MSRT Observations – Online Game Password Stealers


The February release of MSRT added a new threat family, Win32/Srizbi, as Vince discussed last week. As of February 16, MSRT has cleaned 38,697 machines of Srizbi infections, which is 14.1% of the total Win32/Nuwar (“Storm” worm) removals during the same timeframe after the September 2007 release.


So what tops the detection and removal list this month? The online game password stealers (PWS) Win32/Taterf and Win32/Frethog are the top two threat families, with 981,051 and 316,971 machines cleaned, respectively, one week after the MSRT release. Taterf removals are already 171% higher than the full month’s volume in January.


Below is the Top 10 threat families from MSRT February telemetry one week after release:

Rank  Family    Distinct machines cleaned
1     Taterf    981,051
2     Frethog   316,971
3     Renos     270,395
4     Alureon   205,930
5     Tibs      148,866
6     Vundo     116,837
7     Bancos    114,190
8     FakeXPA   110,855
9     Yektel    101,773
10    Banker     81,873



In the last Security Intelligence Report (SIR), Microsoft observed online game PWS threats as a key area in the threat landscape.



The increasing popularity of massively multiplayer online role-playing games (MMORPGs) has created a new online economy in which players auction off hard-won virtual “gold” and in-game equipment for real-world cash. Though the games’ makers usually discourage such commerce and often penalize players who are known to engage in it, the possessions and attributes of a well-stocked character can fetch hundreds of U.S. dollars from game devotees. Perhaps inevitably, this has led to the development of a curious new class of threat—worms and trojans that steal players’ gaming passwords on behalf of thieves who can then auction the victim’s virtual loot themselves. (Page 62, Microsoft Security Intelligence Report, January through June 2008)


MMPC continues to monitor the activities of these PWS threats. Many of them have remained quite prevalent during the last eight months. The trending below shows that Taterf and Frethog have stayed very active since being added to the MSRT detection list in June 2008. Taterf never dropped out of the top 5, and Frethog has consistently been in the top 5 except during last November and December.


PWS Telemetry


What does this mean? Compared with the families of rogue security software we focused on last November and December, these game PWS threats appear to be more resilient and to have longer life cycles. (The Win32/FakeSecSen rogue, the threat family included in MSRT November 2008, dropped out of the top 20 a month after its initial #1 ranking; the Win32/FakeXPA rogue, the family included in MSRT December 2008, is now #9 after ranking #1 in December.) Malware authors are busy updating Taterf and Frethog to make these threats highly polymorphic and to distribute variations of the same codebase to multiple criminal groups. This month we still saw 17,070 different Taterf files and 26,420 different Frethog files.


Top 10 Win32/Taterf files detected by the MSRT February release:

Top 10 Taterf SHA1                            Machines cleaned
0x4D5C36EBFF00262E08FF12DC6B9CC3F297B93A76    197,184
0x35072F85D8E5AD7D731BCE01295C2108FCD55C85    147,390
0xD7748D299E65AD47D1A48D8E2408612E35A143AC     66,505
0xB3299A705AF4A1E5F6C2FCE2316BB665A0F4E550     56,204
0x00B366551030D6D20D31C7254636CBCEABB53EAF     47,302
0x68DCEC00E799ED4351EFD4A1D74AE016DB72D2A6     47,193
0xFC22B927A8371FF5DA758BA8CF10DCEA30AA5279     43,344
0xD1EB3B53B60277E8CF87F5C7FB2EE526600683AB     38,490
0x814D454466BAB020ABCD71F5097E96732D45E559     33,235
0xBC7A31198F890C27D31AEA70A54A9CC37CB3F1CF     32,505



Top 10 Win32/Frethog files detected by the MSRT February release:

Top 10 Frethog SHA1                           Machines cleaned
0x282CA82931E7D3C80074A7506DCF5B2041B02D38     62,649
0xFD747631398350020A1EE126B1E3C27668194809     40,798
0xF7C3DD41D5F385C569B2D0C2C3D94904189A2442     21,360
0x1E60883D943AFA395708F583AE33FCE6935867DA     16,142
0x297C4A4CBA246B70F12EBAADDC48B5D65A41A875     11,037
0xD18CF04FC57D0111AA436258AE7DCA9A00645FA0     11,017
0x1FA01DC607E5D2FA5893A610DAB49C2DDC96CDB5     10,014
0x131C8DC19A6C301BEBB4CF27F231064789A778A5      9,695
0xB5EF7032C2E81D6BD99DB6E7A30B43C6063F1EC0      8,055
0x6AF19AC78B47FE46AE71ECBD584D1CB6A9CDDE2E      6,392

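The two SHA1 lists above are the kind of indicator an incident responder turns into a quick disk sweep. The script below is an added example written for this post, not MMPC code or tooling: it parses the Taterf and Frethog hashes exactly as printed (stripping the tables' "0x" prefix), streams files through SHA1, and reports any file whose digest is on the list. The directory, file name and file contents used by demo_scan() are constructed for the demonstration only.

```python
"""Sweep a directory tree for files whose SHA1 is on a known-bad list.
Added example for this post, not MMPC tooling. Hash list copied from the
post's Top 10 Taterf/Frethog tables; demo_scan() input is constructed."""
import hashlib
import os
import re
import tempfile
from typing import List, Optional, Set, Tuple

# SHA1 values exactly as printed in the post's tables (the "0x" prefix is the
# tables' formatting; normalize_sha1() strips it). '#' lines are comments.
KNOWN_BAD_SHA1_TEXT = """
# Win32/Taterf
0x4D5C36EBFF00262E08FF12DC6B9CC3F297B93A76
0x35072F85D8E5AD7D731BCE01295C2108FCD55C85
0xD7748D299E65AD47D1A48D8E2408612E35A143AC
0xB3299A705AF4A1E5F6C2FCE2316BB665A0F4E550
0x00B366551030D6D20D31C7254636CBCEABB53EAF
0x68DCEC00E799ED4351EFD4A1D74AE016DB72D2A6
0xFC22B927A8371FF5DA758BA8CF10DCEA30AA5279
0xD1EB3B53B60277E8CF87F5C7FB2EE526600683AB
0x814D454466BAB020ABCD71F5097E96732D45E559
0xBC7A31198F890C27D31AEA70A54A9CC37CB3F1CF
# Win32/Frethog
0x282CA82931E7D3C80074A7506DCF5B2041B02D38
0xFD747631398350020A1EE126B1E3C27668194809
0xF7C3DD41D5F385C569B2D0C2C3D94904189A2442
0x1E60883D943AFA395708F583AE33FCE6935867DA
0x297C4A4CBA246B70F12EBAADDC48B5D65A41A875
0xD18CF04FC57D0111AA436258AE7DCA9A00645FA0
0x1FA01DC607E5D2FA5893A610DAB49C2DDC96CDB5
0x131C8DC19A6C301BEBB4CF27F231064789A778A5
0xB5EF7032C2E81D6BD99DB6E7A30B43C6063F1EC0
0x6AF19AC78B47FE46AE71ECBD584D1CB6A9CDDE2E
"""

_SHA1_RE = re.compile(r"(?:0x)?([0-9a-fA-F]{40})")


def normalize_sha1(token: str) -> Optional[str]:
    """Return the 40-char lowercase hex digest, or None if the token is not
    a SHA1 (an optional 0x prefix is accepted, as in the post's tables)."""
    m = _SHA1_RE.fullmatch(token.strip())
    return m.group(1).lower() if m else None


def parse_ioc_list(text: str) -> Set[str]:
    """One hash per line; '#' comments, blank and malformed lines are skipped."""
    iocs: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        digest = normalize_sha1(line) if line else None
        if digest is not None:
            iocs.add(digest)
    return iocs


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA1 so large binaries are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, iocs: Set[str]) -> List[Tuple[str, str]]:
    """Walk root without following symlinks; return (path, sha1) for every
    regular file whose digest is in iocs. Unreadable files are skipped."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest))
    return hits


def demo_scan() -> Tuple[str, List[Tuple[str, str]]]:
    """Constructed demonstration: hash a harmless throwaway file, add its own
    digest to the IOC set, and confirm the sweep reports exactly that file.
    Returns (that digest, [(file name, digest), ...])."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "constructed_sample.bin")
        with open(sample, "wb") as f:
            f.write(b"constructed sample content for the demo, not malware")
        sample_digest = sha1_of_file(sample)
        iocs = parse_ioc_list(KNOWN_BAD_SHA1_TEXT) | {sample_digest}
        hits = scan_tree(root, iocs)
        return sample_digest, [(os.path.basename(p), d) for p, d in hits]


if __name__ == "__main__":
    digest, hits = demo_scan()
    print(len(parse_ioc_list(KNOWN_BAD_SHA1_TEXT)), "IOCs loaded; hits:", hits)
```

To sweep a real volume, replace the constructed directory in demo_scan() with the root you want to check and the real hash list with whatever your telemetry provides. Keep in mind the limit the post itself states: with 17,070 distinct Taterf files and 26,420 distinct Frethog files seen in one month, a hash match only catches a sample that has already been catalogued, so a sweep like this is a confirmation tool, not a substitute for an up-to-date AV engine.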


The main shift in the geographic distribution of these PWS threats is that China is no longer in the top 10 for infected systems, compared with what Matt McCormack disclosed in his June 2008 blog post and Jeff Williams in his August 2008 blog post, when China was the most prevalent region for these PWS threats. This does not necessarily mean the malware authors are retreating from China. With a projected online game market of “17.03 billion RMB (around 2.43 billion USD) in 2009”, as described in Chun Feng’s VB paper “Playing with shadows – exposing the black market for online game password theft”, the malware writers will definitely want a piece of the pie. Read Chun’s paper for a peek at the malware underground economy. You do not want your IDs auctioned there.


Win32/Taterf, week 1, February 2009:

Rank  Country/Region   Distinct machines cleaned
1     United States    127,833
2     Taiwan           113,944
3     Korea            112,784
4     Turkey           112,464
5     Spain             93,168
6     Brazil            72,196
7     Japan             53,536
8     France            49,688
9     Poland            47,558
10    Mexico            47,512
11    Russia            18,494
12    Italy             16,588
13    Hong Kong          9,849
14    Saudi Arabia       9,757
15    Colombia           7,953
16    United Kingdom     7,953
17    Thailand           5,626
18    Chile              5,329
19    Portugal           4,579
20    Peru               4,375
      Other             58,248


Note: China is #36 on the Win32/Taterf list


Win32/Frethog, week 1, February 2009:

Rank  Country/Region   Distinct machines cleaned
1     United States     44,859
2     Taiwan            38,804
3     Turkey            32,650
4     Korea             32,122
5     Brazil            22,460
6     Spain             24,858
7     France            15,072
8     Poland            12,704
9     Mexico            12,094
10    China              7,899
11    Italy              4,520
12    Saudi Arabia       3,277
13    Hong Kong          2,838
14    United Kingdom     2,595
15    Russia             2,564
16    Colombia           2,224
17    Thailand           1,957
18    Chile              1,569
19    Japan              1,374
20    Venezuela          1,315
      Other             18,808



We identified at least the following games or game platforms that are targeted by Taterf and Frethog authors:



  • Rainbow Island

  • Cabal Online

  • A Chinese Odyssey

  • Hao Fang Battle Net

  • Lineage

  • Gamania

  • MapleStory

  • Qqgame

  • Legend of Mir

  • World Of Warcraft

If you play the above games, we suggest you read Jeremy Croy’s blog post and be cautious in your online and gaming adventures, especially if you log in from an Internet café. At home, do yourself a favor and install a full AV product. At a minimum, if you suspect your computer has been infected, run a virus scan with the Microsoft Windows Live safety scanner at http://safety.live.com.


–Scott Wu
