Does software piracy lead to higher malware infection rates?

Summary: Yes it does, at least according to a recently released report by the Business Software Alliance (BSA) which basically correlates data on the known piracy rates for particular countries and their malware infection rates, using public sources.


Yes it does, at least according to a recently released report by the Business Software Alliance (BSA) which basically correlates data on the known piracy rates for particular countries and their malware infection rates, using public sources.

The rationale behind their claims is fairly simple - users relying on pirated copies of software also do not have access to the latest, often critical from a security perspective, updates issued by the vendors, and are therefore susceptible to client-side vulnerabilities.

How biased are BSA's claims, or are the report's claims in fact real, emphasizing on how millions of users relying on pirated Windows copies are usually the first to become part of a botnet?

Infection distribution data for the poster child of patch management failure on a global scale, Conficker, speaks for itself, at least with respect to the report's claims. At the beginning of the year, Symantec also drew a connection between the high piracy rates of the most affected countries and their high infection rates, attributing the latter to users' inability to obtain the released patches:

On October 20, 2008, Microsoft rolled out an updated Windows Genuine Advantage (WGA) system to help combat the high rate of piracy of its Windows platform. One of the side effects of this policy is that people using illegal copies of Windows will be more likely to disable automatic updates from Microsoft. The fear is that a subsequent update may adversely affect their experience with Windows in a similar way to the "black screen" that affected many users in China operating illegal copies of Windows. Without automatic updates, it is highly unlikely that many of these users are manually installing critical updates such as MS08-067.

The same infection distribution was confirmed by IBM's ISS in April, once again highlighting some of the very same countries known to have high software piracy rates as main Conficker targets.

Despite the obvious connections, susceptibility to client-side vulnerabilities isn't entirely driven by the software piracy rate. For instance, even though vendors of ubiquitous applications release free patches to everyone, millions of end users are not applying them (Research: 80% of Web users running unpatched versions of Flash/Acrobat), with evidence of the practice arriving on a monthly basis (Secunia: Average insecure program per PC rate remains high) based on data from multiple vendors.

In Adobe's case, for instance, it takes the help of a third-party application, in this case the Firefox browser, to patch millions of Flash users, despite the fact that Adobe itself has an updater tool, which no one besides the cybercriminals appears to be using (or spoofing).

Why is this "the patch is there, but we don't care" mentality so common among end users? Because end users, alongside certain network administrators, still fail to understand the current threatscape and the simple fact that cybercriminals are more interested in targeting specific client-side vulnerabilities than OS-related ones. Combined with the fact that, according to Qualys, application patching is much slower than operating system patching, this once again demonstrates why web malware exploitation kits using outdated exploits are so successful in general: they've found a sweet spot and a window of opportunity to take advantage of.

What do you think? Does software piracy lead to higher malware infection rates, beyond the success of the Conficker botnet? What use are Microsoft's critical patches to the millions of users relying on pirated Windows copies, who would ironically end up joining a botnet and attacking those using legitimate Windows versions? Should Microsoft care?

Or is software piracy irrelevant to the infection rates considering the fact that millions of users still haven't applied the free patches released by their vendors months ago?
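The BSA-style comparison the post describes is a country-level correlation between piracy rate and infection rate. The following is an added worked example, not code or data from the post or from the BSA report: it computes that correlation on constructed figures for five hypothetical countries, then applies two checks the discussion raises, the r-squared and a confidence interval for a small sample, and a partial correlation that controls for the share of PCs on dial-up (the confounder the comments point at). All numbers, country labels and the dial-up variable are assumptions made up for the example.

```python
"""Country-level piracy-vs-infection correlation, computed the way a
BSA-style comparison would be, plus the checks a sceptical reader asks for:
r-squared, a confidence interval, and a control for a confounder.

All numbers in this file are CONSTRUCTED for illustration; they are not
figures from the BSA report, Symantec, IBM ISS or any other source.
"""
import math

# Constructed sample: five hypothetical countries, each with a software
# piracy rate (%), a malware infection rate (infected PCs per 1,000) and
# the share of PCs on dial-up (%), the confounder raised in the comments.
COUNTRIES = ["A", "B", "C", "D", "E"]
PIRACY_RATE = [40, 70, 60, 50, 80]      # % of installed software that is pirated
INFECTION_RATE = [14, 14, 20, 22, 30]   # infected PCs per 1,000
DIALUP_SHARE = [30, 40, 50, 60, 70]     # % of PCs on dial-up connections


def pearson_r(xs, ys):
    """Pearson correlation coefficient of two equal-length samples."""
    if len(xs) != len(ys) or len(xs) < 3:
        raise ValueError("need at least three paired observations")
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        raise ValueError("a sample with zero variance has no correlation")
    return sxy / math.sqrt(sxx * syy)


def r_squared(xs, ys):
    """Share of the variance in ys that a straight line on xs accounts for."""
    return pearson_r(xs, ys) ** 2


def partial_r(xs, ys, zs):
    """Correlation of xs and ys after removing the linear effect of zs."""
    rxy, rxz, ryz = pearson_r(xs, ys), pearson_r(xs, zs), pearson_r(ys, zs)
    denom = math.sqrt((1 - rxz ** 2) * (1 - ryz ** 2))
    if denom == 0:
        raise ValueError("control variable fully determines x or y")
    return (rxy - rxz * ryz) / denom


def fisher_ci(r, n, z=1.96):
    """Approximate 95% confidence interval for r via Fisher's z-transform."""
    if n < 4:
        raise ValueError("Fisher interval needs n > 3")
    zr = math.atanh(r)
    half_width = z / math.sqrt(n - 3)
    return math.tanh(zr - half_width), math.tanh(zr + half_width)


def report(piracy=PIRACY_RATE, infection=INFECTION_RATE, dialup=DIALUP_SHARE):
    """Run the three checks on one data set and return them in a dictionary."""
    r = pearson_r(piracy, infection)
    lo, hi = fisher_ci(r, len(piracy))
    return {
        "r": r,
        "r_squared": r * r,
        "ci95": (lo, hi),
        "r_given_dialup": partial_r(piracy, infection, dialup),
    }


if __name__ == "__main__":
    out = report()
    print(f"piracy vs infection: r = {out['r']:.3f}, r^2 = {out['r_squared']:.3f}")
    print(f"95% CI for r (n={len(PIRACY_RATE)}): "
          f"{out['ci95'][0]:.2f} .. {out['ci95'][1]:.2f}")
    print(f"controlling for dial-up share: partial r = {out['r_given_dialup']:.3f}")
```

On the constructed data the raw correlation between piracy and infection is about r = 0.57 (r-squared about 0.33), which looks like support for the report's thesis. Two things undercut it: with only five countries the 95% interval for r runs from below zero to above 0.9, so the sample cannot distinguish the effect from none, and once the dial-up share is held constant the partial correlation drops to zero, because in this data set infection tracks connectivity and piracy merely happens to track connectivity too. That is the shape of the objection a practitioner should raise before reading a piracy-vs-infection table as causation.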


Topics: Operating Systems, Malware, Security, Windows

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • Dial-up connections and malware?

    What percentage of the world runs their Windows machines on a dial-up connection? On those machines, it can take HOURS to download routine security patches, and most people aren't that patient.
    • Not to mention...

      That users don't want their computers to be "busy" doing updates/patches when they want to work/play.

      And, it should be noted that an awful lot of computers are being run by people (home, small business) who have no concept that software will need updates/patches. Note that they are never told (in any manner that will ever make a difference) that this is important.
    • Dial Up Users

      Quote: [i]On those machines, it can take HOURS to download routine security patches, and most people aren't that patient.[/i]

      Yesterday, I downloaded these M$ patches (listed by KB number and size):

      Patch        Size (KB)
      KB 974417    11,192
      KB 953297    13,790
      KB 969059     1,038
      KB 974571       510
      KB 975467       733
      KB 971486     2,638
      KB 958869     1,275
      KB 973525       487
      KB 974455     4,861
      KB 854155     1,077

      I still have to download a 5+ MB .NET fix.


      I had plenty of time to go out and cut the grass, while the modem was getting choked by this. After a couple of hours doing yard chores, it still was not done.

      For me, cable broadband [b]is out of my budget,[/b] thanks to an economy that plainly [i]sucks.[/i]
  • It sure does . . .

    "The rationale behind their claims is fairly simple - users relying on pirated copies of software also do not have access to the latest, often critical from a security perspective, updates issued by the vendors, and are therefore susceptible to client-side vulnerabilities."

    OH it is more than just that. There is NOTHING preventing somebody from dropping a trojan or five into an illegal download. And if somebody has no qualms about copyright law - how much do you expect them to care about the user's computer?

    It's not just the update policy, it's often questionable behavior, especially behavior where the user is doing something that is a known security risk.

    I know somebody who did a lot of software downloading - his computer was, honestly, malware city. I remember a USB stick used in his computer would drive the antivirus crazy - with a legit trojan. Obviously, that got pulled quickly and I did a complete check to make sure the thing hadn't jumped off the stick.

    That was many years ago. I *hope* he's learned a bit since then.

    Now - my mother doesn't do that kind of stuff, and even though she doesn't know much about computers, a combination of basic precautions and using automatic updates means she's pretty safe. She has AV, but it's been years since I've caught her computer with anything on it.

    IMHO the difference between no security and even basic, common sense security is big.

    Despite claims to the contrary, it doesn't take much to secure a Windows system. I'd say the vast, vast majority of infections are from people who are doing not just stupid things, but often things that are legally questionable.

    One thing I do recommend for Windows systems is to get Secunia's PSI, which keeps an eye on software updates.
    • Windows needs package management similar to Linux.

      If Microsoft would implement some sort of repository and package management system for Windows similar to Linux, many of the malware problems associated with people using outdated versions of programs would simply disappear. Imagine an app built into Windows Update that would automatically tell you that updates are available for Firefox, Java, Flash, Adobe Reader, QuickTime, and iTunes, then automatically install them without (1) each program having its own update service running 24/7 and (2) installing extra "bonus" crapware that the program's maker throws at you (I'm calling you out here, Apple!)

      Secunia's PSI looks like a good program for people that are halfways computer literate, but it still requires way more interaction than should be necessary. For people like my dad, who knows little more about computers than how to click a mouse on an icon, even this is waaaay too complicated. For him, the only way updates are getting installed is if the computer does it automatically every morning at 3:00 a.m.

      I recall reading something about MS looking into the possibility of such a service, but haven't heard if they plan to implement it.
      • I agree

        Windows should come out with an all-inclusive program that detects what apps you have installed on your computer and notifies you of any impending updates. True, it would probably be somewhat difficult to do, but I think it would greatly improve security on a person's computer. People wouldn't have to worry about opening up each app on its own and trying to figure out how and where to go for these

        I also agree with the Convenience Rules post and that most people don't apply updates b/c of the steps involved, even though it is extremely simple. We've gotten lazy and too accustomed to things being instant, and the mentality that, well, it's a computer, shouldn't it do it by itself, I don't get it. One of the biggest security threats is the End-User and their unwillingness to try and stay protected.
      • Linux package management

        I have had a dual boot machine (Ubuntu 8.10 and Windoze XP) for some time. The Ubuntu install came from a Live CD.

        Unfortunately, this machine has a "winmodem" (a 'software' modem) and I never was able to successfully get it working under Ubuntu.

        Finally, I obtained a cheap external 56K serial modem; connected it to a serial port. Then I followed the instructions on the Ubuntu web site, and got the modem installed.

        I then opened up a terminal prompt, and issued a 'sudo wvdial' command. That modem dialed out, connected, and authenticated me to my ISP.

        The first thing I did was update the package manager. I was suddenly greeted by an updated list of available packages. About the same time, Ubuntu's update manager informed me that there were over 300 updates available, [b]that list totaled more than 280 MB.[/b] That is one way to choke a modem.

        After paring it down to something more than 27 MB (I downloaded the essentials FIRST), the update manager went to work.

        Since I clicked to see the details of which files were downloaded, I had a running track of what was already downloaded at any one point in time. Periodically, I would check, and note that it was downloading file xx of (in my case) 116 files.

        I was able to do other things while the files were downloaded.

        Once they all were downloaded, the package manager went off installing the updates. I wanted to see the details, and I watched it as it stopped a service, replaced the required files, and then restarted the service. [b]Very slick![/b]

        M$ should take note, [b]Linux has updating all figured out.[/b]
      • well..

        I thought about it a lot and in appearance it's a wonderful idea. In fact, in Windows Vista/7 they have an out-of-browser updater. However, it would have 3 problems:

        First: It's a tech support nightmare; the random Joe user won't think that the 3rd party has to support his software, but instead random Joe would think that MS must support all software.

        Second: How much software exists for Windows? Would all third parties need to certify their system (hence paying a licence to use MS's service)?

        Third: As I said earlier, they have a package manager already; it's called Windows Update. It manages updates for MS software. If 3rd parties were to use it also... who would pay for the bandwidth?

        PS: Linux does not have those problems for various reasons (open licences, using school networks... etc).
  • What's causing Japan's variance?

    They have a higher piracy rate, yet a lower malware rate. Why?
    • Japan's rate among the lowest

      According to the Business Software Alliance, Japan ranks #104 in their 2007 piracy rankings. The US ranks #107.

      Using the same link shows that the highest $ losses due to piracy are in the US (over $8 billion) followed by China and Russia.
    • I suspect that broadband has a lot to do with it.

      If you have to use a dial up service, the updates take a lot more time AND you will have to PAY for that time.

      I think you will find that in Japan most PCs have a broadband connection.
  • Give me a correlation coefficient and an r-square

    and then maybe these data might be interesting.
    • Software downloaded from pirated sites will always be a greater risk

      You don't need a correlation coefficient to know that a game downloaded from some guy in Russia is more likely to have malware than one bought in the store.
      • All downloaded software carries risk

        I detected a virus in a software download from a "reputable" software vendor's site, which had been attacked and hacked. So in the end, any software download and install carries risk above that of installing from physical media.

        But all the other points raised are valid. When one or both parties are willing to break the law, then that extends to other acts (like malware) as well. And lawbreakers are less likely to request help from legitimate sources in preventing or fixing malware problems.

        Normally, I think that everything said by shills like the BSA should be taken with a metric ton of salt, but they are actually telling the truth for once.
        terry flores
        • Remove "downloaded"

          There's been instances of viruses released on media too.
          • Didn't the original Office macro virus originate from within Microsoft?

        • But not even close to an equal risk, and not all software is downloaded

          Photoshop from Russia is far more likely to have a virus than Photoshop from Amazon.
  • People who have cleaned computers already know that it does

    People that download pirated software are easy targets for people that create trojans.
  • Hanging out with lawbreakers often ends with a jail sentence


    You download pirated software, you get what you paid for.
    • Some problems with your statement

      1) What if the people didn't download the software, but purchased software that they believed to be legitimate?

      2) They are not the only ones who "get" viruses/malware/etc.--having anyone as an unanswered vector for malicious code is not in anybody's interest, even if said vector comprises people who pirate software.
      Third of Five