Are Keygens Viruses? How to tell if they are?

  • Thread starter Deleted User
  • Start date
  • Views 36,430
  • Replies 22
  • Likes 1

jeffyTheHomebrewer

Well, firstly, make sure the VM can't access the network at all before you run the keygen on the VM. Then, once you've confirmed the VM doesn't have ANY network access, run the keygen as the keygen maker instructs, then wait and see for anything kinda sussy, like system files being missing or corrupt (e.g. system programs like Notepad in the VM not opening, the VM not booting properly, bluescreens, etc.). Still, be as careful as possible.
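As an added example (not from the post above, and not a feature of any VM product it refers to): a Python script that takes a SHA-256 baseline of a directory tree inside the VM before the keygen runs and diffs it afterwards, so "system files missing or corrupt" becomes a concrete list of paths instead of a hunch. The directory layout, file names and the tampering it simulates in `demo()` are constructed for the demo; in practice you would point `snapshot()` at the VM's `C:\Windows\System32` and save the baseline to disk before running anything. The `network_is_isolated()` helper is an assumption-based sanity check for the "no network" step: it tries a DNS lookup and a raw TCP connect and reports isolated only if both fail.

```python
"""Baseline-and-diff a directory tree around the execution of an untrusted binary.

Added example for the keygen-in-a-VM procedure; hypothetical helper, not part of
any VM or sandbox product."""
import hashlib
import os
import socket
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: sha256 hex digest} for every regular file under root."""
    baseline = {}
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            h = hashlib.sha256()
            try:
                with open(p, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 20), b""):
                        h.update(chunk)
            except OSError:
                continue  # locked or unreadable file; skip rather than abort the scan
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            baseline[rel] = h.hexdigest()
    return baseline


def diff_snapshots(before, after):
    """Classify every path as missing, modified or new relative to the baseline."""
    return {
        "missing": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "new": sorted(set(after) - set(before)),
    }


def network_is_isolated(timeout=3.0):
    """Sanity check for the 'no network' step: a DNS lookup and a direct TCP
    connect must both fail. Host and resolver are arbitrary example targets."""
    try:
        socket.gethostbyname("example.com")
        return False
    except OSError:
        pass
    try:
        with socket.create_connection(("1.1.1.1", 53), timeout=timeout):
            return False
    except OSError:
        return True


def demo():
    """Constructed sample tree standing in for e.g. System32 inside the VM."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "drivers" / "etc").mkdir(parents=True)
        (root / "drivers" / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        before = snapshot(root)
        # Simulate what a bad keygen might do: corrupt a system binary,
        # delete the hosts file, and drop a new executable.
        (root / "notepad.exe").write_bytes(b"garbage")
        (root / "drivers" / "etc" / "hosts").unlink()
        (root / "svchost32.exe").write_bytes(b"MZ" + b"\x00" * 64)
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Save the `before` dict to a file outside the VM (shared folder, then disconnect it) before running the sample; a baseline kept on the guest can be tampered with by the same binary you are watching.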
 

notimp

After rereading this thread, I actually got curious about vectors. Why, besides for the lolz, would you infect machines via cracks these days?

Does anyone have insight? Let's say you stick to scene release channels, where people actively look out for warez. You can't use encryption/extortion scamming, you can't slow down systems too much, or people would notice, get you blacklisted from the channel and so on and so forth.

So why would you infect systems 'low key' except for thrills?

How are botnets doing that were created via that vector today? Does anyone know? Or are all of them mostly IoT device takeovers these days?

How about view scamming? (Ads or paid likes.)

Can anyone gauge the economics these days? Is it still worthwhile to create botnets for those purposes?

I'm sure much of it is "risk/reward" and if you do it low-key enough it has staying power, but -- any educated guesses?

Any usage scenarios I'm missing? I'm mostly asking why you'd infect someone actively seeking out cracks these days, basically.

edit: Nevermind, got my answer.. :)

https://www.securityweek.com/microsoft-cracks-infrastructure-infamous-necurs-botnet
 
Last edited by notimp,

Joom

> Well, it's not quite a year this time, but I just found this thread through a search and I have learned a lot from it. Thanks everyone for the very insightful and helpful answers.
>
> I am wondering though if you or anyone has any advice on how to go about this kind of 'heuristics sleuthing', or the best way to educate myself about how to detect malicious binaries or other nasty surprises. I've started looking into hybrid analysis and the methods it uses to detect malware. If you have any other advice or sources to recommend, it would be greatly appreciated. I don't have an especially strong background in these technical issues and computer security, but I'm trying to teach myself enough to keep my PC safe.
>
> Edit: To be a bit more specific, I would like to try running a suspicious .exe in a VM or, more likely, Sandboxie. What should I be on the lookout for after opening it?
If you're technically inclined, you can check out Cuckoo. Some assembly, and a Linux distro of your choice, is required.
https://github.com/cuckoosandbox/cuckoo

If you want to operate within a Windows environment, I recommend PE Explorer, Resource Hacker, OllyDbg, a verbose firewall of some kind, and Sandboxie. Deep Freeze and a spare PC are also highly recommended. Of course, you can avoid this last recommendation with a VM, but that comes with the added fun of implementing anti-anti-VM detection. You'll already need to look into implementing anti-anti-debugging, since your more sophisticated stuff will just outright kill the process if it detects a debugger.

Check out xylit0l's blog, and the KernelMode archive as well:
https://www.xylibox.com/
https://www.kernelmode.info/forum/v...4&sid=47e495d381c42ac9a467c91129c428b8#p33284

I linked to that thread because the old owner of KM made a really good point; independent malware analysis has become kind of a dead practice because every method used over the past ten years is essentially still used today. Everything your common cyber criminal is going to use has been reversed and analyzed to death. Ransomware is all you ever see anymore, anyway, and enterprise groups are already tackling the rare, interesting stuff. Though, it's never a bad idea to learn this stuff so you can carry the reversing and security knowledge to other avenues.
 
Last edited by Joom,
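Added example, not part of Joom's post and not output from any of the tools he names: a pure-Python string triage that does the first thing you would do with PE Explorer or `strings` on a sample, namely pull ASCII and UTF-16LE strings and flag imports and artifacts tied to anti-debugging, VM/sandbox detection, persistence and networking (the "anti-anti-debugging" and "anti-anti-VM" problem, seen from the static side). The indicator lists and the `SAMPLE` bytes are constructed for the demo and deliberately short; a real list would be longer, and every API in it also shows up in legitimate software, so a hit is a reason to look closer, not a verdict.

```python
"""Static string triage of a suspicious binary for evasion and capability indicators.

Added example; hypothetical helper, not Cuckoo, PE Explorer or Sandboxie output."""
import re

# Constructed, deliberately short indicator lists, grouped by what they suggest.
INDICATORS = {
    "anti-debug": [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
                   b"NtQueryInformationProcess", b"OutputDebugString"],
    "anti-vm": [b"VBoxService", b"vmtoolsd", b"VMware", b"VirtualBox", b"QEMU",
                b"SbieDll.dll"],  # SbieDll.dll is the DLL Sandboxie injects
    "persistence": [b"CurrentVersion\\Run", b"schtasks", b"CreateServiceA",
                    b"CreateServiceW"],
    "network": [b"InternetOpenUrl", b"WinHttpOpen", b"URLDownloadToFile",
                b"WSAStartup"],
    "self-defence": [b"taskkill", b"netsh advfirewall"],
}

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")            # printable runs, 6+ chars
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")     # UTF-16LE runs, 6+ chars


def extract_strings(data):
    """Return ASCII strings plus UTF-16LE strings collapsed to their ASCII bytes."""
    ascii_strs = ASCII_RE.findall(data)
    wide_strs = [m.replace(b"\x00", b"") for m in WIDE_RE.findall(data)]
    return ascii_strs + wide_strs


def triage(data):
    """Map each indicator category to the sorted list of needles found in data."""
    strings = extract_strings(data)
    found = {}
    for category, needles in INDICATORS.items():
        hits = sorted({n.decode() for n in needles if any(n in s for s in strings)})
        if hits:
            found[category] = hits
    return found


def triage_file(path):
    with open(path, "rb") as f:
        return triage(f.read())


def verdict(found):
    """Heuristic only: evasion plus an active capability earns a closer look."""
    cats = set(found)
    evasive = bool({"anti-debug", "anti-vm"} & cats)
    active = bool({"persistence", "network", "self-defence"} & cats)
    if evasive and active:
        return "suspicious"
    if evasive or active:
        return "needs review"
    return "no static indicators"


# Constructed stand-in for a binary's import names and embedded strings.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"kernel32.dll\x00IsDebuggerPresent\x00CreateFileA\x00"
    + "VBoxService.exe".encode("utf-16le") + b"\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"URLDownloadToFileA\x00"
)

if __name__ == "__main__":
    hits = triage(SAMPLE)
    for category, names in hits.items():
        print(f"{category:12s} {names}")
    print("verdict:", verdict(hits))
```

A packed or obfuscated sample will come back nearly empty here, which is itself a signal and is exactly why the dynamic side in the post (Sandboxie, Cuckoo, a verbose firewall) still matters: the strings only exist in memory after unpacking.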