By Andrew Brandt
Since the beginning of the year, my colleagues in the Threat Research group and I have been researching an absolutely astonishing volume of phishing Trojans designed solely to steal what videogame players value most: the license keys that one would use to install copies of legitimately purchased PC games, and/or the username and password players use to log into massively multiplayer online games, such as World of Warcraft.
I can only imagine that it takes very little effort for the jerks behind this scheme to retrieve thousands of account details. (We began covering this issue briefly last week.) With such an effortless infection method, and the difficulty of prosecution (let alone identifying the perps), they don’t even seem to be concerned in the slightest about covering their tracks.
These single-purpose Trojans are very good at what they do, and can rapidly (and silently) report the desired information back to servers — typically, perhaps unsurprisingly, located in China. We know the exact servers they contact, and what kinds of information they’re sending. And we know why: Thar’s gold in them thar WoW accounts, and the rush is on to cash in.
Today, I’m going to go deeper into how the infections happen.
The most common infection method we see is simple but devastatingly effective: A single, tiny executable file contacts a server in China, which returns a list of URLs that point to the phishing Trojan installers. How that file gets onto the victim’s PC varies: It might be embedded in a “cheat” program, or it might get pushed down your browser’s throat by means of an exploit in a malicious iframe.
The executable then downloads, one by one, each phishing Trojan installer, and runs it. Here’s where it gets ridiculous: These downloader applications often pull down as many as forty installers, each of which silently installs a module that watches for logins to certain game-related websites or to game servers, or scans the registry for license keys to specific games.
Seriously, though: Machines infected by one of these things end up with metric tons of malware on them. It gets ugly fast, because the downloaded installers are not always just phishers — some of these payloads can be, themselves, downloaders, and then open up the sewage floodgates for another round of infections. I’ve personally watched a system just get infected for more than 10 minutes nonstop, while installer after installer was downloaded and run, over and over and over again. The list on the right shows just the installers we detected internally while researching just a single Phisher downloader. Each of those installers dropped additional payloads.
The phishing trojans themselves fall into two general categories: Windows Services, and Browser Helper Objects (or BHOs). Running as a service (and yes, the irony of calling a phishing Trojan a “service” is not lost on me, but this is a technical term) gives the Trojan the ability to steal a wider array of information, both in real time as you enter it into a form, and during moments of idle time, when you might not notice something scanning the registry. BHO phishers only become active when Internet Explorer is running, and are used primarily to steal login credentials.
Are you worried yet? If you play online games, you should be. In the next post, I’ll get into what all gamers can do to put the squeeze on these crooks.