This post is part one of two.

Popular games are often used by malware writers as social engineering bait as documented in previous blogs ("Dota Players Own3d" and "Keeping Kerrigan From Infection"). So, with a watchful eye for anything related to games used as an infection vector, we came across a couple of interesting files:

These files noted as being available through different torrent/file sharing websites.

The first file we found refers to Defense of the Ancients (DotA) 2, which is an update for the popular custom scenario map DotA for Warcraft III : The Frozen Throne. The second refers to Diablo III. Although the official release date for both games is still in 2012, beta versions are available for testers. However, the curiosity for these games seems to lead to other dangers, like in the wilderness of Diablo II (released in 2000 – more than a decade ago!). We played the previous versions of both Diablo and DotA, with and against each other (during our free time of course :) ).

The "fun" begins once the Pontoeb malware is executed. Pontoeb gathers power through obtaining information from the infected system, which it then sends back to a remote attacker. The information is gathered through a WMI query that retrieves data such as SerialNumber, SystemDrive, Operating system and processor architecture. But its ultimate goal is to morph the infected system into a zombie. It installs a backdoor where an attacker connects to in order to control the infected system and execute certain commands (for example, download a file, update itself, visit a website, and perform HTTP, SYN, and UDP flooding). A detailed description of what the malware does can be found in its encyclopedia description.

The second sample, Fynloski, which mimics the Diablo icon, is a remote access tool (RAT) that is used for malicious purposes, as outlined by our colleague Daniel here.

Figure 1: icon used by Fynloski

It's basically a backdoor trojan that gains access to almost all the resources and information in your computer; for example, it can log keystrokes, download and run arbitrary files, and disable security settings. More details about Fynloski are available in its encyclopedia description. But what really got our attention was the obfuscation technique that it uses, which we will discuss in our next post.

If you're running Microsoft Security Essentials, you're protected against these threats like you would be in Diablo if you have a Blade Barrier. And of course, if you want to continue enjoying your video games in a secure environment, please visit the official DotA and Diablo websites for the actual beta versions.

As always, enjoy playing and be vigilant! GG (Good Game) everyone!

--

Andrei && Francis


SHA1s used in this post:
803fbc9388203458060f354b0fd3ffe68c506275 – Backdoor:MSIL/Pontoeb.J
a3ca4151c31181a3b948b7cd6a1ef97754fcce22 – Backdoor:Win32/Fynloski.A