Crack hunting: not all it’s cracked up to be

Crack hunting: not all it’s cracked up to be

People sometimes ask us in the forums if a keygen or software crack is safe to use. Sometimes, these programs do what they say on the tin. Other times, they’re not what they say they are. In this post, I’ll describe what happened when I went crack hunting, and why it is often unsafe to carry out this activity.

Researchers like myself often browse crack and keygen sites because they are known to host many affiliate links to third-party applications, many of which include Potentially Unwanted Programs (PUPs), adware, or worse. Many of these sites also host downloads for malware.

These sources are important to research because users often browse crack and keygen sites looking to find paid software for free. This is risky practice, though, because the user may end up downloading unwanted software that can do more harm than good.

In this case, I was looking for a crack for Windows 10 Pro, since it’s popular software. The crack download itself was actually not a crack, but a file we detect as PUP.Optional.InstallCore.Generic. This “crack” did not run properly on my test machine, most likely because of sandbox sensitivity.

While the “crack” was being downloaded, the download page redirected to a page advertising DriverFix. The advertisement is one of many adverts offered by ad rotators.

I clicked on the link, which in turn opened the following site:

Clicking the “download now” button downloaded the file from the DriverFix site and delivered basic instructions on how to get the program to run.

According to the website, DriverFix is a Windows application that scans your machine to find outdated drivers, and allows users to update those drivers from within the application with one click. So I tried it.

Once the software was installed, it automatically launched, ran a scan, and displayed the results of the scan. Here are results from two different machines. Notice the results show drivers as being “Extremely old.”

This gives users false ideas that their machine has issues that must be fixed. When I expanded the info for my batteries and checked it, indeed there are newer drivers available, though calling my drivers “extremely old” is a bit of a fallacy.

When the user attempts to “update all” or update one driver, they are presented with a pricing page to pay for the services to update their drivers.

The user then has the choice to update one driver, update all drivers on their system, or purchase the “family pack,” which will update as many as three PCs. Many users will opt-out of purchasing the services at this point.

This is where things get hairy. One does not have to buy new drivers. In my case, all I did was Google the driver description “Microsoft ACPI-compliant control method battery driver Windows 10” and found results right from the Microsoft Update Catalog site.

If this proves to be difficult for the not-so-tech-savvy folk, you can also open Device Manager, expand the driver in question, open the Driver tab, and click “Update Driver.” Microsoft will download the driver your system needs at no cost. Plus, you can be sure it is coming from Microsoft.

If the user decides not to purchase and simply closes DriverFix, eventually they end up with warning messages from DriverFix regarding their outdated drivers when they do anything on their machine that uses the drivers flagged in the initial scan. Below is the notification I received from DriverFix when I was saving a file to my machine.

This is not typical behavior from benign software. This behavior is designed to scare the user into thinking they have severe issues that will only be solved by purchasing services from DriverFix.

This is after the user might have thought they were getting a free product that promised to fix driver issues in one click when they ran into the initial advertisement.

Unless your machine is very old, Microsoft provides compatible drivers, or the computer manufacturer automatically provides driver updates through its own built-in software at no cost.

Between discovery of this program on December 19, 2018 and January 9, 2019, the installer for this product has been detected 3,245 times by Malwarebytes. There have also been 839 reported traces detected as a result of installs during the same time frame.

Malwarebytes blocks the website that hosts DriverFix downloads, and stops the application installer from launching.

We detect the application as PUP.Optional.DriverFix.

If you installed DriverFix, we have instructions on how to remove it or how to add exclusions if you decide to keep it.

As long as sites continue to try pushing cracked software that seem too good to be true (and thus, is actually harmful to users), we will continue to detect such programs in order to protect our customers.

And for those looking for the silver bullet software in crack or keygen sites, we suggest making sure you can spot benign programs from those that try to squeeze a few bucks out of unsuspecting users. Exploring these sites is not for the uninitiated—best to stick to tried and true, legitimate versions of software programs instead of risking illegal crack or keygen sites and programs.

ABOUT THE AUTHOR

Tammy Stewart

Senior Threat Operations Analyst

Threat hunter and all-around badass.