Windows 7 users are more exposed to ransomware, says Microsoft Watch Now

I've been hanging out with a bad crowd lately.

In the interest of research, I've been digging into message boards and forums run by unabashed Windows enthusiasts who are intent on breaking Microsoft's activation technology. I've had these forums bookmarked for years and stop in every once in a while just to see what's new. This time I decided to drop by and actually try some of tools and utilities to see if I could become a pirate, too.

Unfortunately, I succeeded.

In this post, I'll share my experiences, including close encounters with some very nasty malware and some analysis on how the latest showdown between Microsoft and the pirates is likely to play out.

You won't find names or direct links here--although these guys seem like genuine enthusiasts, I have no intention of giving them any free publicity. But if you're interested in tracking down the tools I tested you should have no trouble finding them using the clues available in screenshots and descriptions here.

If you do intend to try this stuff out for yourself, I recommend extreme caution. My hunt for utilities that bypass Windows 7 activation technologies led me to some very seedy corners of the Internet. First, I did what any red-blooded wannabe pirate would do and tried some Google searches. Of the first 10 hits, six were inactive or had been taken down. After downloading files from the remaining four sites, I submitted them to Virustotal.com, where three of the four samples came back positive for nasty, difficult-to-remove Windows 7 rootkits. Here's one example:

And that experience is borne out by at least one real-world experience, which was reported, ironically, in the Talkback section of this blog. After I wrote about Microsoft's most recent anti-piracy initiative last week, one commenter (a loud, proud Linux advocate) insisted that the update opened a secret back-channel, probably as part of a plot by Microsoft to covertly gain access to its customers' PCs. A day or so later, after checking with his Windows-using friend, he returned with this sheepish admission:

It turns out his iso was not a bona fide purchased copy [of Windows 7], but rather a cracked version off of the net. In all likelihood the iso was trojaned...

Indeed. Which is why I exercised extraordinary caution. For my hands-on tests, I used a fresh copy of Windows 7 Ultimate, installed without a product key. I then looked at two widely distributed tools that work in completely different ways.

Page 2: Disabling Windows activation completely

A clever little tool called RemoveWAT not only disables Microsoft's activation subsystem, it also installs the latest anti-piracy update from Microsoft and then disables it, too!

Page 3: Fooling Windows by tinkering with the BIOS

Big PC makers get to install copies of Windows that don't require activation. Naturally, pirates soon figured out how to make any PC look like it came from one of those big factories.

Page 4: Microsoft versus the pirates

Pirates are clever and fast. Microsoft is highly motivated to keep its lucrative Windows revenue stream intact. Are customers going to get caught in the crossfire?

Details and screenshots begin on the next page.

Disabling Windows activation checks completely

RemoveWAT first appeared last summer, around the time Windows 7 was released to manufacturing. The philosophy behind this small utility is simple: It disables the Windows Activation Technologies function while allowing the system to retain its Genuine status in every official check by Microsoft. The most recent version claims to work with all editions of Windows 7 and Windows Server 2008 R2. (It does not work with Windows Vista or Windows Server 2008.)

I downloaded the most recent edition of RemoveWAT (v2.2.5) and verified that it was clean. The single .exe file is small (less than 7MB), and the UI is simple:

After clicking the Remove WAT button and rebooting, I noticed a subtle but significant change in the System properties dialog box. The section describing my system's activation status was gone. There was no sign of a Product ID or activation status. Nothing. Previously, a message in that section had told me that I had 30 days left to activate.

A close inspection of the Windows\System32 folder explained why. RemoveWAT installed its own patched version of a crucial DLL file in the Software Licensing subsystem, Slwga.dll. Thoughtfully, the program's developer had coded it to save a backup of the actual file so that it could be restored if necessary. (And when I tested the Restore WAT function, I found it worked just fine on my system.)

As far as Windows was concerned, the system was perfectly valid. I was able to download and install optional updates through Windows Update and successfully validated the system so that I could install products reserved for Genuine Windows customers. I was also able to install Microsoft Security Essentials, which performs a validation check during setup.

In a fitting piece of irony, the most recent version of RemoveWAT actually goes out of its way to install Microsoft's WAT Update (KB971033), which is designed to detect and remove tampering by programs like... well, like RemoveWAT. The pirate code remained working even when I ran the WAT update manually.

Page 3: Roll your own free OEM copy? -->

Fooling Windows by tinkering with the BIOS

The other popular approach toward cracking Windows activation takes advantage of the difference between retail and OEM copies of Windows. Retail copies have to be activated using a unique serial number. OEM copies from large system makers (Dell, Toshiba, HP, and so on, collectively known as Royalty OEMs) use a technique called System Locked Preinstallation (SLP). The preinstalled copy of Windows uses a single master product key tied to specific information in the system BIOS that is unique to that manufacturer's systems. If the encrypted licensing information in the preinstalled copy of Windows matches the information in the BIOS, no activation is required.

Windows pirates figured out how to exploit this hack around the time Windows Vista was launched. The Windows 7 Loader program, which I used on a test system, looks at your PC's BIOS to see whether it contains an ACPI_SLIC table with software licensing information ("markers" for the Windows operating system and the name of the computer maker). If the SLIC table is present, the tool installs the correct product key for your Windows 7 edition along with a digital certificate; the combination mimics a legitimate OEM preinstallation. For systems with a BIOS that doesn't contain the proper SLIC tables (a scenario I didn't test), it uses an alternate boot loader (typically some variant of GRUB) and installs BIOS emulation code to fool the system into thinking your system is a legitimate OEM installation. You can use the one-click installer or select from advanced options to personalize your PC by choosing a particular brand.

In this case, I had installed a retail copy of Windows 7 Home Premium on a relatively new system (purchased in mid-2009) that was originally licensed for Windows Vista. I didn't enter a product key during setup, and I had gone more than 30 days without activating. Here's what I saw when I ran W7Loader:

The installer correctly detected the brand (Dell) and Windows 7 edition. When I clicked the Install Certificate and Serial button on the right, I was greeted with this message:

The system, which had never been activated, had previously been nagging me with "non-Genuine" warning messages. As soon as the pirate tool completed its work, the watermark on the black desktop went away and the System properties dialog box told me I was activated with a Dell OEM product ID.

Page 4: The Empire strikes back -->

The Empire strikes back

The two exploits I describe in this post are certainly not the only ones out there. Indeed, Windows pirates have been playing a cat-and-mouse game with Microsoft for years. In the Windows XP era, pirates focused most often on stealing legitimate product keys, especially Volume License keys. Beginning with Windows Vista, Microsoft has begun building anti-piracy components directly into the operating system, and pirates have aimed their hacking skills at those components with increasing sophistication.

The latest salvo from Microsoft in the war against pirates is the Windows Activation Technologies Update (KB971033). In its default configuration, it performs an initial validation check and then repeats the process every 90 days, downloading new signatures to detect exploits that flew under the radar in the previous scan. When I initially wrote about this subject last month, the question I heard most often was, "Why does it need to keep checking? If I get validated, shouldn't that be good enough?"

Unfortunately, the experiences I've written about here prove why that strategy doesn't work. If you used a copy of RemoveWAT that was created in 2009, you were able to fool Microsoft validation servers with a 100% success rate. However, as the anguished cries of forum participants proved, the KB971033 update in February exposed all of those hacks, restoring the correct license files and causing the systems to (correctly) fail validation. As a result, the RemoveWAT developer modified his code and released a version last week that trumped the new update and once again allowed hacked machines to pass the activation test.

In the past, that would have been counted as a win for the pirates. But with its new signature-based system, Microsoft can improve its exploit-detection code and, at least in theory, identify the updated hacks in 90 days (or, in the worst case, 90 days after that). The point is that pirates can't count on getting a permanent free pass on activation. If you're a hobbyist obsessed with pirating Windows, you have to put up with the nuisance of updating your hacking tools every few months. But if you're selling pirated software (in a box or preloaded on a system), you risk getting put out of business and maybe sent to jail when the systems you sold in March are detected as pirated in June or July.

The other question I hear on the subject is, "Why pick on legitimate customers? Why not go after the real pirates?"

There's a common misconception that only diehard hackers mess around with pirated software. The reality is that anyone can be a victim, especially if they ever need help reinstalling Windows or repairing some sort of hardware problem. I have lost count of the number of times I have seen a PC that contains a pirated copy of Windows installed by a nephew or a neighbor or even a local computer tech who was trying to share the cool thing he found on the Internet. Back in 2007, I wrote about a firsthand experience with a PC repair tech for a major national chain who used a pirated copy of Windows to "repair" my friend's PC.

In that case, I was able to spot the unauthorized copy quickly and help my friend undo the damage (and get his money back from the crooked tech). If that were to happen today, the tech might be lucky enough to get away with the deception for a few months, but he would eventually be caught out.

One thing I learned while researching this piece is the phenomenal determination of pirates. They've become increasingly sophisticated and are able to react extremely fast to changes from Microsoft. For Microsoft, responding to those fast-moving targets without inadvertently inflicting collateral damage on its customers is a tremendous challenge.

Last weekend, I used some sophisticated forensic tools to take an equally close (and completely unauthorized) look at what Microsoft is doing with its most recent anti-piracy update. Tomorrow, I'll publish the surprising results of that analysis.