SecurityLabs.websense.com

Online Game Trojan
Hermes Li
Contents

    1   Why game trojans are so popular
    2   The underground market operation
    3   Analysis of an online game trojan
        Download link http://ifile.it/7qmt3u8 (deepsec)
    4   How to protect against trojans
Internet Status in China

  Total internet users in China
     485 million, 36.2% of the total population

  Internet users who have encountered a trojan
     217 million, 44.7% of total internet users in China

  Affected users
     121 million, 24.9% of total internet users in China have once lost
     their account to a trojan attack

                                                      Data from CNNIC, up to Jun 2011
Online Game Players in China

 Online gaming market
    More than RMB 34.9 billion (EUR 4 billion)

 Total number of game players
    311 million; active players: more than 120 million

 Personal spending on online games
    Representative cost on average RMB 99 per player per month
Normal Online Game Market

  [Diagram: virtual goods are sold both inside the game and outside the game]

Virtual Goods Selling AD

  [Figure: ADs screenshot (in Chinese characters)]
The Underground Market Operation

  Major target: Massive Multiplayer Online Role Playing Games, like World of Warcraft

  Supply chain (price at each hand-over):
    Trojan Writer     -> Trojan Buyer       1 trojan = 100 RMB
    Trojan Buyer      -> Account Retailer   1000 accounts = 500 RMB
    Account Retailer  -> Game Player        1 top-level sword > 10,000 RMB
Where Are Game Trojans From

  • Cracked software
  • Social networks
  • Personal servers
  • Malicious websites
  • Cheating programs
How Trojan Installed

  Bad guy
    -> lure delivered via Black SEO, email, social networks or IM chats
    -> crafted website or compromised site
    -> victim client runs the trojan downloader
    -> trojan is installed
    -> account data is sent to the victim DB
Analysis of a Game Trojan Framework

  How to generate a trojan
  The work process of the trojan
  Source code of the module components
Detection Rate

  [Chart: VirusTotal scan result, number of detecting engines (0 to 40) for
   IMEHost.dll, Stolor.dll, dllhost.dll, AddNewSession.exe and Generator.exe]

Example
http://www.virustotal.com/file-scan/report.html?id=b2ddf6556b34879f57bed99ecca4620ebb5827afe3c05736b3cf803f617a0628-1318214118
Generate Trojan

  DllHost.dll, Stolor.dll, IMEHost.dll
    -> AddNewSection.exe
    -> Generator.exe (packs with upack)
    -> packed trojan file
Work Process

  Trojan.exe runs and drops its modules under C:\windows\System32:
    stolor.dll    -> dbr01021.ocx
    IMEhost.dll   -> dbr99005.ocx
    dllhost.dll   -> winnt.com
  Config file released as a fake font: C:\windows32\fonts\dbr01021.ttf

  Injected system files
    • comres.dll
    • ddraw.dll
    • dsound.dll
3 Modules to Monitor Game

  Hook     Call the API CreateRemoteThread or SetWindowsHookEx. Hook the game
           exe file's process and append a trojan dll thread.

  IME      Release a fake font file as the config file. Register a fake Input
           Method and set it as the default.

  Infect   Infect system dlls (dsound.dll, ddraw.dll, d3dx.dll, comres.dll)
           under the System folder by adding a new section.
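A static check for the trace the Infect module leaves behind, as an added example (not code from the deck or from the trojan): it walks a PE section table and flags an executable section appended after the original ones with the entry point redirected into it. The two images are constructed headers-only PE32 blobs, not real system DLLs, and the section name ".dbr" is an assumption.

```python
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_pe(data):
    """Return (entry_rva, [(name, rva, virtual_size, characteristics), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                    # COFF file header
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                        # optional header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                      # 40-byte section header
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        f = struct.unpack_from("<IIIIIIHHI", data, off + 8)  # VirtualSize first
        sections.append((name, f[1], f[0], f[8]))
    return entry_rva, sections

def infection_indicators(data):
    """Traits left by appending a section and pointing the entry point at it."""
    entry, sections = parse_pe(data)
    findings = []
    owner = next((s for s in sections if s[1] <= entry < s[1] + max(s[2], 1)), None)
    if owner is None:
        findings.append("entry point lies outside every section")
    elif len(sections) > 1 and owner is sections[-1] and owner[0] != ".text":
        findings.append("entry point redirected into last section '%s'" % owner[0])
    for name, _, _, chars in sections:
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append("section '%s' is writable and executable" % name)
    return findings

def build_pe(sections, entry_rva):
    """Constructed sample: minimal headers-only PE32 image, not a real DLL."""
    dos = bytearray(64)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 64)   # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    opt[0:2], opt[16:20] = struct.pack("<H", 0x10B), struct.pack("<I", entry_rva)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, ch)
                    for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

# Constructed inputs: an untouched layout and one with an appended ".dbr" section.
CLEAN = build_pe([(".text", 0x1000, 0x4000, 0x60000020), (".data", 0x5000, 0x1000, 0xC0000040)], 0x1200)
INFECTED = build_pe([(".text", 0x1000, 0x4000, 0x60000020), (".data", 0x5000, 0x1000, 0xC0000040),
                     (".dbr", 0x6000, 0x800, 0xE0000020)], 0x6010)
```

Compilers and legitimate packers can also place the entry point in a late section, so treat a hit as a lead to confirm against a known-good copy of the same system DLL rather than as proof of infection.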
Module Component (Hook)
  SetWindowsHookEx (DllHost.cpp)
  CreateRemoteThread (Funcs.cpp)

Module Component (IME)
  Append fake IME to system and set as default (IMEHost.cpp)
  Export functions (IMEHost.cpp, IMEHost.def)

Module Component (Infect)
  Kill game process and infect system dll file (StoreMain.cpp)
  Infect and encrypt newly added section (Infect.cpp, Pecrypt.cpp)

Special Functions
  AntiAV (AntiAV.cpp)
  AdjustPrivileges (Func.cpp)
  Grid Authentication Crack (KickProc.cpp, CapPic.cpp)

Grid Authentication Crack
  [Figure: grid card screenshots]
More About All Trojans

  Type of trojans
  Advanced hidden technology
  Anti-detection technology
  Prediction solution

Type of Trojans

  APT Trojan      Acts in Advanced Persistent Threats
  Bank Trojan     Steals bank accounts directly; real money damage
  Game Trojan     Hackers use it to steal game accounts and sell them for money
  Common Trojan   Back door program to monitor IM, email or other accounts,
                  or a remote controller
Advanced Hidden Technology

  API hook: modify the result lists (rootkit)

  Hide file
    Monitor the system API ZwQueryDirectoryFile and remove itself from the
    file list.

  Hide process
    Hook the process list API EnumProcesses and remove itself from the result.
Anti Detection Tech

  [Diagram: core codes wrapped by a packer, encryption and obfuscation]
Prediction Solution for Enterprise

 • Real-Time Security Scan (both content and URL)
 • IP Overblock / Domain Overblock
 • Outbound and Inbound traffic scanning
 • Reputation score
 • Advanced Detection
websenselab@gmail.com