# Are Keygens Viruses? How to tell if they are?



## Deleted User (Jan 14, 2019)

I've been pirating paid software from a certain trusted site. From this site I've downloaded Spine2D, FLStudio, Photoshop (the most recent version at the time), Sony Vegas, MalwareBytes, Corel Suites, and a long etc.

I now want to use Sketchbook 2018 Enterprise, and it comes with a KeyGen (I've used some for Corel Products) and Windows Defender as well as Chrome are telling me that the file is dangerous.
Of course, everything I've used in the past is potentially dangerous.
But I was wondering just now, if there's any way to really SEE or TEST if a Keygen is dangerous or not.

Does any of you know a way to "test the Keygen.exe" to see if it has viruses or not?


----------



## Arras (Jan 14, 2019)

You could try uploading it to https://www.virustotal.com/#/home/upload . A lot of keygens will trigger false positives, just by being a keygen. If the virus information only shows "dangerous software > Keygen" or something, it's probably safe.


----------



## Deleted User (Jan 14, 2019)

Arras said:


> you could try uploading it to https://www.virustotal.com/#/home/upload . A lot of keygens will trigger false positives, just by being a keygen. If the virus information only shows "dangerous software > Keygen" or something, it's probably safe.


I've already tried with it.
But when I choose the Keygen to be uploaded to the site, a window appears telling me:
"Can't open this file as it contains Viruses or Malware"


----------



## Arras (Jan 14, 2019)

Johnton said:


> I've already tried with it.
> But when I choose the Keygen to be uploaded to the site, a window appears telling me:
> "Can't open this file as it contains Viruses or Malware"


Try in a different browser then.


----------



## KleinesSinchen (Jan 14, 2019)

Other than a real malware analysis, which only an expert can do, there is no fully reliable method of telling if a file is malicious. Besides… cracking the malware scanner on your system is not very smart in my opinion. The attribute “trusted” for a site that distributes illegal copies sounds a bit odd.

- Simply running the file on a virtual machine → *Malware may behave innocently.*
- Simply running the file on a VM → (unlikely for malware in the wild, but possible) *Malware might infect the host system with a VM-escape exploit.*
- Running the file on a test computer → *You may not see the malicious behavior at first.* It may wait for X minutes/hours/days or only start if certain condition(s) is/are met. [Wikipedia: Stuxnet]
- *Automated software can’t reliably detect unknown malware.*

On the other side: many scanners treat keygens/cracks… across the board as malicious. You get heuristic hits often (“heu-”, “gen-”, “generic-” in the name). This only adds to the uncertainty and is – in my opinion – an attempt to discourage people from using “pirating tools”.

My position on this:

*Best idea: Don’t use such things at all.*

*Second best idea:* Use a _*permanently*_ offline secondary computer. Create a backup image for the case some malware infects the system and makes it unusable.
There is still a (smaller) risk of infecting your main computer when transferring files with USB devices from the dummy PC.


----------



## Joom (Jan 14, 2019)

Keygens are typically marked malicious because they tend to be packed with UPX, and use other anti-RE methods. If you want to find out if one is malicious, you can use a site like Hybrid Analysis. If you'd like to do it locally, you can use Sandboxie, Comodo Firewall, and PE Explorer.
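To make concrete why packing trips heuristics, here is an added Python example (not code from the post above, and not any real scanner's logic) that reads a PE section table with the standard library and reports packing indicators: section names a packer leaves behind, a section with no bytes on disk but a large in-memory reservation, and high entropy. The packer-name list is a short illustrative assumption, and the sample PE the script builds is constructed for the example: it has headers and a section table only and is not a runnable program.

```python
import math
import random
import struct
import sys
from collections import Counter

# Section names commonly left behind by packers. Assumption: a short
# illustrative list; real triage tooling carries far longer ones.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".petite", "MPRESS1", "MPRESS2", ".themida"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for
    compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk the PE header chain (DOS header -> PE signature -> COFF header ->
    optional header -> section table) and describe each section."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return sections


def triage(pe: bytes) -> list:
    """Return human-readable packing indicators. These explain a heuristic
    hit; they do not establish that the file is malicious."""
    findings = []
    for s in parse_sections(pe):
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"{s['name']}: known packer section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']}: no bytes on disk but {s['virtual_size']:#x} "
                            "bytes reserved in memory (typical unpack target)")
        if s["entropy"] > 7.0:
            findings.append(f"{s['name']}: entropy {s['entropy']} (compressed or encrypted)")
    return findings


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE-shaped byte string (headers plus section table,
    not a loadable program) as offline test input for the parser."""
    e_lfanew, size_of_optional = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x102)
    header_len = e_lfanew + 4 + 20 + size_of_optional + 40 * len(sections)
    first_raw = (header_len + 0x1FF) & ~0x1FF   # section data on a 512-byte boundary
    table, blobs, vaddr = b"", b"", 0x1000
    for name, vsize, raw in sections:
        ptr = first_raw + len(blobs) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        vaddr += max(vsize, len(raw), 0x1000)
    image = dos + b"PE\0\0" + coff + b"\0" * size_of_optional + table
    return image.ljust(first_raw, b"\0") + blobs


# Constructed sample mimicking a UPX layout: an empty UPX0 the stub unpacks
# into, a high-entropy UPX1 holding the compressed payload, and a plain .rsrc.
_rng = random.Random(1)
SAMPLE_PE = build_sample_pe([
    (b"UPX0", 0x10000, b""),
    (b"UPX1", 0x2000, bytes(_rng.getrandbits(8) for _ in range(4096))),
    (b".rsrc", 0x200, b"\0" * 256),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    for line in triage(data) or ["no packing indicators"]:
        print(line)
```

Run it against a real file with `python pe_triage.py path\to\file.exe` (the file name is an assumption). A hit here explains a generic or heuristic verdict but says nothing about intent: legitimate installers and games ship packed too, which is exactly why a packed keygen and a packed trojan look alike to a scanner.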


----------



## RattletraPM (Jan 14, 2019)

As @KleinesSinchen said, there's no real answer other than getting your hands dirty with a lengthy and difficult analysis of the executable and/or watching its behavior in a contained environment. Online scanners such as VirusTotal and heuristics can sometimes give you an idea if what you're using is good or not, but most times they're misleading. In the end, if you want to stay safe then the best possible thing you can do is to not use cracks or keygens at all.

If for whatever reason you still want to do so, follow the internet's golden rule: trust your gut. Avoid blogs and channels offering cracked software. Don't download warez from YouTube videos. Repeat after me, _don't download warez from YouTube videos._ Try to avoid direct downloads and stick to P2P networks (it's easy for someone to infect an executable to redistribute malware using a centralized network, while, unless the file was already bad to begin with, multiple sources with hash checking as well as other measures will prevent a malicious user from modifying files on P2P ones). Stick to the well-known sources and websites. If possible, get an invite to private trackers/servers, as they usually require users to keep a good upload quota in order to download files, so everyone is incentivized to share good stuff. Finally, if you're downloading from public sources, check if there's an SFV or other type of hash available for whatever you've downloaded to see if it's been tampered with (and don't just trust the one that was bundled with your files; check on Pastebin and Google around so you have more than one source, just to be safe).

Lastly, if you still want to go through the analysis process yourself then you could use a VM/sandboxing software, but I'd highly recommend getting a cheap junker PC to test your stuff on: not only will you not have to worry about the malware escaping the sandboxing environment anymore (as long as you keep that PC offline and are very mindful about handling USB drives you plug into it), but some badware can detect whether it's inside a VM (e.g. by checking known virtual device names/IDs) and not do anything, to make it look safe - something much harder to accomplish on bare metal with real devices.
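The SFV cross-check described in the post above, as an added Python example (not from the original post): it parses SFV files, checks CRC32s and, crucially, compares more than one SFV source instead of trusting the bundled one. The release files, the tampered re-upload and both SFV texts are constructed inside the script; the function and file names are assumptions made for the example.

```python
import zlib


def crc32_of(data: bytes) -> int:
    """CRC32 as the unsigned 32-bit value SFV files store."""
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_sfv(text: str) -> dict:
    """Parse SFV text: one 'filename CRC32HEX' per line, ';' starts a comment.
    File names may contain spaces, so split on the last space only."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, sep, crc = line.rpartition(" ")
        if not sep:
            raise ValueError(f"malformed SFV line: {line!r}")
        entries[name.strip()] = int(crc, 16)
    return entries


def verify(files: dict, sfv_sources: dict) -> dict:
    """files: name -> bytes on disk. sfv_sources: label -> parsed SFV.
    Status per file: 'ok', 'mismatch', 'sources-disagree' or 'unlisted'."""
    report = {}
    for name, data in files.items():
        actual = crc32_of(data)
        expected = {label: sfv[name] for label, sfv in sfv_sources.items() if name in sfv}
        if not expected:
            report[name] = "unlisted"
        elif len(set(expected.values())) > 1:
            report[name] = "sources-disagree"   # at least one SFV is wrong; stop here
        elif actual != next(iter(expected.values())):
            report[name] = "mismatch"
        else:
            report[name] = "ok"
    return report


def make_sfv(files: dict) -> str:
    """Generate SFV text for a set of files (used here to construct sample data)."""
    return "; constructed for this example\n" + "".join(
        f"{name} {crc32_of(data):08X}\n" for name, data in files.items())


# Constructed release: what was originally published...
PRISTINE = {"read me.txt": b"release notes\n", "app-setup.exe": b"MZ" + b"A" * 64}
# ...and a re-upload where the installer was swapped and the bundled SFV
# regenerated so that it still "matches".
TAMPERED = dict(PRISTINE, **{"app-setup.exe": b"MZ" + b"B" * 64})

BUNDLED_SFV = make_sfv(TAMPERED)      # travels with the tampered files
INDEPENDENT_SFV = make_sfv(PRISTINE)  # obtained from a second, unrelated source


def check_tampered_release() -> dict:
    """Check the tampered files against the bundled SFV alone vs. both sources."""
    return {
        "bundled-only": verify(TAMPERED, {"bundled": parse_sfv(BUNDLED_SFV)}),
        "cross-checked": verify(TAMPERED, {"bundled": parse_sfv(BUNDLED_SFV),
                                          "independent": parse_sfv(INDEPENDENT_SFV)}),
    }


if __name__ == "__main__":
    for mode, report in check_tampered_release().items():
        print(mode, report)
```

A bundled SFV only proves the files match the SFV that came with them; whoever swapped the installer could regenerate it, so the bundled-only check reports everything as fine while the cross-check flags the disagreement. CRC32 catches accidental corruption but is not a cryptographic hash, so prefer SHA-256 sums where a release publishes them, with the same rule about fetching them from a second place.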


----------



## Deleted User (Jan 14, 2019)

Woah, this is much more complex than I thought.
Thanks for the advice!


----------



## Zaphod77 (May 6, 2020)

Here's the truth.

1) Antiviruses have been intentionally flagging cracks and keygens for ages. This is a fact. This started way back when McAfee would say that anything named keygen.exe was infected, and was uncleanable so it had to be deleted. They had to stop that particular stunt when it was discovered. The more honest ones will actually tell you it got flagged because it's a crack or keygen. (Hacktool.Gendows anyone?) In my opinion detecting a crack as a crack is a useful thing to do. After all, you don't want pirated software on a work computer, and can get your company into serious trouble that way. I have no quarrel with an antivirus/antimalware that detects a crack or keygen as a crack or keygen, and classifies it as a potentially unwanted program.

2) cracks and keygens have had viruses in the past for real.  This is also a fact.  Sometimes it was put there by the cracker intentionally, and sometimes it was added in after the fact by someone else.  Scene release groups do NOT put viruses in their cracks on purpose, and any releases that did actually have viruses would be nuked.  This means that an antivirus detecting cracks as viruses can actually protect people, even if it can't actually detect the virus hidden in it.  This is part of why antiviruses like to flag cracks.

3) cracks often need to inject into processes to work.  So does malware.   Thus, unless they are whitelisted specifically, they tend to trip heuristics.  Eventually someone submits a false positive report, and the antivirus program writer investigates.

4) cracks often pack the executable, and have anti reverse engineering stuff to try to stop the software companies from figuring out how they did it.  Again, so does malware, so this also trips heuristics. Again, a false positive report gets filed, and some qualified employee investigates.  Sometimes hoofbeats do mean zebras.

This is also why scene releases are contained in an ISO, and have a crack directory.  By placing the file that's likely to trip false positives on a read only media, it guarantees that you can whitelist it while it's on a read only source.

The best way to be reasonably sure is to VirusTotal it. If most antiviruses detect something, it's almost certainly infected. If only a small number do, then it's most likely a heuristic false positive.


----------



## Joom (May 22, 2020)

Zaphod77 said:


> The best way to be reasonably sure is to virustotal it. If most antiviruses detect something, it's almost certainly infected. if only a small number do, then it's most likely a heuristic false positive.


This thread is over a year old and this statement is demonstrably false. Never blindly trust VirusTotal results. It's very easy to encrypt malicious binaries in order to bypass AV detection. The best thing to do is what I suggested and do the heuristics sleuthing yourself. It's very easy to find out if something is actually malicious by just watching it run.


----------



## Zaphod77 (Jun 14, 2020)

Not everyone has a handy sandbox to safely run untrusted binaries in.

And not everyone can easily interpret Hybrid Analysis.

So if you have a better idea for "how to tell if it's a false positive for dummies", I'm all for it.


----------



## notimp (Jun 14, 2020)

Zaphod77 said:


> Not everyone has a handy sandbox to safely run untrusted binaries in.


The only holdback these days is disk space (30-50 GB). I run Parallels on a MacBook Air; I ran VMware Fusion on a 10-year-old MacBook Air (Win XP back then, but still full speed).

A Windows 10 Pro license can be had for 5 USD, and Virtualbox is free.

Also the Windows XP virtual image back when I still used it was 10GB in size.


----------



## Zaphod77 (Jun 14, 2020)

A legit Windows 10 Pro license for $5? That seems... suspicious.

I've always thought that Windows should give a convenient way to run an untrusted binary, but the Home version of 10 still doesn't come with the sandbox.

A sandbox is ideal for actually running a keygen in, as it should lock down any malware contained within the generator. But once that becomes common, said malware will start having code to try and escape the sandbox.

This solution works specifically for keygens because you don't need to ever run it on the main computer. Even if it did have malware, it can still create a working key, which can then be used on the real computer.

I do know how to get genuine Windows 10 for free. But not how to do it in a virtual machine. That said, even a non-genuine Windows 10 in a virtual machine is useful for such testing.


----------



## notimp (Jun 15, 2020)

Zaphod77 said:


> a legit windows 10 pro license for 5$? That seems.. suspicious.


More than that, probably illegal. But with no harm falling on the end user.

Those licenses more often than not aren't even 're-salvaged' old OEM licenses, but mass activation licenses MS hasn't disabled, and that are getting abused.

The issue for MS is the profit calculation here. They get more money off of their average user overall by 'funneling' them through their legal ecosystem (stores (they get 30% off of every 'native' app you install through the app store), native ads, ecosystem lock-in, advertising in general...). So what should they do with you?

If they 'disable' your license retroactively, they both get fallout from the non-abuse license users in every block, and they are causing people that usually aren't even that tech savvy (those who just wanted 'cheap') additional issues that might have them switch over to Android or 'iPad', where none of this is an issue.

MS pivoted their income model to 'service based' (as in not product based) a few years back (under Satya Nadella), and every day since then you as a user became more valuable to them while you were using their software - than you ever were when they were still selling Windows.

(The calculation there goes: almost no people back then 'bought' Windows either. Most of their customers got 'a new Windows' when they got a new PC - those also were mass licenses to OEMs, which were heavily discounted compared to end consumer prices. And this was before they sold advertising and 'apps' to you.)

So as a result, as far as I know, they don't deactivate abused mass activation keys anymore. It just gets them bad press, and probably costs them money. Part of the calculation still is, though, that you have a bad conscience.

And you should have one, because OEM licenses were a profit center for smaller computer stores. Luckily they still have 'support'.

So don't do it if you don't have to (legit OEM licenses aren't that much more expensive), but if you are strapped for money, or really, really don't like MS... (Worst case scenario, you are down 5 USD, and can try again five times?)

Now don't do that with other software licenses. I've literally seen eBay accounts selling 'activators' (basically cracks) as genuine Office licenses, for example. Those are distributed 'for free' by their original creators, so don't be the sucker that pays for warez because they wanted it cheap. Show some decency, be clever, not just cheap, and also pay for software, because most software houses aren't Microsoft, and can't make money on you by showing you OS-level ads, or piggybacking for 30% off of other developers.

So either be 'good' all the way, or choose your battles. Don't become the 'why should I pay?' guy.

That said - why should I pay more for Windows? MS doesn't even seem to enforce any action against key reselling...

(Also, if they only have 'one Windows version to support' for most of their customers, their cost structure makes 'producing Windows' much less expensive. (Which is why they usually don't allow you to turn off auto-updating anymore.) And every new 'ad driven' scheme rolls out to a much, much wider user base (because the non-ad-driven Windows (which they'd still have had to support in the past) dies out faster), which they then can sell to advertisers as bigger numbers...)


----------



## Zaphod77 (Jun 15, 2020)

The trick is updating from an OEM-activated Windows 7. DAZ Loader and/or BIOS mods will do the trick. You will have a genuine Windows 10 and it will even remove the loader for you.

Still works, still completely undetectable by MS, as they refuse to deactivate the OEM SLP keys for upgrading. (They could easily have demanded you enter your COA key, and yet they don't bother.)

If you do have an OEM Home edition of Windows 7 that came with the computer, you can also upgrade it to Ultimate first by entering your OEM's Ultimate SLP key in Windows Anytime Upgrade. I've always disconnected from the net before trying it, but not sure if it's needed.


----------



## linuxares (Jun 15, 2020)

Just use Windows 10 Sandbox, run it, copy the information you want to a Notepad document on your normal machine, close the machine. Tada! The virus can't do shit if it's stuck in the sandboxed machine that will get wiped as soon as you close it.

https://www.windowscentral.com/how-use-windows-sandbox-windows-10-may-2019-update


----------



## Zaphod77 (Jun 15, 2020)

Yeah, if you have Pro... it doesn't come with the base Windows 10...

I really think it should.


----------



## notimp (Jun 17, 2020)

linuxares said:


> Just use Windows 10 Sandbox, run it, copy the information you want to notepad document on your normal machine, close the machine. Tada! The virus can't do shit if it's stuck in the Sandboxed machine that will get wiped as soon as you close it.
> 
> https://www.windowscentral.com/how-use-windows-sandbox-windows-10-may-2019-update


Uh, new and shiny. (OK, a year old...) Didn't know that was a thing, thanks.


----------



## Captain_N (Jun 19, 2020)

Create a virtual machine and install your software. Then run the keygen in the virtual machine and see what it does. Make sure networking is disabled in that virtual machine, as much malicious software is designed to spread through a local network. Since you're already getting software, I'm sure you will have no problem getting something like VMware Workstation.

You can also upload the cracked files to online virus scanners to see what they say. All the anti-virus software will report the keygen exe as dirty. Norton is notorious for this.


----------



## sea_sharp-minor (May 20, 2021)

Joom said:


> This thread is over a year old and this statement is demonstrably false. Never blindly trust VirusTotal results. It's very easy to encrypt malicious binaries in order to bypass AV detection. The best thing to do is what I suggested and do the heuristics sleuthing yourself. It's very easy to find out if something is actually malicious by just watching it run.



Well it's not quite a year this time, but I just found this thread through a search and I have learned a lot from it. Thanks everyone for the very insightful and helpful answers.

I am wondering though if you or anyone has any advice on how to go about this kind of 'heuristics sleuthing' or the best way to educate myself about how to detect malicious binaries or other nasty surprises. I've started looking into hybrid analysis and the methods it uses to detect malware. If you have any other advice or sources to recommend it would be greatly appreciated. I don't have an especially strong background in these technical issues and computer security, but I'm trying to teach myself enough to keep my PC safe.

Edit: To be a bit more specific, I would like to try running a suspicious .exe in a VM or more likely Sandboxie. What should I be on the lookout for after opening it?


----------



## jeffyTheHomebrewer (May 20, 2021)

Well, firstly, make sure the VM can't access the network at all before you run the keygen on the VM. Then, once you've confirmed the VM doesn't have ANY network access, run the keygen as the keygen maker instructs, then wait and see for anything kinda sussy, like system files being missing or corrupt (e.g. system programs like Notepad in the VM not opening, the VM not booting properly, bluescreens, etc.). Still, be as careful as possible.
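One way to turn "wait and see for anything sussy" into something measurable, as an added Python example (not from the post above): hash every file under the directories you care about before running the sample, hash them again afterwards, and diff the two snapshots to list files added, removed or modified. The `demo()` function stands in for the VM with a temporary directory and simulates the three kinds of change by hand; the `snapshot` and `compare` commands are what you would run for real. The function and file names are assumptions made for the example.

```python
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path


def snapshot(root) -> dict:
    """Map every file below root (relative, '/'-separated) to its SHA-256.
    Files that cannot be opened are recorded as '<unreadable>' rather than
    skipped, since a file that suddenly becomes unreadable is itself a change."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            path = Path(dirpath) / fn
            rel = path.relative_to(root).as_posix()
            try:
                h = hashlib.sha256()
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 16), b""):
                        h.update(chunk)
                result[rel] = h.hexdigest()
            except OSError:
                result[rel] = "<unreadable>"
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files added, removed or modified between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": sorted(k for k in common if before[k] != after[k]),
    }


def demo() -> dict:
    """Constructed stand-in for the guest VM: a temporary directory plays the
    system folder, and the 'run' is simulated by editing files by hand."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system").mkdir()
        (root / "system" / "notepad.exe").write_bytes(b"MZ original notepad")
        (root / "system" / "calc.exe").write_bytes(b"MZ original calc")
        (root / "user").mkdir()
        (root / "user" / "notes.txt").write_bytes(b"my notes")
        before = snapshot(root)
        # Simulated effects of running an untrusted binary:
        (root / "system" / "notepad.exe").write_bytes(b"MZ replaced")  # system file overwritten
        (root / "system" / "calc.exe").unlink()                         # system file deleted
        (root / "user" / "dropped.dll").write_bytes(b"MZ dropped")      # new file dropped
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    # Usage: snapshot <root> <out.json>   |   compare <before.json> <after.json>
    if len(sys.argv) == 4 and sys.argv[1] == "snapshot":
        with open(sys.argv[3], "w") as out:
            json.dump(snapshot(sys.argv[2]), out, indent=1)
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        with open(sys.argv[2]) as a, open(sys.argv[3]) as b:
            print(json.dumps(diff_snapshots(json.load(a), json.load(b)), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Take the "before" snapshot from a clean restore point and keep the JSON outside the guest. A snapshot taken from inside the guest after the sample has run relies on that guest's file system telling the truth; for a stronger view, mount the VM's disk image read-only from the host and snapshot it there.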


----------



## notimp (May 23, 2021)

After rereading this thread, I actually got curious about vectors. Why, besides for the lolz, would you infect machines via cracks these days?

Does anyone have insight? Let's say you stick to scene release channels, where people actively look out for warez. You can't use encryption/extortion scamming, you can't slow down systems too much - or people would notice, get you blacklisted from the channel and so on and so forth.

So why would you infect systems 'low key' except for thrills?

How are botnets doing that were created via that vector today? Does anyone know? Or are all of them mostly IoT device takeovers these days?

How about view scamming? (Ads or paid likes.)

Can anyone gauge the economics these days? Is it still worthwhile to create botnets for those purposes these days?

I'm sure much of it is "risk/reward" and if you do it low-key enough it has staying power, but -- any educated guesses?

Any usage scenarios I'm missing? I'm mostly asking why you'd infect someone actively seeking out cracks these days, basically.

Edit: Never mind, got my answer...

https://www.securityweek.com/microsoft-cracks-infrastructure-infamous-necurs-botnet


----------



## Joom (May 25, 2021)

sea_sharp-minor said:


> Well it's not quite a year this time, but I just found this thread through a search and I have learned a lot from it. Thanks everyone for the very insightful and helpful answers.
> 
> I am wondering though if you or anyone has any advice on how to go about this kind of 'heuristics sleuthing' or the best way to educate myself about how to detect malicious binaries or other nasty surprises. I've started looking into hybrid analysis and the methods it uses to detect malware. If you have any other advice or sources to recommend it would be greatly appreciated. I don't have an especially strong background in these technical issues and computer security, but I'm trying to teach myself enough to keep my PC safe.
> 
> Edit: To be a bit more specific, I would like to try running a suspicious .exe in a VM or more likely Sandboxie. What should I be on the lookout for after opening it?


If you're technically inclined, you can check out Cuckoo. Some assembly, and a Linux distro of your choice, is required.
https://github.com/cuckoosandbox/cuckoo

If you want to operate within a Windows environment, I recommend PE Explorer, Resource Hacker, OllyDbg, a verbose firewall of some kind, and Sandboxie. Deep Freeze and a spare PC are also highly recommended. Of course, you can avoid this last recommendation with a VM, but that comes with the added fun of implementing anti-anti-VM detection. You'll already need to look into implementing anti-anti-debugging, since your more sophisticated stuff will just outright kill the process if it detects a debugger.

Check out xylit0l's blog, and the KernelMode archive as well:
https://www.xylibox.com/
https://www.kernelmode.info/forum/v...4&sid=47e495d381c42ac9a467c91129c428b8#p33284

I linked to that thread because the old owner of KM made a really good point; independent malware analysis has become kind of a dead practice because every method used over the past ten years is essentially still used today. Everything your common cyber criminal is going to use has been reversed and analyzed to death. Ransomware is all you ever see anymore, anyway, and enterprise groups are already tackling the rare, interesting stuff. Though, it's never a bad idea to learn this stuff so you can carry the reversing and security knowledge to other avenues.


----------

