I downloaded a cracked install from tpb (haxnode). It was a loader exe that loaded the original exe and supposedly removed the DRM in RAM. It required admin permissions. I didn’t trust it, but I ran it in a VM and nothing happened.

Then I told myself “I have Microsoft Defender and Windows Firewall Control, they will warn me” and I ran it on my main laptop, and still nothing happened. Like, literally nothing happened. The original program would not start. It would simply exit. Nothing. The other 6 almost identical torrents from the same uploader, but with a different program version, had a similar result. I gave up.

Then I reboot, and first I notice a couple of DOS prompts flashing on the screen, and Windows Firewall Control asking me whether “aspnet_compiler.exe” is allowed to access the internet or not.

Suspicious, I go to check that “aspnet_compiler.exe”, and it’s located in the .NET system folder. I scan it with Microsoft Defender and it doesn’t report as a virus. I do not pay attention to the fact that it doesn’t have a valid Microsoft signature, and I tell myself “probably just a Windows update” and I whitelist it on the firewall.

After a few hours I realize “wait a minute: it’s impossible that an official Windows exe isn’t signed by Microsoft!” I go back to scan it, not infected… or so it looks, Defender says “ignored because in whitelist”. What? The “loader” put c:* in the whitelist!

The “crack loader” wasn’t a virus per se. It dropped an obfuscated batch file in Startup, which had a base64-encoded attachment of the actual malware, which was copied into the .NET Framework directory with unassuming names…

And this for a $60 perpetual license program that I should buy anyway because it’s for work.
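A defender-side triage for the three symptoms this post describes (a whole-drive Defender exclusion, a script dropped in the Startup folder, an unsigned binary sitting in the .NET Framework directory). This is an added example, not code from the post or the uploader; it assumes an elevated PowerShell session with the Defender cmdlets available, and it only reports, nothing is changed.

```powershell
# Added example, not from the original post: report-only triage for the
# symptoms described above. Paths are the standard Windows locations.

# 1. Defender exclusions: a whole-drive exclusion such as C:\* silences scanning.
$exclusions = (Get-MpPreference).ExclusionPath
foreach ($ex in $exclusions) {
    if ($ex -match '^[A-Za-z]:\\?\*?$') {
        Write-Warning "Overly broad Defender exclusion: $ex"
    } else {
        Write-Output "Exclusion: $ex"
    }
}

# 2. Startup folders (per-user and all-users): scripts here run at every logon.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.bat', '.cmd', '.vbs', '.ps1', '.js' } |
        ForEach-Object { Write-Warning "Script in startup folder: $($_.FullName)" }
}

# 3. Executables under the .NET Framework directories: anything without a valid
#    Microsoft signature deserves a closer look. Get-AuthenticodeSignature also
#    consults Windows catalogs, but treat "NotSigned" as a lead for manual
#    review (hash lookup, file version, write time), not as proof of infection.
$netDirs = @("$env:windir\Microsoft.NET\Framework", "$env:windir\Microsoft.NET\Framework64")
Get-ChildItem -Path $netDirs -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate.Subject
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
            [pscustomobject]@{
                Path    = $_.FullName
                Status  = $sig.Status
                Signer  = $signer
                Written = $_.LastWriteTime   # recently written system files stand out
            }
        }
    } | Sort-Object Written -Descending | Format-Table -AutoSize
```

Files the script flags should be checked from a clean system (or offline) rather than trusted on the infected host, since the exclusion the post describes means the local Defender verdict is meaningless until it is removed.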

  • Auster@thebrainbin.org · 1 day ago

    Depending on what you work on, maybe there’s an alternative FOSS or at least paid DRM free software?

    Or, if you work for a company and it demands this tool, maybe you could ask them to provide the software for you?

    On a 3rd point, I’ve seen official software detect when it’s being run in VMs or similar, so maybe that’s what happened.

    On a 4th point, if you must use a crack, maybe do so on a less usual Linux system, so if it’s a functional one but packaged with a virus, the virus breaks either because it runs under Wine or similar, or because the less usual system lacks some dependency the virus needs, if it can run on Linux as well?

    • sga@piefed.social · 13 hours ago

      > On a 3rd point, I’ve seen official software detect when it’s being run in VMs or similar, so maybe that’s what happened.

      This is becoming more common AFAIK. Why blow your cover in a VM where you would not even get much (unless you are just a miner, but even then performance is worse), especially when checking if we are running in a VM is really easy?

      • Auster@thebrainbin.org · 12 hours ago

        Cynical as I have become in recent years, I can’t help but think it’d be due to a VM seldom carrying interesting data for data brokers; your real machine is usually where the “good stuff” is.