How does piracy work? – malware

This should be the last post in the series of articles that I called Piracy – How does it work.

Not the last post about piracy though.

So after the piracy organizations find the right product, put it online and start collecting revenue from it through several channels, each with good advertising behind it, what else can they do to take advantage of that pirated product?

It’s simple: they can place malware inside the cracked product’s distribution package.

In the case of movies, ebooks and other virtual items that are not strictly software, that can be done by placing a file, somehow, inside the zip, but obviously an expert eye could find it. So the best opportunity to bundle malware with a product comes when the product is software.

The exe structure of Windows executables allows anybody to attach, literally append, an exe to another exe. The operation can be done with mergers or even manually, by opening the product and the malware with a hex editor and appending the viewable code of the malware to the software that is being pirated. Basically something like this:

|---- software bytes ----|
|---- malware bytes ----|

So as soon as you get to the last byte of the software you have, immediately after it, the first byte of the malware. Once you launch the software, and that is true for any exe attached to another exe in Windows, Windows will execute the first one (the software) and immediately after the second one. Try it.

The result is that the malware gets executed too, and if it’s a custom file, not a well-known and widespread virus, most antivirus products will not recognize it, since they usually concentrate on known patterns of code.

What kind of malware is usually attached to pirated software? I would rather not get into a discussion about the taxonomy of viruses, since it’s boring, done better by others and, like any taxonomy, long. But the answer comes easily if you think about what those organizations are looking for:
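A defender can spot the append layout described above by parsing the PE headers and checking whether the file continues past the end of its last section. The following Python is an added example, not code from the original post; `pe_overlay` and `build_sample_pe` are hypothetical names and the sample bytes are constructed. Signed files and installers also carry trailing data, so a hit is a triage signal rather than a verdict.

```python
import struct

def pe_overlay(data: bytes):
    """Return (offset, length, starts_with_mz) for bytes past the last section, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)        # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size                           # first section header
    end = table + 40 * num_sections                            # headers belong to the image
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    if end >= len(data):
        return None
    # An overlay that itself begins with "MZ" matches the exe-appended-to-exe layout
    return end, len(data) - end, data[end:end + 2] == b"MZ"

def build_sample_pe(body: bytes = b"\xCC" * 0x200) -> bytes:
    """Constructed PE layout with one .text section (sample data, not a real program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(body), 0x1000,
                          len(body), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + b"\0" * 0xE0 + section
    return headers.ljust(0x200, b"\0") + body                  # section data starts at 0x200

if __name__ == "__main__":
    clean = build_sample_pe()
    for name, blob in (("clean", clean), ("merged", clean + build_sample_pe())):
        print(name, pe_overlay(blob))
```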

- passwords (credentials) for bank accounts, PayPal emails, website admins

- computers that can be used as bots in several activities like:

  1. ad-click scams
  2. DoS/DDoS, bandwidth burners
  3. proxies

1) Imagine a game like Need For Speed that has been cracked and placed in the distribution circuit. Imagine how many people are looking for the free (cracked) version and actually download and install it; let’s assume 1 million gamers. Now imagine that there’s a little piece of malware attached to the main exe of the game, and that it contains the software to click on Google ads. It does not have to move your mouse: it will simply get the ad URL (something like…) from a central server, through a cookie or whatever, and then open a connection, not visible to you, from your computer to that URL.

Once the 1 million installed copies of the malware get that URL, they will start visiting it periodically, replacing the old gclid value with the new one (it’s randomly generated by Google, guess why…). Let’s say 100 of them go there, another hundred go to another ad URL, each one at an interval of 30 or 40 or however many seconds you like, so that it looks like a legit click coming from a legit computer. Let’s say that the ad URL is placed somewhere on a website called  and that is owned by the same piracy organization that included the malware in the game and is distributing the game.

Let’s add that the websites to which the ad URL points might be many, and you get the complete overview of the scam. In my experience, for example, I saw very high click-through percentages for websites like Softpedia, Brothersoft, many .ru, many many Mexican websites, but also Hong Kong and Singapore and many others that are usually owned, run or located in India or Russia, Malaysia, China too, but I would stick mainly to the first 2 countries for this kind of scam.

2) If you get 1 million computers with malware installed that can point to any URL you like without even making the computer’s owner suspicious, then you can organize all the DDoS attacks you like, blackmail websites or burn their bandwidth without even getting to a DDoS. So if you also run an e-store whose competitors are better than you, you can make them very weak.

3) The malware might be software written to proxy a connection, so that if you got the PayPal email and password of a user in Germany, you can use one of your German infected computers to make a transaction without letting PayPal fear that something wrong is going on. If you want to pay using the stolen account of a German citizen that has a login history exclusively from Germany but you live in New Delhi… even a slow giant like PayPal will smell that something is wrong.

That’s the reality behind your cracked game or downloaded movie. That’s sad, dangerous, illegal and unfair. It is more than all the words you can use to describe it. It’s dirty, smells of shit and ok, close your eyes but the shit will still be there and your computer won’t be only yours anymore.

Is it always like this? Well, if you ask me that, let me ask you a question: does it change that much if it affects only 10% of the movies or 20% of the cracked software? 20% of 2 billion internet users is a big number, and you are gifting the internet to some groups of people with no care about ethics. Consequences will be there and sooner or later will affect you too.
