Game Trojans’ Biggest Tricks in 2010

It’s appropriate that this year’s BlizzCon, the two-day celebration of all things World of Warcraft, takes place during National Cyber Security Awareness Month. No other game is as heavily targeted by thieves as WoW, so this is as good a time as any to run down some of the malware threats that face gamers. 2010 has been a big year for Trojans that steal game passwords or license keys.

The people who create malware targeting online games show no signs of relenting, nor are they lying down on the job. Innovation is the name of the game, and this year’s password-stealers changed how they get themselves loaded, which makes them both more effective and harder to detect.

Two-factor authentication tokens, such as the Blizzard Authenticator, do a great job of preventing fraud. If you play WoW, the seven or so bucks the Authenticator costs can save a lot of headaches if your username and password are captured by a Trojan or a phishing Web site. The Authenticator displays a number that changes about once a minute, and a gamer has to enter the current code along with a username and password to log in. A captured code is only good until it expires, so a thief who keylogs one has that short window to use it, rather than the indefinite access a stolen password alone would give.

However, while players of Blizzard’s games can reduce their risk thanks to the Authenticator, the other companies that operate the massively-multiplayer games most targeted by phishing pages and malware are just as much targets for theft, and don’t yet offer an equivalent way to secure login credentials.

One technique that emerged this year ties the malicious keylogger to one or more of Microsoft’s DirectX libraries. DirectX is the set of Windows components that most 3D games use to render graphics, play sound effects, and read game controllers. A Trojan hooked into DirectX is loaded whenever DirectX is, and DirectX is always loaded while you play a game, so the “sleeper cell” password-stealer doesn’t wake up and do its job until you’re actually playing, which is much harder to spot than a Trojan that starts with Windows. We published a definition in May, Trojan-PWS-Cashcab, which defeats this technique. Since reinstalling DirectX over the top of itself restores the original libraries, that also breaks the infection.

Another technique that was rarely used before this year is for the keylogger to replace the Input Method Editor (or IME) on the infected computer.
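Both of these tricks leave something checkable on an infected machine: a DirectX or IME binary that is no longer the validly signed Microsoft file. The script below is an added example, not code from the original post or from any vendor; it runs the same Authenticode check over three places, the DirectX runtime DLLs in System32, every module the running game has loaded, and every IME file registered under the Keyboard Layouts key (the `Ime File` value is where Windows records an IME’s DLL). The process name `Wow` and the list of DirectX DLL names are assumptions; adjust them for the game you play.

```powershell
# Added audit example (not from the original post). Assumptions: the game
# process is called "Wow"; the DirectX DLL names below are the common ones.
# Run as administrator, and with the same bitness as the game (a 32-bit game
# needs 32-bit PowerShell before its module list can be read).
param(
    [string]$ProcessName = 'Wow'
)

$systemDir = [Environment]::SystemDirectory

# Report a file's Authenticode status and signer. Anything that is not a
# validly signed binary from the expected publisher deserves a closer look.
function Test-BinarySignature {
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{
            Path = $Path; Status = 'Missing'; Signer = $null; Suspicious = $true
        }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    New-Object PSObject -Property @{
        Path       = $Path
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer     = $signer
        Suspicious = ($sig.Status -ne 'Valid')   # unsigned or tampered with
    }
}

# 1. DirectX trick, on disk: the runtime libraries most games load.
#    A HashMismatch or NotSigned here means the file was modified or replaced.
$dxNames = 'd3d8.dll', 'd3d9.dll', 'd3d10.dll', 'd3d11.dll',
           'dinput8.dll', 'dsound.dll', 'ddraw.dll'
Write-Host "== DirectX runtime DLLs in $systemDir =="
$dxNames |
    ForEach-Object { Test-BinarySignature -Path (Join-Path $systemDir $_) } |
    Where-Object { $_.Status -ne 'Missing' } |
    Format-Table Path, Status, Signer -AutoSize

# 2. DirectX trick, in memory: everything the running game has actually loaded.
#    The Trojan only appears here while the game is running, so run this
#    check with the game open. The game's own DLLs will show a non-Microsoft
#    signer; unsigned modules loaded from odd locations are the ones to chase.
foreach ($game in (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
    Write-Host "== Modules loaded by $ProcessName (PID $($game.Id)) =="
    try {
        $game.Modules |
            ForEach-Object { Test-BinarySignature -Path $_.FileName } |
            Where-Object { $_.Suspicious } |
            Format-Table Path, Status, Signer -AutoSize
    } catch {
        Write-Warning "Could not read module list for PID $($game.Id): $_ (bitness mismatch or insufficient rights?)"
    }
}

# 3. IME trick: every keyboard layout that registers an IME file. A legitimate
#    install has only Microsoft-signed IMEs here (and none at all on most
#    Western-language systems), so any extra or unsigned entry stands out.
$layoutsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts'
Write-Host "== Registered IME files =="
Get-ChildItem -Path $layoutsKey | ForEach-Object {
    $props   = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $imeFile = $props.'Ime File'
    if ($imeFile) {
        # "Ime File" is normally a bare filename that Windows resolves from System32
        $path = if ([IO.Path]::IsPathRooted($imeFile)) { $imeFile } else { Join-Path $systemDir $imeFile }
        Test-BinarySignature -Path $path |
            Add-Member -MemberType NoteProperty -Name Layout -Value $_.PSChildName -PassThru
    }
} | Format-Table Layout, Path, Status, Signer -AutoSize
```

The signature check is the point of the script: a Trojan that patches or replaces d3d9.dll or registers its own IME cannot keep Microsoft’s Authenticode signature valid, so `HashMismatch` or `NotSigned` on one of these files is the signal, and the module list is worth capturing while the game is running, since that is the only time the DirectX variant is loaded. Reinstalling DirectX, as the post suggests, should turn a `HashMismatch` on the runtime DLLs back into `Valid`; an IME entry that survives a reboot and points at an unsigned file in a non-system directory is the IME variant’s footprint.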
