Taterf – all your drives are belong to me!!!1!one!


Greet1ngs,

As you all probably know by now, this month's MSRT release was a very significant one for gamers everywhere, adding detection for a variety of password stealers that directly target online games. The main targets are mostly based in Eastern Asia (Lineage Online, Legend Of Mir, ZT Online, just to name a few), but World of Warcraft and Valve’s Steam client are high on the hit-list too – you didn’t escape that easily.

The main offender in this motley crew of badness is Win32/Taterf. Taterf has been running hot the last few months, constituting over 80% of the April and May Wildlists. The worm itself is actually a mutation of Win32/Frethog, based on the same source code. Frethog is just a drop in the ocean of malware we’re seeing coming out of China nowadays, much of which targets online games.

What do they do? Taterf, Frethog and their ilk are designed to steal your online game login details. The methods they use vary, from injecting into game clients and reading memory directly to basic keylogging, but the end result is the same... u get pwned. Once they have your details, these are sent back to a remote location and eventually sold to the highest bidder. After that, you may find your gold gone and your toon naked upon your next login (zomg! My purplz!1!!).

So what’s the deal with Taterf? Simply put: it’s rife. Taterf spreads by copying itself to the root of every fixed or removable drive on the infected system, and ensures it gets executed by creating an ‘autorun.inf’ file there too. The autorun.inf file instructs Windows to execute the worm whenever that drive is viewed using Windows Explorer. It’s a pretty simple method, but it is very effective.

Oddly enough, we used to see worms using this method here and there a few years ago, but it never really caught on. Nowadays, however, it is much more effective: every time someone plugs a USB drive into a computer – infected; every time someone puts that drive into a computer connected to a network – infected; and so on. If you’ve mapped an infected drive over the network, that’ll do it too. It's today's version of the old boot sector virus.
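As an added illustration (this is not code from the MMPC post, and certainly not the worm itself), here is a small Python triage check for an autorun.inf found on a drive root: it parses the [autorun] section and flags the directives that make Explorer launch a program when the drive is opened. The two sample files and the dropped.exe name are constructed placeholders, not real Taterf artefacts.

```python
from pathlib import PureWindowsPath

# File types an autorun.inf directive can hand to Explorer for execution.
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}

def parse_autorun(text):
    """Return the [autorun] section of an autorun.inf as {key (lowercased): value}."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries

def is_launch_key(key):
    """open=, shellexecute=, and shell\\<verb>\\command= all make Explorer run a program."""
    return key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))

def launched_files(entries):
    """File names (lowercased, arguments stripped) that the directives would run."""
    return [PureWindowsPath(value.split()[0]).name.lower()
            for key, value in entries.items() if is_launch_key(key) and value.split()]

def assess_autorun(text):
    """List reasons this autorun.inf is suspicious; an empty list means it launches nothing."""
    entries = parse_autorun(text)
    findings = [f"launches executable {name}" for name in launched_files(entries)
                if PureWindowsPath(name).suffix in EXEC_EXTS]
    if any(key.startswith("shell\\") for key in entries):
        findings.append("overrides Explorer context-menu verbs (Open/Explore hijack)")
    if entries.get("useautoplay") == "1":
        findings.append("forces AutoPlay on for this drive")
    return findings

# Constructed sample in the shape a drive-root worm writes; dropped.exe is a placeholder name.
SUSPICIOUS = """[autorun]
; constructed sample, not a real Taterf file
open=dropped.exe
shell\\open\\Command=dropped.exe
shell\\explore\\Command=dropped.exe
shellexecute=dropped.exe
"""
# Constructed benign sample: only cosmetic directives, nothing is launched.
BENIGN = "[autorun]\nicon=setup.exe,0\nlabel=Product CD\n"
```

A benign disc's autorun.inf typically only sets icon and label; any launch directive on a fixed or removable drive is worth a closer look.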

Onto the numbers! After its first day in MSRT, Taterf components had been removed from over 700,000 machines! For comparison, Win32/Nuwar (aka ‘Storm worm’) was removed from less than half that number in its first month. These are ridiculous numbers of infections my friends, absolutely mind-boggling; many, many whelps. Frethog has proved to be as prevalent as we expected too, with detections on over 200,000 distinct machines.

After the first week of MSRT’s release the numbers looked like this:

| Online game PWS family | Disinfected files | Distinct machines |
|---|---|---|
| Win32/Taterf | 2,342,399 | 1,269,098 |
| Win32/Frethog | 1,374,911 | 652,625 |
| Win32/Tilcun | 379,306 | 270,712 |
| Win32/Ceekat | 355,400 | 249,717 |
| Win32/Corripio | 72,628 | 58,560 |
| Win32/Lolyda | 49,783 | 27,367 |
| WinNT/Zuten | 33,344 | 21,669 |
| Win32/Zuten | 24,565 | 17,643 |

... and when we separate by locale:

| Country/Region | Disinfected files | Unique machines |
|---|---|---|
| China | 1,574,532 | 529,003 |
| Taiwan | 567,128 | 279,428 |
| Spain | 482,515 | 235,381 |
| United States | 469,595 | 213,374 |
| Korea | 348,775 | 184,306 |
| Turkey | 191,827 | 101,119 |
| Mexico | 166,508 | |

Comments (3)

  1. Anonymous says:

    Greetings, As you probably figured out from Matt McCormack’s post , and Jeff William’s post ; there are

  2. Anonymous says:

    "This article is translated from the Microsoft Malware Protection Center blog post " MSRT Observations – Online Game Password Stealers

  3. Anonymous says:

    The Microsoft Malware Protection Center (MMPC) team blog has just gained a new post
