Recently we have seen an increase in Trojan horse programs that attempt to steal online gaming accounts. Massively multiplayer online role-playing games (MMORPGs), such as Lineage, Ragnarok Online, World of Warcraft, and Final Fantasy, are often targeted by these Trojans. What is the purpose of the attacks? Money. Players can trade the virtual money or items used in their game of choice online, at a special market called RMT (Real Money Trading). RMT is run by third parties and is not usually permitted by the official game vendors; however, RMT has become a big market. A recent report stated that RMT has traded more than two billion USD thus far in 2006. So, if attackers can steal gaming account information from compromised computers, they can easily sell virtual money for real money in the RMT market.
Attackers use a variety of methods to install Trojans on compromised computers. One method is to use a Web site. In the past, attackers disguised Trojans as cheat codes or cheat tools and simply placed a bogus link on the site, which led to the Trojan waiting on another Web page or BBS. Now, the attackers use large-scale tricks to obtain money. They hijack vulnerable Web sites and insert exploit code for Web browsers within pages on the infected site. If you visit an infected Web site while running a vulnerable browser, a Trojan horse could be downloaded and silently executed on your computer. In another recent case, we received a report that attackers purchased advertisement space with Google and Yahoo for their own Web sites. People who are interested in a particular game run the risk of visiting the attackers' Web sites by clicking on those ads. Using this method, attackers could efficiently gather the targeted victims and their gaming account information. I have no idea how much money they spent on the ads, but it seems that at the very least the attackers thought that purchasing ads would pay off for their future business.
File infectors are also used for distributing Trojan horse programs. Polymorphic viruses (like W32.Detnat and W32.Bacalid) infect executable files and download additional malicious code (in the form of Infostealer.Lineage) from the Internet. Attackers may decide to use file infectors to distribute the Trojan for two reasons. First, file infectors are much slower to propagate than worms; therefore, they are not as conspicuous. Second, file infectors are difficult to remove completely from compromised computers because the associated file names and MD5 hashes are constantly changing.
Online games generally authenticate players with a username and password combination. Accordingly, simple key logging programs can steal enough information to put the details of the online account at risk. Online banks have been facing similar problems. To further protect customers from attacks, banks have been updating and improving their authentication security. Online game vendors may have to take an approach similar to that of the “real money” banks very soon.