compilers, for example, perform some of these virus-specific actions. But compilers are signed with the private keys of the producing company (e.g. Microsoft), which guarantees (though not absolutely) that this behavior is safe.
P.S.2. From time to time some AVs mark regular software as a virus. In this case the producing company contacts the AV vendor and the case is investigated. When it is confirmed that it is a false positive, the AV is fixed. This procedure is not done for cracks, for many reasons.
P.S.3. I am almost sure that some corporations pay AV vendors to mark the cracks as malware. This is some kind of measure against software piracy.
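As an added illustration of the two detection approaches described in this answer (example code, not from the answer itself), here is a small Python script with constructed sample bytes: a signature scan that stops matching once a single byte of the sample changes, beside a SHA-256 integrity check that flags any modification to a shipped executable, which is how a defender detects a patched binary regardless of what the patch does. The signature name, byte patterns and sample "executables" are all constructed for the demonstration.

```python
import hashlib
from typing import Dict, List

# Constructed, hypothetical detection signature: a byte pattern a scanner
# would look for verbatim inside a file (signature-based detection).
SIGNATURES: Dict[str, bytes] = {
    "Test.Dropper.A": b"\x55\x8b\xec\x90\x90\xe8\x13\x37",
}

def signature_scan(data: bytes, sigs: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Signature-based detection: report every signature found verbatim in data."""
    return [name for name, pattern in sigs.items() if pattern in data]

def patch_bytes(data: bytes, offset: int, new: bytes) -> bytes:
    """Overwrite bytes at offset, simulating an in-place modification of a file."""
    return data[:offset] + new + data[offset + len(new):]

def known_good_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the SHA-256 of each file as shipped (the integrity baseline)."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in files.items()}

def verify_integrity(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return the names of files whose current hash differs from the baseline."""
    return [name for name, body in files.items()
            if hashlib.sha256(body).hexdigest() != manifest.get(name)]

# Constructed sample "executables": a fake 16-byte header followed by a body.
HEADER = b"MZ" + b"\x00" * 14
CLEAN_APP = HEADER + b"constructed fake executable body, no malware"
PATCHED_APP = patch_bytes(CLEAN_APP, 16, b"PATCHED")       # modified copy of CLEAN_APP
MAL_SAMPLE = HEADER + SIGNATURES["Test.Dropper.A"] + b"payload"
MAL_VARIANT = patch_bytes(MAL_SAMPLE, 19, b"\x91")         # one byte of the signature changed

if __name__ == "__main__":
    manifest = known_good_manifest({"app.exe": CLEAN_APP})
    print("signature hits, original sample:", signature_scan(MAL_SAMPLE))
    print("signature hits, one-byte variant:", signature_scan(MAL_VARIANT))
    print("integrity failures, clean copy:", verify_integrity({"app.exe": CLEAN_APP}, manifest))
    print("integrity failures, patched copy:", verify_integrity({"app.exe": PATCHED_APP}, manifest))
```

The signature scan misses the one-byte variant entirely, while the hash check reports the patched copy without needing to know anything about the patch, which is why vendor-signed or hash-verified distribution is the defender's answer to both cracks and the malware bundled with them.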
I think it's worth mentioning that, in some targeted cases, it is a very real threat.
For instance, consider what happened to one of the Panic developers. As a result of the recent Handbrake incident, source code was potentially leaked to a malicious party, whose modus operandi would likely lead to cracked versions of the stolen software with malware embedded in it.
Although, as has been mentioned on here many times already, it's hard to find solid statistics on the matter for the general case. I think it's fair to say that you're more likely to run into trouble with pirated material than non-pirated material.