
1) Ed Bott - Confessions of a Windows 7 pirate


rbdietz


[My cautionary lettering and emphasis - RBDietz]

http://blogs.zdnet.com/Bott/?p=1817#more-1817

If you do intend to try this stuff out for yourself, I recommend extreme caution. My hunt for utilities that bypass Windows 7 activation technologies led me to some very seedy corners of the Internet. First, I did what any red-blooded wannabe pirate would do and tried some Google searches. Of the first 10 hits, six were inactive or had been taken down. After downloading files from the remaining four sites, I submitted them to Virustotal.com, where three of the four samples came back positive for nasty, difficult-to-remove Windows 7 rootkits. Here's one example: [screenshot: windows7_pirate_01_rootkits_ahoy.png]

A prudent tester would assume the remaining samples are false negatives and similarly infected.

Anybody here heard of VirusTotal before? Tomorrow's posting may also be an interesting read -

Last weekend, I used some sophisticated forensic tools to take an equally close (and completely unauthorized) look at what Microsoft is doing with its most recent anti-piracy update. Tomorrow, I'll publish the surprising results of that analysis.

The missing link to the story on ZDNet. (Thanks, Zlim. :) )

Anybody here heard of VirusTotal before? Tomorrow's posting may also be an interesting read -

I read it. Interesting. Somehow I think the pirates are smarter than MS's "engineers." :)

Yup, I've heard of VirusTotal. I use Jotti more than VirusTotal: http://virusscan.jotti.org/en

It helps to figure out if a file has malware or is a false positive when scanning with the security programs installed on the computer. Jotti uses so many engines that if only 1 or 2 find something then I suspect a false positive; if it is more than 1 or 2, the file gets put in the vault.

The blog article referenced but not linked in post #1: http://blogs.zdnet.com/Bott/?p=1817
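The workflow the first post describes (hash and submit each downloaded "activation utility" to a multi-engine scanner before running it) and the rule of thumb in the post above (one or two detections is a probable false positive, more than that gets quarantined) can be turned into a small triage script. The following is an added example written for this page; it is not code from the thread, from Ed Bott's article, or from VirusTotal or Jotti. It assumes a report in the shape of a VirusTotal API v3 file object (`data.attributes.last_analysis_results`), uses a constructed report with made-up engine names and labels, a constructed stand-in for the downloaded file, and a hypothetical `FALSE_POSITIVE_MAX` threshold; the hash-lookup URL pattern is VirusTotal's real one. Nothing is sent over the network.

```python
"""Triage a downloaded sample against a multi-engine scan report.

Added example for this thread; assumes VirusTotal API v3 report layout.
"""
import hashlib
from typing import Dict

# Threshold from the thread's rule of thumb: one or two engines flagging a
# file is treated as a probable false positive, more than that gets the file
# quarantined. Hypothetical constant, not a VirusTotal or Jotti setting.
FALSE_POSITIVE_MAX = 2

# Constructed stand-in for a downloaded "activation utility"; not a real sample.
SAMPLE_BYTES = b"MZ\x90\x00 constructed fake activator payload, not real malware"

# Constructed report in the shape of a VirusTotal API v3 file object
# (data.attributes.last_analysis_results). Engine names and detection labels
# are made up for the example.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "attributes": {
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Rootkit.Win32.Example"},
                "EngineB": {"category": "malicious", "result": "Trojan.Generic.Example"},
                "EngineC": {"category": "suspicious", "result": "Heur.Packed.Example"},
                "EngineD": {"category": "undetected", "result": None},
                "EngineE": {"category": "undetected", "result": None},
            }
        },
    }
}


def sha256_hex(data: bytes) -> str:
    """Hash the sample so it can be looked up by digest; the file itself
    never has to be uploaded if the service already knows the hash."""
    return hashlib.sha256(data).hexdigest()


def lookup_url(sha256: str) -> str:
    """Public VirusTotal page for a file hash (URL pattern is real)."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def flagged_engines(report: dict) -> Dict[str, str]:
    """Return {engine: label} for every engine that called the file
    malicious or suspicious; undetected engines carry no label."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return {
        engine: entry["result"]
        for engine, entry in results.items()
        if entry.get("category") in ("malicious", "suspicious") and entry.get("result")
    }


def verdict(flagged: int, total: int) -> str:
    """Apply the thread's rule of thumb. Zero detections is not 'clean':
    a freshly repacked loader simply has not been seen by anyone yet."""
    if total == 0:
        return "unknown: no engines reported"
    if flagged == 0:
        return "no detections: treat as an unknown, not as clean"
    if flagged <= FALSE_POSITIVE_MAX:
        return "probable false positive: verify by hand before trusting"
    return "quarantine: multiple engines agree"


def triage(data: bytes, report: dict) -> dict:
    """Hash the file, count agreeing engines and return a decision record."""
    digest = sha256_hex(data)
    hits = flagged_engines(report)
    total = len(report["data"]["attributes"]["last_analysis_results"])
    return {
        "sha256": digest,
        "url": lookup_url(digest),
        "flagged": len(hits),
        "total": total,
        "labels": hits,
        "verdict": verdict(len(hits), total),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_BYTES, SAMPLE_REPORT)
    print(f"{result['sha256']}  {result['flagged']}/{result['total']}  {result['verdict']}")
    for engine, label in result["labels"].items():
        print(f"  {engine}: {label}")
    print("Lookup:", result["url"])
```

Looking up by hash only tells you whether someone has already seen that exact file; the one sample in the article that came back clean is exactly the case the "no detections" branch is for, which is why the first post says to assume it is a false negative rather than trust it. Running it in a disposable VM is the check that a hash lookup cannot replace.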

BTW: it's very well possible an admin may temporarily make this thread unavailable until further notice... :thumbsup: (#5 forum rules)


BTW: it's very well possible an admin may temporarily make this thread unavailable until further notice... :D

Admins will have to do what they think best. But the article isn't intended as a how-to for bad guys wanting to pirate Windows. The intent (at least as it appears to me) is to provide some background information for deciding if you're going to allow KB971033 to be installed. (My current - but maybe temporary - answer is 'no.')

The two exploits I describe in this post are certainly not the only ones out there. Indeed, Windows pirates have been playing a cat-and-mouse game with Microsoft for years. In the Windows XP era, pirates focused most often on stealing legitimate product keys, especially Volume License keys. Beginning with Windows Vista, Microsoft has begun building anti-piracy components directly into the operating system, and pirates have aimed their hacking skills at those components with increasing sophistication. The latest salvo from Microsoft in the war against pirates is the Windows Activation Technologies Update (KB971033). In its default configuration, it performs an initial validation check and then repeats the process every 90 days, downloading new signatures to detect exploits that flew under the radar in the previous scan. When I initially wrote about this subject last month, the question I heard most often was, "Why does it need to keep checking? If I get validated, shouldn't that be good enough?" Unfortunately, the experiences I've written about here prove why that strategy doesn't work.

Yep, knowing you it was for informational purposes. The 971033 'fix', BTW, seems to manage some nice 'forced reinstalls', I've read. And by this I mean people having a good copy, some of whom accepted to install the 'fix', had to reinstall; they were not able to get out of a blue screen at reboot. So beware: I would say 'no' to this 'fix' too.


Hello,

VirusTotal is a multi-engine scanning service provided by Hispasec Sistemas, a security consultancy headquartered in Spain, with offices in Mexico and Argentina. They have been around for about a dozen years and are well-regarded in the anti-virus community. Similar offerings include Jotti's Malware Scan, OPSWAT's FilterBit and VirSCAN.Org. There are numerous other services in different languages such as Chinese and Russian, but those are three English-language ones I'm aware of.

Regards,

Aryeh Goretsky


Hello,

Every software company has to deal with piracy--even some Open Source projects that use the GPL license have had to deal with violations from time to time. It also happens in the entertainment industry, where the content protection systems used by both DVD and Blu-ray discs have been bypassed. When dealing with computers, pretty much anything that can be done in software can be bypassed in software, and it is very difficult to deal with an attacker who has the time, resources and skill to "crack" a product. Software companies have to very carefully balance the costs of copy protection (which includes parts end users do not normally see, like quality assurance testing, building robustness into authentication servers if Internet-based, etc.) with the inconvenience to legitimate paying customers. The effort (time and money) you put into dealing with pirates is, generally speaking, time and money you do not get to put into making your product better by fixing bugs, adding new features, et cetera, so there is always some sort of a question as to what the right balance is for each developer and/or product.

Regards,

Aryeh Goretsky

I read it. Interesting. Somehow I think the pirates are smarter than MS's "engineers." :hysterical:

Maybe, maybe not. On the 4th page of the article Ed Bott writes:

Unfortunately, the experiences I’ve written about here prove why that strategy doesn’t work. If you used a copy of RemoveWAT that was created in 2009, you were able to fool Microsoft validation servers with a 100% success rate. However, as the anguished cries of forum participants proved, the KB971033 update in February exposed all of those hacks, restoring the correct license files and causing the systems to (correctly) fail validation. As a result, the RemoveWAT developer modified his code and released a version last week that trumped the new update and once again allowed hacked machines to pass the activation test.

In the past, that would have been counted as a win for the pirates. But with its new signature-based system, Microsoft can improve its exploit-detection code and, at least in theory, identify the updated hacks in 90 days (or, in the worst case, 90 days after that). The point is that pirates can’t count on getting a permanent free pass on activation. If you’re a hobbyist obsessed with pirating Windows, you have to put up with the nuisance of updating your hacking tools every few months. But if you’re selling pirated software (in a box or preloaded on a system), you risk getting put out of business and maybe sent to jail when the systems you sold in March are detected as pirated in June or July.
Emphasis is mine.