Online Game TrojanSecurityLabs.websense.com

Hermes Li

Contents

Why game trojans is so popular1

The underground market operation2

Analysis of an online game trojan3

How to protect against trojans 4

Download link http://ifile.it/7qmt3u8 (deepsec)

Internet Status in China

Total internet users in China

485 Milion, 36.2% amone total population

Internet users encounter with the Trojan

217 Milion, 44.7% amone Total internet users in China

Affected users

121 Milion, 24.9% amone Total internet users in China once lost

there account by trojan's attack

Data from CNNIC, up to Jun 2011

Online Game Players in China

Online gaming market More than RMB 34.9 Billion (EUR 4 Billion)

Total number of game players 311 million. active player: more than120 million

Personal spending for online game

Representative cost on average RMB 99 per player per month

Normal Online Game Market

Inside Game

Outside Game

Virtual Goods Selling AD

ADs screen shot (in Chinese character)

The Underground Market Operation

GamePlayer

AccountRetailer

TrojanBuyer

TrojanWriter

Major target:Massive Multiplayer Online Role Playing Gameslike World of Warcraft

1 Trojan = 100RMB

1000 account = 500RMB 1 top leavel sword> 10,000RMB

personalServer

CrackedSoftware

SocialNetwork

MaliciousWebsites

Cheating Program

Where Are Game Trojans From

How Trojan Installed

Compromised site

Bad guy

Black SEO

Social networks

IM chats

Email

Victim Client Trojan

Downloader

Victim DBAccount Data

Crafted website

Trojan

Analysis of a Game Trojan Framework

How to generate a trojan

The work process of the trojan

Source code of module component

Detection Rate

0

5

10

15

20

25

30

35

40

IMEH

ost.

dll

Stol

or.d

ll

dllh

ost.

dll

AddN

ewSe

ssio

n.ex

e

Gene

rato

r.ex

e

Vi rusTotal Scan Resul t

Example http://www.virustotal.com/file-scan/report.html?id=b2ddf6556b34879f57bed99ecca4620ebb5827afe3c05736b3cf803f617a0628-1318214118

Generate Trojan

Packed trojan file

Stolor.dll IMEHost.dll

AddNewSection.exe

Generator.exeto pack with upack

DllHost.dll

C:\windows\System32

Work Process

Run

Injected system files• comres.dll• ddraw.dll• dsound.dll

dbr01021.ocx

dbr99005.ocx

winnt.com

stolor.dll

IMEhost.dll

dllhost.dll

Trojan.exe

C:\windows32\fonts\dbr01021.ttf

3 Modules to Monitor Game

InfectInfectInfect system dlls (dsound.dll,ddraw.dll, d3dx.dll, comres.dll) under System folder, add a new session

IMEIMERelease a fake font file as config fileRegister a fake Input Method and set to default

HookHookCall API CreateRemoteThread or SetWindowsHookEx. Hook game exe file’s process and append trojan dll thread.

Module Component (Hook)

SetWindowsHookEx (DllHost.cpp)

Module Component (Hook)

CreateRemoteThread (Funcs.cpp)

Module Component (IME)

Append fake IME to system and set as default (IMEHost.cpp)

Module Component (IME)

Export Function (IMEHost.cpp IMEHost.def)

Module Component (Infect)

Kill game process and Infect system dll file (StoreMain.cpp)

Module Component (Infect)

Infect and encrypt new added session (Infect.cpp, Pecrypt.cpp)

Special Functions

AntiAV (AntiAV.cpp) AdjustPrivileges (Func.cpp)

Special Functions

Grid Authentication Crack (KickProc.cpp)

Grid Authentication Crack

grid card screen shots

Special Functions

Grid Authentication Crack (CapPic.cpp)

Type of trojans

Advanced hidden technology

Anti-Detection technology

Prediction solution

More About All Trojans

Type of Trojans

Act in Advanced Persistent Threats

Trojans to steal bank account directly,real money damage

Back door program to monitorIM, Email or other accounts, or remote controller

APT Trojan

Bank Trojan

Game Trojan

Common Trojan

Hackers use this to steal game account and sale out to get money

Advanced Hidden Technology

Hide fileMonitor system API ZwQueryDirectoryFile, remove itself from files list.

API HookModify result lists

(Root kit)

Hide process Hook processes list API EnumProcesses, remove itself from result.

Anti Detection Tech

Core Core codescodes

encryptionencryption

PackerPacker

ObfuscationObfuscation

Prediction Solution for Enterprise

•Real-Time Security Scan(both content and URL)

•IP Overblock / Domain Overblock

•Outbound and Inbound traffic scanning

•Reputation score

•Advanced Detection

websenselab@gmail.com