Investigating How Kaspersky Key Finder Finds and Downloads Kaspersky Keys



One of my readers informed me about Kaspersky Key Finder and told me that this tool is able to search for Kaspersky keys. His guess was that it could somehow connect to Kaspersky’s server and download genuine keys. I didn’t really believe that Kaspersky Key Finder is capable of doing that, because people would actually be selling this tool for a lot of money instead of putting it on RapidShare mirrors for anyone to use.

Kaspersky Key Finder

I’ve managed to download the latest copy of Kaspersky Key Finder V1.5.0. It claims to find keys for Kaspersky Anti-Virus (KAV) Version 6, 7, and 8, and keys for Kaspersky Internet Security (KIS) Version 6, 7, and 8. It requires .NET Framework 3.5 from Microsoft to run. I scanned it with 36 antivirus engines using VirusTotal, and 8 of them found that KKF is a hacktool. I am sure it is a false positive because I’ve analyzed the file with ThreatExpert and it doesn’t contain any threat.

This tool seems very easy to use. Clicking the List Keys button would connect to a database somewhere to search for Kaspersky keys. Currently a total of 799 keys are found. To download a key, I just need to place a mark on the checkbox and click the Save Key button. There are 5 servers to download the keys from. I got an “Unable to Download, Try Another Server” error on servers 1 and 2. The rest of the servers worked fine and were able to download the key.

I was curious to know where Kaspersky Key Finder checks for the list of available keys to download and where the servers are located. Please note that you will not find download links for Kaspersky Key Finder here, but I will show you how I managed to find out how it works.


Whenever you have a tool that acts as a download manager and connects somewhere to download a file, the ultimate tool to use to sniff the link is URL Snooper. It even helped me before in sniffing out a direct link so I could record a streaming radio broadcast.

I launched URL Snooper and started sniffing for URLs. I then ran Kaspersky Key Finder, clicked the List Keys button and URL Snooper immediately picked up a URL. It shows that Kaspersky Key Finder is downloading a KKP file from http://www.freewebs.com/kkfpage/KKF/TheList.KKP

Opening the freewebs URL in a web browser displays a page with a list of incomplete links, each with a date and filename. It looks like TheList.KKP is the “database” that Kaspersky Key Finder loads from when you hit the List Keys button.

Next, when I placed a mark on any of the checkboxes and clicked the Save Key button, URL Snooper was again able to tell me where the key came from. Server 1 and Server 2 didn’t work for me as I got the error “Unable to Download, Try Another Server”. When I selected server 3, 4 or 5 and clicked Save Key, URL Snooper picked up the following URLs. The tool downloads a .ffp file from the URL below and then renames the file extension to .key

Server 3: http://k-k-f.0catch.com/KKF/2008/Oct_16/
Server 4: http://www.k-k-f.we.bs/KKF/2008/Oct_16/
Server 5: http://kkf.freehostia.com/KKF/2008/Oct_16/

All the servers used to save the key files are on free web hosting. As you can see from the test above, the Kaspersky Key Finder tool needs to be updated and maintained by its author or else it will stop working. Kaspersky Key Finder doesn’t really “find” keys, crawl various websites for them or exploit Kaspersky servers; it simply retrieves them from a list that is manually created.
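
The same triage can be scripted once the sniffed URLs are saved to a list. The following is an added example, not code from the original post or from the tool: it groups the captured URLs by file extension and checks whether every host sits under a hosting domain seen in the post. The `EXAMPLE.ffp` file name and the `FREE_HOSTS` tuple are assumptions, since the post gives only the directory each server used.

```python
from collections import defaultdict
from posixpath import splitext
from urllib.parse import urlsplit

# URLs as the post reports them. The .ffp file name is a constructed
# placeholder: the post gives only the directory each server used.
CAPTURED = [
    "http://www.freewebs.com/kkfpage/KKF/TheList.KKP",
    "http://k-k-f.0catch.com/KKF/2008/Oct_16/EXAMPLE.ffp",
    "http://www.k-k-f.we.bs/KKF/2008/Oct_16/EXAMPLE.ffp",
    "http://kkf.freehostia.com/KKF/2008/Oct_16/EXAMPLE.ffp",
]

# Assumption: hosting domains taken from the URLs above, treated as free hosts.
FREE_HOSTS = ("freewebs.com", "0catch.com", "we.bs", "freehostia.com")


def hosting_domain(host, known=FREE_HOSTS):
    """Return the known hosting domain that `host` sits under, or None."""
    host = host.lower().rstrip(".")
    for domain in known:
        # Match on a label boundary so "notwe.bs" is not taken for "we.bs".
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def summarize(urls):
    """Group captured URLs: file extension -> set of (host, hosting domain)."""
    by_ext = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        ext = splitext(parts.path)[1].lower() or "(none)"
        by_ext[ext].add((parts.hostname, hosting_domain(parts.hostname or "")))
    return dict(by_ext)


def unexplained_hosts(urls):
    """Hosts in the capture that are not under any known hosting domain."""
    return sorted({h for hosts in summarize(urls).values()
                   for h, dom in hosts if dom is None})


if __name__ == "__main__":
    for ext, hosts in sorted(summarize(CAPTURED).items()):
        print(ext, sorted(hosts))
    print("outside known hosts:", unexplained_hosts(CAPTURED))
```

An empty result from `unexplained_hosts` matches the post's finding: the index file and every key download come from a handful of free hosting accounts, and no vendor server is contacted.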