eWeek Microsoft Watch
May 6, 2007 10:10 AM

Windows Activation Trojan

Windows Genuine Advantage is the target of a new Trojan that impersonates Microsoft's activation mechanism.

Symantec issued a bulletin in late April on the Kardphisher Trojan, which carries a threat rating of "very low." But the Trojan picked up new attention over the weekend, following a Friday post on Symantec's security Weblog.

The Trojan takes advantage of one controversial feature of Microsoft's Windows Genuine Advantage anti-piracy mechanism: revalidation. To receive most downloads, including Internet Explorer or anything from the Windows Update Web site, end users must validate that their computers are, in Microsoft parlance, "genuine." But one validation isn't enough. Microsoft has Windows clients revalidate periodically, so that newly identified pirated copies are caught as Microsoft updates its piracy database.

Revalidation is an increasingly familiar process for many end users, and for some it brings warnings of counterfeit software should validation fail. That counterfeit popup appears when the computer reboots or wakes from sleep. The Trojan mimics both behaviors, and even imitates Windows Vista's mechanism of essentially shutting down when product activation fails.

Following infection, the Trojan displays a "Windows Piracy Control" screen at bootup.

"You can choose only 'Yes' or 'No,'" Takashi Katsuki wrote on the Symantec security Weblog. "You can't run Task Manager or any other applications. If you choose 'No' your PC will be shut down immediately."

If the end user chooses "Yes," an "Activation of Windows" box opens, requesting personal information, including a credit card number.

Katsuki explains:

"Now you may think 'It can't be true. I have activated my legitimate copy of Windows. MS can't do such a thing!' Surely almost everyone will notice that something strange is going on, and hopefully very few people will actually become victims by inputting their credit card details. But unfortunately even the people who are not tempted to give up their information this time might well become victims the next time. After all, failure to follow the on-screen instructions results in your PC shutting down immediately."

Microsoft has started selling Windows Vista upgrades online, which is a scenario in which the company would legitimately ask for a credit card. Like a slick grifter, the Trojan seeks to create confusion and, in doing so, lead people to act against their own interests. Microsoft, however, asks for its money upfront before the software is used. Still, there is plenty of trial software for which people pay only after a set period of use, so for some end users paying for something after a period of usage is ingrained behavior, and a demand for payment at boot time does not look as absurd as it should.

Katsuki warned: "This Trojan teaches us all a good lesson—trust no one."

That's sad advice.


Comments (8)

chips b malroy :

Believe this may be one of the first trojans/viruses etc. that is being used to exploit the WGA and DRM embedded in Vista, as I posted earlier on another Microsoft Watch topic.

Stealing and using someone's credit card number is not a small attack. Not to mention shutting down their computers.

Microsoft, in its zeal to protect itself from pirates, and to add further control over the computers of legit users, has given the black hats scores of usable exploits with all these WGA and DRM features already designed by MS to cripple their Vista computers. The end effect might be to actually make Vista less secure than XP in the long run. Given MS's track record on security, this should not surprise us.

The DRM in Vista could be a real problem, as from what I understand it has to look up licenses on the internet. Anytime you need this control to come from the internet, I believe this control will be easy to hack and put users' computers into a reduced functionality mode, at least for starters. Further, there are some tougher functions in the DRM that would allow MS to reject the license if they or the other license holders (RIAA and MPAA) thought you were doing something they did not like. Just seems likely to produce a whole other level of exploits, given some time.

Eder :

Joe, you are crossing over to Security Watch.

Be focused!!

Anthony :

Microsoft Vista and OneCare might drive Symantec out of the anti-virus business.

Please take another perspective to look at Symantec.

Kokuryu Tenchi :

I am surprised that people think this is the first WGA activation hack that has appeared. This is one of MANY that have been circulating around for quite some time now. And as one person has already pointed out, the main point of entry is the Windows DRM. There have been tons of trojans and exploits created that take advantage of this data stream. This is why WiMP is turned off on my computer completely, and why I will never upgrade to Vista. I also have to occasionally re-install my Win2k3 server software because of it getting re-infected every few months with a new version of a WGA hack or trojan.

J. Alec West :

If I recall correctly, WGA was not included in WinXP Home SP2. It was an update you could (or could not) install. Convinced I'd purchased a valid OEM copy from a valid seller who has been in business for years, I stupidly accepted the update ... and gleefully crowed when I'd been "cleared" of the implied charges. Now, I'm wondering if there's a way to uninstall or disable WGA altogether.

sanjoj :

I have a problem in Windows Vista Home Edition. I am unable to log on as a user. Before logon it asks for activation. I tried with my product key, which is on the sticker on my laptop. My laptop is an HP Pavilion dv6000. Can anyone suggest what to do so I can log on to my computer normally?

james :

I bought my Windows XP Home Edition SP2 legally from Best Buy recently, and I had to reinstall XP. Upon activation I was told my copy was no good, and it took me to the Microsoft website and wanted to charge $84 to activate the same product I had already bought legally. I declined to pay for something I already own, my copy of XP! So I uninstalled Windows and put my XP software on the shelf, where it sits until I throw it away. Now I have Linux on my PC and also a Mac G4, and I'm so happy: no more Windows, no more slave to Microsoft. Free at last, no viruses, no worries. And all the devices I used for Windows work even better under Linux and Mac.

rajan :

I want a Vista product key. If you have one, please send it to the following email ID: rajankbc@yahoo.com
