
Online Game Trojan SecurityLabs.websense.com Hermes Li.


1 Online Game Trojan SecurityLabs.websense.com Hermes Li

2 Contents
- Why game trojans are so popular
- The underground market operation
- Analysis of an online game trojan
- How to protect against trojans
Download link: http://ifile.it/7qmt3u8 (deepsec)

3 Internet Status in China
- Total internet users in China: 485 million, 36.2% of the total population
- Internet users who have encountered a trojan: 217 million, 44.7% of total internet users in China
- Affected users: 121 million, 24.9% of total internet users in China, once lost their account to a trojan attack
Data from CNNIC, up to Jun 2011

4 Online Game Players in China
- Online gaming market: more than RMB 34.9 billion (EUR 4 billion)
- Total number of game players: 311 million; active players: more than 120 million
- Personal spending on online games: representative cost on average RMB 99 per player per month

5 Normal Online Game Market (diagram: inside game, outside game)

6 Virtual Goods Selling Ads (screenshot of ads, in Chinese)

7 The Underground Market Operation
Actors in the chain: Game Player, Account Retailer, Trojan Buyer, Trojan Writer
Major target: Massively Multiplayer Online Role-Playing Games like World of Warcraft
- 1 trojan = 100 RMB
- 1000 accounts = 500 RMB
- 1 top-level sword > 10,000 RMB

8 Where Are Game Trojans From
- Personal servers
- Cracked software
- Social networks
- Malicious websites
- Cheating programs

9 How the Trojan Is Installed (diagram)
The bad guy lures victims through a compromised site, black SEO, social networks, IM chats and email to a crafted website; the victim client picks up a trojan downloader, which fetches the trojan; the stolen account data is sent to the victim DB.

10 Analysis of a Game Trojan Framework
- How to generate a trojan
- The work process of the trojan
- Source code of module components

11 Detection Rate Example http://www.virustotal.com/file-scan/report.html?id=b2ddf6556b34879f57bed99ecca4620ebb5827afe3c05736b3cf803f617a0628-1318214118

12 Generate Trojan (diagram): Generator.exe combines Stolor.dll, IMEHost.dll, DllHost.dll and AddNewSection.exe into the packed trojan file, packed with upack

13 Work Process (diagram): Trojan.exe runs and injects into system files under C:\windows\System32 (comres.dll, ddraw.dll, dsound.dll, dbr01021.ocx, dbr99005.ocx, winnt.com, stolor.dll, IMEhost.dll, dllhost.dll); config file at C:\windows32\fonts\dbr01021.ttf

14 3 Modules to Monitor the Game
- Infect: infect system DLLs (dsound.dll, ddraw.dll, d3dx.dll, comres.dll) under the System folder by adding a new section
- IME: release a fake font file as the config file; register a fake Input Method and set it as default
- Hook: call the API CreateRemoteThread or SetWindowsHookEx; hook the game exe's process and append the trojan DLL thread

15 Module Component (Hook) SetWindowsHookEx (DllHost.cpp)

16 Module Component (Hook) CreateRemoteThread (Funcs.cpp)

17 Module Component (IME) Append fake IME to system and set as default (IMEHost.cpp)

18 Module Component (IME) Export Function (IMEHost.cpp IMEHost.def)

19 Module Component (Infect) Kill game process and Infect system dll file (StoreMain.cpp)

20 Module Component (Infect) Infect and encrypt the newly added section (Infect.cpp, Pecrypt.cpp)
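The Infect module on slides 14 and 20 appends a new section to system DLLs and points execution into it, and drops its config as a fake .ttf. The following is an added defender-side example, not the talk's code and not a sample from the trojan: a small PE section audit that flags an unexpected section name, a section that is both writable and executable, and an entry point that no longer sits in the first code section, plus a magic-number check for files in the Fonts folder that are not fonts. It uses only the Python standard library; the PE images are in-memory fixtures built by build_pe(), and the baseline section names are an assumption for illustration, not measured from real Windows DLLs.

```python
"""Added example, not the talk's code: a defender's PE section audit for the
infection pattern on slides 14 and 20 (a new section appended to system DLLs
such as dsound.dll/ddraw.dll/comres.dll, config dropped as a fake .ttf).
Standard library only; the PE images below are in-memory fixtures built by
build_pe(), not real system files.  BASELINE is an assumed section layout."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Magic numbers of real font containers: TrueType, CFF OpenType, Mac TrueType, TTC
FONT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")


def parse_pe(data):
    """Return (entry_point_rva, sections); each section is
    (name, virtual_address, virtual_size, raw_pointer, raw_size, characteristics).
    Works for PE32 and PE32+ because AddressOfEntryPoint sits at the same
    optional-header offset (16) in both."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    opt = pe_off + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    table = opt + opt_size
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]    # Characteristics
        sections.append((name.rstrip(b"\0").decode("latin-1"), vaddr, vsize, rptr, rsize, flags))
    return entry, sections


def audit_pe(data, expected_sections=()):
    """Return a list of human-readable findings (empty list = nothing odd)."""
    entry, sections = parse_pe(data)
    findings = []
    expected = set(expected_sections)
    for name, _, _, _, _, flags in sections:
        if expected and name not in expected:
            findings.append(f"unexpected section {name!r}")
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name!r} is writable and executable")
    code = [s for s in sections if s[5] & IMAGE_SCN_MEM_EXECUTE]
    home = next((s for s in sections if s[1] <= entry < s[1] + max(s[2], 1)), None)
    if home is None:
        findings.append(f"entry point {entry:#x} lies outside every section")
    elif code and home is not code[0]:
        findings.append(f"entry point {entry:#x} is in {home[0]!r}, "
                        f"not the first code section {code[0][0]!r}")
    return findings


def looks_like_font(data):
    """A .ttf/.otf that is really a trojan config will not carry a font magic."""
    return data[:4] in FONT_MAGICS


def build_pe(sections, entry_rva):
    """Construct a minimal PE32 image (headers + section table + filler) for
    testing; sections is a list of (name, rva, size, characteristics)."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    header = dos + coff + bytes(opt)
    raw_base = len(header) + 40 * len(sections)
    table, body = b"", b""
    for name, rva, size, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             size, rva, size, raw_base + len(body), 0, 0, 0, 0, flags)
        body += b"\xCC" * size
    return header + table + body


# Constructed fixtures: a clean DLL layout and the same image with an appended
# RWX section that now owns the entry point (the pattern slide 20 describes).
BASELINE = {".text", ".rdata", ".data", ".rsrc", ".reloc"}   # assumed, not real dsound.dll
CLEAN = build_pe([(".text", 0x1000, 0x1000, 0x60000020),
                  (".rdata", 0x2000, 0x1000, 0x40000040),
                  (".data", 0x3000, 0x1000, 0xC0000040)], entry_rva=0x1010)
INFECTED = build_pe([(".text", 0x1000, 0x1000, 0x60000020),
                     (".rdata", 0x2000, 0x1000, 0x40000040),
                     (".data", 0x3000, 0x1000, 0xC0000040),
                     (".newsec", 0x4000, 0x200, 0xE0000020)], entry_rva=0x4000)
FAKE_FONT = INFECTED[:64]                      # a PE dropped with a .ttf extension
REAL_FONT = b"\x00\x01\x00\x00" + b"\0" * 60   # TrueType offset-table prefix


if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, audit_pe(img, BASELINE) or ["ok"])
    print("fake font looks like a font:", looks_like_font(FAKE_FONT))
```

On a real host the baseline would be built from known-good copies (or from catalog signatures) of each DLL named on slide 14, and audit_pe() run over the files in System32; the font check walks the Fonts folder and reports any .ttf whose first four bytes are not a font magic.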

21 Special Functions: AntiAV (AntiAV.cpp), AdjustPrivileges (Func.cpp)

22 Special Functions Grid Authentication Crack (KickProc.cpp)

23 Grid Authentication Crack (grid card screenshots)

24 Special Functions Grid Authentication Crack (CapPic.cpp)

25 More About All Trojans
- Type of trojans
- Advanced hidden technology
- Anti-detection technology
- Prediction solution

26 Type of Trojans
- APT Trojan: acts in Advanced Persistent Threats
- Bank Trojan: steals bank accounts directly, real money damage
- Common Trojan: back door program to monitor IM, Email or other accounts, or a remote controller
- Game Trojan: hackers use this to steal game accounts and sell them to get money

27 Advanced Hidden Technology
- Hide file: monitor the system API ZwQueryDirectoryFile and remove itself from the file list (API hook that modifies the result list, i.e. a rootkit)
- Hide process: hook the process list API EnumProcesses and remove itself from the result
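A hook on ZwQueryDirectoryFile or EnumProcesses can only edit the answer the hooked API returns; it cannot edit a listing obtained another way. The added example below, which is not from the talk, shows the standard cross-view check a defender uses against this: list the same objects twice, once through the normal API and once through an independent source, and diff the two. The views are constructed sample data (the two implant DLL names come from slide 13; the process name hidden_proc.exe is a placeholder); on a live host the "low" view would come from raw directory enumeration, a kernel object list or a PID sweep.

```python
"""Added example, not the talk's code: cross-view detection for the hiding
technique on slide 27.  The views are constructed sample data; on a live host
"high" is the normal API result and "low" an independent source."""


def cross_view_diff(high, low):
    """Return (hidden, phantom): hidden = present in the low-level view only,
    the signature of an output-filtering hook; phantom = in the API view only
    (a race during enumeration, or a decoy), also worth a look."""
    high, low = set(high), set(low)
    return sorted(low - high), sorted(high - low)


def hidden_files(api_listing, raw_listing):
    """Windows file names are case-insensitive, so normalise before diffing."""
    return cross_view_diff({n.lower() for n in api_listing},
                           {n.lower() for n in raw_listing})


def hidden_processes(api_view, low_view):
    """Views are {pid: image_name}; compare by PID so a renamed image still
    shows up, and report the name from whichever view knows it."""
    hidden, phantom = cross_view_diff(api_view, low_view)
    return ([(pid, low_view[pid]) for pid in hidden],
            [(pid, api_view[pid]) for pid in phantom])


# Constructed sample: the API view of System32 lacks the two implant DLLs
# named on slide 13, and EnumProcesses lacks one PID that a PID sweep found.
API_FILES = ["comres.dll", "ddraw.dll", "dsound.dll", "dllhost.dll"]
RAW_FILES = ["comres.dll", "ddraw.dll", "dsound.dll", "dllhost.dll",
             "stolor.dll", "IMEhost.dll"]
API_PROCS = {4: "System", 512: "csrss.exe", 2048: "game.exe"}
LOW_PROCS = {4: "System", 512: "csrss.exe", 2048: "game.exe",
             3100: "hidden_proc.exe"}   # placeholder name, constructed


def report():
    """Return findings as a dict so the result can be checked or logged."""
    files_hidden, files_phantom = hidden_files(API_FILES, RAW_FILES)
    procs_hidden, procs_phantom = hidden_processes(API_PROCS, LOW_PROCS)
    return {"hidden_files": files_hidden, "phantom_files": files_phantom,
            "hidden_processes": procs_hidden, "phantom_processes": procs_phantom,
            "hook_suspected": bool(files_hidden or procs_hidden)}


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The check is only as strong as the independence of the second view: if both listings pass through the same hooked API the diff is empty, which is why tools that do this read the volume or kernel structures directly for the low view.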

28 Anti-Detection Tech
- Core code encryption
- Packer
- Obfuscation

29 Prediction Solution for Enterprise
- Real-time security scan (both content and URL)
- IP overblock / domain overblock
- Outbound and inbound traffic scanning
- Reputation score
- Advanced detection

30 websenselab@gmail.com
