Blue Coat Labs

Labs Blog

A New Twist in Fake-warez Malware

A New Twist in Fake-warez Malware

Chris Larsen

It's been a while since I've posted anything from the world of "fake warez" malware.

Last week I came across a site that's using a different tactic than the "classic" method. On the surface, it looks very similar:

fake-warez site


But when I clicked a sample link (I chose "corel 2000" out of random curiosity), instead of a link to a malware executable coming from a separate (and temporary) malware host, I was presented with a file instead of a malware executable.

When I downloaded and opened the ZIP, I found an EXE file (named corel_2000_keygen.exe of course) and a very small readme.txt file that basically said "run corel_2000_keygen.exe and follow instructions".

Running the EXE through Virustotal showed that it was very well detected (31/43 hits). (Interestingly, when I ran the ZIP file through, the detection rate dropped to 27/42. I'll let you draw your own conclusions about that, as a non-password-protected ZIP file doesn't seem like it should thwart AV analysis....)