LonePirate Posted January 7, 2013
How does one tell if a crack, keygen or patch is doing harm to one's computer, whether it's executed or not? What do I look for in software such as Procmon to check it?

Example: I have a keygen and upload it to VT and it says, let's just say, 33/45. Is it automatically malicious just because most of the AVs say so?

I figured if anyone would know, you crackers would. Thanks for any help.
unknownasphyxiated Posted January 7, 2013
It would be too late if you track the changes using Procmon. What I do:
- try executing the file through Sandboxie
- use a trusted site to download the file, such as Nsane B)
- read the comments if you download it from a torrent site
- upload it to VT and check the infection type; usually NOD32 can detect the type of the file, for example a variant of Win32/Keygen.AS (VT link)
Maybe this doesn't answer your question, but this is what I always do.
rudrax Posted January 7, 2013
:notworthy: shought
november_ra1n Posted January 7, 2013
Gator@ sorry to disappoint you, but you will never tell whether the crack or patch is a virus or a false positive. There is no software that can judge this. Even scanning via VirusTotal does not give you the true story, because sometimes it will give a false alarm and other times not. If you look at the different virus engines, some detect malware, others don't.

If the crack patches exe files, I use VMware: I execute the crack and patch the exe files there, then copy and replace them on the real machine. If it is a keygen I do the same: open the keygen in VMware, then use the key on the real machine. But there are some cracks you need to execute on the real machine and therefore cannot use in VMware; I try to stay far away from those.

That is how I work around them...
Knightmare Posted January 7, 2013
Every keygen or patch that I have ever run is a one-and-done thing. I don't get how it could be damaging your computer. When you run the keygen/patch to crack a program, it will infect your computer then. I've had a keygen infect my computer: I got the serial, entered it in the program, then it was activated. However, when I started using my computer, I noticed that it was very sluggish and buggy. I ran a virus scan and found that the keygen had left a present, but my antimalware removed the virus and the program stayed activated. :dunno:
MAXS Posted January 7, 2013
Can you give some example? Upload that crack and share the VT results with us to look at. Then we will explain what it is.

Look at this example. I scanned EA Games Multi Keygen and Windows 7 Loader. My Malwarebytes detects them, but Kaspersky doesn't... Let's look at the results from VT:
https://www.virustotal.com/file/4cb918bdd53fd77c9b2ccaa34f56b7f24c628ae95be9770c7cd829cbc415be3b/analysis/
https://www.virustotal.com/file/fc761228d8892545e813e763deac19105c3fce15ebd642f5332ad12217402ceb/analysis/

You can easily see that this isn't malicious. How? Look at the explanation. One says it's riskware, another says it's Riskware.Tool, a third says it's suspicious, a fourth says not.a.virus.windows.activator, etc. An experienced guy would immediately know that this isn't malicious, only by looking at the detection names.

The second way to look for an answer is to look at the comments. There is plenty of useful information in this section and it could lead to a final conclusion.

The third way is to look at the Votes section. Look at the green and red voting order. This could lead to a conclusion, but not always. Every fool can vote that a file is clean. Look at the voters' reputation. Guys with high reputation are right 99% of the time. You can look at a voter's profile, see if he is trusted and so on...

Hope I was clear, and that you understood :)
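Added example, not part of MAXS's post or any other reply in this thread: a small Python script that does what MAXS describes by hand, reading a VirusTotal-style result set by detection name rather than by the raw count. A report that is all Riskware / HackTool / not-a-virus labels is a different situation from one where two engines independently name a Trojan or Backdoor family, even if the second has fewer total hits. The engine names and detection strings below are constructed for the example, not a real VirusTotal report, and the name patterns are a heuristic starting point, not an exhaustive vendor taxonomy.

```python
"""Triage a VirusTotal-style result set by detection NAME, not detection COUNT.

Engine names and detection strings in the samples are constructed for this
example; they are not taken from a real VirusTotal report.
"""
import re

# Labels vendors use for unwanted-but-not-malicious tooling
# (keygens, patchers, activators). Matched case-insensitively.
RISKWARE_PATTERNS = [
    r"not-a-virus", r"riskware", r"risktool", r"hacktool", r"\bhktl",
    r"keygen", r"crack", r"patch", r"activator", r"\bpua\b", r"\bpup\b",
    r"unwanted", r"unsafe application",
]
# Labels that name a genuinely malicious family or behaviour.
MALWARE_PATTERNS = [
    r"trojan", r"backdoor", r"downloader", r"dropper", r"ransom",
    r"spyware", r"stealer", r"inject", r"rootkit", r"\bworm", r"banker",
]


def classify(label):
    """Map one detection string to 'malware', 'riskware' or 'generic'.

    A malware family wins over a tool label: 'Trojan.Keygen' is treated
    as the more serious of the two claims it makes.
    """
    text = label.lower()
    if any(re.search(p, text) for p in MALWARE_PATTERNS):
        return "malware"
    if any(re.search(p, text) for p in RISKWARE_PATTERNS):
        return "riskware"
    return "generic"  # 'Suspicious', 'Gen:Variant...', heuristic-only names


def triage(results):
    """results: {engine_name: detection_label or None for a clean verdict}.

    Returns per-class counts, the engines naming a malware family, and a
    verdict token: 'clean', 'riskware', 'inconclusive' or 'malicious'.
    """
    counts = {"clean": 0, "riskware": 0, "generic": 0, "malware": 0}
    malware_hits = []
    for engine, label in results.items():
        if not label:
            counts["clean"] += 1
            continue
        kind = classify(label)
        counts[kind] += 1
        if kind == "malware":
            malware_hits.append((engine, label))

    if counts["malware"] >= 2:
        verdict = "malicious"      # two engines independently name a family
    elif counts["malware"] == 1:
        verdict = "inconclusive"   # a single family hit: sandbox before trusting
    elif counts["riskware"] and counts["riskware"] >= counts["generic"]:
        verdict = "riskware"       # engines agree it is a tool, not a family
    elif counts["riskware"] or counts["generic"]:
        verdict = "inconclusive"   # heuristic names only, nothing to reason from
    else:
        verdict = "clean"
    return {"counts": counts, "malware_hits": malware_hits, "verdict": verdict}


# Constructed report: a keygen that every detecting engine labels as a tool.
SAMPLE_KEYGEN = {
    "EngineA": "not-a-virus:RiskTool.Win32.Keygen",
    "EngineB": "Riskware.Tool",
    "EngineC": "HackTool.Win32.Keygen",
    "EngineD": "Win32/Keygen.AS potentially unsafe application",
    "EngineE": "Suspicious",
    "EngineF": None,
    "EngineG": None,
}
# Constructed report: fewer hits overall, but two engines name real families.
SAMPLE_TROJAN = {
    "EngineA": "Trojan.Win32.Agent",
    "EngineB": "Backdoor.Win32.Generic",
    "EngineC": "Gen:Variant.Example",
    "EngineD": "not-a-virus:RiskTool.Win32.Keygen",
    "EngineE": None,
}

if __name__ == "__main__":
    for name, report in (("keygen", SAMPLE_KEYGEN), ("trojan", SAMPLE_TROJAN)):
        print(name, triage(report))
```

Note the asymmetry: the keygen sample has 5/7 detections and comes out as riskware, the second sample has 4/5 and comes out as malicious. A riskware verdict still only means the engines agree on what kind of tool it is; it is not proof that the file is clean, which is why the thread's advice to run it in a VM first still applies.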
xanax Posted January 7, 2013
In most cases, for me it is enough to use VMware + Sandboxie + Buster Sandbox Analyzer, plus some API monitoring tools, registry tracers, process monitoring tools, disassemblers/debuggers and network analyzers. I don't use any kind of AV tool for that.

But sometimes malware will check whether you are executing it in a virtual machine, and may be protected; then maybe you don't know how to do dynamic and static analysis, but you will know that someone wants to hide something (in most scenarios). Or use a second real machine for dynamic malware analysis.

Some materials:
http://www.seclab.tuwien.ac.at/papers/malware_survey.pdf
http://0xbadcab1e.lu/papers/analyse.pdf
http://zeltser.com/reverse-malware/

Test some skills:
http://computer-forensics.sans.org/blog/2011/08/10/malware-analysis-challenge-to-strengthen-your-skills
avmad Posted January 7, 2013
Good question. You have to use common sense, really.
- Always run keygens virtually or in a sandbox etc. Try out the crack in a virtual machine first. Shadow Defender will get rid of your experiments with just a restart.
- Make sure you recognise the cracker and download it from as near to the source as you can. People can alter it along the way. Many good crackers give MD5 checksums to ensure it's not been modified (look at the NFO if it has one).
- If in doubt, don't use it.
- Look for good reviews from trusted members.
- Stick to well-known scene groups, or trustworthy members.
- Upload to VT or VirSCAN and look at the names it gives.
I think it's always a gamble, so make sure your security software setup is good and that you understand it. If it does something new or different from past fixes, be concerned.
MinDokan Posted January 7, 2013
Test on a virtual machine; if it's a keygen, run it inside and take the code. Then clean sweep.
SnakeMasteR Posted January 7, 2013
If you have trusted sources for your fixes, the risk of being infected is significantly lower. Scene files are mostly clean; there were some small nukes in the past because of an infected Delphi compiler that had been used, or faked pres.

Also, don't focus that much on the fixes. Most people don't recognize that often the setup files were infected or bundled with some extra, instead of the meds. So you install an infected setup but use clean medicine. :lol:

Also it can be hard to make a clear point: not everyone has the time to monitor the changes made to the file system, and not everyone has the knowledge to reverse binaries and see what's inside executables or DLLs etc., if that is even possible.

If you are sceptical right from the beginning, just pass on those fixes and wait for alternatives.
Alanon Posted January 7, 2013
nO_risk!, avmad and others have all made very valid points. I can add that besides Sandboxie and other such stuff, a good classical HIPS such as Malware Defender can sometimes (but not always!) show you the steps the crack is undertaking. For instance, if it's creating an autorun it has no reason to, or placing files in system32 it really shouldn't touch, you'll get a red flag. Before Nsane, I found MD saved my ass on several occasions. Just my 2 cents.
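Added example, not part of Alanon's post or any other reply in this thread: since LonePirate asked what to look for in Procmon, this Python script reads a Process Monitor CSV export (Procmon's default export columns) and pulls out the red flags Alanon names plus two more a practitioner would add: writes to autorun registry keys, files dropped under System32/SysWOW64/Tasks, child processes, and outbound connections. Writes into Program Files are reported separately because that is exactly what a patcher is supposed to do. The Procmon lines, file names, process name and the 203.0.113.7 address are constructed for the example; run Procmon in a throwaway VM, filter on the crack's process, execute it once, then File > Save as CSV and point the script at the file.

```python
"""Pick the red flags named in this thread out of a Process Monitor CSV export.

Workflow: start Procmon in a throwaway VM, filter on the crack's process name,
run the crack once, then File > Save as CSV and feed the file to triage().
Column names are Procmon's default CSV export columns. The log lines, file
names and the 203.0.113.7 address in SAMPLE_CSV are constructed for this
example, not captured from a real crack.
"""
import csv
import io
import re
from collections import Counter

# Registry locations that make something run again at next boot or logon.
AUTORUN_KEY_RE = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce)\\|"
    r"\\Winlogon\\(Shell|Userinit)\b|"
    r"\\Image File Execution Options\\|"
    r"\\Services\\[^\\]+\\ImagePath\b",
    re.IGNORECASE,
)
# A keygen or patcher has no business writing here...
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64|Tasks)\\", re.IGNORECASE)
# ...but a patcher is expected to write to the program it patches.
PROGRAM_FILES_RE = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)
# CreateFile details meaning the handle can write to or create the file.
WRITE_DETAIL_RE = re.compile(r"Generic Write|Disposition: (Create|Overwrite|OpenIf|OverwriteIf)\b")
RED_FLAGS = {"autorun", "system_dir_write", "child_process", "network"}


def parse_procmon_csv(text):
    """Return the export as a list of dicts keyed by Procmon's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, process_name):
    """Return deduplicated findings for one process: [{category, path, detail}]."""
    findings, seen = [], set()

    def note(category, path, detail):
        if (category, path) not in seen:       # one finding per (category, path)
            seen.add((category, path))
            findings.append({"category": category, "path": path, "detail": detail})

    for row in rows:
        if row["Process Name"].lower() != process_name.lower():
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "RegSetValue" and AUTORUN_KEY_RE.search(path):
            note("autorun", path, detail)
        elif op == "WriteFile" or (op == "CreateFile" and WRITE_DETAIL_RE.search(detail)):
            if SYSTEM_DIR_RE.search(path):
                note("system_dir_write", path, detail)
            elif PROGRAM_FILES_RE.search(path):
                note("target_patch", path, detail)  # expected behaviour for a patcher
        elif op == "Process Create":
            note("child_process", path, detail)
        elif op in ("TCP Connect", "TCP Send", "UDP Send"):
            note("network", path, detail)
    return findings


def summarize(findings):
    """Count findings per category and how many fall in the red-flag set."""
    counts = Counter(f["category"] for f in findings)
    return {"counts": dict(counts),
            "red_flag_count": sum(n for c, n in counts.items() if c in RED_FLAGS)}


# Constructed Procmon export: a "keygen" that drops a DLL into System32,
# registers it under HKCU\...\Run and phones home. The explorer.exe line
# shows unrelated noise that the process filter must ignore.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","keygen.exe","4120","Load Image","C:\Users\lab\Desktop\keygen.exe","SUCCESS","Image Base: 0x400000, Image Size: 0x5c000"
"10:00:01.1000000","keygen.exe","4120","CreateFile","C:\Users\lab\Desktop\keygen.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"10:00:02.0000000","keygen.exe","4120","CreateFile","C:\Windows\System32\svchost32.dll","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:00:02.1000000","keygen.exe","4120","WriteFile","C:\Windows\System32\svchost32.dll","SUCCESS","Offset: 0, Length: 48,640"
"10:00:02.5000000","keygen.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 70, Data: rundll32 C:\Windows\System32\svchost32.dll,Start"
"10:00:03.0000000","keygen.exe","4120","TCP Connect","lab-pc:49211 -> 203.0.113.7:8080","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:00:03.2000000","explorer.exe","1532","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'''

if __name__ == "__main__":
    found = triage(parse_procmon_csv(SAMPLE_CSV), "keygen.exe")
    for f in found:
        print(f"{f['category']:17} {f['path']}")
    print(summarize(found))
```

A pure keygen should produce an empty findings list, and a patcher should produce only target_patch entries for the program it fixes. Anything in the red-flag set is the "present" Knightmare describes above, caught before the VM snapshot is rolled back rather than after the host is already infected. The usual caveat from the thread applies: malware that detects the VM may simply not do any of this while being watched, so a clean run proves less than a dirty one.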
Marik Posted January 7, 2013
You could try sending that crack to ThreatExpert; it should tell you what its behavior is, more or less. The only downside is the 5 MB submission limit.
MrGreen Posted January 7, 2013
Just a quick post to make the point that VMware or Sandboxie isn't always a 100% safe way of running a crack or keygen, as there are various types of malware out there that can find their way out of the sandbox/VM and onto the host (rare but possible). Also, a lot of malware can detect if it's being run in VMware etc. and not behave the same way as if it were being run on the host. This is a way the virus/malware writers avoid their work being detected quickly, as most honeypots out there use VMware or a variant, and virus writers know that a lot of people use VMware etc. to analyse their work.

Here are a couple of links if you're interested:
http://zeltser.com/vmware-malware-analysis/
http://blog.trendmicro.com/trendlabs-security-intelligence/vmware-bug-provides-escape-hatch/
Many more are available via a simple Google search.

@xanax - Thanks, I hadn't heard of Buster Sandbox Analyzer before you mentioned it.
LonePirate Posted January 7, 2013 (Author)
I appreciate all your comments. What I have done in the past is look at the rating, as one of you mentioned, and I do look at the names of the virus in question; if it's riskware or something similar and shows green, I usually keep it.

I like to keep all cracks off my main HDD and store them on externals, and I also look at which AV is flagging the crack. For example, if NOD32, Comodo, Kaspersky, Avast or Emsisoft doesn't show it as malicious, I usually trust that it's clean; just my preference.

I do have Sandboxie, Shadow Defender and VMware if I ever need them to test out a crack.
LonePirate Posted January 7, 2013 (Author)
Here are some examples; I included the ACUE crack.
Windows Loader.exe
http://goo.gl/5fO08
ACUE Crack (Liberator v2).exe
http://goo.gl/DfBo6
PCDPRemover.exe (Universal All PopCap Games Patcher)
http://goo.gl/WmAhb
This topic is now archived and is closed to further replies.