![Page 1: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/1.jpg)
Online Game Trojan
SecurityLabs.websense.com
Hermes Li
![Page 2: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/2.jpg)
Contents
1 Why game trojans are so popular
2 The underground market operation
3 Analysis of an online game trojan
4 How to protect against trojans
Download link http://ifile.it/7qmt3u8 (deepsec)
![Page 3: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/3.jpg)
Internet Status in China
Total internet users in China
485 million, 36.2% of the total population
Internet users encounter with the Trojan
217 million, 44.7% of total internet users in China
Affected users
121 million, 24.9% of total internet users in China, have at some point lost
their account to a trojan attack
Data from CNNIC, up to June 2011
![Page 4: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/4.jpg)
Online Game Players in China
Online gaming market: more than RMB 34.9 billion (EUR 4 billion)
Total number of game players: 311 million; active players: more than 120 million
Personal spending on online games
Representative cost: on average RMB 99 per player per month
![Page 5: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/5.jpg)
Normal Online Game Market
Inside Game
Outside Game
![Page 6: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/6.jpg)
Virtual Goods Selling Ads
Ad screenshots (in Chinese characters)
![Page 7: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/7.jpg)
The Underground Market Operation
Game Player
Account Retailer
Trojan Buyer
Trojan Writer
Major target: Massively Multiplayer Online Role Playing Games like World of Warcraft
1 trojan = 100 RMB
1000 accounts = 500 RMB; 1 top level sword > 10,000 RMB
![Page 8: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/8.jpg)
Personal server
Cracked software
Social network
Malicious websites
Cheating program
Where Are Game Trojans From
![Page 9: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/9.jpg)
How the Trojan Is Installed
Compromised site
Bad guy
Black SEO
Social networks
IM chats
Victim client: Trojan
Downloader
Victim DB: Account Data
Crafted website
Trojan
![Page 10: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/10.jpg)
Analysis of a Game Trojan Framework
How to generate a trojan
The work process of the trojan
Source code of module component
![Page 11: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/11.jpg)
Detection Rate
VirusTotal Scan Result (bar chart, scale 0 to 40; one bar per component: IMEHost.dll, Stolor.dll, dllhost.dll, AddNewSession.exe, Generator.exe)
Example http://www.virustotal.com/file-scan/report.html?id=b2ddf6556b34879f57bed99ecca4620ebb5827afe3c05736b3cf803f617a0628-1318214118
![Page 12: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/12.jpg)
Generate Trojan
Packed trojan file
Stolor.dll IMEHost.dll
AddNewSection.exe
Generator.exe to pack with UPack
DllHost.dll
![Page 13: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/13.jpg)
C:\windows\System32
Work Process
Run
Injected system files: comres.dll, ddraw.dll, dsound.dll
dbr01021.ocx
dbr99005.ocx
winnt.com
stolor.dll
IMEhost.dll
dllhost.dll
Trojan.exe
C:\windows32\fonts\dbr01021.ttf
![Page 14: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/14.jpg)
3 Modules to Monitor Game
Infect: infect system DLLs (dsound.dll, ddraw.dll, d3dx.dll, comres.dll) under the System folder by adding a new section
IME: release a fake font file as the config file; register a fake Input Method and set it as the default
Hook: call the API CreateRemoteThread or SetWindowsHookEx to hook the game exe's process and append a trojan DLL thread
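The Infect module's technique, a section appended to a system DLL that then owns the entry point, leaves a recognisable footprint in the PE section table. The following checker is an added example written for this transcript, not code from the deck or the trojan; the section name `.dbr`, the flags and the two minimal PE images are constructed here for testing.

```python
import struct
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section characteristics flags (PE spec)
IMAGE_SCN_MEM_WRITE = 0x80000000
COMMON_NAMES = {b".text", b"CODE", b".rdata", b".data", b".rsrc", b".reloc", b".idata", b".tls"}

def parse_sections(pe):
    """Return (AddressOfEntryPoint, section list) from raw PE32/PE32+ bytes."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                     # after the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                       # 40-byte section table entries
        name, vsize, vaddr, rsize = struct.unpack_from("<8sIII", pe, off)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr,
                         "size": max(vsize, rsize), "flags": flags})
    return entry_rva, sections

def appended_section_findings(pe):
    """Flag the 'append a section and move the entry point into it' infection pattern."""
    entry_rva, secs = parse_sections(pe)
    last = secs[-1]
    ep_sec = next((s for s in secs if s["vaddr"] <= entry_rva < s["vaddr"] + s["size"]), None)
    findings = []
    if len(secs) > 1 and ep_sec is last:
        findings.append("entry point in last section %r" % last["name"])
    if last["flags"] & IMAGE_SCN_MEM_EXECUTE and last["flags"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section is writable and executable")
    if last["flags"] & IMAGE_SCN_MEM_EXECUTE and last["name"] not in COMMON_NAMES:
        findings.append("executable section with unusual name %r" % last["name"])
    return findings

def build_pe(sections, entry_rva):
    """Constructed minimal PE32 image: DOS stub, COFF + optional header, section table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, va, sz, rp, 0, 0, 0, 0, fl)
                     for n, sz, va, rp, fl in sections)
    return dos + coff + opt + b"\0" * (224 - len(opt)) + table

# Constructed samples: a clean two-section DLL, and the same layout with an appended RWX
# section (name chosen arbitrarily) that now owns the entry point, as the Infect module does.
LAYOUT = [(b".text", 0x1000, 0x1000, 0x400, 0x60000020), (b".data", 0x200, 0x2000, 0x1400, 0xC0000040)]
CLEAN = build_pe(LAYOUT, 0x1100)
INFECTED = build_pe(LAYOUT + [(b".dbr", 0x800, 0x3000, 0x1600, 0xE0000020)], 0x3010)
```

Run the same checks over the real comres.dll, ddraw.dll and dsound.dll in System32 and compare against a known-good copy; a legitimate Microsoft DLL never has its entry point in a trailing writable section.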
![Page 15: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/15.jpg)
Module Component (Hook)
SetWindowsHookEx (DllHost.cpp)
![Page 16: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/16.jpg)
Module Component (Hook)
CreateRemoteThread (Funcs.cpp)
![Page 17: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/17.jpg)
Module Component (IME)
Append fake IME to system and set as default (IMEHost.cpp)
![Page 18: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/18.jpg)
Module Component (IME)
Export Function (IMEHost.cpp IMEHost.def)
![Page 19: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/19.jpg)
Module Component (Infect)
Kill game process and Infect system dll file (StoreMain.cpp)
![Page 20: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/20.jpg)
Module Component (Infect)
Infect and encrypt the newly added section (Infect.cpp, Pecrypt.cpp)
![Page 21: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/21.jpg)
Special Functions
AntiAV (AntiAV.cpp) AdjustPrivileges (Func.cpp)
![Page 22: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/22.jpg)
Special Functions
Grid Authentication Crack (KickProc.cpp)
![Page 23: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/23.jpg)
Grid Authentication Crack
Grid card screenshots
![Page 24: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/24.jpg)
Special Functions
Grid Authentication Crack (CapPic.cpp)
![Page 25: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/25.jpg)
Type of trojans
Advanced hidden technology
Anti-Detection technology
Protection solution
More About All Trojans
![Page 26: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/26.jpg)
Type of Trojans
Used in Advanced Persistent Threats
Trojans that steal bank accounts directly: real money damage
Back door programs that monitor IM, email or other accounts, or act as a remote controller
APT Trojan
Bank Trojan
Game Trojan
Common Trojan
Hackers use these to steal game accounts and sell them for money
![Page 27: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/27.jpg)
Advanced Hidden Technology
Hide file: hook the system API ZwQueryDirectoryFile and remove itself from the file list.
API hook: modify result lists
(Rootkit)
Hide process: hook the process list API EnumProcesses and remove itself from the result.
![Page 28: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/28.jpg)
Anti Detection Tech
Core code encryption
Packer
Obfuscation
![Page 29: Online Game Trojan SecurityLabs.websense.com Hermes Li](https://reader036.vdocuments.us/reader036/viewer/2022070408/56649e555503460f94b4d466/html5/thumbnails/29.jpg)
Protection Solution for Enterprise
• Real-time security scan (both content and URL)
• IP overblock / domain overblock
• Outbound and inbound traffic scanning
• Reputation score
• Advanced detection