Network News

X My Profile
View More Activity

Pirated Version of Windows 7 Has Malware Built-in

Security researchers are warning that Internet users who install pirated versions of Microsoft's latest Windows 7 operating system may also be installing malicious software, too.

Experts at Atlanta-based security firm Damballa say they first noticed
hacked versions of the Windows 7 release candidate available on peer-to-peer file-sharing networks and newsgroups last week, shortly after the OS was released to developers.

Damballa found that computers with the tainted versions of Windows 7 were programmed to silently reach out to an Internet server to check for further updates, which in this case is a piece of malware that Kaspersky Antivirus calls Win32.Banload.cdk.

"The first thing this does is phone home and get a list of additional malware to install," said Tripp Cox, vice president of engineering at Damballa.

Damballa managed to grab control over the server that's contacted by the pirated Windows 7 versions -- -- which is how it knows how many new, compromised installations are requesting the malware. As of Monday afternoon, the company had tracked 3,452 compromised systems hitting the site, with a peak of more than 550 new infections per hour on Sunday.

It's a good idea to avoid installing software of any kind -- operating systems in particular -- downloaded from P2P networks. Bundling malware with executable and installer files is an old trick that is still quite useful and effective today. In fact, there are no shortage of shadowy pay-per-install programs that revolve around this concept, granting tiny commissions to affiliates who spread the poisoned files on P2P networks like BitTorrent. The screen shot below shows a popular pay-per-install forum where affiliates of different programs compare methods for making their poisoned installer files more attractive on P2P networks.


By Brian Krebs  |  May 12, 2009; 2:00 PM ET
Categories:  Fraud , Piracy , Safety Tips , Web Fraud 2.0  | Tags: damballa, installer, piracy, windows 7  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Oprah, KFC and the Great PC Cleanup?
Next: Adobe, Apple and Microsoft Issue Security Updates


I myself use a hacked version of vista ultimate that has the activation disabled. I've run superantispyware and it never finds anything I have also installed all patches. I have avira installed and it never detects anything.

I suppose it's theoretically possible that it is root-kitted, but with the way vista is structured, drivers have to be approved by microsoft for them to run on vista, and it would be difficult for a hacker to do this.

And frankly if an antispyware program is able to delete the malware, why not just run it before connecting to the internet and removing it, and you still get to run vis...I mean windows 7 for free.

Besides i only use vista for video games and Excel.

I can always use linux for online banking.

Posted by: el_barto | May 12, 2009 3:11 PM | Report abuse

el_barto, why don't you just buy Vista, you cheap

Posted by: wangbang747 | May 12, 2009 3:29 PM | Report abuse

Honestly, if you didn't know that you could download Windows 7 RC directly from Microsoft for free, you deserve what you get.

Posted by: gamz247 | May 12, 2009 3:30 PM | Report abuse

@el_barto -- Hey, points for honesty. it's quite possible that your "hacked" version of vista is as you say -- completely benign and otherwise pristine. But then again, if it weren't, I doubt that any of the anti-spyware or antivirus tools would tell you otherwise.

Just want it for gaming and Excel? So I guess since it's not stealing your banking credentials, it's no big deal if it gets turned into a spam spambie, phishing site or attacks others online, right?

Posted by: BTKrebs | May 12, 2009 3:30 PM | Report abuse

Can we keep the foul language out of the comments please? I really don't want to have to play referee here.


Posted by: BTKrebs | May 12, 2009 3:33 PM | Report abuse points to a Search Portal. Is it really a C&C domain?

Posted by: rzaboinski | May 12, 2009 6:19 PM | Report abuse

@el_barto - do you have a problem with OpenOffice Calc on Linux? I have never come across an Excel file that calc would not open.

Posted by: kiaser_zohsay | May 13, 2009 9:43 AM | Report abuse contains a typographical error. The original c&c domain was

Posted by: radix42 | May 13, 2009 11:09 AM | Report abuse

Radix is correct. Typo. I have corrected the domain name in the post.

Posted by: BTKrebs | May 13, 2009 11:17 AM | Report abuse

This is happening more in Torrent-based downloads. There used to be very little torrents that had virus or something with it. Well, I actually remember downloading a Vista version (not proud of doing that in the past). it did not had problems.
Well, I actually have Vista that came with my Laptop, so I do have a legal copy of vista i'm using.
I think many torrents and newsgroups started having those programs with viruses in 2008. I remember finding a office 2003 that had virus in the .rar and a limewire pro download that had a small virus. stay safe, guys. :)

Posted by: gonzalesg10 | May 14, 2009 6:19 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company