We have seen malicious code steal a lot of information in the past: bank credentials and certificates, email accounts, IM passwords, online gaming accounts; but, that was not enough! Now, satellite shared accounts are going to have a turn.
There is a service out there called "cardsharing" that allows you to use the subscription rights of one satellite smartcard on multiple satellite receivers. Using this service, the receivers download the smartcard key information from the Internet or a LAN instead of the original smartcard, which will allow simultaneous viewing of satellite television on several receivers.
A cardsharing user needs to install a couple of computer programs on their local hard drive (WinCSC and ProgDVB), which store a configuration file containing the legitimate account data required to access the satellite service. All of the information is stored in plain text format and the configuration file contains the username and password of the cardsharing user, as well as some sensitive information about the shared sat-card.
Recently, we have discovered new malware targeting this satellite sharing service and detect it as Infostealer.Satkey. It is a not-so-well-written Trojan that attempts to copy the information contained in the configuration file used by WinCSC and then, using an email or FTP connection, attempts to send it to a remote server. Below you can see a part of the archive containing stolen configuration files (figure 1).
So, if you are a cardsharing user, please be careful—someone out there is trying to watch satellite channels using the subscriptions paid for by legitimate users. To protect yourself against this and other malicious code, make sure that you are using up-to-date antivirus software and a personal firewall. You should also ensure that your computer is updated with all necessary security patches from your OS vendor. Last, but not least, you should never view, open, or execute any email attachment unless it is expected, comes from a trusted source, and the purpose of the attachment is known.