Windows Software Cracking / Patching tools being detected as a Virus/Trojan/Riskware ..etc

Tyr4n7 · March 26, 2020, 8:44pm

Disclaimer: I do not use nor encourage the use of illegal software and this post is only for the sole purpose of understanding AVs and RE topics

I have been doing some Reverse engineering lately, specifically on cracking / patching tools that cracks software license. To give you a general picture, patching softwares come in three shapes as far as I know:

Case 0: A cracking/patching tool that only breaks the license of the software, It isn’t encoded and doesn’t have any suspicious activity, although this is very rare.
Case 1: A good majority of cracking tools are only packed by popular packers like UPX and does a dropper-like behavior by embedding the real binary and decoding it and loading/executing it on the runtime as a sub-process as a mean to hide the patching mechanism.
Case 2: Some patching tools do in fact have viruses (Cryptocurrency bots, ransomware , info-stealer and what not ) embedded in the binary and drops the malware, which is in fact malicious in this case. This is Case 1/2 combined a with a virus. It’s good to know that many developers/RE engineers that sell their keygen/patching tools for malicious actors, so they’d embed a trojan into it. This has been the case for a very long while.

Interesting facts:

An interesting thing that Case 0 / Case 1 “malwares” can pass through AVs by only changing the icon or a single hex value, which changes the the signature entirely.
It can be hard to hide the malicious activity of Case 2 malwares as they are truly malicious and do quite a lot of things that can be observed through the network and the behavior of said malware.
most of case 0/1 “malware” are marked as “Win32/Keygen”, “riskware”, “patcher”, “highConfidence”, “injector” and what not.

You can take a look at this one I recently reverse engineered (a cracking tool for a download manager), which I can guarantee that it doesn’t have any malicious activity, it’s a case 1 Patcher.

This is before changing the icon of the file (31/70) score :
https://www.virustotal.com/gui/file/9f6c7802e99b94dca0db8054bfae0c6b36971ff509a683159e79184306aaa009/detection

Here’s the same file, but with the icon removed (13/70) :
https://www.virustotal.com/gui/file/43b5f631e5e2646782b9f10e5b19d6878d89ab3b1a783388e49b5e23d5d8a3a3/detection

I’m truly starting to wonder if AV companies flag patching/cracking software as malicious just for the sole purpose of protecting other-companies-software?

system · March 29, 2020, 8:44pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.