Dangerous games. How Trojans Attacking Gaming Platforms Work.

Brother



Computer games are a huge industry that turns over almost as much money as the oil business. That money attracts not only investors but also the criminal world, including many malware authors. The number of malware families that steal game items and hijack Steam accounts is growing by leaps and bounds. This article explains how these Trojans work.

Developers of modern multiplayer games build entire virtual universes, complete not only with their own mythology and physical laws but also with their own economic system. Every game world has artifacts and equipment that give the player certain advantages or change the character's appearance. Equipment can be won in battle, found, earned by solving a task or completing a quest, or simply bought. This is exactly how some gamers make their living: they sell game items accumulated through long hours of play, or even entire accounts with a fully levelled character.

And wherever there is a whiff of profit, all sorts of grey schemes inevitably emerge. For example, back in 2011, The Guardian reported on prisoners in Chinese prisons who were forced by guards to farm loot and in-game currency, which was then sold for real money. Soon malware authors joined in carving up the pie and began distributing Trojans disguised as cheats and trainers to steal game accounts from users. And in 2014, malware was spotted that stole not Steam accounts but individual game items, and in an extremely clever way.

This is what a typical game item store looks like on Steam.

SteamBurglar

In the summer of 2014, CS:GO users began mysteriously losing their game inventory, and wrote alarmed posts about it on Reddit. Immediately before the incident, the player had received a message in Steam chat from another user offering to trade virtual items. The message contained a screenshot of the inventory on offer, and the deal itself looked quite profitable. After the trade went through, the user logged into the game and was surprised to find that some of his most valuable items had vanished without a trace.


Messages like this were received by affected users.

Thanks to an investigation by analysts, the root cause of the "tragedy" was established. It turned out to be the SteamBurglar Trojan. While the unsuspecting user was admiring an expensive item in the chat window, offered in exchange for some mediocre trinket, the Trojan located the Steam process in the computer's memory and pulled out information about the items in the user's inventory. It then searched this list for the keywords rare, mythical, immortal, legendary, arcana and key (the keyword list is configurable in the Trojan's admin panel); this is how SteamBurglar selected the most valuable inventory. The Trojan immediately listed the items it found for sale on Steam at a very attractive price, and the proceeds went to the malware author's account.

The Trojan itself and builders for it were openly sold on cheating forums, and it could steal items not only from CS:GO but from other games as well: Dota 2, Team Fortress 2 and Warframe.


This is what the SteamBurglar builder looked like

SteamBurglar operators initially used third-party tools to send the chat messages, but in December 2014 the author released a Trojan update that allowed spamming chats directly from the admin application. In response to the outraged complaints of the affected players, the Steam administration initially stalled, inviting the robbed users to hunt down the thieves' accounts on the market pages themselves and report them to support. Under public pressure, however, they eventually changed the procedure for selling in-game items, so that such transactions now require confirmation by e-mail.

SteamLogger

In the fall of the same year, a new Trojan, SteamLogger.1, began to circulate on the Web with the same purpose, stealing items from Dota 2, CS:GO and Team Fortress 2 players. But it was far more intricate.

The Trojan's dropper was distributed via links on cheating sites, on social networks and in private messages. The potential victim was offered cheap game equipment to buy or trade and was told the details of the deal could be found at a link; clicking it downloaded the Trojan's dropper to the computer.

Inside the dropper, the Trojan itself and its service module were stored in encrypted form. When the executable was launched, the dropper's image was loaded into memory and its contents decrypted: the service module was saved to disk in the %TEMP% folder as update.exe, while the Trojan body was loaded directly into memory with Assembly.Load(). Immediately afterwards, SteamLogger.1 downloaded from the control server and displayed on screen a picture of the item supposedly on offer, to lull the victim's vigilance.


This is the picture shown to the user by the SteamLogger Trojan.

Then the service module went to work. It looked in the Program Files (x86)\Common Files\ folder for a subfolder named Steam (creating it if it did not exist), saved the file SteamService.exe there, set the "system" and "hidden" attributes on it, registered the application in the registry branch responsible for autostart, and then launched it.

After collecting information about the infected machine (including the serial number of the system partition and the version and bitness of the OS), the service module sent it to the command and control server through proxies whose addresses were hard-coded in the program itself. The main purpose of the service module is to update the Trojan.
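The persistence traits described above (SteamService.exe under Common Files\Steam with the hidden and system attributes, update.exe in %TEMP%, and an autostart registry entry launching it) are easy to turn into a host triage check. The following is an added example for this page, not code from the original article: the FileEntry/RunValue snapshot format is an assumption chosen so the check runs offline, and the Run keys it inspects are the usual meaning of "the registry branch responsible for autostart", which the article does not name. On a live Windows host the snapshot would be filled from os.walk(), os.stat().st_file_attributes and winreg.

```python
"""Triage helper for the SteamLogger persistence traits described above:
SteamService.exe under Common Files\\Steam carrying the hidden and system
attributes, update.exe dropped in %TEMP%, and an autorun (Run key) value
that launches either file.

Added for this page; not code from the original article. The snapshot
format (FileEntry / RunValue) is an assumption so the check runs offline.
"""
from dataclasses import dataclass
import ntpath
import stat

HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN  # 0x2
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM  # 0x4
COMMON_FILES_STEAM = r"C:\Program Files (x86)\Common Files\Steam"
SUSPECT_NAMES = ("steamservice.exe", "update.exe")


@dataclass
class FileEntry:
    path: str        # full Windows path
    attributes: int  # FILE_ATTRIBUTE_* bit mask


@dataclass
class RunValue:
    key: str      # e.g. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    name: str
    command: str  # raw value data, may be quoted and carry arguments


def exe_from_command(command: str) -> str:
    """Return the lower-cased executable name from a Run-value command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split(maxsplit=1)[0] if command else ""
    return ntpath.basename(exe).lower()


def find_indicators(files, run_values, temp_dir):
    """Return human-readable findings; an empty list means no trait matched."""
    findings = []
    for f in files:
        name = ntpath.basename(f.path).lower()
        parent = ntpath.dirname(f.path).lower()
        if name == "steamservice.exe" and parent == COMMON_FILES_STEAM.lower():
            attrs = [label for bit, label in ((HIDDEN, "hidden"), (SYSTEM, "system"))
                     if f.attributes & bit]
            findings.append(
                f"SteamService.exe in Common Files\\Steam "
                f"(attributes: {', '.join(attrs) or 'none'})")
        elif name == "update.exe" and parent == temp_dir.lower():
            findings.append("update.exe dropped in %TEMP%")
    for rv in run_values:
        exe = exe_from_command(rv.command)
        if exe in SUSPECT_NAMES:
            findings.append(f"autorun value {rv.name!r} under {rv.key} launches {exe}")
    return findings


# Constructed snapshot of an infected host (sample data, not real telemetry).
INFECTED_FILES = [
    FileEntry(r"C:\Program Files (x86)\Common Files\Steam\SteamService.exe",
              HIDDEN | SYSTEM | stat.FILE_ATTRIBUTE_ARCHIVE),
    FileEntry(r"C:\Users\gamer\AppData\Local\Temp\update.exe",
              stat.FILE_ATTRIBUTE_ARCHIVE),
    FileEntry(r"C:\Program Files (x86)\Steam\steam.exe",
              stat.FILE_ATTRIBUTE_ARCHIVE),
]
INFECTED_RUN = [
    RunValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "SteamService",
             r'"C:\Program Files (x86)\Common Files\Steam\SteamService.exe" /silent'),
    RunValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "Steam", r'"C:\Program Files (x86)\Steam\steam.exe" -silent'),
]
TEMP_DIR = r"C:\Users\gamer\AppData\Local\Temp"

if __name__ == "__main__":
    for line in find_indicators(INFECTED_FILES, INFECTED_RUN, TEMP_DIR):
        print("[!]", line)
```

A hit is a lead for triage, not proof of infection on its own: the file-name and path traits are trivial for a later variant to change, so the check is most useful paired with the attribute and autorun findings, and the genuine Steam client entry in the sample snapshot shows that a quoted command with arguments is handled without false positives.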

The main SteamLogger.1 module sits in the memory of the infected machine, closely monitors the state of the game client process and waits for the user to log into Steam. As soon as this happens, the Trojan intercepts the data used to log into the account, determines whether the SteamGuard, steam-id and security token protection mechanisms are in use, and sends all of this to the control server. In response it receives a list of accounts to which the game items stolen from the victim can be transferred, together with the parameters needed to complete the "deal".

Then the Trojan searches the Steam client's folder for files whose names contain the string ssfn*, collects the contents of the config subfolder, builds one large array from the collected files, appends data about the victim's account to its end, and encodes the whole thing in Base64. The result is sent to the control server. Finally, SteamLogger.1 checks whether automatic login is enabled in the Steam client and, if not, launches a keylogger that records the codes of keys pressed on the infected machine and sends them to the criminals. Curiously, the keylogger does not save its output to a file on the local machine; instead it builds a special POST request and transmits it to the control server every fifteen seconds. The request is processed and logged on the server side.
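A keylogger that never touches disk but POSTs to its control server every fifteen seconds leaves almost nothing for a file-based scanner, yet its traffic is strikingly regular. The following is an added example for this page, not code from the original article, showing how a defender can flag that fixed-interval POST beaconing in proxy logs; the log lines are constructed and the "timestamp client method url status" layout is an assumption, so parse_log() would be adapted to a real proxy's format.

```python
"""Spot fixed-interval HTTP POST beaconing in proxy logs, the traffic
pattern of the SteamLogger keylogger described above (a POST to the
control server every fifteen seconds, nothing written to disk).

Added example for this page, not code from the original article. The log
lines are constructed and the line layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample: one client, a beaconing C2 host interleaved with
# ordinary browsing of the Steam store.
SAMPLE_LOG = """\
2014-10-02T10:00:00Z 10.0.0.7 POST http://c2.example.invalid/up.php 200
2014-10-02T10:00:03Z 10.0.0.7 GET http://store.steampowered.com/ 200
2014-10-02T10:00:09Z 10.0.0.7 POST http://store.steampowered.com/login 302
2014-10-02T10:00:15Z 10.0.0.7 POST http://c2.example.invalid/up.php 200
2014-10-02T10:00:30Z 10.0.0.7 POST http://c2.example.invalid/up.php 200
2014-10-02T10:00:45Z 10.0.0.7 POST http://c2.example.invalid/up.php 200
2014-10-02T10:00:51Z 10.0.0.7 POST http://store.steampowered.com/cart 200
2014-10-02T10:01:00Z 10.0.0.7 POST http://c2.example.invalid/up.php 200
2014-10-02T10:02:40Z 10.0.0.7 POST http://store.steampowered.com/cart 200
"""


def parse_log(text):
    """Return a list of (timestamp, client, method, host) per well-formed line."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2], urlsplit(parts[3]).hostname))
    return events


def find_beacons(events, min_hits=4, max_jitter=0.1):
    """Return one finding per (client, host) whose POSTs arrive at a near-
    constant interval: at least min_hits requests and a coefficient of
    variation (stdev / mean of the gaps) no larger than max_jitter."""
    series = defaultdict(list)
    for ts, client, method, host in events:
        if method == "POST" and host:
            series[(client, host)].append(ts)
    findings = []
    for (client, host), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"client": client, "host": host,
                             "count": len(stamps), "interval": round(avg, 1)})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"[!] {hit['client']} -> {hit['host']}: {hit['count']} POSTs "
              f"every ~{hit['interval']}s")
```

The coefficient-of-variation threshold is what separates a timer-driven implant from a human clicking through a shop: the store POSTs in the sample are both too few and too irregular to trigger, while the C2 series is flagged at a 15-second cadence. Legitimate software also beacons on timers (update checkers, telemetry), so the finding should be enriched with domain age or reputation before anyone acts on it.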

It searches the victim's inventory for the items it plans to steal using the keywords Mythical, Legendary, Arcana, Immortal, Container and Supply Crate. At the same time, SteamLogger.1 checks whether the user has already listed anything from that list for sale and, if so, withdraws the item from sale. It then transfers all the items found to one of the Steam accounts whose details the Trojan received earlier from the control server. To resell the stolen goods, the botnet operators set up several online stores.


See the in-game items for sale? In fact, they are stolen!

Malware as a service

Since then, new malware designed to hijack Steam accounts and all kinds of game inventory has appeared regularly. Its spread has also been helped by Trojans sold as a service, on the malware-as-a-service model. Several such stealers were circulating actively last summer. Their author, known by the nickname Faker, rented the Trojans out for 10 to 25 thousand rubles a month and, judging by appearances, they were in demand. Hacker magazine has already covered this malware and its author in detail, so there is no point repeating it here. But one cunning trick used by one of these Trojans certainly deserves a mention.

As soon as the user of the infected machine listed a game item for trade on one of the designated platforms, the Trojan waited for a trade request from someone wanting that item, rejected it, and then used that player's avatar and nickname to send the victim a similar offer, but from the attacker's account. When the inventory was exchanged on the official steamcommunity.com portal, the Trojan used a web injection to swap the images of the in-game items. The player believed he was acquiring an expensive and very valuable artifact, while in fact he received a cheap "trinket". Judging by the fact that the advertisement for this Trojan on one of the forums is still active, the malware rental business continues to thrive to this day.

Trojans to steal game items from Steam users are still successfully sold today.

Conclusions

Summing up, the whole range of "game Trojans" in existence today can be loosely divided into several categories. The simplest steal files from the Steam client or steal user credentials, using keylogging and fake login forms. More advanced malware uses traffic analyzers and web injections to intercept critical security parameters and substitute in-game items during online trades and sales. And in the future malware authors will certainly invent new ways of relieving gamers of their valuable virtual property: wherever there is money, that is inevitable.

(c) xakep.ru