
Online Game Trojan



Presentation Transcript


  1. Online Game Trojan SecurityLabs.websense.com Hermes Li

  2. Contents
  1 Why game trojans are so popular
  2 The underground market operation
  3 Analysis of an online game trojan
  4 How to protect against trojans
  Download link http://ifile.it/7qmt3u8 (deepsec)

  3. Internet Status in China
  • Total internet users in China: 485 million, 36.2% of the total population
  • Internet users who encountered a trojan: 217 million, 44.7% of total internet users in China
  • Affected users: 121 million, 24.9% of total internet users in China, who once lost their account to a trojan attack
  Data from CNNIC, up to Jun 2011

  4. Online Game Players in China
  • Online gaming market: more than RMB 34.9 billion (EUR 4 billion)
  • Total number of game players: 311 million; active players: more than 120 million
  • Personal spending on online games: representative cost on average RMB 99 per player per month

  5. Normal Online Game Market (diagram): Outside Game / Inside Game

  6. Virtual Goods Selling Ads (ad screenshots, in Chinese characters)

  7. The Underground Market Operation
  Roles (diagram): Trojan Writer, Game Player, Account Retailer, Trojan Buyer
  Major target: Massively Multiplayer Online Role-Playing Games like World of Warcraft
  • 1 trojan = 100 RMB
  • 1 top-level sword > 10,000 RMB
  • 1000 accounts = 500 RMB

  8. Where Are Game Trojans From: Cracked Software, Malicious Websites, Social Networks, Personal Server, Cheating Programs

  9. How the Trojan Is Installed (diagram elements): Bad guy, Black SEO, Email, Social networks, IM chats, Crafted website, Compromised site, Trojan Downloader, Trojan, Victim Client, Account Data, Victim DB

  10. Analysis of a Game Trojan Framework
  • How to generate a trojan
  • The work process of the trojan
  • Source code of module components

  11. Detection Rate Example http://www.virustotal.com/file-scan/report.html?id=b2ddf6556b34879f57bed99ecca4620ebb5827afe3c05736b3cf803f617a0628-1318214118

  12. Generate Trojan (diagram): components Stolor.dll, DllHost.dll, IMEHost.dll; tools Generator.exe (to pack with upack) and AddNewSection.exe; output: packed trojan file

  13. Work Process (diagram)
  Trojan.exe drops C:\windows32\fonts\dbr01021.ttf, dbr01021.ocx, dbr99005.ocx and winnt.com (the stolor.dll, IMEhost.dll and dllhost.dll components), and runs against C:\windows\System32
  • Injected system files: comres.dll, ddraw.dll, dsound.dll

  14. 3 Modules to Monitor the Game
  • Release a fake font file as the config file
  • IME: register a fake Input Method and set it as default
  • Hook: call the API CreateRemoteThread or SetWindowsHookEx; hook the game exe's process and append a trojan dll thread
  • Infect: infect system dlls (dsound.dll, ddraw.dll, d3dx.dll, comres.dll) under the System folder, adding a new section

  15. Module Component (Hook) SetWindowsHookEx (DllHost.cpp)

  16. Module Component (Hook) CreateRemoteThread (Funcs.cpp)

  17. Module Component (IME) Append fake IME to system and set as default (IMEHost.cpp)

  18. Module Component (IME) Export Function (IMEHost.cpp IMEHost.def)

  19. Module Component (Infect) Kill game process and Infect system dll file (StoreMain.cpp)

  20. Module Component (Infect) Infect and encrypt the newly added section (Infect.cpp, Pecrypt.cpp)
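Slides 12, 14 and 20 describe the Infect module appending a new, encrypted section to system DLLs such as comres.dll or dsound.dll. As an added defender-side example (not from the presentation or its author), the Python below parses a PE section table and flags sections whose name is not a normal linker name, that are both writable and executable, or that are executable with near-random byte entropy; the PE image it scans is constructed in memory, so the `.dbr` section name and its byte pattern are stand-ins, not indicators taken from the deck.

```python
import math
import struct
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata", ".tls"}  # linker defaults

def entropy(blob: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted code sits close to 8.0."""
    probs = [blob.count(bytes([b])) / len(blob) for b in set(blob)]
    return -sum(p * math.log2(p) for p in probs)

def parse_sections(pe: bytes):
    """Yield (name, characteristics, raw bytes) for each entry in the PE section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    table = e_lfanew + 24 + struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # skip optional header
    for off in range(table, table + 40 * nsections, 40):
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        yield name, struct.unpack_from("<I", pe, off + 36)[0], pe[raw_ptr:raw_ptr + raw_size]

def suspicious_sections(pe: bytes, max_entropy: float = 7.0):
    """Return [(section name, reasons)] for sections that look like an appended payload."""
    flagged = []
    for name, chars, raw in parse_sections(pe):
        reasons = ["unknown name"] if name not in KNOWN_SECTIONS else []
        if chars & IMAGE_SCN_MEM_EXECUTE:
            if chars & IMAGE_SCN_MEM_WRITE:
                reasons.append("writable code")
            if entropy(raw) > max_entropy:
                reasons.append("high entropy")
        if reasons:
            flagged.append((name, reasons))
    return flagged

def build_pe(sections) -> bytes:  # constructed minimal PE32: valid headers, not loadable
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40)  # e_lfanew = 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + bytes(222)
    table, body, ptr = b"", b"", len(dos) + len(coff) + len(opt) + 40 * len(sections)
    for name, chars, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), ptr, len(raw), ptr, 0, 0, 0, 0, chars)
        body, ptr = body + raw, ptr + len(raw)
    return dos + coff + opt + table + body

SAMPLE_DLL = build_pe([  # constructed sample: ordinary code plus one appended RWX, high-entropy section
    (b".text", 0x60000020, b"\x55\x8b\xec\x83\xec\x10" * 40),
    (b".dbr", 0xE0000020, bytes((i * 97 + 31) % 256 for i in range(512))),  # stand-in for the encrypted payload
])
```

Running `suspicious_sections` over the bytes of the DLLs the deck names, read from the System folder, is the intended use; a clean Microsoft DLL should yield an empty list.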

  21. Special Functions AntiAV (AntiAV.cpp) AdjustPrivileges (Func.cpp)

  22. Special Functions Grid Authentication Crack (KickProc.cpp)

  23. Grid Authentication Crack grid card screen shots

  24. Special Functions Grid Authentication Crack (CapPic.cpp)

  25. More About All Trojans: Types of trojans; Advanced hiding technology; Anti-detection technology; Prediction solution

  26. Types of Trojans
  • APT Trojan: acts in Advanced Persistent Threats
  • Bank Trojan: steals bank accounts directly, real money damage
  • Game Trojan: hackers use it to steal game accounts and sell them for money
  • Common Trojan: back door program to monitor IM, email or other accounts, or a remote controller

  27. Advanced Hiding Technology: API Hook
  • Modify result lists (rootkit)
  • Hide file: monitor the system API ZwQueryDirectoryFile and remove itself from the file list
  • Hide process: hook the process-list API EnumProcesses and remove itself from the result

  28. Anti-Detection Tech: encryption, packer, obfuscation of core code

  29. Prediction Solution for Enterprise
  • Real-time security scan (both content and URL)
  • IP overblock / domain overblock
  • Outbound and inbound traffic scanning
  • Reputation score
  • Advanced detection

  30. Thank You! websenselab@gmail.com
