For the past few weeks TMIRT is conducting a sort of investigation on how TSPY_LINEAGE and TSPY_WOW arrives on users’ systems. Sure they are Trojan Spywares that do not have the capability to replicate, but then, why are there so many infection reports?

Owing to the fact that they are Trojan Spywares aimed to steal user accounts for the online games Lineage and World of Warcraft (WoW), it is but logical to target those who actually play the game. So, for more than a week, we scoured the Internet searching for hacks, key generators and cheats for both online games. But alas, our search did not yield a malicious file.

Then, just this morning, I bumped into this old article by the Honeyclient Project, where they reported several compromised World of Warcraft accounts. The compromised accounts was caused by a Trojan Spyware (most probably TSPY_WOW) that was installed in gamer’s machine when he visited an ad in Allakzaham – a site where World of Warcraft players trade, sell, or auction virtual items that can be used in the online game.

As a previous blog entry reports, compromised accounts can be used by the malicious author to steal virtual items and then sell it on sites like Allakzaham.

So there, now we have a clearer idea on how company networks become infected. An employee uses company resources to play online games, browses items that can boost the skill level of his character in the online game, gets infected by a Trojan Spyware and it’s accomplice (ever heard about PE_LOOKED?), and then infection spreads in the company’s network.

Moral of the story?

• 1. Do not allow online games
  
• 2. Block ports used by online games
  
• 3. Block sites related to these online games
  
• 4. Educate your users

Simple enough isn’t it?