
I had the privilege of presenting a couple of weeks ago at Gamefest 2008, a Microsoft-sponsored technical conference targeted at the games industry. I spoke about game password stealers: what they do, which games are targeted by which families and the behaviors of those families, prevalence, number of variants and so on. This is a completely different type of audience from the security folks to whom I usually present, and it was a very refreshing change of pace. These were sharp, savvy technologists who are committed to a great experience for their customers and who push the limits every day. In other words, these are my kind of folks.

As we've discussed these before on this blog, I thought I'd provide some updated numbers. Thanks to their inclusion in the Malicious Software Removal Tool (MSRT) we have been able to remove more than 7.6 million game password stealers. These trojans target an array of games and game-related sites including Lineage, World of Warcraft, Legend of Mir, MapleStory, ZhengTu, Perfect World, QQ and many others. Some of these don't stop with game credentials but also target various web sites. This is not all of the malware families which steal passwords but, even so, we see a significant amount of activity in this space, even more so than the threats which tend to become news.

Family      Removals
Taterf      4,088,366
Frethog     2,080,441
Tilcun        972,016
Ceekat        607,210
Zuten         120,615
Lolyda        113,088
Corripio       84,264
Storark         4,059

What's also interesting is the geographic distribution. Looking at Win32/Frethog and Win32/Taterf as examples, we see the large majority of the infections in Chinese locales, where gaming is often done at Internet cafes or on other public terminals. Remember, if you can't trust the machine, you probably shouldn't input any credentials you aren't willing to lose. This is not to suggest that public terminals are to blame for password stealers; they merely represent an opportunity for an attacker to compromise many accounts. Folks who run these terminals should ensure that they are always current on security updates, that they are running up-to-date antivirus software, and that they have a firewall in place and active. It would also be a best practice to prevent customers from installing software or, if that is not practical for the business, to revert to a known clean state at the end of each session through the use of virtualized images. If you do use virtualized images as a method of maintaining a known state, make sure to keep those images up to date on security updates as well as antivirus definitions as part of your ongoing maintenance.

Frethog: 2,080,441 removals

Locale                               Removals
Chinese (PRC)                       1,237,026
English (United States)               203,776
Chinese (Taiwan)                      144,223
Spanish (Spain, Modern Sort)           91,200
Japanese (Japan)                       50,416
Russian (Russia)                       46,330
Spanish (Mexico)                       45,741
Korean (Korea)                         39,975
Turkish (Turkey)                       35,467
French (France)                        28,311
Arabic (Saudi Arabia)                  22,994
Portuguese (Brazil)                    16,072
Chinese (Hong Kong SAR, PRC)           12,899
English (United Kingdom)               11,835
Arabic (Egypt)                          8,976
Polish (Poland)                         7,313
Spanish (Spain, Traditional Sort)       5,247
Italian (Italy)                         5,098
German (Germany)                        4,411
Thai (Thailand)                         4,095
All Other                              59,036

Taterf: 4,088,366 removals

Locale                               Removals
English (United States)               621,697
Chinese (Taiwan)                      603,266
Spanish (Spain, Modern Sort)          598,275
Korean (Korea)                        465,460
Spanish (Mexico)                      331,434
Turkish (Turkey)                      253,631
Russian (Russia)                      167,217
French (France)                       152,916
Portuguese (Brazil)                   139,240
Japanese (Japan)                       96,757
Polish (Poland)                        86,588
Arabic (Saudi Arabia)                  77,856
Spanish (Spain, Traditional Sort)      42,328
Italian (Italy)                        33,673
English (United Kingdom)               32,270
Chinese (PRC)                          28,983
Spanish (Venezuela)                    26,868
Chinese (Hong Kong SAR, PRC)           26,838
Spanish (Peru)                         24,341
Portuguese (Portugal)                  23,739
All Other                             254,989

In my session I also emphasized that security doesn't end at RTM and that there are many things developers should be thinking about. I suggested a number of things which can help improve the security of their platforms overall, such as: secure your portal; don't have insecure features like "save your password"; validate your process space to prevent injection; fuzz your protocols; don't ship symbols broadly, even in beta; validate IP location; don't create your own encryption or compression algorithms; and leverage telemetry to spot things that are not "normal".

While there is a clear positive impact from MSRT, based on conversations I had with Gamefest participants, it is probably not the best business strategy to rely on cleanup after the fact. Because of this, many game ISVs are looking to other approaches to protect their platforms. For example, one major vendor has moved to two-factor authentication, a great move as it raises the bar against these password stealers by requiring a physical token to log on in addition to the password. While multifactor authentication is good, there are also a number of other ways to improve security behind the scenes. One method is to figure out what is "normal" for a user by watching the IP address from which they log in and at what time. If you see that Jimmy has logged on consistently at 4pm Pacific every Wednesday from a computer in the U.S. and suddenly you see him logging on at 2am Pacific from Malaysia, you might classify that as out of the ordinary. In fact, you could even take it a step further and offer your users controls that only allow them to log in from specific machines; users who only use one or a few machines and are security minded might find this a welcome option. If you have ActiveX controls which have vulnerabilities, update them and request that the MSRC apply a killbit to the old version. Don't know if your ActiveX controls or binaries are vulnerable? Take the advice of my colleague Dave Weinstein from SWI, who also presented at Gamefest, and fuzz them (because the bad guys do…). At a minimum, take a look to see if there is an associated CVE for any of your components or dependencies. And, of course, when you find that your business is being harmed by password stealers (which are probably generating support calls that cost you money in addition to any other damages), you can work with law enforcement. The security of your platform does not end when you release. You must continue to be vigilant and protect your assets and your customers.
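The "what is normal for this user" heuristic from the paragraph above, as an added example written for this post (it is not code from the original post or from any game vendor): it builds a per-account baseline from a constructed login history, scores a new login by country, device and local hour of day, and models the opt-in "only these machines" control as a device allow-list. It assumes timestamps are already in the user's home time zone and that a country code is available from geolocating the source IP.

```python
from collections import Counter
from datetime import datetime

# Constructed login history for one account (not real telemetry). Assumption:
# timestamps are in the user's home time zone (Pacific here) and the country
# code comes from geolocating the source IP address.
HISTORY = [
    ("2008-07-02 16:03", "US", "pc-home"),
    ("2008-07-09 16:10", "US", "pc-home"),
    ("2008-07-16 15:58", "US", "pc-home"),
    ("2008-07-23 16:05", "US", "pc-home"),
]

def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").hour

def build_baseline(history):
    """What is 'normal' for an account: counts of countries, devices, hours."""
    base = {"countries": Counter(), "devices": Counter(), "hours": Counter()}
    for ts, country, device in history:
        base["countries"][country] += 1
        base["devices"][device] += 1
        base["hours"][_hour(ts)] += 1
    return base

def score_login(base, ts, country, device, allowed_devices=None):
    """Return (score, reasons); higher means less like the baseline. allowed_devices
    models the opt-in 'only these machines' control: anything else is rejected."""
    if allowed_devices is not None and device not in allowed_devices:
        return 100, ["device not on the account's allow-list"]
    score, reasons = 0, []
    if country not in base["countries"]:
        score += 50
        reasons.append("new country %s" % country)
    if device not in base["devices"]:
        score += 20
        reasons.append("new device %s" % device)
    # Share of past logins within two hours of this one (wrapping at midnight).
    hour, total = _hour(ts), sum(base["hours"].values())
    near = sum(base["hours"][(hour + d) % 24] for d in range(-2, 3))
    if total and near / total < 0.1:
        score += 30
        reasons.append("unusual hour %02d:00" % hour)
    return score, reasons

def decide(score, step_up=40, block=80):
    """Map a score to an action: allow, ask for a second factor, or deny."""
    if score >= block:
        return "deny"
    return "step-up" if score >= step_up else "allow"
```

The thresholds and weights are illustrative; in practice they would be tuned against your own telemetry, with "step-up" feeding into the second-factor prompt rather than a hard denial.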

If you are a company impacted by a PWS (password stealer) and can quantify the impact, let us know and we will review your data as part of our MSRT family selection process. We're happy to work with you to help protect our mutual customers.
 
--Jeff Williams
 
[It’s true.  I’ve yet to visit Malaysia.  --  Jimmy Kuo]