Anti Virus Community Creates False Positives For Fun and Profit

Update: Another example: http://www.sevenforums.com/music-pictures-video/39095-animated-gifs-windows-photo-viewer-5.html

I’ve always believed in fair use. And as such I often acquire the “warez” community versions of software I legally own because they often have abilities (such as portability) the “legitimate” versions lack. Considering I own the licenses to the relevant software I consider this to be squarely in the fair use category.

In doing this I have often encountered worms and other malware bundled with keygens. But after a while you get a feel for what is obviously fake and being used to spread bad code, and what looks like a false positive.

Well, I found a case in point: strong evidence that the commercial AV community is abusing our trust in order to police a corporate agenda.

If one runs “Office 2010 Toolkit and EZ-Activator”, MSE instantly balks, crying “severe threat”, and I couldn’t help but add in my mind “… to our pocket book.” Which of course is itself a fallacy. Piracy no more harms the software industry’s earnings than libraries and xerox machines destroy book sales. People who pirate do so because they are poor. Poor people aren’t buying software either way. People with money buy the software because it’s easier.

So anyway, I dug into the problem of false positives a little bit. I figured that if it’s a “severe threat” then I can find a record of exactly what it’s doing to my system, and in this case I could prove or disprove my hypothesis.

And check out what I found. First of all, here is the report from MSE (Microsoft Security Essentials).

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
file:C:\Windows\AutoKMS.exe

Get more information about this item online.

Yet when I scanned the same item with ClamWin (open source AV) I get the following…

Scan Started Mon Apr 04 13:27:38 2011
——————————————————————————-

———– SCAN SUMMARY ———–
Known viruses: 938128
Engine version: 0.97
Scanned directories: 0
Scanned files: 1
Infected files: 0

Data scanned: 1.36 MB
Data read: 0.62 MB (ratio 2.20:1)
Time: 3.827 sec (0 m 3 s)

————————————–
Completed
————————————–

So, either commercial AV software lies, or ClamWin sucks.

Here is the forum thread in which the authors of the toolkit comment on this very issue.

http://forums.mydigitallife.info/threads/18746-Office-2010-Toolkit-and-EZ-Activator./page97

Here is a pair of relevant comments from the linked thread, but I suggest reading the whole thing.

Hey Sherlock Holmes, CODYQX4 and I wrote the code of AutoKMS.exe and it’s NOT a virus, it’s not even close to being a trojan. The Keygen.exe (which is a different file) opens a port because it’s a KMS Server emulator; yes, Office needs to connect to a port on the KMS Server to activate.

Hope it’s clear

Later on…

Here’s what the Keygen.exe does.

(Log window showing the file’s activity.)

As you can see, the “Create File” operation is made only with read attributes, which means that the Keygen.exe is reading/using the file. There are also the TCP operations made in the activation attempt using the toolkit “Activate” function.

Here’s an xlsx file if you want to view it in excel as a table:
Keygen.exe Activity Report

I used process monitor, added the filters:
– “Process name” –> “Keygen.exe”
– “Operation” –> “CreateFile”, “TCP-” (all of the TCP operations available to filter)
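As an added example (not part of the original post, and not the toolkit authors’ spreadsheet), here is the same triage the forum comment did by eye, done over a Process Monitor CSV export: keep only one process’s CreateFile and TCP rows, split CreateFile into read-only versus write/create by parsing the “Desired Access” and “Disposition” fields out of the Detail column, and flag any TCP peer that is not the local host. The CSV lines are constructed to resemble a Procmon export; the Keygen.exe rows follow what the thread describes (read-only opens and KMS traffic on port 1688), while “unknown.exe”, its paths and the address 203.0.113.7 are hypothetical and exist only to show what a genuine finding looks like.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export (File > Save, CSV format).
# Keygen.exe rows mirror the forum comment (read-only opens, KMS traffic on
# port 1688). "unknown.exe" is a hypothetical control process added here so
# the output shows what a real write and an off-host connection look like.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:27:38.1000000 PM","Keygen.exe","4120","CreateFile","C:\Users\me\Desktop\Toolkit\Keygen.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"1:27:38.2000000 PM","Keygen.exe","4120","CreateFile","C:\Windows\System32\ws2_32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"1:27:39.0000000 PM","Keygen.exe","4120","TCP Accept","mybox:1688 -> mybox:52341","SUCCESS","Length: 0, mss: 65495, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 65536, rcvwinscale: 8, sndwinscale: 8, seqnum: 0, connid: 0"
"1:27:39.0500000 PM","Keygen.exe","4120","TCP Receive","mybox:1688 -> mybox:52341","SUCCESS","Length: 252, seqnum: 0, connid: 0"
"1:27:39.0600000 PM","Keygen.exe","4120","TCP Send","mybox:1688 -> mybox:52341","SUCCESS","Length: 312, startime: 1, endtime: 1, seqnum: 0, connid: 0"
"1:27:40.0000000 PM","unknown.exe","5008","CreateFile","C:\Windows\Tasks\update.job","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created"
"1:27:41.0000000 PM","unknown.exe","5008","TCP Connect","mybox:49200 -> 203.0.113.7:443","SUCCESS","Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 65536, rcvwinscale: 8, sndwinscale: 8, seqnum: 0, connid: 0"
'''

# Procmon's CreateFile Detail column always carries "Desired Access: ..., Disposition: ...";
# the lazy match stops at ", Disposition:" so nested commas in the access list are kept.
DESIRED_ACCESS = re.compile(r"Desired Access: (?P<access>.*?), Disposition: (?P<disp>\w+)")
# Access rights that let the caller change or remove the file rather than just read it.
WRITE_INTENT = re.compile(
    r"Generic Write|Generic All|Maximum Allowed|Write Data|Append Data|Write Attributes|Write EA|Delete",
    re.I,
)
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def triage(csv_text, process_name):
    """Summarise one process's CreateFile and TCP activity from a Procmon CSV export."""
    summary = {"reads": [], "writes": [], "tcp": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        op = row["Operation"]
        if op == "CreateFile":
            m = DESIRED_ACCESS.search(row["Detail"])
            if m is None:
                # Unparseable detail: count it as a write so nothing is silently discounted.
                summary["writes"].append((row["Path"], "<unparsed>", "<unparsed>"))
                continue
            access, disposition = m.group("access"), m.group("disp")
            # Any disposition other than Open creates, overwrites or truncates the file.
            if WRITE_INTENT.search(access) or disposition != "Open":
                summary["writes"].append((row["Path"], access, disposition))
            else:
                summary["reads"].append((row["Path"], access))
        elif op.startswith("TCP"):
            # Procmon renders the endpoints as "local:port -> remote:port".
            local, _, remote = row["Path"].partition(" -> ")
            summary["tcp"].append((op, local, remote, row["Result"]))
    return summary


def findings(summary):
    """Reduce a triage summary to the items a reviewer would actually chase."""
    out = []
    for path, access, disposition in summary["writes"]:
        where = "Windows directory" if path.lower().startswith("c:\\windows") else "file"
        out.append(f"write to {where}: {path} [{access}; {disposition}]")
    for op, local, remote, result in summary["tcp"]:
        local_host = local.rsplit(":", 1)[0].lower()
        remote_host = remote.rsplit(":", 1)[0].lower()
        if remote_host != local_host and remote_host not in LOOPBACK_HOSTS:
            out.append(f"{op} with off-host peer {remote} ({result})")
    return out


if __name__ == "__main__":
    for name in ("Keygen.exe", "unknown.exe"):
        s = triage(SAMPLE_PROCMON_CSV, name)
        print(f"{name}: {len(s['reads'])} read-only opens, {len(s['writes'])} writes, "
              f"{len(s['tcp'])} TCP events")
        for line in findings(s) or ["no findings"]:
            print("  -", line)
```

Run as-is it reports no findings for Keygen.exe and two for the hypothetical unknown.exe. Two checks worth keeping in mind when applying this to the case in the post: the MSE report names C:\Windows\AutoKMS.exe, while the thread’s trace covers Keygen.exe, which the toolkit author says is a different file, so testing the MSE report itself means running the same filter on AutoKMS.exe; and a Procmon filter on one process name hides anything done by a child process or by another process the binary injects into, so a trace showing only reads and loopback traffic is evidence about that one process, not a proof about the whole package.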

This is important because while the toolkit may be illegal (I believe it isn’t but that’s a fair use debate) it is NOT malware by definition.

It is not the AV community’s job to police the Internet for piracy. What’s next? False positives on downloaded mp3s?

Also consider that while a false positive might be in a sense harmless, a false negative would be far more dangerous.

Sony’s infamous rootkit taught us that The Company is more than happy to invade our systems and privacy to protect its profit margin. If the AV community has betrayed us on the issue of false positives, who’s to say they aren’t doing so for false negatives?

I think it’s clear that this seriously wounds trust for commercial antivirus software. When I run AV, I’m not scanning for contraband, I’m scanning for infection.

It would seem that even the commercial AV software, at least in the case of MSE, knows that false positives are common. It was trivially easy for me to “allow” this “threat” to persist on my system. Which raises the question: if they are so good, and these really are threats, then why isn’t allowing a threat more complicated?

And why is their language so ambivalent and cautious? (…programs that may compromise…) Smells like CYA to me.

If anyone has any more proof one way or the other, I would like to see it. If this activator is really dangerous then it undermines my point, not that it applies to me one way or another. But on the other hand, if there is some third party proof that the toolkit is not dangerous, then a wider investigation is warranted.

Author: Innomen

Writer. Philosopher. Nerd. If you want to know more, contact me. I don't know where it's getting that photo.

30 thoughts on “Anti Virus Community Creates False Positives For Fun and Profit”

  1. Well one good advice would be to always use well known and respected antimalware products.

    Dean, Antivirus Community

  2. Absolutely. But for me respect comes with evidence. And so long as an av product is closed source, I cannot respect them. Security by obscurity is always a mistake anyway, and other than profit, that’s the only other argument.

    The only possible way I could trust them is if they put a bounty on false positives and negatives. Say, $1000 per demonstrable instance verified by a third party. But even that’s not enough for me. I’ll always choose open source.

  3. When I try to uninstall the “Ask Toolbar” application, Windows prompted me whether to allow C:\Windows\Installer\4b2b74.msi to run, which does not exist in my file system. This seems to be a virus, but I don’t know how to remove it. Help.

  4. That’s subjective garbage. The entrenched (aka “respected”) products are the ones most likely to be afflicted with false negatives and positives which support the industries in question.

    The solution is to use open source products or open source operating
    systems entirely. Closed source is what creates the market for anti
    malware to begin with because the closed operating systems in question
    are in effect immunodeficient.

    Relying on a service that has a clear conflict of interest with regard to the eradication of online threats, to counter online threats, is about as absurd as asking the oil industry to handle alternative energy policy.

  5. Very nice and interesting article.
    I really enjoyed reading it.
    Software companies do anything to make more profit, even by lying.

  6. I’m glad you found it useful. Indeed, your comment is accurate. Broken intellectual property law has given rise to broken software “development.” Patent trolls and litigation wars are only the most obvious consequences. The more subtle and thus possibly more dangerous effects are expressed as a systemic “attitude” for lack of a better word, which leads to actions described above.

    The solution is simple, but not easy; Intelligent Intellectual property law reform. http://motherboard.tv/2011/4/25/lessig-copyright-isn-t-just-hurting-creativity-it-s-killing-science-video–2

    The software “pirates” are ignoring the law because it is broken and obviously corrupt. Anyone who knows anything about the subject and isn’t bought off has roughly the same opinion. Not to mention the millions who daily ignore it.

    It’s a bit like drug prohibition opinion. The crowd can be usefully divided into groups, the ignorant, the corrupt, and the reformers. You’re pretty much either being paid, being deceived, or being fleeced.

  7. I found myself last night watching a slew of recorded content while I spent the evening doing my quarterly system cleanup and re-organization, you know rid the documents you had good intentions of writing and never did, those documents cluttering the desktop that you promised yourself you would get to later and never did…BAM…up comes MSE with a severe threat warning and I thought that’s weird because I regularly scan not only my system but also my network drives.

    I have always given software, whether it be a video editing tool, a conversion tool or an OS, a test drive, and some software just does not offer it, and I have been burned in the past. I’m not willing to have my converted audio have an “audiomark” or my video or images have a permanent “watermark”, so yes, I too utilize “preview” versions; however I end up buying the software or donating if the software meets my needs.

    So back to the BAM, it’s identified a KeyGen as the problem, ok possibly but then I thought I should check some others and sure enough same or similar threat warnings. So I quarantined and deleted the folders as I already have the software with key, but then I thought well hold up here how convenient the MSE has identified a keygen app as problematic.  Not saying it is not possible but what  is the likelihood that 3 different AV and malware detectors miss it?  So each family members computer runs a different AV product and  malware and I have the drives shared so that overnight when the scans are performed I get a once over from a different set of eyes in the hope that if one misses the other or the other will get it.

    I definitely don’t appreciate this if it is a scare tactic, and like this discussion has unveiled, it appears to be just that. When it comes to software and paying for it I have no issues with that; however I do have issues if I have to pay 700 dollars to use Word as part of a suite, and you know what, I won’t. Most of the world’s population cannot afford 700 dollars, most cannot afford it at all, and yes the developers who put their blood, sweat and tears into the development of the software should be paid and paid fairly; however I beg to ask the question, should I be paying for their high end cars, homes and lavish lifestyle? That’s another argument.

    I have some tests planned about these keygens if I can find any, what if I just create a “keygen.exe” file empty…this should be interesting.

    Great read…cheers.

  8. That’s interesting, looking for a way to trigger it. I always assumed it was a master list of keygens, I expect them to see slots on such a list under the table to companies irrationally terrified of piracy, but it could of course be procedural as you suggest.

    If we can find a provable reproducible false positive heuristic attempting to police pirated software by deception, as I believe they do, I think the online community would like to hear about it.

    Thanx robbied, please do comment back here about your results.

  9. This is true. Create a keygen that does nothing but pick a random key from a preset list, and nothing else, and report it to an antivirus company for scanning; they will report that it is a virus and tell you to remove it.

    I know this as a friend of mine made a simple keygen that just picks 1 key from a built-in list of 50.
    Although he is a friend, I still don’t trust it, and after no virus programs picked it up, I sent it to Norton Internet Security for scanning.

    I got an email saying it was a Trojan and telling me to remove it. I kept it and instead just asked my friend to send me one key instead…

    A week or two later, Norton updates and finds it as a Trojan, with no option to allow it…
    I instantly assumed it was a virus and removed it, and told my friend that the antivirus program had found it to be a virus. He insisted it was not and sent me the source…

    The source was clean, so I compiled it just to see if he had removed something; while trying to compile, Norton said it was a Trojan and automatically removed it.

    So, a keygen that I had seen the source for, and which was clean, was removed. The only thing I could think of was, “because it was a keygen”.
    Hope this helps.

    Oh, and I like how they block you from getting a keygen, but when your license runs out, they will more than happily place a virus on the computer it is installed on (or, after 1 week of no activation, it at least says I’m infected and that I must rebuy/upgrade to the newest version).

    If that is not proof, I don’t know what is.

  10. Could you email me the keygen your friend made, the source, and a brief run down of the process you or he used to compile it? Also what Norton product and version exactly produces the false positive and would it be possible to get some screen caps?
    If you can prove a false positive that’s news. Further, if we can document the process of it happening again, duplicate the whole cycle that proves corruption. That’s even bigger news. Whats next? Illegal mp3s being flagged as infected? Wikileak documents? We’re talking about a shadow version of the anti piracy acts here.

    Now is absolutely the time to bust them if possible.

  11. Nice work man!! My Comodo AV + windows defender almost scared me to death over this one.

  12. Brandon, you’re a fucking thief, you just don’t have the honesty and self-reflective ability to admit it. I am an honest thief – I am not poor, but I steal software and music and movies anyway – and there are MILLIONS of us who do it. We are lazy cheap assholes and scofflaws and so are you – you just have this pathetic transparent wall of self-deception and self-justification and childish parroted excuses built up around your thievery. PATHETIC!

  13. Guys. It is a bitcoin miner. End of discussion. This can be made by Microsoft themselves to buy bitcoin on non-legit computers.

  14. I see no evidence of it being a miner. But that’s an interesting idea for a business model. Pay for software with spare cpu cycles while it’s running. Like say 10% of the demand of the app is devoted as compensation to the authors.

    That’s actually brilliant.

  15. I have the evidence, since I removed hundreds of installations of this virus or whatever we can call it. A bitcoin miner is not detected as a virus by most antivirus, except some companies changing the name of the pattern to hide what it is in reality and claiming it is a minor trojan LOL.
    The only antivirus that names it correctly is VirusTotal, and the only one able to remove it, at least from what I can see in some situations, is Malwarebytes Anti-Malware. The antivirus removes it on restart if detected in the process before. If not, forget it. The miner restarts at each reboot until detected.

  16. I suggest you do a YouTube video showing your evidence and linking the video here. I’ll review it and moderate accordingly.

    I never heard of anyone saying they saw a cpu hit at all, let alone anything as demanding as a miner.

    I think it’s more likely that this app you’ve mentioned has a broken heuristic detection system.

    It’s a moot point by now surely anyway. Both “legitimate” users and pirates have moved on to later versions of everything. This is a rather old post after all.

    Not to mention that bitcoin mining is now essentially the exclusive purview of server farms.

  17. Well you shouldn’t use this “toolkit…” in the first place, ALTHOUGH IT IS NOT THE RESPONSIBILITY FOR AVS TO FLAG IT. If Microsoft gave 2 shits they would block this crap or patch their activation system.

  18. They can’t risk alienating legitimate users. Plus they know the truth, that no actual loss is incurred due to piracy.

    Their participation in anti piracy efforts has an entirely different audience and objective. It’s essentially about creating an impression of value so their real customers can be charged more.

  19. That makes me dream about flooding the internet with millions of different fake keygen.exe files compiled with inoffensive code, just for my amusement in seeing the virus knowledge base growing by 200% overnight, counter-productively.
    But that’s just a fantasy. I’m not competent to do that. I think AV companies are wrong though. Terribly wrong.

  20. I think it would actually be super super easy. Far easier than making actual keygens or malware obviously.

    You could use auto hotkey scripts and compile them as exe files.

    It would essentially be nothing but a hello world message with a bit of formatting.

    http://ahkscript.org/docs/commands/MsgBox.htm

    Now is the time. You could make a billion different windows 10 install key gens.

    I am 100% positive everywhere you upload them would complain just from the file name.

    Win10keygen.exe 😛

    We wouldn’t need AV companies if we had real IPL reform.

    Pay for coding should come at an hourly rate or contractual, and be funded by the utility of the code itself.

    Released code should be treated legally exactly like how we handle recipes.

  21. Why don’t people upload and share source code and debugging documentation to prove false positives manufactured by antivirus and software security corporations?

  22. Blaming IP laws as the motive for piracy? That’s hilarious. The person who can’t afford $700 for Word? Good news, it isn’t $700.. but if you can’t afford to pay for software, the answer is not to pirate a copy. Go use Libre office. At least the original poster claims to own the licenses for the cracked wares.

    Praising open source while pirating copyrighted work seems counterproductive if not hypocritical.

    Copyright laws are a ridiculous mess and our courts are still fifty years behind technology, but cracking ain’t rebelling. Everyone rationalizes, but if you work at a company that makes money from a product they themselves haven’t paid for, it’s theft. Personal use.. well, if you want to be somewhat unethical on your own time, that’s on you.

    Disclaimer: career IT person who has seen too many fly-by-night sysadmins willing to use keygens on a corporate network, when they own the license, out of sheer laziness rather than lack of ethics.

  23. Imo libre office is intentionally made to be garbage. It’s maintained by IT people who have day jobs in the industry. Open source work generally is resume building most of the time. When it isn’t a quest for the next patented version of the vowels.

    Open source can’t reach its optimum so long as everyone is trying to patent everything or get a job at Google. It’s a goddamn miracle firefox exists.

    Open source operating systems for example make no substantive effort to compete with windows. For two reasons, petty ego and job security.

    In any case, ignoring an unethical law isn’t just permissible, it’s morally urgent. (“Just doing my job” and “I didn’t make the rules” have become American versions of “I was just following orders.”) As for company vs people, it depends on how they treat their employees and how desperate I am to keep my job.

    If losing my job means I’m homeless in a month and the boss wants a document made in word, I’m pirating word. End of discussion. “Go learn something else” is the kind of thing someone with no concept of their own privilege says.

    It’s a goddamn slog for some people to learn new things and every moment spent on anything has an opportunity cost.

    Basically society currently is a right wing exploitative shithole, and so long as that’s the case people are justified in doing pretty much whatever they have to economically survive, so long as their victims are higher up the economic food chain than they are.

    Another point though is simply logic and fair use. Virtually all of us own several licenses by any legitimate definition by virtue of having owned several computers over our lifetime. Things I own I should be allowed to resell. It is only technological fiat and legislative perversion and mental gymnastics that make it even possible to “license” a string of numbers.

    So if I’ve owned 15 copies of Windows in my life, let’s just pretend I converted one to an Office license. Software should be public domain 10 years after release anyway. The sunk cost fallacy is not a legitimate business model to anyone objective, informed, and sane.

  24. Look. Micro$oft is trying to protect their business interests. I get that. This is a game. And Micro$oft is playing to win. Hence, Defender flags apps that are known exploits which allow people to “register” their products. Does that really surprise anyone?

    Also, in all fairness, I have noticed that Defender flags KMS emulators (such as KMSpico) as ‘hacktool’ and as a ‘potentially unwanted program’. Fair enough. KMS emulators are in point of fact both of those things. True, the mere appearance of an alert is enough to scare off the uninitiated. But as I said, it’s a game and Micro$oft is a player.

    As a side note, people who want to use KMS emulators need to be sure they get them from a legit source. The blackhats are aware of all of this and have repackaged fake versions of the hacks which ARE malware/trojans. Let the non-buyer beware.

  25. But that’s the whole problem when the apps we trust to tell us what are pathogens lie for profit. That’s one less tool we have available to help us determine what a legit source even is.

    https://en.wikipedia.org/wiki/Principal–agent_problem

    As annoying as a false positive is, a false negative is even worse. Pretty obviously none of these apps spotted the CIA’s recently exposed hack tools. Real protection is more and more a myth. And that’s the price we pay for permitting intellectual property law to even exist.
