In previous blogs, Symantec has highlighted threats that steal user data. We recently analyzed a new sample submitted to Symantec and came across a server hosting the credentials of 44 million stolen gaming accounts. What was interesting about this threat wasn’t just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers. Symantec detects this threat as Trojan.Loginck.
This particular database server we uncovered seems very much to be the heart of the operation—part of a distributed password checker aimed at Chinese gaming websites. The stolen login credentials are not just from particular online games, but also include user login accounts associated with sites that host a variety of online games. In both cases the accounts contained in the database have been obtained from other sources, most likely using malware with information-stealing capabilities, such as Infostealer.Gampass.
So, picture this: you are a bad guy and have created or purchased a botnet. You have targeted online gaming websites and now have 44 million sets of gaming credentials at your disposal.
Now it’s time to turn those gaming credentials into hard cash. But how do you find out which credentials are valid and thus worth some money? Three options come to mind:
1. Log on to gaming websites 44 million times!
2. Write a program to log in to the websites and check for you (this would take months).
3. Write a program that checks the login details and then distribute the program to multiple computers.
Option one naturally seems next to impossible. Option two is also not very feasible, since websites typically block IP addresses after multiple failed login attempts. By taking advantage of the distributed processing that the third option offers, you can complete the task more quickly and help mitigate the multiple-login failure problems by spreading the task over more IP addresses. This is what Trojan.Loginck’s creators have done.
Most botnets have the ability to download and run files, so why not push a custom piece of malware to each bot? The malware could log on to the database and download a group of user names and passwords in order to check them for validity.
If the Trojan succeeds in logging in, it updates the database with the time of the login and any account details it can gather (such as the current game level) before moving on to the next user name and password. The attackers can then log on to the database and search for the valid user name and password combinations.
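From the defender's side, the pattern described above (each bot staying under the per-IP lockout limit while the group tests one stolen credential per attempt) is what a login-log review should look for. The following is an added example, not code from the original post or from Symantec; the log lines, threshold values and function names are constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds (not from the original post): the site locks an IP after
# LOCKOUT_THRESHOLD failures, so a checker bot deliberately stays below it.
LOCKOUT_THRESHOLD = 5
MIN_ACCOUNTS_PER_IP = 3   # distinct accounts tried from one IP

# Constructed sample of login events, "time ip username result":
# two bots keep under the lockout limit, one real user retries their own account.
SAMPLE_LOG = """\
10:00:01 198.51.100.10 alice FAIL
10:00:02 198.51.100.10 bob OK
10:00:03 198.51.100.10 carol FAIL
10:00:04 198.51.100.11 dave FAIL
10:00:05 198.51.100.11 erin FAIL
10:00:06 198.51.100.11 frank FAIL
10:00:07 203.0.113.5 grace FAIL
10:00:08 203.0.113.5 grace FAIL
10:00:09 203.0.113.5 grace OK
"""

def parse(log_text):
    """Turn the log text into (ip, username, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        _, ip, user, result = line.split()
        events.append((ip, user, result == "OK"))
    return events

def find_validation_runs(events):
    """Map each suspicious IP to the accounts it logged into successfully.

    An IP is suspicious when its failures stay below LOCKOUT_THRESHOLD (so
    the per-IP lockout never fires) yet it tries MIN_ACCOUNTS_PER_IP or more
    distinct accounts, one attempt each: one try per stolen credential, not a
    user retyping a password. Its successful logins are the credentials the
    checker just confirmed, i.e. the accounts that need a forced reset.
    """
    per_ip = defaultdict(list)
    for ip, user, ok in events:
        per_ip[ip].append((user, ok))
    suspicious = {}
    for ip, attempts in per_ip.items():
        failures = sum(1 for _, ok in attempts if not ok)
        accounts = {user for user, _ in attempts}
        if (failures < LOCKOUT_THRESHOLD and len(accounts) >= MIN_ACCOUNTS_PER_IP
                and len(accounts) == len(attempts)):
            suspicious[ip] = sorted(user for user, ok in attempts if ok)
    return suspicious
```

On the sample, both bot addresses are flagged and `bob` is the one account a bot confirmed, while the real user's three tries against a single account are left alone.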
The database in question currently holds approximately 17GB of flat file data. There are credentials for at least 18 gaming websites in the database. Just how valuable is a database of this sort? While it can be extremely difficult to evaluate a database of this kind, there are legitimate websites out there that focus on the buying and selling of online accounts. Using figures from some of these sites we can detail a range of possible prices (which would be estimates of the requested value, not the value received). The cheapest accounts most likely contain a single character named something like “Mediocre Tom,” whose only weapon is a rusty old spoon. In contrast, an expensive account will typically contain several powerful characters with names like “Warlock, Bringer of Death” who is adept with the “Lethal Lance of Loki.”
It is also worth noting that the actual buying and selling of accounts is typically banned by many online gaming and hosting sites, as evidenced by the terms of their EULAs. The online auctions that enable users to sell accounts, such as at playerauctions.com, are legitimate websites that attempt to protect the buyer and seller against fraud through the use of escrow. We only used these sites to try to put some rough market values on the accounts, and have no evidence that these sites have traded stolen accounts.
As always, Symantec recommends that you keep your definitions up to date in order to ensure protection against new threats. As an added precaution, if you are in possession of an online gaming account from one of these types of websites, an update of your password would not go amiss.
Update (3 June 2010): This blog has been edited from its original version.