I downloaded a cracked install from tpb (haxnode). It was a loader exe that loaded the original exe and supposedly removed the DRM in RAM. It required admin permissions. I didn’t trust it, but I ran it in a VM and nothing happened.
Then I told myself “I have Microsoft Defender and Windows Firewall Control, they will warn me” and I ran it on my main laptop, and still nothing happened. Like, literally nothing happened. The original program would not start. It would simply exit. Nothing. The other 6 almost identical torrents from the same uploader, but with a different program version, had a similar result. I gave up.
Then I reboot, and first I notice a couple of DOS prompts flashing on the screen, and Windows Firewall Control asking me whether “aspnet_compiler.exe” is allowed to access the internet or not.
Suspicious, I go to check that “aspnet_compiler.exe”: it’s located in the .NET system folder. I scan it with Microsoft Defender and it doesn’t report as a virus. I do not pay attention to the fact that it doesn’t have a valid Microsoft signature, and I tell myself “probably just a Windows update” and whitelist it on the firewall.
After a few hours I realize “wait a minute: it’s impossible that an official Windows exe isn’t signed by Microsoft!” I go back to scan it: not infected… or so it looks. Defender says “ignored because in whitelist”. What? The “loader” put c:* in the whitelist!
The “crack loader” wasn’t a virus per se. It dropped an obfuscated batch in startup, which had a base64 encoded attachment of the actual malware, which was copied into the .NET Framework directory with unassuming names…
And this for a $60 perpetual license program that I should buy anyway because it’s for work.
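The chain the post describes (a Defender exclusion of c:*, an unsigned executable dropped into the .NET Framework directory, a startup batch carrying a base64 blob, and a scheduled task that launches it) can be audited on a host with a script like the one below. It is an added example, not code from the post or the thread; it assumes an elevated PowerShell 5.1+ session on Windows, and the directories it scans are assumptions about where such artifacts would sit.

```powershell
# Added example: audit a Windows host for the artifacts described in the post.
# Assumes an elevated PowerShell 5.1+ session; the scanned paths are assumptions.

# 1. Defender exclusions that cover a whole drive or use a wildcard (the post's "c:*").
foreach ($path in (Get-MpPreference).ExclusionPath) {
    if ($path -match '^[A-Za-z]:\\?\*?$' -or $path -match '\*') {
        Write-Warning "Over-broad Defender exclusion: $path"
    }
}

# 2. Executables under the .NET Framework tree without a valid Microsoft signature.
#    Genuine Windows binaries are usually catalog-signed; on Windows 8 and later
#    Get-AuthenticodeSignature resolves catalogs, so anything listed here deserves a manual look.
$dotnetDirs = "$env:windir\Microsoft.NET\Framework", "$env:windir\Microsoft.NET\Framework64"
Get-ChildItem -Path $dotnetDirs -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
            }
        }
    } | Format-Table -AutoSize

# 3. Startup-folder scripts carrying a long base64 run (the "obfuscated batch").
$startupDirs = [Environment]::GetFolderPath('CommonStartup'), [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startupDirs -Recurse -Include *.bat,*.cmd,*.vbs,*.ps1 -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ((Get-Content -Path $_.FullName -Raw) -match '[A-Za-z0-9+/]{200,}={0,2}') {
            Write-Warning "Startup script with an embedded base64 blob: $($_.FullName)"
        }
    }

# 4. Scheduled tasks whose action runs something from the .NET Framework tree.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -match 'Microsoft\.NET\\Framework') {
            Write-Warning "Task '$($task.TaskName)' runs $($action.Execute) $($action.Arguments)"
        }
    }
}
```

A hit in step 1 combined with a hit in step 2 or 4 is the pattern the post describes; step 2 will also surface any file Defender skipped because of the exclusion, since signature checking does not go through the exclusion list.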
No offense man. But sounds like a typical Windows user’s mentality problem.
If you don’t want to go down the Linux route, you might investigate Sandboxie. I remember that thing working miracles back when I was a Windows user.
Probably I would have run it outside, as the crack just silently “crashed” (while successfully dropping the malware as admin in the right spot, ready to be run as admin at the next boot via the task scheduler), and I would have thought “maybe it doesn’t run in a sandbox/VM”.
But yes, in hindsight, if I had run it in Sandboxie then I might have noticed that it had dropped suspiciously named files in common:startup with that nice file transfer GUI (unless the malware detected Sandboxie and did not run the malicious routines).
If it didn’t run the malicious routines, problem solved :)
Not a silver bullet, just something to remember exists.
I ran it in a VM and nothing happened.
Did you configure the VM so that it didn’t blatantly look like a VM? Of course malware is gonna act like a good boi when it detects that it’s being run in a VM.
It probably did exactly in the VM what it did outside the VM.
Yeah true, I misinterpreted “and nothing happened [in the VM]” to mean “and nothing bad happened”
A reminder that you do, in fact, need an antivirus as a pirate. Oh people, stop listening to cybersec experts who spend their whole life using FOSS or buying legit software, they’re in a different world from us pirates.
Also a reminder that it happens to the best of us anyway.
Alternative if you want to be hardcore: air gap the system you run questionable software on.
If you’re bored, you can even try to infect it with as much shit as possible.
Doesn’t work as a test system though. Stuff lies dormant waiting for network access.
Typical newbie experience, downloads stuff from a random website he found on google.com. Use fmhy or rentry to find what you need. Stop blaming yourself, things like this are what many newbies go through before they become like Bartholomew Roberts.
I’ve poked around on FMHY and most of the direct download sites are total garbage: banner ads everywhere and popups galore, with slow-ass download speeds. Even the big public trackers like 1337x are whack in this regard. Yes, obviously use an adblocker, which takes care of that problem, but if the average user goes at this blind they’re gonna end up on some random-ass sites from misclicks or get redirected, or at best wait way too long for a download, or it’s in parts of an archive and they have to wait till tomorrow for another download, etc. etc.
Private trackers or bust, always and forever
A reminder that it only takes a simple lapse in judgment to get pwned.
Lmao