11 Apr The Winnti honeypot - luring intruders Dmitry Tarakanov
11 Apr Winnti FAQ. More than just a game GReAT
29 Sep Compromise of gaming servers David
01 Jul High profile hacking Costin Raiu
During our research on the Winnti group we discovered a considerable amount of Winnti samples targeting different gaming companies. Using this sophisticated malicious program cybercriminals gained remote access to infected workstations and then carried out further activity manually.
Naturally, we were keen to find out how the malicious libraries spread across a local network. To do so, we tracked the attackers' activity on an infected computer.
At the beginning of the investigation we ran the malicious programs on a virtual machine, which worked fairly well - we even spotted some cybercriminal activity. But the attackers quickly realized it wasn't a computer they wanted to net. Once that was the case, the attackers' servers stopped responding to requests from bots running on virtual machines.
This is what we managed to learn at this stage of our monitoring.
First of all, the perpetrators looked at what was happening on the victim's desktop. After that they enabled the remote command line and used it to browse the root folder of the current disk, search for the file winmm.dll, and check the operating system version. The ListFileManager plugin then came into play. It works with the file system, and the attackers used it to browse the folders C:\Windows and C:\Work. Then they tried to restart the computer, but made a mistake in the parameters of the shutdown command, having typed shutdown /t /r 1 (the computer should have been restarted in 1 second). After a while they shut the computer down completely with the correct command shutdown /s /t 1.
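The two shutdown invocations above are exactly the kind of artifact a defender can pick out of process-creation telemetry. The following is an added example, not code from the original post or from Kaspersky Lab: it parses a constructed, hypothetical process-creation log (one event per line: timestamp, host, parent image, command line) and flags shutdown.exe runs that are malformed, as in the attackers' first attempt, or that use a very short timeout, as in their second. The log lines, host names and parent images are invented for illustration; only the two command lines come from the post.

```python
"""Flag suspicious shutdown.exe invocations in a process-creation log.

Hypothetical log format (constructed for this example, not a real product's):
    <timestamp>|<host>|<parent_image>|<command_line>
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events. Only the two shutdown command lines are taken
# from the honeypot observation; everything else is invented.
SAMPLE_LOG = """2013-04-10T14:02:11Z|ws-17|C:\\Windows\\explorer.exe|cmd.exe /c ver
2013-04-10T14:03:40Z|ws-17|C:\\Windows\\explorer.exe|dir C:\\
2013-04-10T14:05:02Z|ws-17|C:\\Windows\\System32\\cmd.exe|shutdown /t /r 1
2013-04-10T14:09:27Z|ws-17|C:\\Windows\\System32\\cmd.exe|shutdown /s /t 1
2013-04-10T17:30:00Z|ws-17|C:\\Windows\\explorer.exe|shutdown /r /t 300 /c "patch reboot"
"""

ACTION_FLAGS = {"r": "reboot", "s": "shutdown", "a": "abort", "l": "logoff",
                "h": "hibernate", "p": "poweroff"}
VALUE_FLAGS = {"t", "c", "m", "d"}     # flags that consume the next token
NOARG_FLAGS = {"f", "?", "i", "e", "o"}  # flags that take no value
DEFAULT_TIMEOUT = 30                   # shutdown.exe's documented default for /t
SHORT_TIMEOUT = 10                     # tunable threshold, an assumption of this example


@dataclass
class ShutdownInvocation:
    action: Optional[str]
    timeout: Optional[int]
    malformed: bool
    reasons: List[str]


@dataclass
class Finding:
    timestamp: str
    host: str
    parent_image: str
    command_line: str
    invocation: ShutdownInvocation


def parse_shutdown_args(command_line: str) -> Optional[ShutdownInvocation]:
    """Return a parsed invocation if the command runs shutdown.exe, else None."""
    tokens = shlex.split(command_line, posix=False)
    if not tokens:
        return None
    image = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in ("shutdown", "shutdown.exe"):
        return None

    action, timeout, reasons = None, None, []
    args = tokens[1:]
    i = 0
    while i < len(args):
        tok = args[i]
        is_flag = tok.startswith(("/", "-"))
        flag = tok.lstrip("/-").lower() if is_flag else None
        if flag in ACTION_FLAGS:
            if action is not None:
                reasons.append(f"conflicting actions {action} and {ACTION_FLAGS[flag]}")
            action = ACTION_FLAGS[flag]
        elif flag in VALUE_FLAGS:
            # A value flag whose next token is another flag (or nothing) is malformed,
            # which is precisely what "shutdown /t /r 1" looks like.
            if i + 1 >= len(args) or args[i + 1].startswith(("/", "-")):
                reasons.append(f"/{flag} missing its value")
            else:
                value = args[i + 1]
                i += 1
                if flag == "t":
                    if value.isdigit():
                        timeout = int(value)
                    else:
                        reasons.append(f"/t value {value!r} is not numeric")
        elif flag in NOARG_FLAGS:
            pass
        elif is_flag:
            reasons.append(f"unknown flag {tok}")
        else:
            reasons.append(f"stray argument {tok!r}")
        i += 1
    return ShutdownInvocation(action, timeout, bool(reasons), reasons)


def find_suspicious_shutdowns(log_text: str) -> List[Finding]:
    """Flag malformed invocations and reboot/shutdown with a very short timeout."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, host, parent, cmdline = line.split("|", 3)
        inv = parse_shutdown_args(cmdline)
        if inv is None:
            continue
        effective_timeout = inv.timeout if inv.timeout is not None else DEFAULT_TIMEOUT
        short = inv.action in ("reboot", "shutdown") and effective_timeout < SHORT_TIMEOUT
        if inv.malformed or short:
            findings.append(Finding(timestamp, host, parent, cmdline, inv))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_shutdowns(SAMPLE_LOG):
        print(f.timestamp, f.host, f.command_line, f.invocation.reasons or "short timeout")
```

The benign maintenance reboot with a 300-second timeout and a comment is not reported, while both honeypot command lines are. In practice the threshold and the parent-image context (a remote shell spawned by an unexpected process) would be tuned to the environment; the parser itself is the reusable part.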
Today Kaspersky Lab's team of experts published a detailed research report that analyzes a sustained cyberespionage campaign conducted by the cybercriminal organization known as Winnti.
According to the report, the Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active.
The group's objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The attackers' favorite tool is the malicious program we called "Winnti". It has evolved since its first use, but all variants can be divided into two generations: 1.x and 2.x. Our publication describes both variants of this tool.
In our report we publish an analysis of the first generation of Winnti.
The second generation (2.x) was used in one of the attacks which we investigated during its active stage, helping the victim to interrupt data transfer and isolate infections in the corporate network. The incidents, as well as results of our investigation, are described in the full report (PDF) on the Winnti group.
The Executive Summary is available here.
Is this research about a gaming Trojan from 2011? Why do you think it is significant?
This research is about a set of industrial cyberespionage campaigns and a criminal organization which massively penetrates many software companies and plays a very important role in the success of cyberespionage campaigns of other malicious actors.
It is important to be aware of this threat actor to understand the broader picture of cyberattacks coming from Asia. Having infected gaming companies that do business in the MMORPG space, the attackers potentially get access to millions of users. So far, we don't have data that the attackers stole from common users, but we do have at least 2 incidents where the Winnti malware was planted on online game update servers and these malicious executables were spread among a large number of online gamers. The samples we observed seemed not to be malware targeting end-user gamers, but a malware module which accidentally got into the wrong place. However, the potential for attackers to misuse such access to infect hundreds of millions of Internet users creates a major global risk.
It's important to understand that many gaming companies do business not only in gaming, but very often they are also developers or publishers of other types of software. We have tracked an incident where a compromised company served an update of their software which included a Trojan from the Winnti hacking team. That became an infection vector to penetrate another company, which in turn led to a personal data leak affecting a large number of its customers.
So far, this research is dedicated to a malicious group that not only undermines trust in fair gameplay but has a serious impact on trust in software vendors in general, especially in the regions where the Winnti group is active at the moment.
What are the malicious purposes of this Trojan?
The Trojan, or to be precise, a penetration kit called Winnti includes various modules to provide general purpose remote access to compromised machines. This includes general system information collection, file and process management, creating chains of network port redirection for convenient data exfiltration and remote desktop access.
Is this attack still active?
Yes, despite active steps to stop the attackers by the revocation of digital certificates, detection of the malware and an active investigation, the attackers remain active, with at least several victim companies around the world being actively compromised.
A report yesterday suggested that a hacked server used by employees at Novell, Inc. was employed to scan large numbers of machines worldwide.
Of course, Novell is not the first company to fall victim to hackers, nor will it be the last: it's just the latest in a long line over recent years.
It seems that the hacked server ran a mail server for a gaming site called 'Neticus.com'. The main web page for the game was hosted on a separate server, also belonging to Novell. Novell insists that the machine conducting the scans and the game web site lay outside the corporate firewalls.
We live in a world where online games are increasingly being subverted to distribute malicious code, as previously reported on viruslist.com. So the compromise of servers belonging to a major software vendor is of great concern.
I've never played the popular online game "The Legend of Mir". According to some of my friends - who are big fans - I'm really missing out. Yet I may soon have to take a look and see it for myself, to understand what is driving hundreds of thousands of players to desperate measures, even going so far as to kill each other, in real life, over virtual property connected with the game.
All popular places and flourishing economies attract the attention of the bad guys. So it's no surprise that online gaming sites, which sometimes receive as many as a hundred thousand visits a day, make excellent vectors to deliver malware.
During the past month, at least two high profile Korean websites, www.msn.co.kr and www.koreabaseball.or.kr have been hacked and turned into malware distribution points.
Earlier today, our Korean colleagues from Geot informed us that the trend is continuing. Worse, attacks directed at turning popular websites into malware distribution points are on the rise. A couple of websites which act as portals for the players of the online games Lineage, Hangame and Pmang have been hacked and turned into malware distribution points. The malware in question is Trojan-PSW.Win32.Turtle.a and Backdoor.Win32.GrayBird.bs. Both of them were being deployed through a set of scripts which attempted to exploit various Internet Explorer vulnerabilities - a standard approach.
For the time being, the websites have been cleaned and properly secured against future attacks; however, we are expecting more attacks directed at online gaming portals, especially in Korea but also worldwide.
If you are the administrator of a popular website, keep this in mind: the amount of attention you receive from the bad guys will be directly proportional to the number of visitors to your site.