Microsoft reports mass cleanup of gaming password stealers

The latest Microsoft Malicious Software Removal Tool (MSRT) has deleted online game password-stealing malware from some two million machines, the company said.

The most frequently detected threat is a China-based worm known as Taterf, part of the Frethog family, Matt McCormack, a spokesman in Microsoft's Malware Response Center, wrote in a blog post Friday.

The worm steals gaming credentials either through traditional keylogging or by injecting itself into game clients and reading memory, McCormack said. It is executed when an unsuspecting user views a malicious website, and spreads by copying itself to the root of all fixed or removable drives on the infected system.

"Once they have your details, they are sent back to a remote location and are eventually sold to the highest bidder," McCormack said. "After that, you may find your [virtual] gold gone...on your next login."

Jamz Yaneza, a threat researcher with anti-malware firm Trend Micro, said password-stealing worms and trojans for online games are becoming more common because logins hold real-world value.

"There's a huge underground market for these accounts," he said. "There's real cash being used there. You have to pay some form of membership. And it's like getting an upgrade on an airline. You gotta pay a few bucks to get more stuff."

Many of the attack scenarios take advantage of social engineering and uneducated users, Yaneza said.

For example, the widespread Adobe Flash exploit, uncovered last month, was taking advantage of a previously patched vulnerability and was delivering a trojan aimed at stealing World of Warcraft account information.

"People never see [these password stealers] installed on their desktop, and not many people patch on time," he said. "It's not just the operating system under attack, it's now an attack on applications."

One day after the latest MSRT was released with the June 10 security updates, it removed the Taterf worm from more than 700,000 machines. By week's end, that number was up to 1.3 million.

"For comparison, [the Storm Worm] was removed from less than half that in its first month," McCormack said. "These are ridiculous numbers of infections, my friends, absolutely mind-boggling."

Many of the infections are occurring outside of the United States, mainly in China, where multi-player games, such as Legend of Mir, are popular. Still, in its first week, the tool found about 215,000 machines in the United States infected with password-stealing malware.
