If you play Halo, you probably know that the Recon Armor is a rare armor variant that is only available to the makers of Halo, Bungie, and players who have unlocked all Vidmaster challenges in previous versions of the game. With the recent release of Halo: Reach, a lot of users are looking for free means to get hold of this armor for their game play. Apparently, malware writers also took notice of this opportunity to distribute malware masking as code generators for the flaming recon helmet and Halo Reach itself.
Figure 1 - Recon Armor
We came across two samples, detected as PWS:Win32/Fignotok.A, named “Mod V3xD.exe” (Sha1: 1855974d848568968f4c97871a70fa42aff8fbc8) and “Halo Reach Flaming Recon.exe” (Sha1: 775c62aa8530eb616ff5444298d3dc4cff5c823e). These both drop a file named “haloreachflamingrecon.exe” that promises to generate code for the Recon Armor but instead steals the user’s Xbox Live credentials by asking the user for logon details (see Figure 2 below) and sending it to a remote attacker via email. It also connects to a remote location, which is now inaccessible, from where it gets other configuration files.
Figure 2 - Enter your XBox Live account details to activate your Flaming Recon! But actually, just watch your credentials get stolen.
Another malware family that banks on the popularity of the Halo franchise has the file name “Halo Reach Generator.exe” (Sha1: 7ab2f6cbacd967aa72360af76e666e3c6cbf56ec) and is already detected as Worm:Win32/Rebhip.A. This worm can spread via removable drives and can steal sensitive information as well.
So think twice before sprucing up that armor through code-generators, as this might lead to your account being gamed. Everyone hates cheaters, and fair play earns you those bragging rights too.