Monday, August 11, 2008 9:35 PM
by
mmpc
MMPC @ Gamefest 2008

I had the privilege of presenting a couple of weeks ago at Gamefest 2008, a Microsoft-sponsored technical conference targeted at the games industry. I spoke about game password stealers: what they do, which games are targeted by which families, the behaviors of those families, prevalence, number of variants and so on. This is a completely different type of audience than the security folks to whom I usually present, and it was a very refreshing change of pace. These were sharp, savvy technologists who are committed to a great experience for their customers and who push the limits every day. In other words, these are my kind of folks.
As we've talked about these before on this blog, I thought I'd provide some updated numbers. Thanks to inclusion in the Malicious Software Removal Tool (MSRT), we have been able to remove more than 7.6 million game password stealers. These trojans target an array of games and game-related sites including Lineage, World of Warcraft, Legend of Mir, MapleStory, ZhengTu, Perfect World, QQ and many others. Some of them don't stop at game credentials; they also steal credentials for various web sites. These are not all of the malware families that steal passwords, but even so we see a significant amount of activity in this space, more than from the threats that tend to make the news.
| Family   | Removals  |
|----------|-----------|
| Taterf   | 4,088,366 |
| Frethog  | 2,080,441 |
| Tilcun   | 972,016   |
| Ceekat   | 607,210   |
| Zuten    | 120,615   |
| Lolyda   | 113,088   |
| Corripio | 84,264    |
| Storark  | 4,059     |
What's also interesting is the geographic distribution. Looking at Win32/Frethog and Win32/Taterf as examples, a large share of the infections are in Chinese locales (the majority of Frethog removals come from the Chinese (PRC) locale, and Chinese (Taiwan) is the second largest locale for Taterf), where gaming is often done at Internet cafes or on other public terminals. Remember: if you can't trust the machine, you probably shouldn't enter any credentials you aren't willing to lose. This is not to suggest that public terminals are to blame for password stealers; they merely represent an opportunity for an attacker to compromise many accounts from a single infected machine. Folks who run these terminals should ensure that they are always current on security updates, that they are running up-to-date antivirus software, and that a firewall is in place and active. It would also be a best practice to prevent customers from installing software or, if that is not practical for the business, to revert to a known clean state at the end of each session through the use of virtualized images. If you do use virtualized images as a method of maintaining a known state, make sure to keep those images current on security updates as well as antivirus definitions as part of your ongoing maintenance; an image that is restored but never patched just reintroduces the same vulnerable software every session.
| Frethog removals by locale        | Count     |
|-----------------------------------|-----------|
| Chinese (PRC)                     | 1,237,026 |
| English (United States)           | 203,776   |
| Chinese (Taiwan)                  | 144,223   |
| Spanish (Spain, Modern Sort)      | 91,200    |
| Japanese (Japan)                  | 50,416    |
| Russian (Russia)                  | 46,330    |
| Spanish (Mexico)                  | 45,741    |
| Korean (Korea)                    | 39,975    |
| Turkish (Turkey)                  | 35,467    |
| French (France)                   | 28,311    |
| Arabic (Saudi Arabia)             | 22,994    |
| Portuguese (Brazil)               | 16,072    |
| Chinese (Hong Kong SAR, PRC)      | 12,899    |
| English (United Kingdom)          | 11,835    |
| Arabic (Egypt)                    | 8,976     |
| Polish (Poland)                   | 7,313     |
| Spanish (Spain, Traditional Sort) | 5,247     |
| Italian (Italy)                   | 5,098     |
| German (Germany)                  | 4,411     |
| Thai (Thailand)                   | 4,095     |
| All Other                         | 59,036    |
| Total                             | 2,080,441 |

| Taterf removals by locale         | Count     |
|-----------------------------------|-----------|
| English (United States)           | 621,697   |
| Chinese (Taiwan)                  | 603,266   |
| Spanish (Spain, Modern Sort)      | 598,275   |
| Korean (Korea)                    | 465,460   |
| Spanish (Mexico)                  | 331,434   |
| Turkish (Turkey)                  | 253,631   |
| Russian (Russia)                  | 167,217   |
| French (France)                   | 152,916   |
| Portuguese (Brazil)               | 139,240   |
| Japanese (Japan)                  | 96,757    |
| Polish (Poland)                   | 86,588    |
| Arabic (Saudi Arabia)             | 77,856    |
| Spanish (Spain, Traditional Sort) | 42,328    |
| Italian (Italy)                   | 33,673    |
| English (United Kingdom)          | 32,270    |
| Chinese (PRC)                     | 28,983    |
| Spanish (Venezuela)               | 26,868    |
| Chinese (Hong Kong SAR, PRC)      | 26,838    |
| Spanish (Peru)                    | 24,341    |
| Portuguese (Portugal)             | 23,739    |
| All Other                         | 254,989   |
| Total                             | 4,088,366 |
In my session I also emphasized that security doesn't end at RTM and that there are many things developers should be thinking about. I suggested a number of things that can help improve the security of their platforms overall:

- secure your portal;
- don't build insecure features like "save your password";
- validate your process space to detect injected code;
- fuzz your protocols;
- don't ship symbols broadly, even in beta;
- validate IP location;
- don't create your own encryption or compression algorithms;
- leverage telemetry to spot things that are not "normal".
While there is a clear positive impact from MSRT based on conversations I had with Gamefest participants, it is probably not the best business strategy to rely on cleanup after the fact. Because of this, many game ISVs are looking to other approaches to protect their platforms. For example, one major vendor has moved to two-factor authentication, a great move as it raises the bar against these password stealers by requiring a physical token to log on in addition to the password. While multifactor authentication is good, there are also a number of other ways to improve security behind the scenes. One method is to figure out what is "normal" for a user by watching the IP address from which they log in and at what time. If you see that Jimmy has logged on consistently at 4pm Pacific every Wednesday from a computer in the U.S. and suddenly you see him logging on at 2am Pacific from Malaysia, you might classify that as out of the ordinary and step up to a challenge rather than silently accepting the password. In fact, you could take it a step farther and offer your users controls that only allow them to log in from specific machines; users who only use one or a few machines and are security minded might find this a welcome option. If you have ActiveX controls that have vulnerabilities, update them and request that the Microsoft Security Response Center (MSRC) apply a killbit to the old version. A killbit is the 0x400 Compatibility Flags value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, and it stops Internet Explorer from instantiating that CLSID, so the fixed control must ship under a new CLSID or it will be blocked as well. Don't know if your ActiveX controls or binaries are vulnerable? Take the advice of my colleague Dave Weinstein from SWI, who also presented at Gamefest, and fuzz them (because the bad guys do…). At a minimum, check whether there is an associated CVE for any of your components or dependencies. And, of course, when you find that your business is being harmed by password stealers (which are probably generating support calls that cost you money in addition to any other damages), you can work with law enforcement. The security of your platform does not end when you release. You must continue to be vigilant and protect your assets and your customers.
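A sketch of the "what is normal for this user" check described above, as an added example that is not code from the original post or from any game vendor. It builds a per-user baseline (countries seen, login hours, most recent login) from constructed sample telemetry, scores a new login against that baseline, treats a country change within a few hours as impossible travel, and enforces an opt-in device allow-list for users who want the "only my machines" option. The HISTORY records, the DEVICE_LOCK table, the eight-hour travel window and the two-hour slack are all assumptions for illustration; a real service would geolocate the source IP with a GeoIP database rather than carry a country field in the log, and would size the thresholds from its own data.

```python
"""Login-anomaly scoring against per-user baselines (illustrative example).

Not code from the original post or from any game vendor. All records,
tables and thresholds below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample telemetry: (user, UTC timestamp, country, device id).
# "jimmy" logs in every Wednesday around 23:00 UTC (4pm Pacific in July)
# from the US; "sara" logs in mornings from Germany and France.
HISTORY = [
    ("jimmy", "2008-07-02T23:02:00Z", "US", "dev-a1"),
    ("jimmy", "2008-07-09T23:05:00Z", "US", "dev-a1"),
    ("jimmy", "2008-07-16T22:58:00Z", "US", "dev-a1"),
    ("jimmy", "2008-07-23T23:10:00Z", "US", "dev-b7"),
    ("sara",  "2008-07-20T09:00:00Z", "DE", "dev-c3"),
    ("sara",  "2008-07-21T10:30:00Z", "DE", "dev-c3"),
    ("sara",  "2008-07-22T08:45:00Z", "FR", "dev-c3"),
]

# Users who opted in to "only my machines" get a hard device allow-list
# (assumed opt-in table, not a real vendor feature).
DEVICE_LOCK = {"jimmy": {"dev-a1", "dev-b7"}}


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baselines(records):
    """Summarize each user's history: countries, login hours, last login."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "last": None})
    for user, ts, country, _device in records:
        when = parse_ts(ts)
        b = base[user]
        b["countries"].add(country)
        b["hours"].add(when.hour)
        if b["last"] is None or when > b["last"][0]:
            b["last"] = (when, country)
    return dict(base)


def hour_near(hour, seen, slack=2):
    """True if `hour` is within `slack` hours of any seen hour (wrapping midnight)."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= slack for h in seen)


def score_login(baselines, user, ts, country, device, travel_hours=8):
    """Return (verdict, reasons); verdict is 'allow', 'challenge' or 'deny'.

    A device outside an opted-in user's allow-list is a hard deny. A country
    change faster than `travel_hours` (impossible travel) or two or more soft
    signals (new country, unusual hour) escalates to a challenge, e.g. a
    second factor. Everything else is allowed, with any single soft signal
    reported so it can be logged.
    """
    when = parse_ts(ts)
    b = baselines.get(user)
    if b is None:
        return ("challenge", ["no baseline for user"])
    if user in DEVICE_LOCK and device not in DEVICE_LOCK[user]:
        return ("deny", [f"device {device} not in user's allow-list"])

    reasons = []
    if country not in b["countries"]:
        reasons.append(f"new country {country}")
    if not hour_near(when.hour, b["hours"]):
        reasons.append(f"unusual hour {when.hour:02d}:00 UTC")

    last_when, last_country = b["last"]
    gap_hours = abs((when - last_when).total_seconds()) / 3600
    if last_country != country and gap_hours < travel_hours:
        reasons.insert(0, f"{last_country}->{country} in {gap_hours:.1f}h")
        return ("challenge", reasons)
    if len(reasons) >= 2:
        return ("challenge", reasons)
    return ("allow", reasons)


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    # Jimmy's usual Wednesday login, then "2am Pacific from Malaysia" (09:00 UTC).
    print(score_login(baselines, "jimmy", "2008-07-30T23:01:00Z", "US", "dev-a1"))
    print(score_login(baselines, "jimmy", "2008-07-24T09:00:00Z", "MY", "dev-a1"))
    print(score_login(baselines, "jimmy", "2008-07-30T23:01:00Z", "US", "dev-z9"))
    print(score_login(baselines, "sara", "2008-07-22T12:00:00Z", "DE", "dev-c3"))
```

The point of the split between "challenge" and "deny" is that the soft signals (new country, odd hour) are noisy on their own, so they should trigger a step-up rather than a lockout; only the signal the user explicitly asked for (the device allow-list) is strong enough to refuse outright.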
If you are a company impacted by a password stealer (PWS) and can quantify the impact, let us know and we will review your data as part of our MSRT family selection process. We're happy to work with you to help protect our mutual customers.
--Jeff Williams
[It’s true. I’ve yet to visit Malaysia. -- Jimmy Kuo]