PUA:Win32/SBYinYing Overview

PUA:Win32/SBYinYing is identified by Microsoft Defender as a potentially unwanted program. This detection is most commonly associated with a file named “EMP.dll”, which is typically found in pirated games. Torrents, especially those offering cracked games, are the main distributors of this malware. This is an ideal distribution method for malicious software because running cracked games often requires disabling antivirus software or adding the game to an exclusion list.

Once this PUA infiltrates a system, it starts doing its nasty job, particularly showing excessive ads and gathering basic information about the user. It is not as severe as regular spyware, but still creates a less than favorable situation for anyone who cares about privacy. And the aforementioned advertising behavior is what adds on top of that risk. Promotions that Win32/SBYinYing shows may contain phishing redirects, downloading links for unwanted programs or sometimes even straight up malware.

Technical Analysis

The previous information about PUA:Win32/SBYinYing provided a general overview, but to fully understand the nature of this threat, a more in-depth analysis is required. Let’s examine how this unwanted app behaves within a system using the “EMP.dll” file from a repackaged game as an example. While some behaviors of this software may be related to bypassing license checks, other actions raise significant concerns.

Execution

Since “EMP.dll” is not an executable .exe file, it requires another process to run it. In this case, a part of the installer calls for the rundll32.exe, a default process for launching dynamic-link libraries. The execution command looks like this:

C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\EMP.dll

The DLL file contains a section that may hold compressed or packed code. Similar to regular malware, PUA:Win32/SBYinYing performs standard checks to detect whether it is running in a virtual environment or a sandbox. It does this by examining certain system parameters, specifically:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display

SBYinYing queries various system settings, including information about hardware (disks, volumes) and software (policy settings, cryptographic machine GUIDs, etc.). It will cease further execution shall any of these contain traces of virtualization or sandboxing.

Defense Evasion

The next step involves identifying and evading security solutions. The techniques used here are more typical for malware, than for unwanted programs. File obfuscation, data encryption, attempts to disable or modify security software, injection into legitimate processes – Win32/SBYinYing does all of this. Among other things, the malware checks the following locations:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles

These places contain information about installed antivirus/anti-malware software. Typically, malicious programs change their behavior depending on which AV-vendor is present.

Privilege Escalation and Persistence

After basic checks, an unwanted program goes for escalating its privileges. It leverages legitimate processes like WerFault.exe and rundll32.exe, making this step relatively straightforward. As mentioned earlier, the malware uses rundll32.exe to execute the DLL library, allowing it to run malicious code embedded within the DLL. Additionally, the malware terminates the wmiadap.exe process with parameters /F /T /R, which appears to be an effort to evade detection or stop system monitoring. Here’s what the commands look like:

C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1052 -s 460
C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5188 -s 432
C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2296 -s 484

WerFault.exe is a legitimate system process used for error reporting in Windows and Windows applications. In addition to leveraging this process, the malware creates scheduled tasks, enabling it to persist by running each time the system starts.

Network Activity

The malware exhibits notable network activity, making several DNS requests to connect to the internet. Some of the observed connections include:

TCP 40.88.32.150:443
TCP 65.9.73.63:443 (firefox.settings.services.mozilla.com)
TCP 54.187.157.95:443 (pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com)
10.216.185.205.in-addr.arpa
125.21.88.13.in-addr.arpa
130.155.190.20.in-addr.arpa

There are also numerous internal addresses that may be used to make the analysis harder. These connections suggest that the malware could be communicating with command servers, potentially exfiltrating data or receiving further instructions.

Does PUA:Win32/SBYinYing Steal Data?

While it’s theoretically possible for PUA:Win32/SBYinYing to steal data, in practice, this is unlikely. This unwanted app mostly works as adware, and the information it collects mostly serves for fingerprinting the system. Still, adware can redirect users to potentially dangerous websites, which in turn could be a source of more harmful malware. And that is when user data gets in risk.

This might explain why some users report that their Facebook and Steam accounts were compromised after PUA:Win32/SBYinYing was found on their systems. Another plausible explanation is the general risk associated with using pirated software. Using cracked games or software increases the likelihood that a user will eventually have their personal data stolen or files lost.

How to Remove PUA:Win32/SBYinYing?

To remove PUA:Win32/SBYinYing, it’s advisable to use advanced anti-malware software. Some users encounter difficulties when trying to eliminate this threat with Microsoft Defender. For this reason, I recommend using GridinSoft Anti-Malware as a tool to remove PUA:Win32/SBYinYing. You can follow the step-by-step guide below:

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Additionally, I strongly recommend refraining from downloading pirated games and software, as this is the most common method of distributing malware. Not only is it dangerous, but it’s also illegal.

The post PUA:Win32/SBYinYing appeared first on Gridinsoft Blog.

Cracked Games Origins

Every not-freeware program has its own license checking mechanism. Such a check may be performed exclusively on the user’s PC and using a PC and a server where all data about licenses is stored. But the code responsible for this operation is stored inside the program’s root directory. Hence, a hacker is able to find this code and modify it in a specific way: he creates a specific “jump” on the license checking stage, so the operation will be simply skipped, and the program will think it is activated¹.

Why are cracked programs dangerous?

• Exposed to a range of cyberattacks.
• Adware infections.
• Third-party crypto mining viruses.
• Phishing attacks.

After the described modification hacker can distribute his program for the wide pirate public. However, he will not have any profit in such a scenario. To solve this problem, hackers add several programs to the initial package. Which programs? Ones whose developers agreed to pay the pirate for this operation. And here goes the most interesting.

Many small developers distribute their programs as a part of the games bundle. It can be whatever – antiviruses (Segurazo, Santivirus, McAfee, Avast, et cetera), “fast and comfortable browsers”, different utilities with or without practical use, etc. Such apps are more annoying than harmful, but their usage may be dangerous because of wrong actions in tight places, like the registry or Group Policies.

But, besides free trash bag-like apps, computer pirates can add different malicious apps. And their type and severity depend only on the size of the reward promised to the hacker by malware developers. It may be something non-critical, like adware or browser hijacker. However, in most cases of malware injection through the cracked games, users get a full-house: trojan-stealer, trojan-backdoor, trojan-downloader, worm, virus, and, finally, ransomware. Because of modern trends through malware, you will get every malware mentioned earlier inside the single app. Bad perspective, isn’t it?

Breaking The Law With Cracked Games

Using cracked games is an outlaw action in all civilized countries. And if you use it on your home computer and do not create any commercial product with the pirated programs, you may keep calm – it is tough to detect that you use exactly unlicensed games. However, the executive authorities can check big companies and any other commercial organization. And in case cracked games usage is confirmed, the corporation will receive a large fine. The size of this fine is usually much bigger than the license cost for all games that has been used in its cracked version. So, think well before using cracked Spiderman Remastered or Call Of Duty.

Download games without any risks

There are various ways to download games without exposing yourself to any risk. Here are some tips on how to practice safe gaming:

• Download games from official stores only.
• Avoid buying games from bizarre locations like forums or random pages.
• Learn how to protect your accounts on Twitch, Discord, Origin, Battle.net, and Steam. Many of them offer two-factor authentication, allowing you to protect your device from unauthorized access even further.
• Check the security features on the platforms you use.
• Always try to download the platform’s official app.
• Use an antivirus for PC when going online and downloading anything.
• Use a reputable antivirus program on all your devices and never disable it.

If you’ve used cracked games in the past, it’s imperative to check your computer for viruses. One effective way to do this is by using a reliable security tool like Gridinsoft Anti-Malware. This software specializes in identifying and removing malware that might have sneaked in through unsecured downloads. By conducting a thorough scan, you can ensure that your system is clean and secure. Remember, proactive measures are key to maintaining the health of your computer and the safety of your personal information. Always prioritize security in your digital activities to avoid potential hazards.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

As you can see, cracked game usage carries many disadvantages that can cost you much more than the license for this program. Yes, in some cases, cracked game usage can be forced – for example, if you want to test the program before purchasing, being not sure if it can satisfy your needs. But even in such a situation – pirating with good intentions – you can become a victim of malware attacks.

The post Cracked Games appeared first on Gridinsoft Blog.

The companies accused the service of not taking action against VPN providers, some of whose subscribers were pirating movies. As part of the agreement, Sharktech agreed to block significant pirate sites, including Pirate Bay, YTS, and RARBG.

In recent months, a group of independent film companies has filed lawsuits against VPN providers and their hosting companies. Films such as Hunter Killer and Dallas Buyers Club have accused the services of conniving in piracy.

Film companies alerted Sharktech to this piracy activity through various copyright infringement notices that had little impact.

Sharktech said the company does not consider itself associated with pirates, as it provides services to VPN companies that provide services to end consumers. The presence of pirates among the latter is tough to prove. The hosting provider likened the situation to a demand for the airline to stop providing transportation services to the postal service since some of its customers may mail something illegal.

Negotiations to resolve the situation began last month, and now the film companies and Sharktech have filed a motion to dismiss the case. In addition, both sides agreed to a confidential settlement agreement.

Sharktech was not alone in facing legal action, however. VPN.ht also settled a copyright infringement lawsuit filed by a group of independent film companies earlier this year. As part of the deal, the VPN provider agreed to block all BitTorrent traffic and log IP address information on its servers in the United States.

The companies have accused the VPN provider of promoting the pirated Popcorn Time app to their users, noting that VPN.ht’s IP address has been used repeatedly to distribute pirated movies. After filing the initial complaint, copyright holders increased the pressure. As a result, they received a temporary restraining order ordering PayPal to freeze the assets of Wicked Technology Limited, the operating company of VPN.ht.

In addition to blocking BitTorrent traffic, VPN.ht has also agreed to keep logs of IP addresses associated with their servers in the US. These logs must be kept for at least a year and point to specific users.

Lawsuits against VPN providers began in September this year. A group of independent film companies has filed a lawsuit in federal court in Virginia (USA) against four VPN providers (Surfshark, VPN Unlimited, Zenmate, and ExpressVPN), which they accused of widespread copyright infringement, writes TorrentFreak.

In particular, the plaintiffs accused the providers of allowing their subscribers to bypass the geographic restrictions of streaming services such as Netflix, including positioning the services as a means of anonymously downloading copyright-infringing content. Thus, the plaintiffs said, VPN services are liable for “direct, facilitating, and indirect” copyright infringement.

Let me remind you that I wrote that COVID-19 pandemic raised interest in pirated sites.

The post VPN hosting provider agrees to block access to pirated sites appeared first on Gridinsoft Blog.

The fact is that considerable part of the population now works from home, while other people also stay at home, but spend time online searching for news and entertainment. Because of this, for example, has significantly increased the traffic of legal streaming services. In particular, in March, Sandvine announced a global increase in traffic to its streaming services by 10%, which for the first time helped YouTube overtook Netflix.

“Of course, users are not limited to just legal content. So, a few weeks ago, the publication noted an increase in interest in pirated sites in those regions where was introduced quarantine. Now, using various data sources, reporters have calculated that file sharing and pirated traffic are showing steady growth around the world”, – wrote Torrent Freak reporters.

So, in China from mid-January of this year, a new coronavirus began to appear in the headlines, and on January 23, 2020, authorities quarantined Wuhan and prohibited entry and exit from the region. In the following days, additional restrictions followed.

As a result, over the period from December to the end of February 2020, significantly increased the number of Chinese visitors to pirated sites. According to the MUSO analytic company, a sharp increase in visits to pirated sites began on January 24, reaching its peak on January 27. After that, traffic slightly decreased, but at the end of February it was still about 20% more than before the epidemic.

To figure out what happened after February 2020, journalists turned to the statistics of the iknowwhatyoudownload.com resource, which tracks millions of files available on public torrent sites, including The Pirate Bay and YTS. It turned out that torrent downloads clearly increased from March 6 to April 6 this year. If previously there were about 12 million daily downloads, now their number has increased to 16 million, that is, 33%.

A surge in activity is also noticeable for torrent trackers. For example, the operator of the tracker OpenTrackr.org told Torrent Freak that it is observing an increase in the total number of connections, as well as the number of connected peers. As you can see in the illustration below, from March 31 to April 6, the daily peak in the number of peers increased from 24 million to 26 million.

Journalists expect that quarantine in certain countries will made this trend even more noticeable. In the meantime, the publication collects and processes data, promising to continue collecting and publishing statistics.

What about the pirates – researchers say that cybercriminals increasingly use pirated software to deliver backdoors and ransomware.

The post COVID-19 pandemic raised interest in pirated sites appeared first on Gridinsoft Blog.