Greet1ngs,
As you all probably know by now, this month's MSRT was a very significant release for gamers everywhere, with the addition of a variety of password stealers directly targeting online games. The main targets are mostly based in Eastern Asia (Lineage Online, Legend of Mir, ZT Online just to name a few), but World of Warcraft and Valve's Steam client are high on the hit-list too – you didn't escape that easily.
The main offender in this motley crew of badness is Win32/Taterf. Taterf has been running hot the last few months, constituting over 80% of the April and May Wildlists. The worm itself is actually a mutation of Win32/Frethog, being based off the same source code. Frethog is just a drop in the ocean of malware we’re seeing coming out of China nowadays, many of which are targeting online games.
What do they do? Taterf, Frethog and their ilk are designed to steal your online game login details. The methods they use vary, from injecting into game clients and reading memory directly to basic keylogging, but the end result is the same... u get pwned. Once they have your details, those are sent back to a remote location and eventually sold to the highest bidder. After that, you may find your gold gone and your toon naked upon your next login (zomg! My purplz!1!!).
So what's the deal with Taterf? Simply put: it's rife. Taterf spreads by copying itself to the root of every fixed or removable drive on the infected system and ensures it gets executed by creating an 'autorun.inf' file there too. The autorun.inf file instructs Windows Explorer to run the worm whenever the drive is opened in Explorer. It's a pretty simple method, but it is very effective.
Oddly enough, we used to see worms using this method here and there a few years ago, but it never really caught on. Nowadays, however, it is much more effective: every time someone plugs a USB drive into a computer – infected; every time someone puts that drive into a computer connected to a network – infected; and so on. If you've mapped an infected drive over the network, that'll do it too. It's today's version of the old boot sector virus.
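If you are cleaning up after one of these, the first thing you want to know is what the autorun.inf on a given drive actually points at. The following triage helper is an added example (mine, not MSRT's code and not from the original post): it parses the [autorun] section the way Explorer reads it, lists the open=/shellexecute=/shell\<verb>\command= entries that cause something to run, and checks whether each target is an executable sitting in the drive root. The sample autorun.inf contents and the file name sample_worm.exe are constructed placeholders, not anything taken from a real sample; nothing is executed, the script only reads.

```python
"""Triage helper for the autorun.inf propagation trick described above.

Given a drive root (or just the text of an autorun.inf), it reports what
Explorer would be told to launch and flags the tell-tale pattern: an
executable sitting in the drive root, named by open= / shellexecute= /
shell\\<verb>\\command= keys.  Nothing is executed; it only reads.
All sample data below is constructed for the example.
"""
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2   # Win32 attribute bit; st_file_attributes exists only on Windows
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def parse_autorun(text: str) -> dict:
    """Lenient INI parse of the [autorun] section: {lower-cased key: value}.
    Worm-written files are often padded with junk lines, so anything that
    is not 'key=value' inside [autorun] is skipped rather than rejected."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: dict) -> list:
    """Keys that make Explorer run something: open=, shellexecute=, and any
    shell\\<verb>\\command= (hooking the Open/Explore verbs means a plain
    double-click on the drive icon runs the target)."""
    return [(k, v) for k, v in entries.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def first_token(cmd: str) -> str:
    """Program part of a command line ('"a b.exe" /x' -> 'a b.exe')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_drive_root(root) -> dict:
    """Inspect <root>/autorun.inf and the files it points at."""
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return {"autorun_present": False, "launches": [], "suspicious": False}
    launches = []
    for key, cmd in launch_targets(parse_autorun(inf.read_text(errors="replace"))):
        prog = first_token(cmd)
        target = root / prog
        attrs = getattr(target.stat(), "st_file_attributes", 0) if target.exists() else 0
        launches.append({
            "key": key,
            "command": cmd,
            "program": prog,
            "exists": target.exists(),
            "hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN),
            "executable_ext": Path(prog).suffix.lower() in EXEC_EXT,
        })
    # A legitimate install CD points at a setup program too, so treat
    # "executable in the root of a fixed/removable drive" as a lead for a
    # human to look at, not as a verdict.
    suspicious = any(h["executable_ext"] and h["exists"] for h in launches)
    return {"autorun_present": True, "launches": launches, "suspicious": suspicious}


# Constructed sample modelled on the pattern the post describes (not a real
# worm's file); the program name is a placeholder.
WORM_STYLE_INF = """[autorun]
open=sample_worm.exe
shell\\open\\Command=sample_worm.exe
shell\\explore\\Command=sample_worm.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# What a harmless autorun.inf on a photo CD might look like (constructed).
BENIGN_INF = """[autorun]
icon=setup.ico
label=Holiday photos
"""


def demo() -> dict:
    """Build a throw-away 'drive root' holding the worm-style file and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "autorun.inf").write_text(WORM_STYLE_INF)
        (root / "sample_worm.exe").write_bytes(b"MZ placeholder - not a program")
        return triage_drive_root(root)


if __name__ == "__main__":
    report = demo()
    for hit in report["launches"]:
        print(f"{hit['key']:<22} -> {hit['program']} "
              f"(exists={hit['exists']}, exec={hit['executable_ext']})")
    print("suspicious:", report["suspicious"])
```

Point it at a real drive root with triage_drive_root("E:\\") on the affected box; on Windows the "hidden" flag is also filled in, which is worth looking at because the dropped copy is commonly marked hidden/system so it doesn't show up in Explorer.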
Onto the numbers! After its first day in MSRT, Taterf components had been removed from over 700,000 machines! For comparison, Win32/Nuwar (aka 'Storm worm') was removed from less than half that in its first month. These are ridiculous numbers of infections, my friends, absolutely mind-boggling; many, many whelps. Frethog had proved to be as prevalent as we expected too, with detections on over 200,000 distinct machines.
After the first week of MSRT’s release the numbers looked like this:
Online game PWS family   Disinfected files   Distinct machines
Win32/Taterf                     2,342,399           1,269,098
Win32/Frethog                    1,374,911             652,625
Win32/Tilcun                       379,306             270,712
Win32/Ceekat                       355,400             249,717
Win32/Corripio                      72,628              58,560
Win32/Lolyda                        49,783              27,367
WinNT/Zuten                         33,344              21,669
Win32/Zuten                         24,565              17,643
... and when we separate by locale:
Country/Region     Disinfected files   Unique machines
China                      1,574,532           529,003
Taiwan                       567,128           279,428
Spain                        482,515           235,381
United States                469,595           213,374
Korea                        348,775           184,306
Turkey                       191,827           101,119
Mexico                       166,508            77,457
Russia                       110,134            54,645
France                       103,953            50,954
Japan                        102,836            50,936
All Other                    514,843           253,628
Yep, I know, pretty crazy. Considering the total downloads of MSRT were around 330 million by the end of said 'first week', my Companion Cube and I agree that the infection ratio is, in fact, ungood.
As a PC gamer (RPGs and first person shooters on consoles just seem wrong to me...), and somewhat of a performance junkie myself, I get why many gam0rz don't run AV. But seriously, a good AV product shouldn't affect your FPS that much (if you're chronically being pwned, don't blame your AV and FPS – just l2p). Also, many gamers are in a higher risk category: downloading dodgy copies of games and the cracks to match makes you much more likely to get infected (NEWSFLASH: not all cracks are actually cracks).
So how does one avoid being infected? Running an up-to-date anti-virus solution is a good start. Running an up-to-date, patched browser is another necessity – many of the Win32/Frethog trojans are installed via browser exploits (there have been instances in the past of links to malicious sites being posted to popular gaming forums – so be wary!). Enabling Automatic Updates helps a whole bunch too.
Disabling the Explorer 'autoplay' feature is useful in helping to avoid these problems. In Vista it's easily done via the Control Panel. On pre-Vista OSes (if you're admin) you can disable it globally by running 'gpedit.msc' -> Administrative Templates -> System. There are other ways, such as playing with the registry if you're pretty l337, or tools such as TweakUI. Of course, one can manually hold the 'Shift' key when inserting media to disable it, but then you have to remember stuff. You think you're safe, but infections can come from the most unlikely of places...
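Whichever route you take (Group Policy, TweakUI or the registry), what they all end up setting is the NoDriveTypeAutoRun bitmask under the Policies\Explorer key, and it is easy to end up with a value that still leaves some drive types enabled. Here is a small check, added as an example and not code from the original post: it decodes a value into the drive types that can still AutoRun and, on Windows, reads the live value. The bit meanings are the documented ones for NoDriveTypeAutoRun; 0x95 is used below as a weak example value (it is the number usually cited as the XP default, but treat that as an assumption and check your own box).

```python
"""Check the Explorer AutoRun policy the post says to turn off.

Group Policy's "Turn off Autoplay" (and the TweakUI/registry routes) end up
in the NoDriveTypeAutoRun value under
  HK{LM,CU}\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
Each set bit disables AutoRun for one drive type, so a weak setting is one
that leaves bits clear.  Example code, not part of the original post.
"""
import sys

# Bit -> drive type, as documented for NoDriveTypeAutoRun.
DRIVE_TYPE_BITS = {
    0x01: "unknown-type drives",
    0x04: "removable drives (USB sticks, floppies)",
    0x08: "fixed drives (hard disks)",
    0x10: "network drives (mapped shares)",
    0x20: "CD-ROM drives",
    0x40: "RAM disks",
    0x80: "drives of unrecognised type",
}
DISABLE_ALL = 0xFF        # the "all drive types" setting the post recommends
POLICY_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def autorun_enabled_types(value: int) -> list:
    """Drive types for which AutoRun is still allowed under this value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]


def is_hardened(value) -> bool:
    """True only if every drive type is covered (None = policy not set at all)."""
    return value is not None and not autorun_enabled_types(value)


def read_live_policy():
    """Return the effective NoDriveTypeAutoRun, or None if unset / not Windows.
    Machine policy (HKLM) takes precedence over user policy (HKCU)."""
    if sys.platform != "win32":
        return None
    import winreg
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
                value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
                return int(value)
        except OSError:
            continue
    return None


if __name__ == "__main__":
    live = read_live_policy()
    if live is None:
        print("NoDriveTypeAutoRun not set (or not on Windows): Explorer defaults apply")
    else:
        print(f"NoDriveTypeAutoRun = 0x{live:02X}, hardened = {is_hardened(live)}")
        for drive_type in autorun_enabled_types(live):
            print("  AutoRun still enabled for", drive_type)
```

This is a check, not an enforcer: if it reports drive types still enabled, go back to gpedit (or the Control Panel on Vista) and set the policy for all drives. Note that with 0x95 the fixed-drive and CD-ROM bits are clear, which is exactly the gap a worm dropping itself on every fixed drive is happy to use.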
Holding out belief in the cake’s existence,
Matt McCormack
[The cake is a lie. -- Jimmy Kuo]