Pirated Windows 7 Builds Botnet with Trojan

Security researchers at Damballa report shutting down the command and control server of a botnet built by a Trojan bundled with pirated copies of Windows 7 RC. The Trojan is believed to have infected thousands of users.

Attackers pushing pirated, malware-laced copies of Microsoft's upcoming Windows 7 operating system have been actively trying to build a botnet.

According to researchers at Damballa, attackers hid a Trojan inside pirated copies of the operating system and began circulating them on BitTorrent sites. Damballa reported that it shut down the botnet's command and control server on May 10, but by that time infection rates had risen as high as 552 users per hour.

"Since the pirated package was released on April 24th, my best guess is that this botnet probably had at least 27,000 successful installs prior to our takedown of its CnC [command and control] on May 10th," said Tripp Cox, vice president of engineering at Damballa.

Targeting users through pirated software is nothing new for hackers. Earlier in 2008, for example, attackers sought to build a Mac botnet on the backs of users of pirated versions of iWork '09 and the Mac version of Adobe Photoshop CS4.

Even aside from the malware threat, piracy is big business. A joint report by the BSA (Business Software Alliance) and IDC estimated software companies experienced $50 billion in losses in 2008 due to piracy.

In the case of Windows 7 RC, pirated copies were leaked on BitTorrent sites with a Trojan horse that, once downloaded, attempts to install a bundle of other malware on the infected machine. Blocking infections is tricky, as many anti-virus tools do not yet support Windows 7 and the operating system is infected before the tools can even be installed, according to Damballa.

"We continue to see new installs happening at a rate of about 1,600 per day with broad geographic distribution," Cox said. "Since our takedown, any new installs of this pirated distribution of Windows 7 RC are inaccessible by the botmaster. The old installs are accessible. The countries with the largest percentage of installs are the U.S. (10 percent), Netherlands (7 percent) and Italy (7 percent)."