Nitro PDF is malware

Discussion in 'malware problems & news' started by bbrigg, Jul 30, 2010.

Thread Status:
Not open for further replies.
  1. bbrigg

    bbrigg Registered Member

    Joined:
    Jul 13, 2008
    Posts:
    4
    Nitro PDF uses your boot sector to store its license information. My Nitro PDF with OCR was not showing the OCR as being active so I decided to uninstall and reinstall. I deactivated first then used Revo to uninstall. The uninstall hung up and the system completely locked up. A hard boot brought up Windows 7's boot fixer utility which played for a few minutes and then the system restarted.

    I couldn't find Nitro PDF nor would Revo show it so I tried to reinstall the software. The reinstall went fine but the software would not run giving this error.
    “Multiple Restore Hard drive operations damaged the license and the product must be re-registered. #2”

    As I'd had problems with their license when using a cloned drive for backup and also when I restored my system from a backup I decided to give the software the flick. I complained to the support people and asked for a utility to get their stuff out of my boot sector but they just play dumb. They said use Revo (I had) and provided a clean-up utility that doesn't do the job.

    No software, other than a hard disk utility, should be allowed to play around in the boot sector.
     
  2. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    If I am not mistaken, Adobe software (CS suites 2/3/4?) also appends license data to that part of the HDD.

    I recall an issue of 2600 magazine where one author dealt with this issue.
     
  3. calamus

    calamus Registered Member

    Joined:
    May 3, 2008
    Posts:
    1
    I agree with you.
    The same problem faced me,
    and I did not find a solution.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    Are you sure they are in the boot sector? I rather suspect it is being stored in some other part of track 0, but not the boot sector.

    Pete
     
  5. Z_wise

    Z_wise Registered Member

    Joined:
    Mar 7, 2011
    Posts:
    5
    Location:
    Istanbul
    Nitro's not necessarily malware but acts like it in terms of its choice of hiding its license info. Writing to hidden sectors is not something that goes well with disk etiquette.

    On two of the machines I've seen the lic. info written at (absolute) sectors 60 & 62. One of them had at least 3 'clean' OS installs. Nitro generates a machine code to prevent x-use of their legit licenses on multiple machines. Lic. info is based on this machine (HW) code. So 'Volume ID' (which changes every time the disk is formatted) alone does not alter your HW specs. If you have a legit license, it stays forever on your disk unless you deliberately choose to deactivate it. Deactivating does not remove the lic. data written at the hidden sectors. It is just marked as inactive. The lic. info survives any full formatting all because it resides in a pre-partition area on your disk. Dunno where it actually starts, but sector 62 is definitely the last choice to store that .5k lic. info.

    If you tamper with or delete the license written on hidden sectors, Nitro complains about it next time it is launched. The authors of Nitro must be very sure of themselves that the hiding corner they've chosen could have never been found and/or edited. So, the deleted lic. info gets written on another sector next time you start the app. Kinda funny way of self-healing.

    All the endeavor put in to keep the routines covert and encrypted readily fails in protecting the app. Dealing with crypto schemes requires more maths than programming capabilities. Every concerned SW author develops custom protection schemes but when it comes to crypto, almost all of them resort to using ready-made, what I call, “package solutions”. I think this is the underlying reason why the apps using encryption are less secure than the tailor-protected ones regarding their immunity against RE attacks.

    Anyway, Nitro does a good job and deserves the money asked for. I'm a happy customer of them.
     
  6. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Being a noob on this subject, I find this totally fascinating.

    Is there any way to visualize the boot sector/track0 stuff to check for bad stuff?
    I gather it would probably look like gibberish to me anyway...

    How can a noob make sure there's no bad stuff in there?
    Should we all nuke our MBR/Track0 once in a while just to get rid of the cobwebs? :eek:
     
  7. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Nitro PDF = Malware o_O o_O
     
  8. Z_wise

    Z_wise Registered Member

    Joined:
    Mar 7, 2011
    Posts:
    5
    Location:
    Istanbul
    Disk editors let you see/manipulate MBR area (the boot sector). HxD is a nice and free one.

    To see the contents of the hidden sectors you should always select the 'physical' disk, not the logical one. The logical disk starts with the 1st partition (absolute sector #63) and hence there are no hidden ones from that sector onwards. Sector 0 always starts with 33C0h (at offset 00) and ends with 55AAh (at offset 511) covering a total of 512 bytes length (size of one sector) in which the master boot record resides (not the volume boot record or bootloader, which resides in the first sector of the first partition. BIOS transfers its job to the MBR [sector #0] and the MBR to the VBR [sector #63], then the OS starts to load). You should avoid touching those areas by all means.

    Between sector #1 & #62 there are 31,744 bytes of free space available divided into 62 sectors. Boot sector viruses and a few other legit apps (like Nitro) may use this area. Usually there is no fun in peeking at those sectors and they seldom need any cleaning.

    What I discovered with Nitro was purely by chance (auto activation after initial launch on a freshly formatted and OS-installed drive). Data on those sectors is machine readable only. So, one needs process explorers/debuggers to analyze the mechanics of root access, calls, data I/O operations, etc. before deciding if the stuff is bad or not. Trial and error wouldn't be something advisable if you play with your 'system disk' at the lowest level.
     
    Last edited: Mar 8, 2011
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Seems similar to the Sony rootkit fiasco.
     
  10. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Thanks a lot Z_Wise.

    I'll give HxD a try.

    This is one of the most interesting threads I've seen here @ Wilders! :thumb:
     
  11. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    For Vista/7 the VBR doesn't often reside in sector #63. It's mostly sector #2048 (1MB), in preparation for correct alignment on Advanced Format drives. Hence, I assume, there are now extra hidden sectors between #63 and #2047.
     
    Last edited: Mar 9, 2011
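    Added example (not posted by anyone in this thread): a small read-only inspector for the area Z_wise describes in post #8 and sbseven refines in post #11. It checks the 55AAh signature at offset 510, reads the partition table to find where the first partition starts (63 or 2048, so the number of hidden sectors is not assumed), and lists which hidden sectors hold non-zero data. The disk image, the sector-60 blob and all helper names are constructed for the demo.

```python
import struct

SECTOR = 512


def build_sample_image(first_partition_lba=2048, total_sectors=4096):
    """Constructed sample image (not a real dump): a Windows-style MBR with a
    valid 55AA signature and one NTFS entry, plus a stray blob at absolute
    sector 60 standing in for license data parked in the pre-partition gap."""
    img = bytearray(total_sectors * SECTOR)
    mbr = bytearray(SECTOR)
    mbr[0:2] = b"\x33\xC0"  # XOR AX,AX: the opening bytes mentioned in post #8
    # Partition entry #1 at offset 446: status, CHS start, type, CHS end, LBA, size
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0",
                               first_partition_lba, total_sectors - first_partition_lba)
    mbr[510:512] = b"\x55\xAA"
    img[0:SECTOR] = mbr
    img[60 * SECTOR:60 * SECTOR + 16] = b"LICENSEBLOB-demo"  # constructed marker
    return bytes(img)


def parse_mbr(sector0):
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("no 55AA boot signature at offset 510")
    parts = []
    for i in range(4):
        boot, ptype, lba, size = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if ptype != 0:
            parts.append({"bootable": boot == 0x80, "type": ptype,
                          "start_lba": lba, "sectors": size})
    return parts


def hidden_area_report(image):
    """Inspect sectors 1 .. (first partition - 1): anything non-zero there was
    written by something other than the file system and deserves a look."""
    first_lba = min(p["start_lba"] for p in parse_mbr(image[:SECTOR]))
    nonzero = [lba for lba in range(1, first_lba)
               if any(image[lba * SECTOR:(lba + 1) * SECTOR])]
    return {"first_partition_lba": first_lba,
            "hidden_sectors": first_lba - 1,
            "nonzero_hidden": nonzero}


if __name__ == "__main__":
    print(hidden_area_report(build_sample_image()))       # 2048-aligned layout
    print(hidden_area_report(build_sample_image(63)))     # classic sector-63 layout
```

    To run it against a real drive, read the first few thousand sectors from the physical device (e.g. `\\.\PhysicalDrive0` on Windows, which needs administrator rights) into `image` instead of the constructed bytes; the script only reads, never writes.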