The Trick Behind the Scenes 

May 15, 2009 05:29 PM

Online games are becoming more popular among Internet users, and new services are emerging around them. One of these is a game service run by an unauthorized third party. It’s free to play and can let gamers earn money or in-game equipment more easily. However, since these “unofficial” game servers aren’t tested or signed by any trustworthy organization, there is no way to tell whether user information stored on them is secure. The applications that come with such a service can also pose a threat to users’ computers. Recently, we detected a new trick used to steal gamers’ account information, which can later be sold on the underground market.

We discovered that the malware author had inserted Infostealer.Gampass into the executable file of the login service for the unofficial gaming site. When users run the login file by clicking on its icon, it actually launches two things: Infostealer.Gampass and the real login window. On an infected system, users may notice that the login window takes longer than usual to appear; chances are they would put this down to a slow system or a hardware problem. In fact, it is Infostealer.Gampass running on their computer, waiting to capture their login ID and password.

Here are screenshots of what happens right after the login file is executed. In figure 1, before the user clicks on the executable game file, there is only one file icon. In figure 2, after the user starts the game, a mysterious file appears in the same folder the moment the file is executed. This is the file dropped by Infostealer.Gampass that will be used to steal the user’s account information.

Figure 1: the folder before the login file is executed

Figure 2: the folder immediately after the login file is executed


Furthermore, the dropped file disappears without leaving any visible trace in the folder. By the time the login window pops up, it has already been deleted. Since users don’t usually watch the folder while the game starts up, this helps the threat go unnoticed.

In figure 3 below, the .dat file highlighted in blue is the file that removes the threat from the folder:

Figure 3: the .dat file (highlighted in blue) that removes the dropped file from the folder


However, being removed from the folder doesn’t mean it was removed from the compromised computer. Usually, Infostealer.Gampass keeps a backup copy of itself on the system, masquerading as a GIF file—it might appear to be named hji2k2b.gif but is actually hji2k2b.gif.exe—so that it can be run again when another game starts.
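The double-extension trick above (hji2k2b.gif.exe shown as hji2k2b.gif) and the related case of a PE file carrying an image extension are both easy to spot on disk. The following scanner is an added example, not Symantec’s tooling or part of the original post; it walks a folder and flags either pattern. The file names other than hji2k2b.gif.exe are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Extensions a stealer might borrow to look harmless, and the ones it really needs.
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}
PE_MAGIC = b"MZ"  # every Windows PE file begins with this DOS header signature


def classify(path: Path) -> Optional[str]:
    """Return a finding label for a suspicious file, or None if nothing stands out."""
    suffixes = [s.lower() for s in path.suffixes]
    # Case 1: "hji2k2b.gif.exe" - an image extension in front of a real executable
    # extension; Explorer hides the last extension by default, so it reads as a GIF.
    if len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in IMAGE_EXTS:
        return "double-extension"
    # Case 2: the name ends in an image extension but the content is a PE file.
    if suffixes and suffixes[-1] in IMAGE_EXTS:
        with path.open("rb") as fh:
            if fh.read(len(PE_MAGIC)) == PE_MAGIC:
                return "pe-disguised-as-image"
    return None


def scan_tree(root: Path) -> Dict[str, str]:
    """Walk a directory and map each suspicious file (relative path) to its finding."""
    findings: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            label = classify(p)
            if label:
                findings[str(p.relative_to(root))] = label
    return findings


def demo() -> Dict[str, str]:
    """Build a constructed sample folder, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hji2k2b.gif.exe").write_bytes(b"MZ" + b"\x00" * 62)  # backup name from the post
        (root / "sysdrv.gif").write_bytes(b"MZ" + b"\x00" * 62)       # constructed: PE with .gif name
        (root / "banner.gif").write_bytes(b"GIF89a" + b"\x00" * 10)   # constructed: genuine GIF header
        (root / "login.exe").write_bytes(b"MZ" + b"\x00" * 62)        # constructed: ordinary executable
        return scan_tree(root)


if __name__ == "__main__":
    for name, label in sorted(demo().items()):
        print(f"{label:24} {name}")
```

Because the dropped copy deletes itself before the login window appears, a periodic scan of the game folder alone will miss it; the backup location and the startup .dll described below are where this check pays off.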

Figure 4: the backup copy disguised as a GIF file


Meanwhile, the threat also copies itself as a .dll file in order to look like a system service file. This way, when the user restarts the computer, the .dll file is loaded as soon as the system starts and is ready to steal game account information.

Figure 5: the .dll copy posing as a system service file

Malware authors are trying all sorts of tricks these days, and now and again they come up with unexpected ways to break into victims’ computers and steal information. Symantec recommends that users always scan suspicious files with up-to-date antivirus software before executing them.


Note: Thanks to Xie Xiaojun for the virus analysis.
