Online Game Trojan
SecurityLabs.websense.com
Hermes Li
TRANSCRIPT
Contents
1. Why game trojans are so popular
2. The underground market operation
3. Analysis of an online game trojan
4. How to protect against trojans
Download link http://ifile.it/7qmt3u8 (deepsec)
Internet Status in China
• Total internet users in China: 485 million, 36.2% of the total population
• Internet users who have encountered a trojan: 217 million, 44.7% of all internet users in China
• Affected users: 121 million, 24.9% of all internet users in China, have at some point lost an account to a trojan attack
Data from CNNIC, up to June 2011
Online Game Players in China
• Online gaming market: more than RMB 34.9 billion (EUR 4 billion)
• Total number of game players: 311 million; active players: more than 120 million
• Personal spending on online games: on average RMB 99 per player per month
Normal Online Game Market
Virtual goods are sold both inside the game and outside it through advertisements.
[Figure: screenshots of virtual-goods ads, in Chinese]
The Underground Market Operation
Actors in the chain: Trojan Writer, Trojan Buyer, Account Retailer, Game Player
Major target: Massively Multiplayer Online Role-Playing Games like World of Warcraft
• 1 trojan = 100 RMB
• 1000 accounts = 500 RMB
• 1 top-level sword > 10,000 RMB
Distribution channels: personal servers, cracked software, social networks, malicious websites, cheating programs
Where Are Game Trojans From / How the Trojan Is Installed
[Figure: infection flow] The bad guy operates a compromised site or a crafted website, draws victims to it through black SEO, social networks and IM chats; the victim client runs a downloader, which installs the trojan, and the stolen account data is collected in the attacker's victim DB.
Analysis of a Game Trojan Framework
How to generate a trojan
The work process of the trojan
Source code of module component
Detection Rate
[Bar chart: VirusTotal scan results for IMEHost.dll, Stolor.dll, dllhost.dll, AddNewSection.exe and Generator.exe; y-axis 0 to 40 detections]
Example: http://www.virustotal.com/file-scan/report.html?id=b2ddf6556b34879f57bed99ecca4620ebb5827afe3c05736b3cf803f617a0628-1318214118
Generate Trojan
• Components: Stolor.dll, IMEHost.dll, DllHost.dll, AddNewSection.exe
• Generator.exe packs them with UPack into the packed trojan file
• Target path: C:\windows\System32
Work Process
• Run Trojan.exe, which releases stolor.dll, IMEhost.dll, dllhost.dll, dbr01021.ocx, dbr99005.ocx and winnt.com, plus the fake font file C:\windows32\fonts\dbr01021.ttf
• Injected system files: comres.dll, ddraw.dll, dsound.dll
3 Modules to Monitor the Game
• Infect: infects the system DLLs (dsound.dll, ddraw.dll, d3dx.dll, comres.dll) under the System folder by adding a new section to each.
• IME: releases a fake font file as its config file, registers a fake Input Method and sets it as the default.
• Hook: calls the API CreateRemoteThread or SetWindowsHookEx to hook the game exe's process and append a trojan DLL thread to it.
Module Component (Hook)
• SetWindowsHookEx (DllHost.cpp)
• CreateRemoteThread (Funcs.cpp)
Module Component (IME)
• Append fake IME to the system and set it as default (IMEHost.cpp)
• Export function (IMEHost.cpp, IMEHost.def)
Module Component (Infect)
• Kill the game process and infect the system DLL file (StoreMain.cpp)
• Infect and encrypt the newly added section (Infect.cpp, Pecrypt.cpp)
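As an added, defender-side check (not code from the talk or from the trojan's own sources), the parser below reads a PE image's section table and flags the trace the Infect module leaves in a patched system DLL: the entry point redirected into a last section that is both writable and executable, as an appended self-decrypting section must be. The two sample images are constructed inline (header-only PE32); the section name `.x1` and the layouts are assumptions.

```python
import struct

SCN_CODE, SCN_EXEC, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000

def parse_pe(data):
    """Return (entry_rva, [(name, vaddr, vsize, characteristics), ...]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint (PE32 and PE32+)
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0"), vaddr, vsize, chars))
    return entry, sections

def entry_in_appended_section(data):
    """Heuristic: True when the entry point lies in the last section and that section is
    writable and executable, the shape an appended, encrypted loader section takes."""
    entry, sections = parse_pe(data)
    _, vaddr, vsize, chars = sections[-1]
    in_last = vaddr <= entry < vaddr + vsize
    return bool(in_last and chars & SCN_EXEC and chars & SCN_WRITE)

def build_sample_pe(entry, sections):
    """Constructed header-only PE32 image for testing; not a binary from the talk."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                    # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x2102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, c)
                    for n, va, vs, c in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

TEXT = (b".text", 0x1000, 0x2000, SCN_CODE | SCN_EXEC | SCN_READ)
DATA = (b".data", 0x3000, 0x1000, SCN_READ | SCN_WRITE)
CLEAN_DLL = build_sample_pe(0x1500, [TEXT, DATA])
# Same layout plus an appended RWX section (assumed name .x1) that now owns the entry point.
INFECTED_DLL = build_sample_pe(0x4010, [TEXT, DATA, (b".x1", 0x4000, 0x500, SCN_READ | SCN_WRITE | SCN_EXEC)])
```

On a real host the same check would be run over the DLLs the talk names (dsound.dll, ddraw.dll, d3dx.dll, comres.dll) read from the System folder, with a hit followed by a hash comparison against a known-good copy.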
Special Functions
• AntiAV (AntiAV.cpp)
• AdjustPrivileges (Func.cpp)
• Grid Authentication Crack (KickProc.cpp, CapPic.cpp)
[Figure: grid card screenshots]
More About All Trojans
• Types of trojans
• Advanced hiding technology
• Anti-detection technology
• Prediction solution
Types of Trojans
• APT Trojan: acts in Advanced Persistent Threats
• Bank Trojan: steals bank accounts directly, causing real money damage
• Common Trojan: back door program to monitor IM, email or other accounts, or a remote controller
• Game Trojan: hackers use it to steal game accounts and sell them for money
Advanced Hiding Technology (rootkit-style API hooking: modify the result lists returned to callers)
• Hide file: hook the system API ZwQueryDirectoryFile and remove the trojan's own files from the directory listing.
• Hide process: hook the process list API EnumProcesses and remove the trojan's process from the result.
Anti-Detection Technology
• Core code encryption
• Packer
• Obfuscation
Prediction Solution for Enterprise
• Real-time security scan (both content and URL)
• IP overblock / domain overblock
• Outbound and inbound traffic scanning
• Reputation score
• Advanced detection