These threats are now predominantly occurring in the United States -- a shift from last June when they mostly were detected in China.
In one week, Microsoft's free Malicious Software Removal Tool (MSRT) cleaned more than 980,000 machines from the Taterf worm -- the top threat family this month, Scott Wu, a spokesman in Microsoft's Malware Response Center, wrote in a blog post Thursday. The worm steals gaming credentials either through keylogging or by injecting itself into game clients and reading memory.
The MSRT, released on the second Tuesday of each month, checks computers running Windows Vista, XP, 2000 and Windows Server 2003 for infections by prevalent malware and helps remove infections.
The second most detected and removed malware family this month is Frethog, another PWS, which MSRT cleaned off 316,971 machines in one week, Wu said.
Jamz Yaneza, a threat researcher with anti-malware firm Trend Micro, told SCMagazineUS.com that the motivation behind these threats is financial. Many online games have in-game currency or “game gold.” Portals to convert these various game currencies into real world cash have been available for some time.
Stolen game login credentials are similar to stolen banking passwords, since game currency can be turned into real cash, Yaneza said.
For several years, China and Korea have been the predominant locations where these threats have cropped up because games such as “Legends of Mir” and “Lineage” have large user bases there. But as of this month, the United States is the most prevalent region for PWS threats, with the most infected systems identified here.
Yaneza said this is because the rest of the world has caught up to the quality of online games produced in Asia in terms of graphics and story lines, which has prompted United States and Europe-based servers to be installed and development to increase to cater to these growing markets.
Taterf and Frethog were added to the MSRT detection list last June. Since then, Taterf has remained in the top five every month and Frethog only dropped off the list during November and December, Wu said.
Because of this, PWS threats appear to be more resilient than other threat families -- including rogue security software. The Win32/FakeSecSen rogue security software topped the MSRT list in November, then dropped in the rankings to number 20 the next month. Another threat in the rogue security software family,Win32/FakeXPA, hit number one in December then fell to number nine the following month, Wu said.
“Malware authors are busy updating Taterf and Frethog to make these threats highly polymorphic and to distribute variations of the same codebase to multiple criminal groups,” Wu said. “This month we still saw 17,070 different Taterf and 26,420 different Frethog files.”