MMPC @ Gamefest 2008




I had the privilege of presenting a couple of weeks ago at Gamefest 2008, a Microsoft-sponsored technical conference targeted at the games industry. I spoke about game password stealers: what they do, which games are targeted by which families and the behaviors of those families, prevalence, number of variants and so on. This is a completely different type of audience than the security folks to whom I usually present, and it was a very refreshing change of pace. These were sharp, savvy technologists who are committed to a great experience for their customers and who push the limits every day. In other words, these are my kind of folks.


As we've talked about these before on this blog, I thought I'd provide some updated numbers. Thanks to inclusion in the Malicious Software Removal Tool (MSRT), we have been able to remove more than 7.6 million game password stealers. These trojans target an array of games and game-related sites including Lineage, World of Warcraft, Legend of Mir, MapleStory, ZhengTu, Perfect World, QQ and many others. Some of these don't stop with game credentials but also target various web sites. This is not all of the malware families which steal passwords but, even so, we see a significant amount of activity in this space, even more so than the threats which tend to become news.


Removals by family:

Family      Removals
Taterf      4,088,366
Frethog     2,080,441
Tilcun        972,016
Ceekat        607,210
Zuten         120,615
Lolyda        113,088
Corripio       84,264
Storark         4,059


What's also interesting is the geographic distribution. Looking at Win32/Frethog and Win32/Taterf as examples, we see the majority of the infections in Chinese locales, where gaming is often done at Internet cafes or on other public terminals. Remember: if you can't trust the machine, you probably shouldn't input any credentials you aren't willing to lose. This is not to suggest that public terminals are to blame for password stealers; they merely represent an opportunity for an attacker to compromise many accounts. Folks who run these terminals should ensure that they are always current on security updates, that they are running up-to-date antivirus software, and that they have a firewall in place and active. It would also be a best practice to prevent customers from installing software or, if that is not practical for the business, to revert to a known clean state at the end of each session through the use of virtualized images. If you do use virtualized images as a method of maintaining a known state, make sure to keep those images up to date on security updates as well as antivirus definitions as part of your ongoing maintenance.

Frethog removals by locale (2,080,441 total):

Locale                                Removals
Chinese (PRC)                        1,237,026
English (United States)                203,776
Chinese (Taiwan)                       144,223
Spanish (Spain, Modern Sort)            91,200
Japanese (Japan)                        50,416
Russian (Russia)                        46,330
Spanish (Mexico)                        45,741
Korean (Korea)                          39,975
Turkish (Turkey)                        35,467
French (France)                         28,311
Arabic (Saudi Arabia)                   22,994
Portuguese (Brazil)                     16,072
Chinese (Hong Kong SAR, PRC)            12,899
English (United Kingdom)                11,835
Arabic (Egypt)                           8,976
Polish (Poland)                          7,313
Spanish (Spain, Traditional Sort)        5,247
Italian (Italy)                          5,098
German (Germany)                         4,411
Thai (Thailand)                          4,095
All Other                               59,036

Taterf removals by locale (4,088,366 total):

Locale                                Removals
English (United States)                621,697
Chinese (Taiwan)                       603,266
Spanish (Spain, Modern Sort)           598,275
Korean (Korea)                         465,460
Spanish (Mexico)                       331,434
Turkish (Turkey)                       253,631
Russian (Russia)                       167,217
French (France)                        152,916
Portuguese (Brazil)                    139,240
Japanese (Japan)                        96,757
Polish (Poland)                         86,588
Arabic (Saudi Arabia)                   77,856
Spanish (Spain, Traditional Sort)       42,328
Italian (Italy)                         33,673
English (United Kingdom)                32,270
Chinese (PRC)                           28,983
Spanish (Venezuela)                     26,868
Chinese (Hong Kong SAR, PRC)            26,838
Spanish (Peru)                          24,341
Portuguese (Portugal)                   23,739
All Other                              254,989



 

In my session I also emphasized that security doesn't end at RTM and that there are many things developers should be thinking about. I suggested a number of things which can help improve the security of their platforms overall, such as:

- secure your portal
- don't have insecure features like "save your password"
- validate your process space to prevent injection
- fuzz your protocols
- don't ship symbols broadly, even in beta
- validate IP location
- don't create your own encryption or compression algorithms
- leverage telemetry to spot things that are not "normal"


While there is a clear positive impact from MSRT, based on conversations I had with Gamefest participants, it is probably not the best business strategy to rely on cleanup after the fact. Because of this, many game ISVs are looking at other approaches to protect their platforms. For example, one major vendor has moved to two-factor authentication, a great move as it raises the bar against these password stealers by requiring a physical token to log on in addition to the password. While multifactor authentication is good, there are also a number of other ways to improve security behind the scenes. One method is to figure out what is "normal" for a user by watching the IP address from which they log in and at what time. If you see that Jimmy has logged on consistently at 4pm Pacific every Wednesday from a computer in the U.S. and suddenly you see him logging on at 2am Pacific from Malaysia, you might classify that as out of the ordinary. In fact, you could even take it a step further and offer your users controls that only allow them to log in from specific machines; users who only use one or a few machines and are security minded might find this a welcome option.

If you have ActiveX controls which have vulnerabilities, update them and request that the MSRC apply a killbit to the old version. Don't know if your ActiveX controls or binaries are vulnerable? Take the advice of my colleague Dave Weinstein from SWI, who also presented at Gamefest, and fuzz them (because the bad guys do…). At a minimum, take a look to see if there is an associated CVE for any of your components or dependencies. And, of course, when you find that your business is being harmed by password stealers (which are probably generating support calls that cost you money in addition to any other damages), you can work with law enforcement. The security of your platform does not end when you release. You must continue to be vigilant and protect your assets and your customers.
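The "what is normal for this user" heuristic and the opt-in trusted-machine control described above, as an added example that is not code from the original post or from any game vendor. It builds a per-user baseline of login countries and hours of day from a constructed login history, and scores a new login by country, hour distance on a 24-hour clock, and (where the user opted in) a device allowlist; the user names, device ids and the `DEVICE_LOCKS` table are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login history as (user, local timestamp, country code,
# device id). In practice this would come from the platform's own auth logs.
HISTORY = [
    ("jimmy", "2008-07-02T16:05:00", "US", "dev-a1"),
    ("jimmy", "2008-07-09T16:02:00", "US", "dev-a1"),
    ("jimmy", "2008-07-16T15:58:00", "US", "dev-a1"),
    ("jimmy", "2008-07-23T16:10:00", "US", "dev-a1"),
    ("alice", "2008-07-03T21:00:00", "KR", "dev-b7"),
    ("alice", "2008-07-04T21:30:00", "KR", "dev-c2"),
]

# Constructed opt-in table: users who asked to be allowed only from specific machines.
DEVICE_LOCKS = {"jimmy": {"dev-a1"}}

def build_baseline(history):
    """Per user, record the countries and hours of day at which they have logged in."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for user, ts, country, _device in history:
        baseline[user]["countries"].add(country)
        baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(baseline)

def _hour_distance(a, b):
    """Distance between two hours of day on a 24-hour clock (23 and 01 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def score_login(baseline, user, ts, country, device, hour_window=3):
    """Return the reasons a login looks out of the ordinary; an empty list means normal."""
    reasons = []
    locked_to = DEVICE_LOCKS.get(user)
    if locked_to is not None and device not in locked_to:
        reasons.append(f"device {device} is not one of the user's allowed machines")
    profile = baseline.get(user)
    if profile is None:
        reasons.append("no login history for user")
        return reasons
    if country not in profile["countries"]:
        reasons.append(f"new country {country}; seen before: {sorted(profile['countries'])}")
    hour = datetime.fromisoformat(ts).hour
    # Flag only if the hour is farther than hour_window from every usual login hour.
    nearest = min(_hour_distance(hour, h) for h in profile["hours"])
    if nearest > hour_window:
        reasons.append(f"hour {hour:02d} is {nearest}h from any usual login hour")
    return reasons
```

A non-empty result is a signal for a second factor or a review queue, not by itself proof of a stolen password.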


If you are a company impacted by a PWS and can quantify the impact, let us know and we will review your data as part of our MSRT family selection process. We're happy to work with you to help protect our mutual customers.

 

--Jeff Williams

 

[It’s true.  I’ve yet to visit Malaysia.  --  Jimmy Kuo]

 


 

Comments (2)

  1. Anonymous says:

    Greetings, As you probably figured out from Matt McCormack’s post , and Jeff William’s post ; there are

  2. Anonymous says:

    <<This article is translated from the Microsoft Malware Protection Center blog post " MSRT Observations – Online Game Password Stealers
