Pirated Sites Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

PUA:Win32/SBYinYing
https://gridinsoft.com/blogs/pua-win32-sbyinying/
Fri, 09 Aug 2024 12:31:28 +0000

PUA:Win32/SBYinYing is a potentially unwanted application (PUA) that is often bundled with certain cracked games. It may display ads to users or redirect them to potentially harmful websites, which puts it in the same category as adware and browser hijackers. Most often, users get infected with this malware after downloading cracked software.

PUA:Win32/SBYinYing Overview

PUA:Win32/SBYinYing is identified by Microsoft Defender as a potentially unwanted program. This detection is most commonly associated with a file named “EMP.dll”, which is typically found in pirated games. Torrents, especially those offering cracked games, are the main distributors of this malware. This is an ideal distribution method for malicious software because running cracked games often requires disabling antivirus software or adding the game to an exclusion list.

[Image: PUA:Win32/SBYinYing detection window]

Once this PUA infiltrates a system, it starts doing its nasty job, namely showing excessive ads and gathering basic information about the user. It is not as severe as regular spyware, but it still creates an unfavorable situation for anyone who cares about privacy. The aforementioned advertising behavior adds to that risk: the promotions that Win32/SBYinYing shows may contain phishing redirects, download links for unwanted programs or sometimes even outright malware.

Technical Analysis

The previous information about PUA:Win32/SBYinYing provided a general overview, but to fully understand the nature of this threat, a more in-depth analysis is required. Let’s examine how this unwanted app behaves within a system using the “EMP.dll” file from a repackaged game as an example. While some behaviors of this software may be related to bypassing license checks, other actions raise significant concerns.

Note: we at GridinSoft strongly advise against using any illegally activated software, as it violates copyright law in the majority of countries. Aside from this, such software is a significant malware risk. This test with the actual library from the cracked program was done purely for research purposes, with all the needed precautions.

Execution

Since “EMP.dll” is not an executable .exe file, it requires another process to load it. In this case, part of the installer calls rundll32.exe, the default Windows process for launching dynamic-link libraries. The command line recorded during the analysis looks like this (loaddll64.exe is a DLL loader used by analysis sandboxes rather than a Windows component; on a real system rundll32.exe or the game's own installer plays this role):

C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\EMP.dll'

The DLL file contains a section that may hold compressed or packed code. Similar to regular malware, PUA:Win32/SBYinYing performs standard checks to detect whether it is running in a virtual environment or a sandbox. It does this by examining certain system parameters, specifically:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display

SBYinYing queries various system settings, including information about hardware (disks, volumes) and software (policy settings, the cryptographic machine GUID, etc.). It ceases further execution if any of these contain traces of virtualization or sandboxing.

Defense Evasion

The next step involves identifying and evading security solutions. The techniques used here are more typical of malware than of unwanted programs. File obfuscation, data encryption, attempts to disable or modify security software, injection into legitimate processes – Win32/SBYinYing does all of this. Among other things, the malware checks the following locations:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles

These locations contain information about installed antivirus/anti-malware software. Typically, malicious programs change their behavior depending on which AV vendor is present.

Privilege Escalation and Persistence

After the basic checks, the unwanted program attempts to escalate its privileges. It leverages legitimate processes like WerFault.exe and rundll32.exe, which makes this step relatively straightforward. As mentioned earlier, the malware uses rundll32.exe to execute the DLL, allowing it to run the code embedded within the library. Additionally, the malware terminates the wmiadap.exe process with the parameters /F /T /R, which appears to be an effort to evade detection or stop system monitoring (a defender should confirm the parent process first, since Windows itself routinely launches wmiadap.exe, the WMI performance-counter refresh helper, with exactly these switches). Here’s what the commands look like:

C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1052 -s 460
C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5188 -s 432
C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2296 -s 484

WerFault.exe is a legitimate system process used for error reporting in Windows and Windows applications. The form shown above, -u -p <PID> -s <handle>, is also exactly how Windows launches the error reporter when the process with that PID crashes, so when hunting for this activity, correlate the PID in each WerFault command line with the process that loaded the DLL before treating the event as escalation. In addition to leveraging this process, the malware creates scheduled tasks, enabling it to persist by running each time the system starts.
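The behaviours described in the Execution, Defense Evasion, and Privilege Escalation and Persistence sections above can be turned into a small triage routine. The script below is an added example for this post, not GridinSoft's or Microsoft's code: it reads Sysmon-style process-creation and registry-access events and reports which of the write-up's behaviours each process exhibits. The registry keys, the DLL loader command line and the WerFault command lines are taken from the analysis above; the event layout, the PIDs assigned to the sample events, and the scheduled-task line (task name "EMPUpdate", path under AppData) are constructed for the example.

```python
"""Behaviour-based triage for PUA:Win32/SBYinYing-style activity.

Added example for this post, not GridinSoft's or Microsoft's code. Event shapes,
PIDs and the scheduled-task line are constructed; the registry keys, loader
command line and WerFault lines mirror the analysis in the post.
"""
import re
from collections import defaultdict

# Registry keys the post lists as virtualization / sandbox checks.
VM_CHECK_KEYS = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName",
    r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display",
}
# Keys the post lists as used to enumerate installed security software.
AV_ENUM_KEYS = {
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles",
}
DLL_LOADERS = {"rundll32.exe", "loaddll64.exe"}
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData)\\", re.IGNORECASE)
# "WerFault.exe -u -p <pid> -s <handle>" is the shape Windows uses to report a crash of <pid>.
WERFAULT_CRASH = re.compile(r"werfault\.exe\s+-u\s+-p\s+(\d+)\s+-s\s+\d+", re.IGNORECASE)


def _norm_key(key):
    """Registry paths are case-insensitive; normalise before comparing."""
    return key.lower().rstrip("\\")


VM_CHECK_NORM = {_norm_key(k) for k in VM_CHECK_KEYS}
AV_ENUM_NORM = {_norm_key(k) for k in AV_ENUM_KEYS}


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return sorted (rule, pid) findings.

    Process events: {"type": "process", "pid", "image", "cmdline"}
    Registry events: {"type": "registry", "pid", "key"}
    """
    findings = set()
    suspect_pids = set()

    # Pass 1: process-creation rules. Loader PIDs feed the WerFault correlation below.
    for ev in events:
        if ev["type"] != "process":
            continue
        image, cmd = _basename(ev["image"]), ev["cmdline"]
        lower = cmd.lower()
        # rundll32/loaddll64 loading a DLL from a user-writable path (System32 DLLs do not match).
        if image in DLL_LOADERS and ".dll" in lower and USER_WRITABLE.search(cmd):
            findings.add(("dll_loader_from_user_path", ev["pid"]))
            suspect_pids.add(ev["pid"])
        # Persistence: a scheduled task whose action is a rundll32 DLL launch.
        if image == "schtasks.exe" and "/create" in lower and "rundll32" in lower:
            findings.add(("scheduled_task_rundll32", ev["pid"]))

    # Pass 2: registry checks, plus WerFault crash reports only for already-suspect PIDs.
    for ev in events:
        if ev["type"] == "registry":
            key = _norm_key(ev["key"])
            if key in VM_CHECK_NORM:
                findings.add(("vm_sandbox_check", ev["pid"]))
            if key in AV_ENUM_NORM:
                findings.add(("security_provider_enum", ev["pid"]))
        elif ev["type"] == "process":
            m = WERFAULT_CRASH.search(ev["cmdline"])
            if m and int(m.group(1)) in suspect_pids:
                findings.add(("werfault_for_suspect_process", int(m.group(1))))
    return sorted(findings)


def by_pid(findings):
    """Group findings as {pid: [rule, ...]} so a process showing several behaviours stands out."""
    grouped = defaultdict(list)
    for rule, pid in findings:
        grouped[pid].append(rule)
    return {pid: sorted(rules) for pid, rules in grouped.items()}


# Constructed sample telemetry. PID 1052 is chosen to match the first WerFault line in the post.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1052, "image": r"C:\Windows\System32\loaddll64.exe",
     "cmdline": r"loaddll64.exe 'C:\Users\user\Desktop\EMP.dll'"},
    {"type": "registry", "pid": 1052,
     "key": r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"},
    {"type": "registry", "pid": 1052,
     "key": r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles"},
    {"type": "process", "pid": 2296, "image": r"C:\Windows\System32\schtasks.exe",  # constructed
     "cmdline": r'schtasks /Create /SC ONSTART /TN "EMPUpdate" /TR "rundll32.exe C:\Users\user\AppData\Roaming\EMP.dll,Run"'},
    {"type": "process", "pid": 2804, "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": r"C:\Windows\system32\WerFault.exe -u -p 1052 -s 460"},
    {"type": "process", "pid": 2810, "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": r"C:\Windows\system32\WerFault.exe -u -p 5188 -s 432"},  # 5188 never flagged: ignored
    {"type": "process", "pid": 3100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign, no match
]

if __name__ == "__main__":
    for pid, rules in sorted(by_pid(triage(SAMPLE_EVENTS)).items()):
        print(pid, ", ".join(rules))
```

Run stand-alone, the script prints the loader process (PID 1052) with four behaviours and the scheduled-task process with one; the legitimate rundll32 call loading shell32.dll and the WerFault report for an unrelated PID produce nothing. The WerFault rule deliberately fires only when the crashing PID is one the loader rule already flagged, which is the correlation step the section above recommends.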

Network Activity

The malware exhibits notable network activity, making several DNS requests to connect to the internet. Some of the observed connections include:

TCP 40.88.32.150:443
TCP 65.9.73.63:443 (firefox.settings.services.mozilla.com)
TCP 54.187.157.95:443 (pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com)
10.216.185.205.in-addr.arpa
125.21.88.13.in-addr.arpa
130.155.190.20.in-addr.arpa

There are also numerous internal addresses that may be used to make the analysis harder. These connections suggest that the malware could be communicating with command servers, potentially exfiltrating data or receiving further instructions. When reusing these as indicators, note that the in-addr.arpa names are reverse-DNS (PTR) lookups rather than destinations, and that firefox.settings.services.mozilla.com is Firefox's own settings endpoint, so only the remaining addresses are candidate command-server indicators.

Does PUA:Win32/SBYinYing Steal Data?

While it’s theoretically possible for PUA:Win32/SBYinYing to steal data, in practice this is unlikely. This unwanted app mostly works as adware, and the information it collects mostly serves to fingerprint the system. Still, adware can redirect users to potentially dangerous websites, which in turn could be a source of more harmful malware. That is when user data is put at risk.

This might explain why some users report that their Facebook and Steam accounts were compromised after PUA:Win32/SBYinYing was found on their systems. Another plausible explanation is the general risk associated with using pirated software. Using cracked games or software increases the likelihood that a user will eventually have their personal data stolen or files lost.

How to Remove PUA:Win32/SBYinYing?

To remove PUA:Win32/SBYinYing, it’s advisable to use advanced anti-malware software. Some users encounter difficulties when trying to eliminate this threat with Microsoft Defender. For this reason, I recommend using GridinSoft Anti-Malware as a tool to remove PUA:Win32/SBYinYing. You can follow the step-by-step guide below:

[Image: GridinSoft Anti-Malware main screen]

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

[Image: scan results screen]

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

[Image: removal finished]

Additionally, I strongly recommend refraining from downloading pirated games and software, as this is the most common method of distributing malware. Not only is it dangerous, but it’s also illegal.

Cracked Games
https://gridinsoft.com/blogs/5-dangers-cracked-games/
Thu, 20 Jun 2024 14:10:13 +0000

Whatever one human has created, another can crack. This sentence, in various forms, is often repeated by computer pirates. Cracked games can be easily downloaded on the Internet. Of course, the main advantage of cracked apps is that they are completely free. This factor is one reason for the popularity of cracked games in third-world countries. But have you considered that computer pirates need money to live, too? To get it, they profit in other illegal and potentially harmful ways. Let me explain which ways I am talking about and why using unlicensed games is bad.

Cracked Games Origins

Every non-freeware program has its own license-checking mechanism. Such a check may be performed entirely on the user’s PC, or jointly by the PC and a server where all license data is stored. But the code responsible for this operation is stored inside the program’s root directory. Hence, a hacker is able to find this code and modify it in a specific way: he creates a “jump” over the license-checking stage, so the operation is simply skipped and the program thinks it is activated.

[Image: the process of cracking games]

Why are cracked programs dangerous?

After this modification, the hacker can distribute the program to the wide pirate public. However, he makes no profit in such a scenario. To solve this problem, hackers add several programs to the original package. Which programs? Those whose developers agreed to pay the pirate for the bundling. And here comes the most interesting part.

Many small developers distribute their programs as part of a game bundle. It can be anything – antiviruses (Segurazo, Santivirus, McAfee, Avast, et cetera), “fast and comfortable browsers”, various utilities with or without practical use, etc. Such apps are more annoying than harmful, but using them may be dangerous because they make ill-advised changes in sensitive places, like the registry or Group Policy.

[Image: McAfee about to install as part of a game bundle]

But besides these free junk apps, computer pirates can add outright malicious apps. Their type and severity depend only on the size of the reward promised to the hacker by the malware developers. It may be something non-critical, like adware or a browser hijacker. However, in most cases of malware injection through cracked games, users get a full house: trojan-stealer, trojan-backdoor, trojan-downloader, worm, virus, and, finally, ransomware. Following current malware trends, you may get every one of the malware types just mentioned inside a single app. Not a pleasant prospect, is it?

Breaking The Law With Cracked Games

Using cracked games is illegal in all civilized countries. If you use them on your home computer and do not create any commercial product with the pirated programs, you may keep calm – it is hard to detect that you are using unlicensed games. However, the authorities can audit big companies and any other commercial organization, and if the use of cracked games is confirmed, the corporation will receive a large fine. The size of this fine is usually much bigger than the license cost for all the games that have been used in cracked form. So, think well before using a cracked Spiderman Remastered or Call of Duty.

[Image: a judge finishes the lawsuit; making use of cracked games may lead to extremely large fines]

Download games without any risks

There are various ways to download games without exposing yourself to any risk. Here are some tips on how to practice safe gaming:

  • Download games from official stores only.
  • Avoid buying games from bizarre locations like forums or random pages.
  • Learn how to protect your accounts on Twitch, Discord, Origin, Battle.net, and Steam. Many of them offer two-factor authentication, allowing you to protect your device from unauthorized access even further.
  • Check the security features on the platforms you use.
  • Always try to download the platform’s official app.
  • Use an antivirus for PC when going online and downloading anything.
  • Use a reputable antivirus program on all your devices and never disable it.

If you’ve used cracked games in the past, it’s imperative to check your computer for viruses. One effective way to do this is by using a reliable security tool like Gridinsoft Anti-Malware. This software specializes in identifying and removing malware that might have sneaked in through unsecured downloads. By conducting a thorough scan, you can ensure that your system is clean and secure. Remember, proactive measures are key to maintaining the health of your computer and the safety of your personal information. Always prioritize security in your digital activities to avoid potential hazards.


As you can see, cracked game usage carries many disadvantages that can cost you much more than the license for the program. Yes, in some cases cracked game usage may seem justified – for example, if you want to test the program before purchasing, not being sure it will meet your needs. But even in such a situation – pirating with good intentions – you can become a victim of a malware attack.

VPN hosting provider agrees to block access to pirated sites
https://gridinsoft.com/blogs/vpn-hosting-provider-agrees-to-block-access-to-pirated-sites/
Tue, 12 Oct 2021 16:57:36 +0000

Hosting provider Sharktech has settled a copyright infringement lawsuit filed by several film companies and agreed to block access to pirated sites.

The companies accused the service of not taking action against VPN providers, some of whose subscribers were pirating movies. As part of the agreement, Sharktech agreed to block significant pirate sites, including Pirate Bay, YTS, and RARBG.

In recent months, a group of independent film companies has filed lawsuits against VPN providers and their hosting companies. The makers of films such as Hunter Killer and Dallas Buyers Club have accused the services of conniving in piracy.

Film companies alerted Sharktech to this piracy activity through various copyright infringement notices that had little impact.

“Sharktech could not remove the subscribers or accounts associated with these IP addresses and did not take any meaningful action in response to these notifications,” the filmmakers said in a complaint.

Sharktech said the company does not consider itself associated with pirates, as it provides services to VPN companies that provide services to end consumers. The presence of pirates among the latter is tough to prove. The hosting provider likened the situation to a demand for the airline to stop providing transportation services to the postal service since some of its customers may mail something illegal.

Negotiations to resolve the situation began last month, and now the film companies and Sharktech have filed a motion to dismiss the case. In addition, both sides agreed to a confidential settlement agreement.

Sharktech was not alone in facing legal action, however. VPN.ht also settled a copyright infringement lawsuit filed by a group of independent film companies earlier this year. As part of the deal, the VPN provider agreed to block all BitTorrent traffic and log IP address information on its servers in the United States.

The companies have accused the VPN provider of promoting the pirated Popcorn Time app to their users, noting that VPN.ht’s IP address has been used repeatedly to distribute pirated movies. After filing the initial complaint, copyright holders increased the pressure. As a result, they received a temporary restraining order ordering PayPal to freeze the assets of Wicked Technology Limited, the operating company of VPN.ht.

In addition to blocking BitTorrent traffic, VPN.ht has also agreed to keep logs of IP addresses associated with their servers in the US. These logs must be kept for at least a year and point to specific users.

Lawsuits against VPN providers began in September this year. A group of independent film companies has filed a lawsuit in federal court in Virginia (USA) against four VPN providers (Surfshark, VPN Unlimited, Zenmate, and ExpressVPN), which they accused of widespread copyright infringement, writes TorrentFreak.

In particular, the plaintiffs accused the providers of allowing their subscribers to bypass the geographic restrictions of streaming services such as Netflix, including positioning the services as a means of anonymously downloading copyright-infringing content. Thus, the plaintiffs said, VPN services are liable for “direct, facilitating, and indirect” copyright infringement.

Let me remind you that I wrote that the COVID-19 pandemic raised interest in pirated sites.

COVID-19 pandemic raised interest in pirated sites
https://gridinsoft.com/blogs/covid-19-pandemic-raised-interest-in-pirated-sites/
Tue, 14 Apr 2020 16:26:20 +0000

Currently, hundreds of millions of people remain at home, and global Internet traffic trends are changing. In particular, the COVID-19 pandemic has raised interest in pirated sites.

A considerable part of the population now works from home, while others also stay at home but spend their time online searching for news and entertainment. Because of this, the traffic of legal streaming services, for example, has increased significantly. In particular, in March, Sandvine announced a global 10% increase in streaming traffic, which for the first time helped YouTube overtake Netflix.

“Of course, users are not limited to just legal content. So, a few weeks ago, the publication noted an increase in interest in pirated sites in those regions where quarantine was introduced. Now, using various data sources, reporters have calculated that file sharing and pirated traffic are showing steady growth around the world”, wrote Torrent Freak reporters.

In China, the new coronavirus began to appear in the headlines from mid-January of this year, and on January 23, 2020, the authorities quarantined Wuhan and prohibited entry to and exit from the region. In the following days, additional restrictions followed.

As a result, over the period from December to the end of February 2020, the number of Chinese visitors to pirated sites increased significantly. According to the analytics company MUSO, a sharp increase in visits to pirated sites began on January 24, reaching its peak on January 27. After that, traffic decreased slightly, but at the end of February it was still about 20% higher than before the epidemic.

[Image: raised interest in pirated sites]

To figure out what happened after February 2020, journalists turned to the statistics of the iknowwhatyoudownload.com resource, which tracks millions of files available on public torrent sites, including The Pirate Bay and YTS. It turned out that torrent downloads clearly increased from March 6 to April 6 this year. Where previously there were about 12 million daily downloads, their number has now increased to 16 million, that is, by 33%.

[Image: raised interest in pirated sites]

A surge in activity is also noticeable on torrent trackers. For example, the operator of the tracker OpenTrackr.org told Torrent Freak that it is observing an increase in the total number of connections, as well as in the number of connected peers. As you can see in the illustration below, from March 31 to April 6, the daily peak in the number of peers increased from 24 million to 26 million.

Journalists expect that quarantine in certain countries will make this trend even more noticeable. In the meantime, the publication is collecting and processing data, and promises to continue collecting and publishing statistics.

What about the pirates – researchers say that cybercriminals increasingly use pirated software to deliver backdoors and ransomware.
