Malwarebytes Offers Pirates Its Premium Antimalware Product For Free

An anonymous reader writes: If you have a cracked or pirated version of Malwarebytes Anti-Malware (MBAM) product the company has debuted an Amnesty program for you. Venturebeat reports: "If you pirated Malwarebytes Anti-Malware, purchased a counterfeit version of the software, or are having problems with your key in general, the company is offering a free replacement key." CEO Marcin Kleczynski explained the program and his statement reads in part: "When I started Malwarebytes, I absolutely had no idea how successful we would be today. I am extremely grateful for all of the support from everyone and how fast we’ve grown. That being said, I picked a very insecure license key algorithm and as such, generating a pirated key was, and is, very simple.

The problem with pirated keys is that they may collide with a legitimate key just by the sheer numbers. For example, Larry may generate a pirated key that matches the exact key that I already bought. Yes, this is silly, and yes, this is literally the first thing a professional software company thinks of when building license key generation, but when you think you’re building a product for just a few people you don’t hash out these details.

Now we’ve grown up, and we’ve got a new licensing system that we’ve rolled out in stages. The only problem is that we have millions of users that we’ve sold keys to, or a reseller has sold keys to, or we’ve given out keys to without keeping track. It is a mess, and you as a consumer have every right to be upset.

It's a great idea

[the_Bionic_lemming]

It's a good marketing move - most people just download the free version and scan. Problems fixed so they won't buy it for the bells and whistles - now they'll get lots of people to try the bells and whistles and might retain future revenue.

It's better than them canceling the free version and make it pay only for revenue.

Re:How stupid could someone be?

[sexconker]

Hash collisions happen.
The real solution is to NOT use a generation algorithm for keys. Generate strings, then approve only those you actually sell and distribute.
Software installation/runtime checks locally against the generation algorithm, allowing for offline installations, bundled installers, old version installs, use in 50 years after all the servers are gone, etc.
Updates ask for your key and the server decides if it's valid (an approved string that hasn't been used by thousands of PCs across the net).
Allow manual updates from pre-downloaded files for offline use, use after the servers are gone, bundled installers, etc. If you want to be nice, allow anyone to download these updates, perhaps after some time period, or perhaps only when the software is EOL.

Re:Hardware Locking

[sexconker]

Burned-in MACs? My nForce 2 motherboard's NIC (the nVidia one, not the Realtek one) has a MAC that's user-definable in BIOS.

Re: How stupid could someone be?

[corychristison]

To expand on this... you should also generate an "Installation ID" upon validation, stored server and client side along with the key.

This prevents users from trying to activate the key on more than one system, and allows you to offer controlled multi-system installs if you so choose.

On update you validate both the key, and the installation ID.

In the event a user needs to move the software to another install, you can contact the licensing dept and revoke the previous installation ID.

Re:Hardware Locking

[vidarlo]

We're upset because you're peddling snakeoil. Here is an excercept generating the hardware ID:
If Dir("gethwi.bat") "" Then Kill "gethwi.bat"
Open "gethwi.bat" For Append As #1
Print #1, "w32tm /stripchart /computer:us.pool.ntp.org /dataonly /samples:5 >gtime.dat"
Print #1, "systeminfo >gsys.dat"
Print #1, "getmac >gmac.dat"
Print #1, "exit"
Close #1
Shell "gethwi.bat", vbHide

You use this information to generate an ID. But you don't even hash it with a one way hash, which means it's possible to forge a reply to give an desired result. A good one way hash would at least make that impossible. It is also not scaling very well - you will need a lot of support for pissed customers who changed parts of their computer or changed timezone.

Furthermore, you do no authentication of the answer from the server. Anyone can send the response, and be accepted. You do not have any security. It would be trivial either remove your DRM by jumping over it, or supplying the very wrong values. A race condition would also work - overwriting the gsys.dat, gtime.dat, gmac.dat before your program reads it. Or simply replacing the code snippet above with a batch file which state echo "Desired values..." > gsys.dat.

So take an evening, think about how you can bypass your system. Try my suggestions. Fire up an debugger, and have a look at the software.

Re: How stupid could someone be?

[jarfil]

To further expand on this... keep talking, meanwhile as a client I'll be looking for software with none of that crap.

Re: How stupid could someone be?

[AmiMoJo]

Please don't try to limit the number of installs. It breaks horribly when you try to do a re-install, or move to a new PC, or run in a VM. The nature of this software is that techs will often install it on customer's PCs, clean them and then remove it.

Install counters are evil.

Re:OK so how do I fix this?

[crypticedge]

Short answer is no. Long answer is yes.

Some versions of the crypto viruses have the keys released so you can decrypt. Others do not. If you know how to google, you know how to find out what version it is and if it's been released. If you've got cryptolocker it's simple.