The number of online games is constantly growing and the amount of money of this market is growing too. It provokes criminals to improve the malicious software which is used to steal player's personal data. In this article Trojan family of Trojan-GameThief.Win32.OnLineGames will be explored. Thousands modifications of this family appear every day.
Figure 1. Detection statistics of Trojan-GameThief.Win32.OnLineGames: 2008.12.01 - 2009.08.23
On the diagram we can see that main peak of activity for the given family of malicious programs happened at the beginning of 2009 because of higher activity of the online players during New Year holidays. According to the data taken from dataforbreakfast.com and cgames.com, the percentage of online-players by age is distributed as follows.
Figure 2. Age groups online – players
The picture shows that the main group of online-players is 18-30 years old, i.e. able-bodied population, who spend much of their time "profitably".
Figure 3. Percentage of time spent on online-games a week
Analysis domain The popularity of online – games highly increases with the appearance of rogue servers, because number of users who do not want to pay for the use of official servers are growing proportional to the number of rogue servers. Black market of game valuables has already been formed and operates. Suggestions of criminals aimed at users who do not want to "pump" their game characters. There will be always people who can pay for "pumped hero". They are not interested how this character came on the market of game valuables and if this market is legal. The general structure of fraud in online games represented in Figure 4.
Figure 4. Scheme of cheating in online-games
Some of the methods used by cyber criminals to steal user's confidential information:
- Social engineering
One method used by cyber criminals is to enter a game or a forum on a game server and offer a bonus, or help in the game, in exchange for other players’ passwords. Also cyber criminal send phishing emails, purportedly from the server administrators, who invite the player to authenticate his/her account via a website linked in the message.
- Exploiting vulnerabilities
Exploiting vulnerabilities by cyber criminals directly in the core game, server applications, operating system.
- Using malware
Cyber criminals are improving propagation techniques (worms and viruses); password stealing functionality; and malware self-defense techniques against antivirus programs. In the article by Sergey Golovanov " Online games and fraud: using games as bait" more information can be found about the evolution of password stealing malware (www.securelist.com/ru/analysis?pubid=204007565 ).www.microsoft.com/technet/security/Bulletin/MS08-067.mspx ).
Trojan complex analysis The kind of the Trojan complex represented in Figure 5.
Figure 5. Trojan complex Trojan-GameThief.Win32.OnLineGames.bkzf
Once launched, the malware copies its executable file to the Windows system directory under the name "updater.exe". In order to ensure that the Trojan is launched automatically when the system is rebooted, the trojan modifies the file userinit.exe, which is part of the Windows and responsible for system startup. Userinit.exe responsible for restoration of network connections and launching OS.
Figure 6. Strings of modified file userinit.exe
Checking MD5 hash to ensure that file userinit.exe is modified (Figure 7)
Figure 7. Comparison of MD5 hashes of the original and modified file userinit.exe
Then the Trojan extracts DLL from its body in the Windows system directory under the name "killdll.dll". The main task of this library is counteraction the protection of target system. Using DLL the Trojans extracts series of processes from memory that is presented by antivirus software, some of them are presented on Figure 8.
Figure 8. List of terminated processes
All specified strings have been encrypted by XOR 0x2 function. The library has two scenarios of work: if the system has process "CCENTER.EXE" (Rising, Rising Process Communication Center) and has not it. According to the scenario the Trojan stops of following services:
An example of ceasing the service and the completion of Kaspersky Anti-Virus process represented in Figure 9
Figure 9. Command line for the completion of service and process.
As a debugger for all applications from the list of terminated programs, the Trojan installs "svchost.exe", changing the parameter point of the following registry key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options] In such away the Trojan hampers the work of antivirus program.
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "updater" = "%System%\updater.exe" File "~Frm.exe" extracts DLL from its body and places it in the current user’s Windows temporary directory as "tmp.tmp". The system process "%System%\svchost.exe" will then be launched for execution and code from DLL will be injected in address space. (Figure 10).
Figure 10. The injection of malicious code in the address space of the process svchost.exe
This code launches the flow (Figure 11), which downloads a file from the URL shown below:
Figure 11. Definition of malicious flow in the process svchost.exe
The file downloaded by the malicious thread is then saved in the current user’s Windows temporary directory as "tmp.tmp". This file has a list of URL for later download files. The downloaded files are stored in a temporary directory under random names, and then will be launched for execution. Files from the URL are detected as Trojans that steal user passwords to accounts of online-games. Among the basic families can be emphasized Trojan-GameThief.Win32.Magania, Trojan-GameThief.Win32.WOW. Disassembler's listing of the malicious thread is shown in Figure 12.
Figure 12. Disassembling of the malicious thread
Trojan extracts a rootkit "pcidump.sys" from its body. The Trojan uses the services "pcidump" to launch the rootkit in the system:
Figure 13. The display of service in the Registry Editor
This rootkit is designed to hide activity of the Trojan complex and to receive low-level access to the target system. Rootkit sets hook "NtQuerySystemInformation" in KeServiceDescriptorTable:
Figure 14. Replacing of handler NtQuerySystemInformation
Conclusions The growth of the online – games and gaming industry has given birth to the malicious programs.
Figure 15. Sale of accounts to the game Eve Online (http://accountgear.com/buy/Eve-Online)
A google.com / trends search for "hack account", "sell account", "buy account" returned the following diagram:
Figure 16. Google trends
In consideration of a large part of offers "to crack", "to buy" or "to sell" an account belong to online-games, could suppose demand outdistances supply at the market of gaming valuables. This market is constantly growing because of increasing number of people who want to buy a game characters or virtual riches. It means that the interest of malware writers to online games in the near future will not go down. It is possible to suppose that the criminals will actively use the advanced rootkit-technology for the further development Trojan family of Trojan-GameThief.Win32.OnLineGames.
Alexander Saprykin, Alexander Nepokupny"Design and Test Lab" , Ltd. 2009
/specially for www.av-school.com /
Article from blog:
Marina .
Online games and fraud. Battle Trojan complex
