Microsoft heavy handed?

  • Thread starter: Des
Many people would rather not run Security Center,

I've been in exactly this situation.

I've got a machine that I'm reasonably sure would fail the WGA check. I
also was in the habit of exclusively using WU and have hardly ever even
looked at the Security Center interface. I always say no to WGA.

But then a week ago I was being stonewalled by WU. First I had to
download a new ActiveX component. Then, all it would show me was the
WGA and would show me nothing else until or unless I downloaded the WGA
first. Screw that.

So then I went to Security center and set it to "notify-only", and it
showed me a list of what I needed and in that list was WGA, so I
downloaded everything EXCEPT the WGA. Then I turned Security Center
back to totally off, and I'll go back to using it the next time I want
to check for updates.

So after that experience I'm saying that if you don't want to be forced
into running WGA then the security center is the way to do it if WU is
forcing WGA at you.
Not this one.

It totally is.

But that's not the point.

If you're using a black key, and you KNOW it's a black key, then what
the hell are you doing running WGA? Aren't you smart enough to know
that running WGA is going to **** you up?

Why risk infecting yourself with one of these cracks, when the safe way
to get your updates is with Security Center set to manual control.

Running WGA just to invalidate yourself just so you can go out and run
the crack to "fix" it is a moronic thing to do.
 
Many people would rather not run Security Center, and/or waste
time checking every MS update to see if it's "the one". And in any
event, it's just a matter of time until Steve Ballmer's butt cheeks
squeeze together so tightly that WGA is mandatory to receive
any updates. So buy a copy of XP and crack it. MS wins, and
you win.

If you use security center to notify only, then you can decide which
updates you want/need. Those you don't need, just remove the tick and
you will then be asked if you don't want to download that particular
update in the future. If you say you don't then you won't receive
notification of that update anymore. Job done. Can't see that as an
issue.
 
PC Guy said:
It totally is.

Look, we can debate the morality of cracks all day long, but
misinformation is just misinformation. This crack passed three
different virus scanners on my system, and my system still tests
clean after applying it.
 
Look, we can debate the morality of cracks all day long,

I am not debating the morality of cracks. I totally 100% support cracks
for Microsoft products, because Microsoft is itself a criminal
organization.
but misinformation is just misinformation. This crack passed
three different virus scanners on my system, and my system
still tests clean after applying it.

Go and submit the crack to Virus Total. It will be scanned against 40
different anti-virus programs. You will see that it will fail against
some of them.

Like most software cracks, it can take weeks or months before a crack is
discovered by the major AV vendors to be viral. Examining cracks for
malware is not high on their priority list.

Ask yourself why these cracks are packaged as self-unpacking
executables that can't be extracted manually by WinZip or WinRAR.
The answer is because the author does not want the end-user to be able
to unpack the archive himself. Also ask yourself why the authors use
UPX or Yoda's crypter to pack them.
 
PC Guy said:
I am not debating the morality of cracks. I totally 100% support cracks
for Microsoft products, because Microsoft is itself a criminal
organization.


Go and submit the crack to Virus Total. It will be scanned against 40
different anti-virus programs. You will see that it will fail against
some of them.

It fails against scanners that automatically flag all cracks, regardless
of whether they're infected. If you don't believe that, try getting
specific information about any "virus" these scanners find. You
won't, because the positive results are intentionally false.
Like most software cracks, it can take weeks or months before a crack is
discovered by the major AV vendors to be viral. Examining cracks for
malware is not high on their priority list.

Ask yourself why these cracks are packaged as self-unpacking
executables that can't be extracted manually by WinZip or WinRAR.
The answer is because the author does not want the end-user to be able
to unpack the archive himself. Also ask yourself why the authors use
UPX or Yoda's crypter to pack them.

You're wrong on that front, too. This crack is compressed in standard
.RAR format, and is as previewable as any other RAR file.
 
It fails against scanners that automatically flag all cracks,
regardless of whether they're infected.

And just how is an AV scanner supposed to know that a given file is a
crack? If I rename the file and remove the word "crack" from the name,
then how does an AV scanner know the program is still a crack?
You're wrong on that front, too. This crack is compressed in
standard .RAR format, and is as previewable as any other RAR
file.

Yes, this time it can be unpacked, and this time it wasn't packed with a
crypter. But it has in the past.

Of the 4 files in the archive, one of them (WGASetup.exe) is being
flagged by 12 AV programs mostly as containing a trojan-dropper. See
for yourself:

http://www.virustotal.com/analisis/b6d7c00b495cd5cb6d2dfc4784641132
 
PC Guy said:
And just how is an AV scanner supposed to know that a given file is a
crack? If I rename the file and remove the word "crack" from the name,
then how does an AV scanner know the program is still a crack?

The easiest way is by filename, although other more complicated
ways are used. Look at the file list in the crack.
Yes, this time it can be unpacked, and this time it wasn't packed with a
crypter. But it has in the past.

Of the 4 files in the archive, one of them (WGASetup.exe) is being
flagged by 12 AV programs mostly as containing a trojan-dropper. See
for yourself:

http://www.virustotal.com/analisis/b6d7c00b495cd5cb6d2dfc4784641132

Again, try and get any specific information on any of the listed "viruses".
Just one. You won't be able to, for reasons I explained earlier. If you
are able, I'd be most interested in seeing it.
 
Again, try and get any specific information on any of the listed
"viruses". Just one.
WGASetup.exe

Troj.Dropper.W32.Agent.akwk

Trojan-Dropper.Agent!IK

http://www.viruslist.com/en/viruses/encyclopedia?virusid=77851

You won't be able to, for reasons I explained earlier. If you
are able, I'd be most interested in seeing it.

Just wait a few months, and submit the file again, and I'm sure you'll
see more AV packages detect it.

And SupremoPhantom doesn't answer the question on his blog as to why he
doesn't just use a batch file or just give text instructions on what
files need to be replaced, moved around, etc. No need to use an .exe
file for that.

And I still don't know why people seem to just blindly go and download
WGA from Micro$oft, even when they seem to be regular users of these
patches.

And by the way, WGASetup.exe is packed using UPX 2.93. Absolutely no
reason for that.
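One cheap way to check a claim like "packed with UPX" before deciding whether to trust a file, added here as an example and not taken from the thread: a stock UPX build renames a binary's sections to UPX0/UPX1, so listing the PE section names is a reasonable first triage step. The byte strings the script runs on are built in memory for the demo (the `build_fake_pe` helper is a constructed stand-in); a real check would read the file with `Path(...).read_bytes()`. A matching name is only a hint, since section names are trivially renamed, so treat it as a reason to sandbox the file, not as proof either way.

```python
"""Quick packer triage: does a PE image carry UPX-style section names?

Added example, not from the thread. Parses only the DOS header, the COFF
file header and the section table; no optional-header fields are needed.
"""
import struct

# Section names a stock UPX build leaves behind.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def section_names(data):
    """Return the section names of a PE image held in bytes (no file I/O)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]  # 40-byte section header, 8-byte name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0])
    return names


def looks_upx_packed(data):
    """True when any section name matches the UPX naming convention."""
    return any(name in UPX_SECTION_NAMES for name in section_names(data))


def build_fake_pe(names):
    """Construct a minimal PE-shaped byte string with the given section names (demo only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0  # no optional header needed for this parser
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    for sample in ([b"UPX0", b"UPX1", b".rsrc"], [b".text", b".rdata", b".rsrc"]):
        image = build_fake_pe(sample)
        print(section_names(image), "-> UPX-like:", looks_upx_packed(image))
```

For a file on disk, pass `Path("suspect.exe").read_bytes()` to `looks_upx_packed`; unpacking with UPX's own `-d` switch and re-scanning is the natural next step when it fires, and a binary that refuses to unpack cleanly is itself worth noting.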
 
PC Guy said:
WGASetup.exe

Troj.Dropper.W32.Agent.akwk

Trojan-Dropper.Agent!IK

http://www.viruslist.com/en/viruses/encyclopedia?virusid=77851

Ok, so let's take a look:
http://supremophantom.blogspot.com/2009/03/latest-release-wga-with.html

"To all the users reporting that their Anti-Virus is reporting infection
in the file, I have mentioned before as well that various AV WILL
detect such products as virus coz we are trying to crack the normal
functionality of a windows process. Rest assured, the contents are
100% virus-free. You can safely disable your AV, and install this
crack and then re-enable your AV."
Just wait a few months, and submit the file again, and I'm sure you'll
see more AV packages detect it.

I'm sure, too. Especially if MS doesn't figure out a way to detect
this crack.. :-D
And SupremoPhantom doesn't answer the question on his blog as to why he
doesn't just use a batch file or just give text instructions on what
files need to be replaced, moved around, etc. No need to use an .exe
file for that.

He does answer that question -- explicitly:

"FYI, I have mentioned earlier that the file may be flagged as a virus
because of the automated installer included, or bcoz of the packer
used to encrypt the code as some rippers were stealing my work.
So, for the last time, please do not test my patience by posting
about these fake virus alerts."
 

Why there?

What do you think that link will tell you about Trojan-Dropper.Agent!IK?
"To all the users reporting that their Anti-Virus is reporting
infection in the file, I have mentioned before as well that
various AV WILL detect such products as virus coz we are trying
to crack the normal functionality of a windows process.

AV programs will give another type of warning when the code is doing
questionable things. It's called greyware, or riskware. They will even
call it "Something.not-a-virus.something-else".

If they think it's a trojan dropper, it probably is.
He does answer that question -- explicitly:

"FYI, I have mentioned earlier that the file may be flagged as a
virus because of the automated installer included, or bcoz of the
packer used to encrypt the code as some rippers were stealing my
work. So, for the last time, please do not test my patience by
posting about these fake virus alerts."

What a joke.

"as some rippers were stealing my work".

What a lame and bogus reason for using a packer.
 
PC Guy said:
Why there?

What do you think that link will tell you about Trojan-Dropper.Agent!IK?


AV programs will give another type of warning when the code is doing
questionable things. It's called greyware, or riskware. They will even
call it "Something.not-a-virus.something-else".

If they think it's a trojan dropper, it probably is.


What a joke.

"as some rippers were stealing my work".

What a lame and bogus reason for using a packer.

The bottom line is, WGASetup.exe is required simply to install
this crack, and it can be deleted once the crack is applied. And
again, my system tests clear of any malware (using Avira, AVG
and McAfee) after installation of this crack. I'll continue to scan
my system in the coming weeks and months to see if anything
pops up.
 
WGASetup.exe

Troj.Dropper.W32.Agent.akwk

Trojan-Dropper.Agent!IK
If you want proof, use the crack in a VM and compare the system before
and after. I work for a software company and we do evaluate
cracks/keygens that modify our software when we find them, they
typically set off our local AV software.

I've gone as far as to confirm that the hard drive is not modified in
any manner at all by one of those tools, all it does is generate a key
and display it on screen.

*shrugs*

I'm not saying that all cracks are safe, far from it, but the specific
cases where I've had experience have been safe, yet were still reported
as suspicious with ominous sounding phrases like "TrojanDropper"
 
Go and submit the crack to Virus Total. It will be scanned against 40
different anti-virus programs. You will see that it will fail against
some of them.

Yes, and?

Back in the 90s I wrote a little port scanner in Visual Basic, just a
quick and dirty junker that would connect to every host in a specified
range on a specified port, look for a greeting string and report which
hosts answer, and of those, which match the string.

I then posted it publicly to help someone out in a relatively specific
task. Skip ahead a couple years, this EXE and source code is still out
on my file server somewhere and I get an email from someone who found it
from an archive of the discussion back in the 90s but their AV software
trips on my little program.

It was listed on several AV packages as a hacker tool or similar.

Since I wrote it and the source was trivially stupidly simple I can
guarantee that there is no virus.

A year or two after that I learned that one of its sister tools, a port
flooder, was also listed for similar reasons. Again, the tool does
nothing malicious to the system it's running on, its entire purpose was
just to create a large number of connections to a remote system and
report when the greeting changed.

Most other small port scanner and port flooder tools are similarly
blacklisted despite the fact that they have no negative impact on the
system they're running on and do nothing that isn't perfectly clearly
documented (as far as I'm concerned, nothing should be in an AV
definition set that doesn't meet both of those criteria -- Even if it's
malicious, if it does what it claims to do, that's not a virus or even a
trojan)
Like most software cracks, it can take weeks or months before a crack is
discovered by the major AV vendors to be viral. Examining cracks for
malware are not high on their priority list.

With all due respect, yes this is on the priority list.

1) Daddy buys big AV product.
2) Kiddo downloads cracked software, infects machine.
3) Daddy (paying customer) gets angry at AV vendor for not protecting
the system.

Daddy won't accept "well your kid shouldn't be doing that", AV software
targets those who don't have the technical knowledge to know what
they're doing.
 
DevilsPGD said:
If you want proof, use the crack in a VM and compare the system before
and after. I work for a software company and we do evaluate
cracks/keygens that modify our software when we find them, they
typically set off our local AV software.

I've gone as far as to confirm that the hard drive is not modified in
any manner at all by one of those tools, all it does is generate a key
and display it on screen.

*shrugs*

I'm not saying that all cracks are safe, far from it, but the specific
cases where I've had experience have been safe, yet were still reported
as suspicious with ominous sounding phrases like "TrojanDropper"

The trick is to try and find *specific* info on any "viruses" detected.
Years ago software developers discovered something like 4 out of
5 computer users will blindly delete cracks, keygens and anything
else their AV software claims is infected, without doing any further
research. This was music to the ears of companies like MS and
Adobe, and shortly thereafter we began seeing these generic and
utterly fake virus "detections".
 
DevilsPGD said:
How so? Cracking software is a very competitive field and the
various crackers / groups defend their territory aggressively.

Any cracker can add a text file to his crack where he takes ownership of
his work. Other crackers can read that file and know who did the
crack. The only people that need to know who made the crack are other
crackers.

The general public that stumbles upon the crack and downloads/uses it
could care less who made the crack.

That's why using something like yoda's crypter or UPX doesn't make sense
to "protect" the payload from being copied by other hackers. If it's a
game to them, if it's about who came up with what hack and about
bragging, then copying the hack is lame and not part of their game.
 
DevilsPGD said:
I've gone as far as to confirm that the hard drive is not modified
in any manner at all by one of those tools, all it does is generate
a key and display it on screen.

We're not talking about a keygen here.

The WGA stuff is supposed to modify the hard drive.

Now tell us how you determine if the modifications are legit, or
malicious.
 
DevilsPGD said:
With all due respect, yes this is on the priority list.

1) Daddy buys big AV product.
2) Kiddo downloads cracked software, infects machine.
3) Daddy (paying customer) gets angry at AV vendor for
not protecting the system.

No, you've got it wrong.

Daddy sets up kid's PC with cracked or hacked XP product key.

At some point later, Daddy stupidly downloads WGA. Daddy and WGA make
the PC inoperable.

Daddy searches for WGA crack, finds one, and installs it. It's also a
trojan. AV software doesn't detect the trojan.

The PC now works, but it's also doing stuff for a bot-owner. Daddy
doesn't know it, because the kids are using it not him. Daddy isn't
going to bitch and complain to AV companies because their shit doesn't
detect the trojan immediately. Eventually when the trojan is detected
Daddy won't have a clue when it was installed, or what payload installed
it. He'll just say "jeeze - I've got great AV software because it just
detected this trojan".
 
We're not talking about a keygen here.

The WGA stuff is supposed to modify the hard drive.

Now tell us how you determine if the modifications are legit, or
malicious.

Well, you start by evaluating what specifically is changed, depending on
the components involved you look for behavioural changes.

AV software makers wouldn't care though, of course, but it could be
done.
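A worked version of that before/after comparison, added here as an example and not DevilsPGD's own tooling: it snapshots a directory tree, applies a constructed change standing in for an untrusted installer, and reports which files were added, removed or modified. The sample tree and file names are constructed for the demo; in practice both snapshots would be taken of the real system drive inside the throwaway VM, and the list of changed components is what you then inspect for behaviour (services, autoruns, network activity) rather than trusting the installer's own description.

```python
"""Baseline-and-diff check for what an installer changes on disk.

Added example (not from the thread). Snapshot a tree before running the
untrusted installer in a throwaway VM, snapshot again after, and diff.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to (sha256, size)."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = (digest, path.stat().st_size)
    return state


def diff_snapshots(before, after):
    """Return {'added': [...], 'removed': [...], 'modified': [...]} as sorted path lists."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: an 'installer' swaps one file, drops another, deletes a third."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys_dir = root / "Windows" / "system32"
        sys_dir.mkdir(parents=True)
        (sys_dir / "legit.dll").write_bytes(b"original dll bytes")
        (sys_dir / "untouched.dll").write_bytes(b"stays the same")
        (root / "README.txt").write_text("setup notes")

        before = snapshot(root)

        # Simulated installer activity (constructed): overwrite one file,
        # add an unexpected executable, delete the README.
        (sys_dir / "legit.dll").write_bytes(b"patched dll bytes")
        (sys_dir / "dropped.exe").write_bytes(b"MZ placeholder bytes")
        (root / "README.txt").unlink()

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>8}: {paths}")
```

Hashing every file on a full system drive is slow but is the point: a size-only or timestamp-only comparison misses an in-place patch of the same length, which is exactly what a WGA crack does to a system file.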
 