Fools Gold: The Hidden Cost of "Cracked" Software (Part 1)
NOTE: This content was derived from my presentation @ the 2022 Texas Cyber Summit, with a few additions from the current threat landscape.
Opening Pandora's Box
It is a tale as old as time.
The youngster wishes to download music or a game on the family computer, yet lacks the coin required to buy a copy from the official site. So they type "free" after the keywords in the Google search, and stumble across the candy shop of .xyz domains. These sites offer a catalog of content, from musical goodies like Ludacris_How_Low.mp3 to video game files like COD4wDLC.ZIP.
In a frenzy of greed and excitement, they unzip, mount and execute every binary available to them. Why wouldn't they? They have the entire world of entertainment at their fingertips!
Fast forward to a few weeks later, when the computer's CPU usage is through the roof, is loading pages to a crawl, and has crippled the information nexus for the family. Nobody is sure of what happened, or what to do.
So they go back to that .xyz domain, and download PC_CleanerPRO.exe to solve their problems!
Protecting the Secret Sauce
While these illegitimate copies of programs are prevalent across the internet, software companies conduct much due diligence to combat these practices.
In fact, Original copies of software often have multiple layers of protection to protect their status of authenticity.
One measure is the requirement of external validation, via registration on vendor sites. To access a copy, a user must create an account and purchase the version needed. Since different versions of services/products can be sold (ie single-use vs enterprise subscription), this makes sure there is not an enterprise running 100 home editions, circumventing the business model.
Activation keys have long been a requirement, proving a reliable method for single-use activation. It is always a great moment when you get to watch a Sysadmin scratch off a code like it is the winning lottery ticket. However, universal codes exist and are leaked via word of mouth.
DRM and Hardware Protection protect against illicit copying and distribution of content via dongles, security drives, and routine online validation checks.
Cracking Open the Code
So if you cannot pay for the software, what can you do? Hope there is a Linux or freeware version? Between lacking periodic updates, containing a sharp decrease in functionality/functions, or just not existing as a competitor, open-source can have much left to be desired.
So the market for cracked software continues to grow.
But how does this process happen?
(Disclaimer: I am no RE, and am a novice at best for malware analysis.)
Essentially the compiled code (.exe,.dll) is reverse-engineered via a debugger such as Ollydbg or Hex Editor. As they observe the binary, they look for specific "checkpoints" where conditions are verified (ie activation code). By understanding these checkpoints and where they occur, they can manipulate the program by redirecting it/creating a subroutine that skips this process. One way of doing this is creating a measure that will simply invalidate any failed input. Another is altering the digital signature to accept versions as genuine.
(It is worth noting that any of this changes the hash of the binary).
Now that an open copy exists, what happens next?
Part 1 of this covers an intro to the cracked software predicament. Parts 2 and 3 will cover the creation of it as an attack vector, malware associated with cracked software, and triage steps a defender can follow to help secure their environment.