Oh yeah, i forgot about malware on music cds

https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...

that's arguing gymnastics

I do seriously ask because I avoid pirating stuff because I'm never sure what's there

and yes, I do believe that shady sites are more likely to add some fancy stuff like coin miners to their stuff than actual e.g game vendors like CDPR and similar.

The risk is always there... but you can always check the hash of the iso, if it's the same as on microsofts site, and then check the crack/patch/activator/... on virustotal.

Movies, series, music,.. are usually in file formats not really suitable to carry malware (unless you click on the movie.mp4.exe, but most tech-savy users, who know how to pirate, also know not to do that).

As an IT security professional, depending on virus total and other sites is a pretty horrible idea. It's trivial to use msfvenom to encrypt a trojan and get it executed on a system, at least for a while until it gets recognized by some cloud platform.

> Movies, series, music,.. are usually in file formats not really suitable to carry malware

A few audio file formats are (practically) Turing-complete, and there have before been bugs in the VMs that allow privilege escalation.

Windows is effectively malware at this point, it's clear the users don't care.

The kind of malware the average user is concerned about is the one that will break into their accounts by logging their keypresses, or lock them out of their own computer for a ransom. Neither of those things are likely to come from windows, so whether it technically fits some definition of malware is beyond the point.

> or lock them out of their own computer for a ransom.

True enough; Windows has never asked me for a ransom – though it has shown me the dreaded Bitlocker Blue Screen because my "hardware configuration changed" after a software update.

Untouched MSDN images have their hashes published online (not without subscription anymore but people have made mirrors).

yep, + the keygen/patches can be scanned by virustotal. Same with game cracks (usually done by replacing the "game.exe" with a cracked version)

Also if you have the original file (most cracked software conveniently provides the crack separately) you can run something like ida + diaphora[0] and see the work the crackers did nicely isolated. Sometimes its little as altering a single conditional jump.

[0]: https://github.com/joxeankoret/diaphora

> the keygen/patches can be scanned by virustotal.

Wouldnt open source be better?

Because not all cracks are opensource, and not all games/software is opensource.

If you need a media player, you can get an opensource one (vlc, mpv,...). If you need excell, because of incompatibilities, macros, whatever, and don't want to pay (or don't want to buy a new one, since 2010 version works fine), you must crack it.

There are a lot of open source tools that more or less automate the removal of certain protections, especially from games. I "audited" a few myself. I'd link them here but some self righteous bootlicker would probably report it.

I guess it's about crack.exe then

Personally I prefer to use open source software rather than closed source and official closed source rather than torrented files but realistically the difference may not be that big, when the hardware where the code runs is not open / not possible to be checked.

To be fair, some non-pirated software comes with malware too these days.

This is the question that gets brushed off, and usually hostilely suppressed, as you're experiencing now, when talking about piracy/jailbreaking/ddwrt/etc. Asking this question is not FUD. There's no answer other than just hoping that any problems will come out given enough usage. If you're advanced enough to have multiple levels of trust in your environment, you just shouldn't use cracked software in your most trusted level.