Microsoft reports mass cleanup of gaming password stealers

June 23, 2008
The latest Microsoft Malicious Software Removal Tool (MSRT) has deleted online game password-stealing malware from some two million machines, the company said.

The threat appearing the most is a China-based worm known as Taterf, part of the Frethog family, Matt McCormack, a spokesman in Microsoft's Malware Response Center, wrote in a blog post Friday.

The worm steals gaming credentials either through traditional keylogging or by injecting itself into game clients and reading memory, McCormack said. It is executed when an unsuspecting user views a malicious website, and spreads by copying itself to the root of all fixed or removable drives on the infected system.
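The spreading behaviour described above, a worm copying itself to the root of every fixed or removable drive, leaves a pattern a defender can look for during triage: the same file sitting at the top level of several drives. The script below is an added example and is not code from the article, from Microsoft's MSRT, or from Trend Micro. It inventories executable-looking files at the top level of each given drive root (no recursion), records size and SHA-256, and flags any hash that appears on more than one root. The extension list, the constructed sample "drives", and the hidden-attribute check are assumptions made for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Extensions a dropped copy at a drive root would typically carry.
# Assumption for this example; the article names no file names or types.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".dll"}


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_hidden(path: Path) -> bool:
    """Hidden flag: Windows file attribute when available, dot-prefix elsewhere."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    hidden_bit = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
    return bool(attrs & hidden_bit) or path.name.startswith(".")


def inventory_drive_roots(roots):
    """Look only at the top level of each root and return a dict mapping
    path string -> {"size", "sha256", "hidden"} for executable-looking files."""
    findings = {}
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue  # unreadable or non-existent drive; skip rather than fail
        for entry in root.iterdir():
            if entry.is_file() and entry.suffix.lower() in EXECUTABLE_SUFFIXES:
                findings[str(entry)] = {
                    "size": entry.stat().st_size,
                    "sha256": sha256_of(entry),
                    "hidden": is_hidden(entry),
                }
    return findings


def same_file_on_multiple_roots(findings):
    """Group findings by hash; a hash present at more than one root is the
    footprint of something that copied itself to every drive."""
    by_hash = {}
    for path, info in findings.items():
        by_hash.setdefault(info["sha256"], []).append(path)
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def windows_drive_roots():
    """Enumerate existing drive roots (C:\\, D:\\, ...) on Windows; empty elsewhere."""
    if os.name != "nt":
        return []
    return [f"{c}:\\" for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ" if Path(f"{c}:\\").exists()]


def build_sample_roots():
    """Constructed sample: two fake 'drives' as temp dirs with the same
    executable at the root of both, plus files that should not be reported."""
    base = Path(tempfile.mkdtemp(prefix="drives_"))
    drive_c, drive_e = base / "C", base / "E"
    (drive_c / "Documents").mkdir(parents=True)
    drive_e.mkdir()
    payload = b"MZ" + b"\x00" * 64  # constructed stand-in for a dropped binary
    (drive_c / "update.exe").write_bytes(payload)
    (drive_e / "update.exe").write_bytes(payload)
    (drive_c / "notes.txt").write_bytes(b"plain text, not an executable")
    (drive_c / "Documents" / "setup.exe").write_bytes(b"below the root; not scanned")
    return [drive_c, drive_e]


if __name__ == "__main__":
    roots = windows_drive_roots() or build_sample_roots()
    found = inventory_drive_roots(roots)
    for path, info in sorted(found.items()):
        print(f"{path}\t{info['size']} bytes\thidden={info['hidden']}\t{info['sha256'][:16]}...")
    for digest, paths in same_file_on_multiple_roots(found).items():
        print(f"same file {digest[:16]}... present at {len(paths)} drive roots: {paths}")
```

On a Windows host the script walks the real drive letters; anywhere else it falls back to the constructed sample so it can be run offline. A hash seen on several roots is a lead for closer inspection, not a verdict: legitimate tooling can also be installed on more than one drive, so compare the hash against a known-good inventory before acting.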

"Once they have your details, they are sent back to a remote location and are eventually sold to the highest bidder," McCormack said. "After that, you may find your [virtual] gold gone...on your next login."

Jamz Yaneza, a threat researcher with anti-malware firm Trend Micro, said password stealing worms and trojans for online games are becoming more common because logins hold real-world value.

"There's a huge underground market for these accounts," he said. "There's real cash being used there. You have to pay some form of membership. And it's like getting an upgrade on an airline. You gotta pay a few bucks to get more stuff."

Many of the attack scenarios take advantage of social engineering and uneducated users, Yaneza said.

For example, the widespread Adobe Flash exploit, uncovered last month, was taking advantage of a previously patched vulnerability and was delivering a trojan aimed at stealing World of Warcraft account information.

"People never see [these password stealers] installed on their desktop, and not many people patch on time," he said. "It's not just the operating system under attack, it's now an attack on applications."

One day after the latest MSRT was released with the June 10 security updates, it removed the Taterf worm from more than 700,000 machines. By week's end, that number was up to 1.3 million.

"For comparison, [the Storm Worm] was removed from less than half that in its first month," McCormack said. "These are ridiculous numbers of infections my friends, absolutely mind-boggling."

Many of the infections are occurring outside of the United States, mainly in China, where multi-player games, such as Legend of Mir, are popular. Still, in its first week, the tool found about 215,000 machines in the United States infected with password-stealing malware.
