Sophos


“Why should I care?”

I was giving a presentation recently and while most of the audience were in the education sector, there were a couple of corporate IT staff there. When it came time for questions, one of the corporate attendees asked “You talked about games in your presentation. We don’t allow games on our network, so why should we be concerned [about gaming Trojans]?”

That was a really good question and it got me thinking. Why SHOULD corporates care?

The reason is “gaming Trojans” aren’t just targeting games anymore. They may have started that way, but now they are much broader and in some cases, much more destructive. Here are just a few examples I found…

World of Warcraft

Troj/WowPWS-A, first seen November 3, 2005, targeted World of Warcraft. It tried to steal the login credentials. However, by Troj/WowPWS-Y, which we detected on September 21, 2006, it was stealing the login credentials from several games. Then by March of 2007, the Trojan became an email worm, spamming itself out with the message of “Chinese test missile obliterates satellite!” That variant not only stole the login credentials for several games, but could infect files with the extensions of “html”, “php”, and “asp” with Troj/Fujif-Gen.

Legends of Mir

Troj/LegMir-M not only stole login credentials for the game but also carried a generic keylogging DLL, Troj/LegMir-E, that would install itself and send information to a remote location. It could also terminate security processes. The keylogger would store the captured information and send it periodically to a remote user. Once again, this “gaming Trojan” morphed into a worm. W32/LegMir-AD was one such worm. While it still had most of its former functionality, it could copy itself to logical drives and used autorun.inf to launch automatically from those drives.

Lineage and Lineage II

Again this family of Trojans started off stealing gaming passwords and login details. However, even in the early days, such as Troj/Lineage-O from June 2005, it would terminate processes that were related to security. It would also download and execute additional malware. Fast forward to November 2007, Troj/Lineag-CS had a rootkit component so the keylogging component was hidden.

Now the Looked family of viruses tried to steal passwords from both Lineage and World of Warcraft. The W32/Looked family are prepending viruses that can spread to network shares and have download capability. One particular variant downloaded as many as 20 additional pieces of malware, usually banking Trojans or keylogging Trojans such as Troj/PWS variants. Troj/PWS variants have been used to steal the following information:

- POP3
- HTTPMail
- Protected Storage
- MSN Explorer signup
- IE Auto Complete fields
- Auto Complete passwords
- Password protected sites in Internet Explorer
- Outlook Express (including deleted accounts)
- Accounts stored in the Internet Account Manager

Priston’s Tale

This was more of a one-off. We only saw one of these worms, but W32/PrsKey-A is a password-stealing and keylogging worm aimed at the Priston Tale game and Yahoo! web email accounts.
Now, instead of stealing Yahoo web email account information, there has been a move to steal Yahoo Messenger login details. The thinking is that instant messaging is now the better avenue for spreading, compared with email.

Judging from just this, I’d say corporates should definitely care. It’s not just about games anymore.
