A topic for gamers: Cracked EXE's

Discussion in 'Trojan Defence Suite' started by jspurlin, Mar 21, 2004.

Thread Status:
Not open for further replies.
  1. jspurlin

    jspurlin Registered Member

    Joined:
    Mar 21, 2004
    Posts:
    2
    I have always paid for my software, but sometimes I have enjoyed not having to insert the cd. Then I came across an article about how commonly "malware" is packaged with these executables.

    Since I do serious programming work on my computer, there is no way I can risk compromising my system this way. What I am curious about, having read about the growing sophistication of hackers to package malware with executables that would otherwise appear "legit", is

    The Question:
    How effective or specialized can TDS-3 be at doing more detailed forensics for trojans that may successfully conceal themselves and not exhibit suspicious behavior? (For example, in the case of these executables, the file path and the name of the executable are legit. I was reading that hackers will do the same with "legit" system files, albeit the path to the executable will not be "legit". These hacks name themselves after a legitimate system file, and some of these names are associated with critical system processes where Task Manager will not allow you to "kill" the process, because Task Manager only sees the name of the file; it does not evaluate the file path, for example.)

    The growing level of sophistication is amazing, but it seems that the key to successfully compromising someone's system is even still some style of "social engineering". This would apply to the issue of "hacked exe's". For example, the disclaimer at 'GameCopyWorld' states that the exe's are essentially legal so long as you own the cd. Well, if you are as I have been in the past, you might reason, "Well, I am the lawful owner of the software, I do not copy it or give it to anyone else, this is a legitimate way to use this software without the cd." Very tempting and, in my opinion, valid when the ethics apply. Good luck!

    Of course, this particular venue is not likely to compromise a system where there is 'serious business'. I build software. I am not about to compromise my system.

    It seems that there could be more discussion about 'education' in addition to raising the question about what can be done at the engineering level to raise the level of sophistication and prevention at the software level.

    It appears to me that these cracked exe's pose an enormous security risk. I will simply use them no longer. But I am curious if TDS-3 would be adequate for analysing cracked exe's I have used before, to help ascertain the likelihood that my system has been compromised.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello jspurlin and welcome.
    Since you are a programmer yourself and you might still own some of these files yourself, what happened when you tried them on TDS?
     
  3. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    Could you share the source of this article please? I'd like to see what it says.

    Little Mike
     
  4. chameleon2

    chameleon2 Guest

    1.
    @jspurlin

    I find your topic quite interesting since you have described one of the most dangerous situations which may occur.

    Btw.: I would also be interested in the source of the article ...

    2.
    And yes. It is indeed possible to compromise an executable file. Actually, it may take you less than a minute.

    I will not describe any details but merely summarize one of the easiest ways how to do it:

    You can patch a LoadLibrary call into an executable (e.g., the "cracked" executable of an online game). This is called "static DLL injection". The LoadLibrary call will make game.exe load a DLL trojan each time it is started. Your firewall is unlikely to help if you have created an allow rule for the online game.

    No file scanner will detect the DLL (containing the trojan) since the DLL is compressed. (I believe that it has become common knowledge that there are commercial protectors which make it impossible for any(!) file AV/AT scanner to "look through" the protector's encryption and detect the trojan.)

    Depending on the cleverness of the hacker the patched executable may be detected as a "suspicious file" by a scan heuristic like NOD32's advanced heuristic. But this can be avoided.

    3.
    A system firewall like SSM or Process Guard cannot help you since no dynamic DLL injection via CreateRemoteThread or SetWindowsHookEx takes place. Integrity/MD5 checks will not help you either since the cracked game.exe downloaded from GameCopyWorld will have a different checksum anyway.

    4.
    Therefore, your only real chance to detect these statically injected DLL trojans is a dedicated AT with a module (mem) scanner. By contrast, an ordinary mem scanner which does not support module (mem) scanning will not help you.

    AFAIK there are only two scanners which feature a module (mem) scanner: BOClean & Trojan Hunter. But I am quite sure that this will change in the near future. Moreover, I would like to point out that the module scanner does not necessarily make BOC & TH better than TDS overall.
     
  5. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    To scan modules in a process, go to the System Analysis menu and select Process List, then select the process you want to scan and press Ctrl+M (or Process menu | View Process Modules). The "Scan Modules" button is at the top of the module list.
     
  6. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    @chameleon2
    Well, unless you gave the game .EXE firewall access which allowed it to do anything it liked, why would a trojan prefer to be loaded in this manner when they usually go out on port 80 or through email? Wouldn't it prefer to be loaded by IE, Outlook or Netscape or whatever program actually does network activity over the ports it wanted?

    So here is your scenario for static DLL loading :-
    1) They run a cracked/hacked game EXE
    2) They then give it COMPLETE internet access because they trust this cracked EXE ?
    3) They also give it complete trusted access in Process Guard or SSM?
    4) The trojan DLL then does everything it wanted until the game is shut down?

    That is laughable, especially since games aren't run that often; if you were going to put forward a reasonable static DLL scenario you could have at least chosen IE as the target, not the game EXE. Is everyone who wants NO-CD access going to play online? No. So as soon as their firewall pops up they will say "no" to the access request. Most online games now won't allow you to play if you have a cracked/NO-CD EXE, even if you have a valid key.

    Trojans are designed to be running and active on the system the whole time the system is running, this is why DLL ONLY based trojans will never be widely distributed.

    -Jason-
     
  7. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    A lot of NO-CD cracks/patches are legal and a lot aren't, laws vary from country to country on many things. However there is hardly anything morally wrong with running a NO-CD crack on a game you bought simply because you don't want the CD to be in the drive, I agree with you on that point.

    As long as the no-cd crack you get is from a big webpage then it is unlikely (but still possible) that it will contain anything malicious. I would not download anything from Kazaa or any other P2P network since 95% of them will contain other things. Anti-Virus programs will rarely find anything in cracked EXE's, even ones with big payloads. This is because crackers know how to get around scanners if they use a known virus/trojan easily. Unless the crack is really widespread AV companies will never even see it.

    The only advice one can give is to be wary, if you want to run executables which are hacked then you have to pay the price if something bad happens. The best thing you could do is email the developers and tell them you are unhappy with requiring the CD in the drive, sometimes after a year or so some developers release official patches which don't require the CD.

    -Jason-
     
  8. chameleon1

    chameleon1 Guest

    @Jason

    "Wouldn't it prefer to be loaded by IE, Outlook or netscape or whatever program which actually does a network activity over the ports it wanted?"

    That's what many trojans do. However, it's not "state of the art" anymore since SSM or Process Guard or Tiny Personal Firewall will detect the dynamic injection via CreateRemoteThread. Static injection does not work either because the firewall will ring the bell and tell you that the checksum of IE etc. has changed.

    Therefore, the above situation may frequently occur ITW. But it's not really dangerous if you use Process Guard and a firewall with MD5 check.

    "They then give it COMPLETE internet access because they trust this cracked EXE ?"

    They need to because it's an online game. If they do not grant internet access to the game they will be unable to play.

    The same applies if a DLL is statically injected in another internet application which you download from the web.

    "That is laughable, especially since games aren't run that often,"

    No it's not laughable. Experienced attackers have hundreds or thousands of victims. It is completely sufficient that an online gamer will stay online for quite a long time (several hours). If he stops playing you can simply connect to another vic...

    " this is why DLL ONLY based trojans will never be widely distributed. "

    I did not say that they will be used more frequently than standard trojans. I merely highlighted a dangerous scenario.

    ---

    @Wayne

    Is there any official information on whether the module scanner is a module file scanner or a module mem scanner?
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Is that what in TDS is named Memory Objects?
    Besides the modules Wayne mentioned?
     
  10. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    What happens if you don't give it full access in the firewall? Only access to the game server? Then the trojan won't work at all.

    Many games also require a non-hacked EXE checksum (PunkBuster won't allow it, for example), and all the popular online games have similar protection. So in your example it would have to be a game which doesn't check the checksum of the EXE which is connected to its server, which doesn't leave very many games. Also, how many people who play the game will use it online? If it's even 50% then that is still getting lower and lower for the trojan to be useful.

    So to recap, we have someone who wants to play a game online (rather than single player) for many hours which isn't popular (due to all the good games having integrity checksums and also who would they be playing with if the game wasn't popular?), they don't know how to use a firewall (since they give the game full internet access) and are using a cracked game EXE. :)

    I'm sure all 5 of those people have something to worry about. :)

    -Jason-
     
  11. chameleon1

    chameleon1 Guest

    1.
    @Jason

    How about this game ...

    __________________________________________
    "SUMMARY
    This article describes the ports required to play Microsoft Dungeon Siege as a multiplayer game through a firewall, a proxy server, a router, Network Address Translation (NAT), or Internet Connection Sharing (ICS).
    MORE INFORMATION
    To verify that these ports are open or to open these ports, please contact your network administrator or Internet service provider (ISP).

    If you are the administrator of the network, please consult the documentation provided with your networking software to determine the steps to open these ports.

    Dungeon Siege requires that the following UDP and TCP ports be open to start multiplayer games:

    Connection to ZoneMatch: 2300 UDP
    News and AutoUpdate: 80 TCP
    When a multiplayer game is in session, Dungeon Siege uses the following DirectPlay ports:

    Connection                 Ports for Client Configuration   Ports for Host Configuration
    Initial UDP Connection     6073 Outbound for Joining        6073 Inbound for Hosting
    Subsequent UDP Inbound     2302-2400                        2302-2400
    Subsequent UDP Outbound    2302-2400                        2302-2400"

    ________________________________________

    ... which firewall rules would you suggest? ;-)

    2.
    @all

    Although I'm bugging DCS from time to time I still like many of their products (including TDS). And I am pretty sure that a real module scanner is already in the works.
     
  12. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    There's games which don't require the CD by default, like Call Of Duty :D
    (so no cd-crack).
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Can you explain what is for you a memory module scanner? Just for my education, and in what it differs from the memory objects scanner? And the modules scanner? Think the last is the modules loaded in memory at the current moment?
     
  14. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    I'd suggest firewall rules which stop the game from playing as Dungeon Siege isn't that good. Try NWN :)

    Seriously though, does it not have a checksum request from the server? Any game worth its salt will, and will make it as hard to defeat as possible, otherwise it is very easy to write cheats and hacks for games that ruin the online experience.

    My suggestion is if you are going to play a game online don't take the risk of running a NOCD crack, just pop the CD in for online multiplayer games. Some servers will ban CDKEYS if they detect hacked EXE's, so I don't think it is worth the risk.

    -Jason-
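    One way to give the game only the ports quoted in the KB excerpt above, rather than blanket internet access, written as an added example for this thread (it is not DCS or Microsoft code) using the Windows Firewall cmdlets available on current Windows; the executable path is an assumed placeholder.

```powershell
# Added example: per-port rules for the Dungeon Siege executable, built from the
# port list quoted above. The path is an assumed placeholder; adjust it.
$game = 'C:\Games\DungeonSiege\DungeonSiege.exe'

# Name, direction, protocol and port exactly as the KB text lists them.
$rules = @(
    @{ Name = 'DS ZoneMatch';       Dir = 'Outbound'; Proto = 'UDP'; Remote = '2300' },
    @{ Name = 'DS News/AutoUpdate'; Dir = 'Outbound'; Proto = 'TCP'; Remote = '80' },
    @{ Name = 'DS DirectPlay join'; Dir = 'Outbound'; Proto = 'UDP'; Remote = '6073' },
    @{ Name = 'DS DirectPlay host'; Dir = 'Inbound';  Proto = 'UDP'; Local  = '6073' },
    @{ Name = 'DS session in';      Dir = 'Inbound';  Proto = 'UDP'; Local  = '2302-2400' },
    @{ Name = 'DS session out';     Dir = 'Outbound'; Proto = 'UDP'; Remote = '2302-2400' }
)

foreach ($r in $rules) {
    # Every rule is tied to the program, so another process cannot reuse it.
    $p = @{
        DisplayName = $r.Name
        Group       = 'Dungeon Siege'
        Direction   = $r.Dir
        Program     = $game
        Protocol    = $r.Proto
        Action      = 'Allow'
    }
    if ($r.Local)  { $p.LocalPort  = $r.Local }
    if ($r.Remote) { $p.RemotePort = $r.Remote }
    New-NetFirewallRule @p | Out-Null
}

# Windows evaluates Block rules before Allow rules, so a Block rule for the same
# program would override the allows. Anything not listed is refused by the
# profile's default outbound action instead (this applies to all programs).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# Audit what the game is actually permitted to reach.
Get-NetFirewallRule -Group 'Dungeon Siege' |
    Get-NetFirewallPortFilter |
    Format-Table -AutoSize
```

    With these rules a DLL loaded by game.exe can only talk on the game's own ports; it gets no general port 80 exit other than the AutoUpdate TCP rule, which is the one you would watch most closely.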
     
  15. chameleon1

    chameleon1 Guest

    @ Jooske

    "Can you explain what is for you a memory module scanner? Just for my education, and in what it differs from ther memory objects scanner? And the modules scanner? Think the last is the modules loaded in memory at the current moment?"

    1.
    A module memory scanner will not only scan the process memory but also the memory used by any loaded modules (DLLs).

    By contrast, a module file scanner will perform a simple file scan on any loaded modules. The disadvantage of a module file scanner is that compressed DLLs are unlikely to be detected.

    2.
    Contrary to BOC & TH, TDS does not have an automatic module scanner (i.e., you need to manually scan each module). Depending on the number of modules loaded this may take an hour or two ;-)

    In addition, I feel that the module scanner of TDS is a module file scanner.

    3.
    Object memory scan is a completely different thing. Basically, (the DCS guys will correct me if I am wrong) TDS object mem scan will simply search for window names. This is not completely useless but does not substitute process and module mem scanning. TDS already supports process mem scanning.

    4.
    In addition, please note that my statement re BOClean was probably wrong! I am not so sure anymore whether it uses a file or a mem scanner for module scanning. Recent experiments with the help of a system firewall have shown that BOClean tries to get file access to any loaded modules. If the access is not granted BOC will not detect the respective DLL trojan. Moreover, many compressed DLLs are not detected. Therefore, I am inclined to believe that no module mem scanner exists. (The upcoming BOC report will tell you the truth. Hopefully ;-)
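    A file-level module check of the kind the manual per-module scan above performs, written as an added example for this thread (not TDS-3, BOClean or any DCS code): it lists every DLL loaded into a process with its full path, Authenticode status and hash, and flags DLLs outside the Windows directories that carry no valid signature. The process name 'game' is assumed.

```powershell
# Added example, not from TDS-3 or any DCS product. Reports the loaded modules of a
# running process so the ones worth a closer (memory) scan stand out.
function Get-ProcessModuleReport {
    param([Parameter(Mandatory)][string]$ProcessName)   # e.g. 'game' for game.exe (assumed)

    $trusted = @("$env:WINDIR\System32\", "$env:WINDIR\SysWOW64\") |
        ForEach-Object { $_.ToLower() }

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        # Show the path, not just the name: a process named like a system file
        # but started from another directory is visible here.
        Write-Host "PID $($proc.Id): $($proc.Path)"
        try { $modules = $proc.Modules }
        catch { Write-Warning "Cannot enumerate modules of PID $($proc.Id): $_"; continue }

        foreach ($m in $modules) {
            $path      = $m.FileName
            $sig       = Get-AuthenticodeSignature -FilePath $path
            $inTrusted = [bool]($trusted | Where-Object { $path.ToLower().StartsWith($_) })
            [pscustomobject]@{
                Module    = $m.ModuleName
                Path      = $path
                Signature = $sig.Status        # Valid, NotSigned, HashMismatch, ...
                SHA256    = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
                # Unsigned DLLs living outside the Windows directories go first.
                Suspect   = (-not $inTrusted) -and ($sig.Status -ne 'Valid')
            }
        }
    }
}

Get-ProcessModuleReport -ProcessName game |
    Sort-Object Suspect -Descending |
    Format-Table -AutoSize
```

    Like the "module file scanner" described above, this only looks at the files on disk, so a packed DLL hides its contents from it; a flagged module is a lead for a memory scan of that module, not a verdict.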
     