Illegal Keygen for Reputed Antivirus Comes Bundled with Malware

It is common practice for crooks to use pirated software as a means of disseminating malware. It’s an approach that has been used for years and it still works as a charm. Any new software product launch is awaited and included into this malware distribution cycle. A much anticipated movie or software product becomes the perfect lure for users who are inclined towards piracy rather than legal product or service acquisition.

This is exactly the scenario we spotted last week, when crooks started using the latest Internet Security avtivirus product from Trustport as bait for malware dissemination. They tampered with an illegal keygen (identified by our labs as Application.Keygen.BW) in order to bind it with a piece of backdoor malware  that is also deployed on the users’ systems along with an illegal key for the AV product.

This keygen spreads via P2P sharing services, USB media, instant messaging services or e-mail clients and users may end up downloading serious trouble on their systems as this particular illicit tool does a lot more than it is supposed to do.

The piece of malware inside the keygen is identified by Bitdefender as Trojan.Agent.ASDM and starts its wrongdoing by injecting itself into explorer.exe and adding a list of exceptions to the locally installed firewall. Afterwards, it deploys a keylogger and a backdoor component on the compromised computer. Depending on how you’re using your computer, this piece of malware does the following:

–          steals passwords cached in various web browsers such as Mozilla Firefox or Internet Explorer;

–          spies on the users’ habits and gathering critical information about the compromised computer and, worst of all, showing great interest for all that has to do with e-banking accounts and money transactions;

–          downloading further malware either via internet or from ftp accounts; the sample we analyzed is capable of downloading and installing  Zeus BOT, SpyNet RAT, Bandook RAT, Scwarze Sonne RAT, Apocalypse RAT, Bff BOT, Solitude RAT, PoisonIvy,  Cybergate, which hints to a possible cooperation between Trojan.Agent.ASDMand other cyber-criminal gangs.;

–          captures video and audio  streams from the users’ computer webcams;

–          logs conversations that take place on social networks or instant messenger;

It is safe to say that there’s an extremely high chance that pirated software leads to malware and it’s definitely a risk not worth taking.

This article is based on the technical information provided courtesy of Doina Cosovan, BitDefender VirusAnalyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.