Greet1ngs,

As you all probably know by now, this month in MSRT was a very significant release for Gamers everywhere with the addition of a variety of password stealers directly targeting Online games. The main targets are mostly based in Eastern Asia (Lineage Online, Legend Of Mir, ZT Online just to name a few), but World of Warcraft and Valve’s Steam client are high on the hit-list too – you didn’t escape that easily.       

The main offender in this motley crew of badness is Win32/Taterf. Taterf has been running hot the last few months, constituting over 80% of the April and May Wildlists. The worm itself is actually a mutation of Win32/Frethog, being based off the same source code. Frethog is just a drop in the ocean of malware we’re seeing coming out of China nowadays, many of which are targeting online games.

What do they do? Taterf, Frethog and their ilk are designed to steal your online game login details. The methods they use vary; from injecting into game clients and reading memory directly, to basic keylogging - but the end result is the same...  u get pwned. Once they have your details, they are sent back to a remote location and are eventually sold to the highest bidder. After that, you may find your gold gone and toon naked upon your next login (zomg! My purplz!1!!).

So what’s the deal with Taterf? Simply put: it’s rife. Taterf spreads by copying itself to the root of all fixed or removable drives on the infected system and ensures it gets executed by creating an ‘autorun.inf’ file in there too. The autorun.inf file is instructed to execute the worm, whenever the directory is viewed using Windows Explorer. It’s a pretty simple method but is very effective.

Oddly enough, we used to see Worms using this method here and there a few years ago, but it never really caught on. Now days however it is much more effective; every time someone plugs a USB drive in a computer – infected, every time someone puts that drive into a computer connected to a network – infected, and so on. If you’ve mapped an infected drive over the network, that’ll do it too. It's today's version of the old boot sector virus.

Onto the numbers! After its first day in MSRT, Taterf components had been removed from over 700,000 machines! For comparison, Win32/Nuwar (aka ‘Storm worm’) was removed from less than half that in its first month. These are ridiculous numbers of infections my friends, absolutely mind-boggling; many, many whelps. Frethog had proved to be as prevalent as we expected too, with detections on over 200,000 distinct machines.

After the first week of MSRT’s release the numbers looked like this:

Online game PWS family

Disinfected files

Distinct machines

Win32/Taterf

2,342,399

1,269,098

Win32/Frethog

1,374,911

652,625

Win32/Tilcun

379,306

270,712

Win32/Ceekat

355,400

249,717

Win32/Corripio

72,628

58,560

Win32/Lolyda

49,783

27,367

WinNT/Zuten

33,344

21,669

Win32/Zuten

24,565

17,643

... and when we separate by locale:

Country/Region

Disinfected files

Unique machines

China

1,574,532

529,003

Taiwan

567,128

279,428

Spain

482,515

235,381

United States

469,595

213,374

Korea

348,775

184,306

Turkey

191,827

101,119

Mexico

166,508

77,457

Russia

110,134

54,645

France

103,953

50,954

Japan

102,836

50,936

All Other

514,843

253,628

Yep, I know, pretty crazy. Considering the total downloads of MSRT were around 330 million by the end of said 'first week', my Companion Cube and I agree that the infection ratio is, in fact, ungood.

 As a PC gamer (RPGs and First Person Shooters on consoles just seems wrong to me...), and somewhat of a performance junkie myself, I get why many gam0rz don’t run AV. But seriously, a good AV product shouldn’t affect your FPS that much (if you’re chronically being pwned, don’t blame your AV and FPS - just l2p). Also, many gamers are in a higher risk category – downloading dodgy copies of games and the cracks to match, make you much more likely to get infected (NEWSFLASH: Not all cracks are actually cracks).

So how does one avoid being infected? Running an up-to-date anti-virus solution is a good start. Running an up-to-date, patched browser is another necessity – many of the Win32/Frethog trojans are installed via browser exploits (there have been instances in the past of links to malicious sites being posted to popular gaming forums – so be wary!). Enabling Automatic Updates helps a whole bunch too.

Disabling the Explorer ‘autoplay’ feature is useful in helping to avoid these problems. In Vista it’s easily done via the Control Panel. On Pre-Vista OS’ (if you’re admin) you can disable it globally by running ‘gpedit.msc’ -> administrative templates -> System. There are other ways – such as playing with the registry if you’re pretty l337, or tools such as TweakUI. Of course, one can manually hold the ‘Shift’ key when inserting media to disable it, but then you have to remember stuff. You think you’re safe, but infections can come from the most unlikely of places....

Holding out belief in the cake’s existence,

Matt McCormack

 [The cake is a lie.  --  Jimmy Kuo]