As you all probably know by now, this month in MSRT was a very significant release for Gamers everywhere with the addition of a variety of password stealers directly targeting Online games. The main targets are mostly based in Eastern Asia (Lineage Online, Legend Of Mir, ZT Online just to name a few), but World of Warcraft and Valve’s Steam client are high on the hit-list too – you didn’t escape that easily.
The main offender in this motley crew of badness is Win32/Taterf. Taterf has been running hot the last few months, constituting over 80% of the April and May Wildlists. The worm itself is actually a mutation of Win32/Frethog, being based off the same source code. Frethog is just a drop in the ocean of malware we’re seeing coming out of China nowadays, many of which are targeting online games.
What do they do? Taterf, Frethog and their ilk are designed to steal your online game login details. The methods they use vary; from injecting into game clients and reading memory directly, to basic keylogging - but the end result is the same... u get pwned. Once they have your details, they are sent back to a remote location and are eventually sold to the highest bidder. After that, you may find your gold gone and toon naked upon your next login (zomg! My purplz!1!!).
So what’s the deal with Taterf? Simply put: it’s rife. Taterf spreads by copying itself to the root of all fixed or removable drives on the infected system and ensures it gets executed by creating an ‘autorun.inf’ file in there too. The autorun.inf file is instructed to execute the worm, whenever the directory is viewed using Windows Explorer. It’s a pretty simple method but is very effective.
Oddly enough, we used to see Worms using this method here and there a few years ago, but it never really caught on. Now days however it is much more effective; every time someone plugs a USB drive in a computer – infected, every time someone puts that drive into a computer connected to a network – infected, and so on. If you’ve mapped an infected drive over the network, that’ll do it too. It's today's version of the old boot sector virus.
Onto the numbers! After its first day in MSRT, Taterf components had been removed from over 700,000 machines! For comparison, Win32/Nuwar (aka ‘Storm worm’) was removed from less than half that in its first month. These are ridiculous numbers of infections my friends, absolutely mind-boggling; many, many whelps. Frethog had proved to be as prevalent as we expected too, with detections on over 200,000 distinct machines.
After the first week of MSRT’s release the numbers looked like this:
Online game PWS family
... and when we separate by locale: