A keygen with a twist

Programs for cracking commercial software are, sadly, not unpopular. They have also caught the attention of malware writers, who have prepared a couple of surprises for those who don’t mind a free ride every now and then.

A short time ago, we detected a Trojan dropper which passes itself off as a key generator for Kaspersky Lab products. The file’s name is kaspersky.exe.

Once launched, the file displays a key generator window prompting the user to select a product. After one of the options is selected, the program proceeds to generate a key.

Keygen window

While the freebie lover is waiting for the result, two pieces of malware that were stealthily installed and launched by the dropper make themselves at home on the PC.

One of these is detected by Kaspersky Lab as Trojan.MSIL.Agent.aor. It steals registration data for other programs, as well as passwords, mostly for online games. It rather considerately stores all the stolen data in one file. A fragment of the file is shown in the screenshot below.

Fragment of a file that is filled in with registration data for the software listed in it

The Trojan also modifies the ‘hosts’ system file to block access to a number of websites. For example, such websites as virustotal.com and virusscan.jotti.org, which offer file scanning by solutions from many antivirus vendors, become inaccessible.

Fragment of a modified hosts file:

##Do not touch this file, changing it will cause SERIOUS damage to your computer
127.0.0.1 virustotal.com
127.0.0.1 www.virustotal.com
127.0.0.1 www.virusscan.jotti.org/
127.0.0.1 www.virusscan.jotti.org/en
127.0.0.1 www.virusscan.jotti.org/en
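
A defender can check a hosts file for this kind of tampering by looking for scanner or vendor domains mapped to a loopback or null address. The sketch below is an added example, not code from the original article; the watchlist contents, function names and the sample text are assumptions built from the fragment above.

```python
import ipaddress

# Watchlist seeded with the two scanner sites named in the article
# (assumption: a real deployment extends this with its own vendor domains).
WATCHLIST = {"virustotal.com", "virusscan.jotti.org"}

def is_sinkhole(addr):
    """True for addresses that make a host unreachable: loopback or unspecified."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def normalize(name):
    """Lower-case the name and drop any path or trailing dot left in the entry."""
    return name.lower().split("/", 1)[0].rstrip(".")

def find_blocked_scanners(hosts_text, watchlist=WATCHLIST):
    """Return (line_number, address, hostname) for each watchlisted name that is sinkholed."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comments, then tokenize
        if len(fields) < 2 or not is_sinkhole(fields[0]):
            continue
        for name in fields[1:]:                  # one line may carry several names
            host = normalize(name)
            if any(host == d or host.endswith("." + d) for d in watchlist):
                findings.append((lineno, fields[0], host))
    return findings

# Constructed sample: the fragment quoted in the article plus two benign lines.
SAMPLE = """\
##Do not touch this file, changing it will cause SERIOUS damage to your computer
127.0.0.1 localhost
127.0.0.1 virustotal.com
127.0.0.1 www.virustotal.com
127.0.0.1 www.virusscan.jotti.org/
127.0.0.1 www.virusscan.jotti.org/en
192.0.2.10 intranet.example   # constructed benign entry
"""

if __name__ == "__main__":
    for lineno, addr, host in find_blocked_scanners(SAMPLE):
        print(f"line {lineno}: {host} -> {addr}")
```

The entries with a trailing path are not valid hostnames, so the check normalizes them before matching rather than skipping them.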

The second piece of malware installed by the dropper is a typical backdoor which also has keylogger functionality, collecting keystroke data. It is detected as Trojan.Win32.Liac.gfu.

Thus, running a supposed key generator for Kaspersky Internet Security will plant a couple of very real malicious programs on your computer, which KIS will then have to deal with. Provided, of course, that the keys generated by the ‘keygen’ actually work.
