Norton AntiVirus Gaming Edition

Welcome to Security & Gaming information from Norton where you’ll find gaming related security information, useful links and special offers.

 
Malicious Code: The Trick Behind the Scenes
Online games are becoming more popular among Internet users and new services are emerging. One of these is a game service provided by an unauthorized third party. It’s free to play and could enable gamers to earn money or equipment for the game more easily. However, since these “unofficial” game servers aren’t tested or signed by trustworthy organizations, there is no way to tell whether or not user information stored on these servers is secure.
Also, applications associated with this service could pose potential threats to users’ computers. Recently, we detected a new trick used to steal gamers’ account information, which could be sold for money in the underground black market later. We discovered that the malware author inserted Infostealer.Gampass into the executable file of the login service for the unofficial gaming site. When users execute the login file by clicking on the icon, it actually triggers two files: Infostealer.Gampass and the real login window. On an infected system, users may feel that they are waiting longer than usual for the login window to pop up—chances are they would probably consider this to be due to system slowdown or a hardware problem. However, in this case, it is actually Infostealer.Gampass running on their computer, waiting to capture their login ID and password.
Figure 1
Here is a screenshot of what happens right after the login file is executed. In figure 1, before the user clicks on the executable game file, you will see that there is only one file icon. But in figure 2, after the user starts the game, you can see a mysterious file appear in the same folder as soon as the file is executed. This is the file dropped by Infostealer.Gampass that will be used to steal the user’s account information.
Figure 2
Furthermore, the threat disappears without leaving any trace of itself on the compromised computer. By the time the login window pops up, the threat has already been deleted from the folder. Since users don’t usually monitor what happens in the folder while the game starts up, this will help the virus remain undetected.
In figure 3 below, the .dat file highlighted in blue is the file that removes the threat from the folder:
Figure 3
However, being removed from the folder doesn’t mean it was removed from the compromised computer. Usually, Infostealer.Gampass will back itself up, masquerading as a GIF file—it might be named hji2k2b.gif but is actually hji2k2b.gif.exe—in the system, so that it can be run again when another game starts.
Figure 4
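The disguise described above works because Windows hides known file extensions by default, so hji2k2b.gif.exe is displayed as hji2k2b.gif. The following is an added example, not part of the original article or any Norton product: it flags files with a decoy extension in front of an executable one, and files with an image or document name whose content starts with the Windows executable "MZ" header. The extension lists and the sample files are assumptions constructed for the demonstration.

```python
import os
import tempfile

# Assumed lists for this example; extend them to suit your environment.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".dll"}
DECOY_EXT = {".gif", ".jpg", ".png", ".txt", ".doc", ".pdf"}

def classify(path):
    """Return a reason string if the file looks disguised, else None."""
    name = os.path.basename(path).lower()
    stem, last = os.path.splitext(name)      # last extension, e.g. ".exe"
    inner = os.path.splitext(stem)[1]        # extension before it, e.g. ".gif"
    with open(path, "rb") as fh:
        magic = fh.read(2)                   # Windows executables start with "MZ"
    if last in EXEC_EXT and inner in DECOY_EXT:
        return "double extension %s%s" % (inner, last)
    if last in DECOY_EXT and magic == b"MZ":
        return "PE header behind %s name" % last
    return None

def scan(root):
    """Walk a folder tree and map each suspicious file name to the reason."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            try:
                reason = classify(os.path.join(folder, fname))
            except OSError:
                continue                     # unreadable file: skip it
            if reason:
                findings[fname] = reason
    return findings

def demo():
    """Constructed sample files, not real malware: only the first bytes matter."""
    samples = {
        "hji2k2b.gif.exe": b"MZ\x90\x00",    # name pattern from the article
        "banner.gif": b"GIF89a\x01\x00",     # genuine GIF header
        "avatar.png": b"MZ\x90\x00",         # executable renamed to an image
        "login.exe": b"MZ\x90\x00",          # ordinary executable, not flagged
    }
    with tempfile.TemporaryDirectory() as root:
        for fname, data in samples.items():
            with open(os.path.join(root, fname), "wb") as fh:
                fh.write(data)
        return scan(root)

if __name__ == "__main__":
    for fname, reason in sorted(demo().items()):
        print(fname, "->", reason)
```

To check a real folder, call scan() with its path; a hit is a reason to scan the file with antivirus software, not proof of infection.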
Meanwhile, the threat will also transform itself into a .dll file in order to look like a system service file. This way, when the user restarts the computer, the .dll file will run as soon as the computer starts and is ready to steal game account information.
Figure 5
Malware authors are trying all sorts of tricks these days, and now and again they will come up with unexpected methods to intrude into victims’ computers and steal information. Symantec recommends that users always scan suspicious files with up-to-date antivirus software before executing them.
 
 
Are Game Accounts Getting Stolen? Really?
How crazy is it that cybercriminals are designing malware to steal logins for our online game accounts? Are they really that valuable? I can understand someone wanting to steal my credit card or bank account number. Or someone wanting to steal my identity so they can open new credit accounts in my name and stick me with the bill.

But my game account? Really?
Over the last few years, various security companies (including Symantec) and several independent security agencies have published reports about the growing prevalence of Trojan horses aimed at stealing online game account logins. Recently, the European Network and Information Security Agency (ENISA) published an enormous report called Security and Privacy in Massively-Multiplayer Online Games and Social and Corporate Virtual Worlds about . . . well, the title says it all. It’s an extensive report covering all sorts of risks associated with online worlds, and it says that more than 30,000 programs aimed at stealing online game passwords were released in 2007 alone.

So threats are being documented, but is this really affecting online gamers in a material sense?
In theory, these programs are targeting virtual items that equate to real money. In fact, the sale of virtual objects from Massively Multiplayer Online Games and Virtual Worlds (MMO/VWs) in 2007 was estimated at almost $2 billion worldwide. So the potential is certainly there, but at Symantec, we wanted to find out if gamers were really feeling the pinch from this new underground-economy tactic.
We sponsored a few surveys in the gamer community to find out. At DreamHack Winter 2007, about 12 percent of participants said they’d had game logins or serial numbers stolen. Nine months later, at the German Games Convention 2008, 16 percent of participants said they’d had a game account stolen. Clearly, gamers are experiencing the theft of their game accounts.
According to the ENISA report, criminal activity in MMO/VWs is particularly attractive because the risk is lower than that of traditional identity theft. Unlike traditional theft, virtual theft isn’t addressed (for the most part) by national regulations or international treaties. Victims of credit card or bank account theft have systems in place where they can report the crime. They know that if the criminals who steal these accounts are caught, they can and will be prosecuted—although, we have to admit, not enough of them are caught.
Unfortunately, virtual assets are too often considered frivolous and not worthy of the same official attention. In most legal systems, they qualify as “intangible assets” at best, similar to any electronic record. This leaves the victim of such theft with no official method of reporting the value of it. Can you imagine the response you would get if you called your local police department to report the theft of virtual gold?
Luckily, some game companies do offer recourse through a resolution process. While these systems help the individual gamer victim at the time, the entire gaming community ultimately carries the burden of this criminal activity through either in-game inflation or increased costs for the gaming company that are passed on to the entire customer base.
The ENISA report went into much more detail than I have space to talk about here. It makes these fast-growing and evolving online communities sound a lot like the Wild West. These worlds sure are fun and things are changing fast, but this new style of community is also full of risks and challenges that we haven’t quite figured out how to solve. It will be interesting to see how things go in the months and years to come.
For now, at least we can use the tools we have to protect ourselves from attacks based on traditional technologies, like a good antivirus to keep out those pesky Trojan horses. And a strong password will go a long way to holding off those attacking hordes.
 
 
Symantec finds 808,000 Web domains delivered malware to website visitors in 2008
In 2008, Symantec identified 808,000 unique Web domains that tried to infect website visitors with viruses, worms, spyware, bots, and more. These attacks came from mainstream, reputable websites, including those that cover news, travel, retail, games, real estate, and government. How did cybercriminals corrupt legitimate websites? Can you be infected, too?
It is not uncommon for a Web page today to deliver content pulled from 10 or 20 different domains, including sources that are not controlled by the owner of that page (advertising is an excellent example of this, as is syndicated content). Gaming websites are particularly innovative when it comes to leveraging a multitude of sources and technologies in order to deliver a smorgasbord of content.
Gamers both benefit and suffer from the innovative approach to site development that dominates the gaming Web world. For good or ill, any Web surfing gamer faces a significantly higher risk simply because of the environment they navigate—whether it is a hack applied to their favorite gaming site, a malicious ad, or a scam offered up in an otherwise reputable gaming forum.

How you can catch an infection from a hacked website

There are two common ways your computer can be infected from websites:
  1. Drive-by downloads that you catch just by browsing
    This is the sneakiest method of infection and it is very common. All you have to do is browse a site with executable content that is automatically downloaded to your computer. You don’t have to do anything but visit the wrong site—or even the right site at the wrong time. Often the executable content that triggers the download isn’t even on the website you think you’re visiting. Rather, a link is inserted into the site you are purposefully visiting (see more on how this is done below) and this link then leads your browser to receive content from that malicious website without your knowledge or participation.
  2. Tricking you into downloading something
    Faking a legitimate software download is a very effective way for the bad guys to infect your computer, even if you have otherwise effective antivirus protection in place. They simply misrepresent a piece of software as something else in order to convince you to download it.
Here are three fake-out tactics that often target gamers:
  1. A pop-up appears telling you that you need to download an updated version of some browser plug-in or video player in order to view some multimedia content on a website.
  2. A new cheat, hack, or other game-enhancing executable is offered in a gamer forum post, chat room, or peer-to-peer network.
  3. An advertisement shows up on a Web search result page or in an ad network that offers a free copy of a newly released game or a game enhancement. Sometimes these offers are even bold enough to charge you for the privilege of downloading their software.
How criminals corrupt an otherwise legitimate website

Two popular methods for hacking legitimate websites so that they infect site visitors are:
  1. Hack the database that delivers the content to the website.
    The cybercriminal finds a vulnerable Web input form on the website and uses it to insert some SQL instructions into the back-end database. They then collect information on the database so they can add content to it that the system will think is legitimate. This new content is then delivered to the website as part of the normal content-publishing system. Unfortunately, the content typically delivered involves links to malicious script or Web pages, which means that visitors to these pages are exposed to malware attacks from sites that they don’t even know they are visiting.
  2. Insert malicious advertisements where sheer volume makes them hard to spot
    We may not like it, but revenue from advertisements is critically important for keeping most of our favorite websites in business. Most sites get their ads from one of the large automated online ad networks—unless they happen to be one of those enormous sites that can generate their own ads.
    Malicious ads usually include a silent redirect to a malicious Web page that will deliver a drive-by download to the unwary visitor. The ad networks do try to police the ads delivered through their network and they are mostly successful in keeping the bad ads out of circulation, but the enormous volume of ads on the network is such that malicious ones do occasionally slip in. Once a malicious ad is distributed, it is difficult to identify. The Norton Community Watch and similar groups in the industry do identify and report attacks as they occur, but when the attack comes from a malicious ad it is very difficult to pinpoint the culprit. In these cases, the website being visited is identified as initiating an attack for one user but not for the next user, because the attack is not on the hosting website—it is in an ad that may only be delivered to a small number of visitors depending on ad rotation.
Conclusion: Stay up to date and be suspicious.

Make sure your antivirus and spyware protection is up to date, but that may not even be enough. It’s really tough for your antivirus to protect you against an infection you get from purposely downloading malicious software that has tricked you into thinking it is something you want. So be very careful about what you choose to download. If you think something looks odd or your antivirus warns you that you are downloading something malicious, even if you think it is probably okay, you may want to stop and wait to download that item another time or from another source.

For more detailed information on Web based attacks, please see the white paper entitled “Web Based Attacks”, published in February 2009 by Symantec.
 
Security Tip #1

Downloading Stuff
You should make sure you’ve got top-of-the-line security software running at high protection levels when you download files (especially cheats) from anywhere; they are a notorious delivery mechanism for malware. In fact, we recommend you only download files from sources that you know are trustworthy, as downloading files from unknown sources, particularly from peer-to-peer networks or unfamiliar web sites, is a highly risky activity.
Security Tip #2

Surfing the Web
You can catch a malware download just from visiting a hacked web page – these drive-by downloads exploit vulnerabilities in browser, plug-in or other software on your PC to download malware onto your system. Software vendors are continually delivering patches to plug these holes so make sure you are keeping your software up to date. Norton security products include patent-pending protection against these types of exploits. We don’t recommend surfing the web with Gamer Mode enabled.
Links to gaming sites you may find interesting*
*Symantec does not specifically endorse nor is Symantec responsible for the content on the web sites whose links are listed here.