
    Author Archive - Lion Gu (Senior Threat Researcher)




    Recently, my colleagues have been reporting on the tools cybercriminals use in their operations: Twitter spam and botnet kits, fake point-of-sale (POS) devices, and distributed denial-of-service (DDoS) tools. This time, I will share some information about yet another tool, one that specifically targets Chinese online gamers.

    China is well known for having a huge population of online gamers. In fact, a recently published study stated that there were 68 million gamers in the country in 2009, a number expected to increase to 141 million by 2014.

    Unfortunately, along with these continuing developments in the gaming industry come opportunities for cybercriminals to make money by selling virtual assets extracted from stolen online gaming accounts.

    Just like the tools previously mentioned, cybercriminals also use Trojan generators to steal online game accounts. “响尾马” (Xiang Wei Ma or XWM, which means “rattle Trojan” in Chinese) is a popular Chinese Trojan kit. The main highlight of the XWM Kit is that it includes not only Trojan generators but also a backend server component that receives and sorts the stolen information, making the whole operation very convenient for cybercriminals.

    The XWM Kit includes 21 Trojan generators that target popular online games in China, most of which are local games (see Figure 1).


    These generators require some configuration before a new Trojan is generated. The operator must enter the backend server’s URL so that the generated Trojan knows where to send the information it steals.


    Once executed on a victim’s system, the generated Trojan will drop the following files:

    • %system32%\{4 random characters}.dll
    • %system32%\{4 random characters}.cfg
    • %system32%\drivers\msacpe.sys
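As an added example (not code from the original post or from Trend Micro), the following Python function scans a list of Windows file paths, such as a directory listing or an export from a forensic image, for the dropped-file pattern described above: a same-stem four-character .dll/.cfg pair directly under System32 and the msacpe.sys driver under drivers. The listing below is constructed for illustration, and the assumption that the four "random characters" are alphanumeric is mine, since the post does not specify the character set.

```python
import re
from pathlib import PureWindowsPath

# Dropped-file pattern reported for the XWM Trojan (relative to %system32%):
#   {4 random characters}.dll, {4 random characters}.cfg, drivers\msacpe.sys
# Assumption: the four random characters are alphanumeric.
STEM_RE = re.compile(r"^[A-Za-z0-9]{4}$")

# Constructed directory listing for illustration only (not from a real host).
SAMPLE_LISTING = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\ab1z.dll",
    r"C:\Windows\System32\ab1z.cfg",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\user.cfg",   # four-char stem but no matching .dll
    r"C:\Windows\System32\drivers\msacpe.sys",
    r"C:\Windows\System32\drivers\acpi.sys",
]


def find_xwm_artifacts(paths, system32=r"C:\Windows\System32"):
    """Return XWM-like artifacts found among the given Windows path strings.

    Result: {"pairs": [(dll_path, cfg_path), ...], "driver": path_or_None}.
    A pair is a .dll and a .cfg with the same four-character stem located
    directly in System32; "driver" is drivers\\msacpe.sys if present.
    PureWindowsPath comparisons are case-insensitive, as on NTFS.
    """
    sys32 = PureWindowsPath(system32)
    dlls, cfgs = {}, {}
    driver = None
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        if wp.parent == sys32 and STEM_RE.match(wp.stem):
            if name.endswith(".dll"):
                dlls[wp.stem.lower()] = str(wp)
            elif name.endswith(".cfg"):
                cfgs[wp.stem.lower()] = str(wp)
        elif wp.parent == sys32 / "drivers" and name == "msacpe.sys":
            driver = str(wp)
    # Only report stems that have BOTH a .dll and a .cfg, as the Trojan drops both.
    pairs = sorted((dlls[s], cfgs[s]) for s in dlls.keys() & cfgs.keys())
    return {"pairs": pairs, "driver": driver}


if __name__ == "__main__":
    print(find_xwm_artifacts(SAMPLE_LISTING))
```

The .dll/.cfg pair on its own is a weak indicator, since legitimate four-character file names exist in System32; treat the driver path as the primary signal and confirm any hit with file hashes and the network indicator described later in the post.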

    The .DLL file is loaded into memory, steals account information, and sends it back to the backend server using the following query string as the URL argument:

    ?a=%s&s=%s&u=%s&p=%s&r=%s[%s]&l=%d&m=%d&pin=%s

    The query string above carries eight variables, which are used to send the stolen information back to the backend server. The variables are defined as:

    • ‘a’ — area of online game server
    • ‘s’ — server name
    • ‘u’ — user name
    • ‘p’ — password
    • ‘r’ — role
    • ‘l’ — level
    • ‘m’ — virtual money
    • ‘pin’ — PIN code

    The stolen information is then sent to the backend server URL, which is contained in the .CFG file. The cybercriminals then access the backend server, which stores all the stolen information, through a specially developed home page.
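As an added example (not from the original post or from Trend Micro), the following Python code shows how a defender could turn the query-string format above into a detection over web proxy logs: it recognises a URL whose query carries exactly the eight XWM variables, checks that l and m are numeric and that r has the %s[%s] shape, and raises an alert with the password and PIN masked so the alert itself does not leak credentials. The log lines and hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Exfiltration query template reported for the XWM Trojan:
#   ?a=%s&s=%s&u=%s&p=%s&r=%s[%s]&l=%d&m=%d&pin=%s
XWM_FIELDS = ("a", "s", "u", "p", "r", "l", "m", "pin")

# The 'r' value is "role[number]"; the post does not name the bracketed number.
ROLE_RE = re.compile(r"^(?P<role>[^\[\]]+)\[(?P<num>\d+)\]$")

# Constructed proxy log lines (not real traffic): timestamp client method url
SAMPLE_LOG = """\
2014-07-01T10:00:01Z 10.0.0.5 GET http://backend.example.invalid/recv.asp?a=east&s=srv01&u=player1&p=Secret1&r=mage[42]&l=42&m=15000&pin=1234
2014-07-01T10:00:02Z 10.0.0.6 GET http://www.example.invalid/index.html
2014-07-01T10:00:03Z 10.0.0.7 GET http://shop.example.invalid/cart?a=1&s=2&u=3
2014-07-01T10:00:04Z 10.0.0.8 GET http://other.example.invalid/x?a=west&s=srv09&u=player2&p=Pass2&r=warrior[7]&l=7&m=300&pin=9876
"""


def parse_xwm_query(url):
    """Return the XWM fields as a dict if the URL's query matches the template, else None."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # Require exactly the eight variable names; a partial overlap (a, s, u in a
    # shopping-cart URL, say) must not trigger.
    if set(qs) != set(XWM_FIELDS):
        return None
    fields = {k: qs[k][0] for k in XWM_FIELDS}
    # 'l' (level) and 'm' (virtual money) are formatted with %d, so they must be integers.
    if not (fields["l"].isdigit() and fields["m"].isdigit()):
        return None
    # 'r' (role) is formatted as %s[%s].
    m = ROLE_RE.match(fields["r"])
    if not m:
        return None
    fields["r"] = m.group("role")
    fields["r_bracket"] = m.group("num")
    return fields


def scan_proxy_log(text):
    """Return one alert dict per log line whose URL matches the XWM exfiltration template."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        fields = parse_xwm_query(url)
        if fields is None:
            continue
        alerts.append({
            "timestamp": ts,
            "client": client,
            "server": urlsplit(url).netloc,   # the backend server from the .CFG file
            "game_area": fields["a"],
            "game_server": fields["s"],
            "username": fields["u"],
            "password": "*" * len(fields["p"]),   # masked: the alert must not leak it
            "pin": "*" * len(fields["pin"]),
            "role": fields["r"],
            "level": int(fields["l"]),
            "virtual_money": int(fields["m"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```

The "server" field of each alert is the backend URL the operator configured in the generator, which is the value worth blocking at the proxy and pivoting on to find other infected clients; the matched username tells the affected player which game account to reset.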


    The cybercriminals selling this tool even provide a demo page that displays a list of supposedly stolen information, as a demonstration of how effective the tool is.


    The danger in all this lies not only in the attacks that the toolkit can instigate but also in its availability. The more people who use the toolkit, the more people can be victimized, and the more cybercriminals will be motivated to conduct their own operations. This proves yet again how technology can make many things convenient for us while unfortunately doing the same for cybercriminals.

     
    Posted in Bad Sites, Botnets, Malware


     

    © Copyright 2013 Trend Micro Inc. All rights reserved.