Microsoft: Software Activation Key Generators Linked to Malware Infections

The growth of software activation key generators is linked to the spread of malware, according to findings from Microsoft's latest Security Intelligence report.

In volume 13 of the report, which was released Monday, Microsoft reported that Win32/Keygen was the most commonly reported threat family in the first half of 2012. Win32/Keygen, which represents software activation key generators, was detected nearly five million times.

A user who downloads the package runs the key-generator utility to create a product key that will supposedly allow the software to be used illegally, Microsoft explained. In many cases, the distributed packages contain malware alongside - or instead of - the pirated software, the company noted in the report.

"Keygen detections have increased by a factor of 26 since the first half of 2010 and today Keygen is the number one consumer threat family worldwide, rising above other prevalent threat families like Pornpop, Blacole, Conficker and FakePAV," blogged Tim Rains, Director of Product Management in Microsoft’s Trustworthy Computing group. "The prevalence of Keygen varies from location to location, however it is listed as a top 10 threat for 103 of the 105 countries/regions studied in SIRv13. That means Keygen is in the top 10 list of threats for 98 percent of the locations we provide analysis for in SIRv13."

According to the report, more than 76 percent of computers infected with Keygen also reported detections of other malware families.

"This is a good indication that Keygen is often bundled with, or leads to, malware infections," Rains blogged. "In the report we have a feature story which dives into greater detail on deceptive downloads like Keygen and provides mitigation guidance on how to help protect against this type of social engineering threat."

The strategy of bundling malware with software on unsecure file distribution sites and networks is not limited to pirated commercial software—attackers sometimes take advantage of traffic in freely distributed software as well, the report notes. In the first half of the year, the Microsoft Malware Protection Center spotted 35 different threat families being distributed using the file name install_adobeflash.exe, which poses as an installation package for Adobe Flash Player.

Besides malware, the report also delves into the number of vulnerabilities. Vulnerability disclosures across the industry increased 11.3 percent during the first six months of the year when compared to the second half of 2011.

"This increase reverses a trend of small declines in every six-month period from 2H09 to 2H11," according to the report. "The majority of the increase comes from application vulnerabilities, as operating system vulnerabilities continue a downward trend."

The number of computers reporting exploits delivered through HTML or JavaScript remained high during the first half of 2012, primarily due to the Blacole exploit family. Blacole is used by the notorious “Blackhole” exploit kit to deliver malware through malicious webpages, and was the most commonly detected exploit family during the first half of the year.

"Prospective attackers buy or rent the Blacole kit on hacker forums and through other illegitimate outlets," according to the report. "It consists of a collection of malicious webpages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components. When the attacker installs the Blacole kit on a malicious or compromised web server, visitors who don’t have the appropriate security updates installed are at risk of infection through a drive-by download attack."

The report can be downloaded here.