Malware targets bargain hunters

They say the best things in life are free. There's another saying about when stealing, you get what you deserve. When it comes to software, that's more than what you bargained for. Or so claims Microsoft, which warns malware writers increasingly exploit people's desire to get for free something they should pay for.

Yesterday, the Redmond, Wash.-based company released its first-half 2012 "Security Intelligence Report" -- 134 pages for your reading pleasure. Today, Microsoft's Joe Blackbird highlights one of this volume's findings: bargain-hunting exploits for movies, music and software.

Microsoft identifies three trends, none new but all increasing:

• Free or fake software or content loaded with malware
• Activation key generators used to steal content
• Poisoned search engine results

"The typical situation starts with users looking for some software or media such as movies or music for free, or for a reduced price", Blackbird explains. "They surf the web looking for the file and perhaps also a crack or license key generator (Keygen) so that they don't have to purchase it. This is where the malware distributors step in and attempt to get between these users and the software or media that they are looking for".

In the first scenario, users download what they think is legit software that contains malware. For example, colleague Mihaita Bamburic identifies an exploit using a fake game from Google's Chrome Web Store. Users may also download what they think is legit software that has been cracked, meaning activation thwarted, but also is loaded with malware.

The second scenario probably applies to more than a few BetaNews readers. Surely some of you use key generations to activate software or access content you didn't pay for. Microsoft specifically highlights Win32/Keygen, which technically isn't malicious but often leads to malware.

Tim Rains, director of Microsoft Trustworthy Computing, explains: "In the first six months of 2012, the threat family Win32/Keygen, representing software activation key generators, was detected nearly five million times. Keygen detections have increased by a factor of 26 since the first half of 2010 and today Keygen is the number one consumer threat family worldwide, rising above other prevalent threat families like Pornpop, Blacole, Conficker and FakePAV".

The bigger problem: "More than 76 percent -- that’s approximately 3.8 million of the 5 million aforementioned Keygen detections -- of computers reporting Keygen detections in the first half of 2012 also reported detections of other malware families". China's rate is highest, by far. But the chart above also shows surprisingly high Keygen infection rate in the United States.

Of course, Microsoft's calling out this problem is self-interested, since key generators are used to pirate its software. But there's another area of self-interest, regarding the third scenario: Searching for bargains, free software or key generators.

"In that method of infection, malware distributors hide exploits in webpages that attempt to take advantage of unpatched software vulnerabilities to compromise these bargain hunter's computers", Blackbird says. "In other words, it's not just downloading license key generators, cracked software or free media files that expose users to malware; the act of visiting web pages of unknown origin, claiming to provide this type of free software download, is risky activity".

He observes the use of Blackhole to poison searched pages with malware. Interestingly, and coincidentally, Sophos warns that Bing searches are highly susceptible to Blackhole poisoning, particularly images. Based on a field test: 65 percent, compared to 30 percent for Google.

Credits: maraga/Shutterstock (photo); Microsoft (chart)