What happens if you download a cracked program?

[harlan4096]

Spoiler: nothing good. Along with pirated software, you’ll probably pick up a miner, stealer, or backdoor.
 
What do you do when you need a program but can’t buy an official license yet? Correct answer: “Use the trial version” or “Find a free alternative.” Wrong answer: “Search online for a cracked version.”

Sketchy alternative sources are known to offer cracked versions of software, along with other goodies. After wading through sites stuffed with ads, you may get the program you want (usually minus the future updates and network functionality), but with a miner, stealer, or whatever else thrown in for good measure.

Based on real-world examples, we explain why you should avoid sites that offer instant downloads of in-demand programs.

Miner and stealer on SourceForge

SourceForge was once the largest site for all things open source, the forerunner of GitHub. But don’t think that SourceForge is dead – today it provides software hosting and distribution services. Its software portal hosts multiple projects, uploaded by anyone who wants to.

And, as with GitHub, it’s this cosmopolitanism that is a barrier to high-level security. Let’s take just one example: our experts found a project called officepackage on SourceForge. At first glance, it looks harmless: a clear description, no-nonsense name, even a positive review.

“Officepackage” page on SourceForge

But what if we told you that the description and files were copied outright from an unrelated project on GitHub? Alarm bells are already ringing. That said, no malware lands on your computer when you click the Download button – the project is apparently clean. Apparently, because the malicious payload was not distributed directly through the officepackage project, but through the web page associated with it. How is this possible?

The fact is that every project created on SourceForge gets its own domain name and hosting on sourceforge.io. So a project named officepackage is given a web page at officepackage.sourceforge[.]io. Such pages are easily indexed by search engines and rank high in search results. This is how attackers attract victims.

When visiting officepackage.sourceforge[.]io from a search engine brought users to a page offering downloads of almost any version of the Microsoft Office suite.

But, as ever, the devil was in the detail: when you hovered over the Download button, the browser’s status bar showed a link to https[:]//loading.sourceforge[.]io/download. Spotted the trap? The new link has nothing to do with officepackage; loading is an entirely different project.

Continue Reading...