In a previous blog, I mentioned a family of malware named Dogrobot, which attempts to penetrate the protection offered by particular hardware that is widely used in Internet cafés in China. Interestingly, we recently discovered a trojan, TrojanDownloader:Win32/Chekafe.A, that checks whether an affected machine is in an Internet café or not. If the affected machine is not from an Internet café , it sends the MAC address of the affected machine to a remote server.
 
Leading me to ask two questions:

  • How does it check if the affected host is in an Internet café or not?
  • Why does it require this particular information?

For the first question, the answer is very simple. The malware checks for the presence of the following processes:

BarClientView.exe
Barclient.exe
EWay.exe
NBClient.exe
NxpAuxSvc.exe
clsmn.exe
mzdclient.exe

 
These processes are related to popular administration software used in Internet cafés in China.  If any of these processes are found, obviously, the affected system is most likely from an Internet café.
 
Now, the second question, why does it check for this? I pondered this for a while until I further investigated the samples that Chekafe downloads. I found most of the downloaded samples were password stealing trojans, including: PWS:Win32/Lolyda.AU, PWS:Win32/OnLineGames.FR, and PWS:Win32/OnLineGames.GP. Combined with the fact that it is sending the MAC address information, I realized that this kind of checking may be related to attempts to defeat an account protection mechanism -- MAC address binding.
 
Some popular online games offer the user MAC binding protection - the account can only be logged in from a certain computer (with a unique  MAC address). If the affected machine is from an Internet café, most likely the user won’t enable the MAC address binding for the account since they may not always use the same machine.
 
Otherwise, Win32/Chekafe.A sends the MAC address information so they can forge the same MAC address to bypass MAC address binding protection.
 
-Chun Feng