Thursday, May 17, 2007

understanding the malware threat of pirated software

recently both symantec and sophos have come out with statements to the effect that pirated software represents a security risk to users' computers and/or identities...

i haven't seen anyone crying FUD about sophos' claims (at least not this time, maybe next time) but mitchell ashley had some choice words about symantec's claims... while i think i've expressed myself well enough in the comments to that post, the existence of that post and that sentiment makes me think some explanations need to be made more pronounced than they would be as simple comments...

the basic premise is that pirated software might damage users' machines or steal their identities... the way this would happen is that the pirated copy of the software would have some malware functionality added to it (a trojanized installer, for example) or would be replaced outright with malware...

the question is whether that is a credible threat and whether there is a good reason to mention it... if the answer to either of those is no then claims like those made by symantec really would qualify as FUD...

one of the oldest safe-hex tips was to only get software from trusted/official sources... this was meant to counter the major malware vectors of the day: warez (pirated software), bulletin board systems, and floppy disks... i personally have encountered a number of people over the years who ran into malware problems precisely because they didn't follow this safe-hex principle... floppy disks and bbses are all but extinct now, but the warez scene is still around (otherwise we wouldn't be talking about software piracy) and so is still a viable malware vector... it's not an accidental malware vector either: numerous virus writers and virus spreaders have in the past targeted the warez scene, successfully spreading their malware through it and demonstrating how rich it is in risk-taking computer users... malware profiteers in today's commercial malware world would have to be short-sighted indeed to pass up such fertile and proven ground...

of course, in the specific case symantec is referring to, the users weren't getting their software from some warez site (at least not to their knowledge)... they weren't engaging in obviously risky behaviour, but rather purchasing the software from commercial pirates fraudulently posing as authorized resellers...

now you may think that the fact that they're commercial pirates in it for the money removes the conventional warez-associated risks, but let's look at that more closely... being in it for the money doesn't mean they don't have other motives... in fact, if you were a malware profiteer trying to deploy bots (for example), why not devise a social engineering ploy that bundles the bots with seemingly legitimate software, with the added bonus that charging your victims money makes the software's legitimacy more believable?... additionally, some employees of the commercial pirate organization may be disgruntled enough to tamper with the software, or it may get contaminated accidentally - commercial pirates don't care about their falsified reputation enough to enforce strict quality controls, and if something goes wrong they can simply blame the actual vendor... speaking of which, the software the commercial pirate is selling may not have come from the actual vendor at all but from a warez site, with all the associated risks but none of the transparency about those risks that would allow the customer to gauge their risk exposure accurately...

so the threat seems plenty credible to me, but you might still wonder whether it's worth mentioning the risk if there haven't been any actual reports of anything bad in the pirated software... if you're thinking like this then i can only tell you that you're thinking like a victim... in my experience victims usually think things are safe unless something specifically says they aren't... if you don't want to be a victim you need to turn that around and (as i'm sure robin bloor, marcus ranum, and many other anti-virus detractors/whitelist enthusiasts would suggest) start considering all software to be inherently untrustworthy by default unless given good reason to think otherwise...

1 comment:

Anonymous said...

Couldn't agree more. Who would invest the time and above all the legal risk to break the software anti-piracy protection with no return on that investment at all? I think the individuals who ever run a keygen software are greedy and ignorant. After all, there are free alternatives to almost all commercial software I can think of. One only needs to be interested in finding it. See: LINUX, OpenOffice.org, GIMP, Kino, Audacity, Evolution Mail, Inkscape, .... DON'T STEAL. IT'S AVAILABLE FOR FREE!