Archive for October, 2006

It's all in the Game!!

The online gaming industry has matured into a serious business with revenues running into the billions of dollars. As we know, once something gains popularity on the Internet and is profitable, it becomes an attractive target for hackers.

In the early days, game crackers spent quality time breaking cd protection or gaining secret codes to unlock hidden weapons and levels. With the advent of both Online Games and Massively-Multiplayer Online Role Playing Games (MMORPG), official gaming networks now require legitimate cd keys and/or registered accounts to logon and play online. Virus authors responded by unleashing a rash of trojan horse programs masquerading as game cheats or trainers in order to steal cd keys of Online Games. To get a victim to run these trojans, these files were posted on bulletin board systems, internet relay chat channels or on popular gaming site forums. But the intended victim still had to download and execute the trojan for the ploy to work.

So the obvious question was “How to make a self-spreading game cd key stealer?” Sdbots and Gaobot, with multiplying capabilities via exploits and weak passwords, were readily available at that time. It wasn’t long before a module was written and introduced into the bot code to steal game cd keys of popular online games from Electronic Arts, id Software, Red Storm and Valve. Fortunately most of the bots in the wild these days have dropped this functionality as the popularity of some online games has waned recently.

Massively-Multiplayer Online Role Playing Games like Lineage, World of Warcraft and the Final Fantasy series rule the gaming world today, with an insane number of hardcore gamers competing against each other in the virtual world. Every day, McAfee Avert Labs receives numerous malware samples designed to steal game account information, targeting popular game titles. And in a shift away from trojan horse programs masquerading as game cheats, we are seeing a trend where virus authors are writing old school viruses like W32/Bacalid, W32/Detnat and W32/Philis that target popular role playing games.

Are these guys doing it for the love of the game? Nope, sounds too good to be true. Underground RMT (Real-Money Trading) groups thrive on dealing in stolen game accounts and operate mostly out of Asia. With a player’s stolen account information, their virtual assets can be transferred to another player’s account or simply auctioned off and sold for real money. This phenomenon is currently region specific but could easily reach menacing proportions similar to the threats plaguing online internet banking.

“Unsolicited email with a slice of pineapple, mmm!”

Saw an interesting bit of news today, on a tactic I wish could be used to confuse the criminal elements out there into stopping their garbage-spewing.

“Wait. Am I sending unsolicited, usually commercial, e-mail to a large number of addressees, or am I engaging in services to avoid or suppress unsolicited e-mails?”

Plus, bonus amusement points for overuse of the phrase “spicy ham”.

Microsoft near to patching 100 critical vulnerabilities this year!

Today Microsoft patched 26 vulnerabilities, a record high since their monthly patch cycle started. Among the patched vulnerabilities are the 0-Day vulnerabilities in Word and PowerPoint that have been used in targeted attacks against large enterprises. The vulnerability in the WebViewFolderIcon ActiveX object that allows for Internet Explorer drive-by-install and drive-by-download attacks has been patched as well. None of today's patched vulnerabilities has been tagged as a worm candidate.

The anticipated remediation of the vulnerability in the DirectAnimation.PathControl ActiveX object in Internet Explorer has not yet seen the light of day.

Our graphs from last month, updated, are found below. The graphs show that Microsoft has continued the trend of patching a large number of critical vulnerabilities each month.

[Graph: Critical vulnerabilities addressed by Microsoft]

[Graph: Important vulnerabilities addressed by Microsoft]

Live from VB2006

I’m here at the booth at VB2006 skipping lunch to write some thoughts and observations from lovely Montreal, where the weather, at least today, is very much reminding me of home back in Portland, Oregon.

The conference is a three-day affair again this year, and was preceded by a day of meetings by various industry and user consortia and groups. We began by discussing new testing and certification methodologies designed to go beyond the standard approach of “scan a static collection and count how many were detected.” It’s probably not apparent to most people exactly how much thought, planning, effort and careful interpretation goes into running a scientific, valid, repeatable and meaningful test of a security product.

A big topic seemed to be how to test security products (and behavioral products to a degree) against running malware. Do you exclude rootkits or not (because they can render the measurement techniques invalid)? Do you install the security product after the machine is infected, or do you install it before, but disable the on-access scanner? How do you count legitimate third-party libraries? Harmless images and text files? How do you ensure the malware doesn’t start or stop installing some other piece of code midway through the test? We have our own answers for testing our software, but trying to get agreement among a huge array of vendors is a job I’m glad I don’t have. It probably also explains how bad reviews happen.

Actual talks began late morning yesterday, and were kicked off by Mikko Hyppönen’s review of malware history from the early days to today. Our own Allysa Myers presented on the possibilities around bot herders using IM to perform command and control functions, and Igor Muttik on scanning of HTTP-borne threats without killing performance. There have been some excellent talks on anti-rootkit techniques, botnet monitoring, some of the subtleties of the spyware landscape and a sort of point-counterpoint discussion of the effectiveness of user education vs. technological solutions. In general, some differences across the industry seem apparent this year. There are fewer talks on botnets and rootkit techniques than last year, it seems, and more discussions of behavioral technologies and mobile threats. Spam is also more prominent this year, and this broadening of the technological landscape seems to be paired with a broadening of the vendor and customer organizations represented here this year. It seems so far like the conference is mimicking the malware world today.

Texting Trojans

This week we received a sample of a variant of W32/Backdoor-DJC.

W32/Backdoor-DJC is a standard targeted backdoor trojan. It steals information from your computer and sends it back to the attacker. Instead of using email to send back the stolen data, this variant uses SMS.

Using SMS to transfer stolen information shows malware authors branching out in their communication methods, but it is not really innovation. System administrators have been able to monitor their machines via SMS for quite a while. This is more an example of malware authors turning legitimate methods and tools to their own purposes.

Previously we've seen similar information stealing trojans on mobile phones. SymbOS/Pbsender swipes your phone and contact info and sends it out via Bluetooth.

Bluetooth is not as effective as email or SMS for sending information. Consider some of the difficulties involved:

  • receiving anything requires user interaction; you can't let it sit in your inbox
  • you need to be within range; if you're not there, you don't get the message

On the other hand with SMS:

  • your messages end up in the inbox
  • range is not an issue, you can even be in a different country
  • your phone does not even have to be on

Once a tool or communication method has been proven effective legitimately it is common for us to see them integrated into malware. So it's no surprise that SMS has now reached this stage.

“From the floor of VB 2006, pt 2”

Well, more accurately from my hotel room here in Montreal, because the floor is full of people moving chairs and taking down booths. Rob Lemos asked me yesterday why so much of the data presented here at VB seems dated, which is not really surprising as papers are due months before the show for editing and printing, etc. That being said, there is a certain amount of self-censoring that goes on – you don’t want to show all your cards to either the competition or the malware authors. But I thought today was a fascinating display of just how relevant the conference was this year.

This morning, Infoworld’s Paul Roberts (http://weblog.infoworld.com/techwatch/archives/cat_security.html) reported on a notice sent from the UK Metropolitan Police (responding to information discovered by Avert staff in Europe) to 3000 British citizens informing them that their computers had been compromised, including passwords, credit card numbers, etc. The show today ended with a panel discussion on fighting cybercrime that included representatives from the FBI, several security vendors and a large corporate customer. While most agreed that the trend is getting worse, everyone was in favor both of more information-sharing between vendors and law enforcement, and of more reporting from affected corporations and individuals to law enforcement. While cybercrime is a significant priority at the FBI (after counter-terrorism and counter-intelligence), the more data that law enforcement has, the better their funding opportunities. The real goal here is to increase the risk:reward ratio. Right now cybercrime is so lucrative, so cheap to carry out, and incurs such a low risk of capture (much less of significant penalties, depending on the jurisdiction), that it is neither surprising nor unexpected that it is growing.

The other somewhat surreal coincidence was between Randy Abrams’ presentation on Microsoft and competition with the AV industry, and the announcement that MS will be making changes in Vista to reduce EU and Korean concerns over competitive or antitrust issues (http://biz.yahoo.com/rb/061013/microsoft_eu.html?.v=7). Randy’s conclusions, based on his having worked at MS and at an AV vendor, were that Microsoft is essentially playing fairly on a technical level, but that their mere presence will affect large AV vendors, like McAfee and Symantec, more than the smaller players. He also believes that Microsoft’s success will be largely dependent on the quality of the software and support provided by OneCare and ForeFront. Having watched a number of markets go away after Microsoft’s entry, I am more cynical, and would expect both their sheer ownership of the platform and integration points, if not their access to technical information, to have some non-trivial effect. It sounds like the EU and Korea agree, but time will tell I guess. What is not up for debate is that there is another kid on the block and he’s bigger than all of us put together.

“Spammers, they may as well hold up a sign!”

For a good few weeks we’ve been watching the pharmaceutical and wrist-watch spammers using name server host names in the style “ns1.ns1.some-domain.tld” (normally they are ns1.domain.tld, a simple hostname without the extra subdomain). This is a pretty unusual thing to do and we can only presume the spammers have their own devious or misguided reasons for doing so. The domains registered against these name servers also exhibit another interesting feature: they are registered with the name servers in an invalid (or at least very unusual) way, and furthermore these domains fail a whole bunch of other simple test cases that clean sites pass. With streaming updates we are able to protect against these campaigns, often before the spam campaigns start.
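The doubled “ns1.ns1.” label pattern is the kind of cheap, deterministic check that can run over registration data before a campaign starts. The following is an added example, not code from the original post or from McAfee: it normalizes name server hostnames, flags the repeated leading ns-label, and applies that check to a small constructed set of domain-to-nameserver records (the domain names, the `.example` suffixes and the `flag_domains` helper are all assumptions made for illustration). It does not attempt the other, unspecified registration tests the post mentions.

```python
import re
from typing import Dict, List

# A leading label such as ns1, ns2, ns10 (the conventional name server prefix).
NS_LABEL = re.compile(r"^ns\d+$")
# One DNS hostname label: letters, digits and inner hyphens only.
HOST_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def split_labels(hostname: str) -> List[str]:
    """Normalize a hostname (case, trailing dot) and return its labels.

    Raises ValueError for anything that is not a syntactically valid hostname,
    so that malformed registration data is surfaced rather than silently skipped.
    """
    name = hostname.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(HOST_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid hostname: {hostname!r}")
    return labels


def has_doubled_ns_label(hostname: str) -> bool:
    """True for names of the form ns1.ns1.some-domain.tld.

    The heuristic (an assumption, modelled on the post's example) is: the first
    label looks like ns<N>, it is immediately repeated, and a registrable domain
    still follows, so at least four labels in total. ns1.domain.tld and
    ns1.ns2.domain.tld are both left alone.
    """
    labels = split_labels(hostname)
    return (
        len(labels) >= 4
        and NS_LABEL.match(labels[0]) is not None
        and labels[0] == labels[1]
    )


def flag_domains(records: Dict[str, List[str]]) -> List[str]:
    """Return, sorted, every domain that has at least one doubled-label name server."""
    return sorted(
        domain
        for domain, servers in records.items()
        if any(has_doubled_ns_label(server) for server in servers)
    )


# Constructed sample of domain -> NS hostnames; not real registration data.
SAMPLE_NS_RECORDS: Dict[str, List[str]] = {
    "example.com": ["ns1.example.com", "ns2.example.com"],
    "cheap-pills.example": ["ns1.ns1.cheap-pills.example", "ns2.ns2.cheap-pills.example"],
    "fine-watches.example": ["ns1.ns1.fine-watches.example", "ns2.fine-watches.example"],
    "hosted-site.example": ["ns1.hosting-provider.example", "ns2.hosting-provider.example"],
}

if __name__ == "__main__":
    for domain in flag_domains(SAMPLE_NS_RECORDS):
        print(f"{domain}: doubled ns-label name server")
```

Run as a script it lists the two constructed spam-style domains; the legitimate records, including the one delegated to a third-party host, are not flagged.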

Zero-Day Vulnerability Follows October ‘06 Patch Tuesday

Patch Tuesday refers to the second Tuesday of each month when Microsoft releases security updates for its products. As a matter of policy, Microsoft releases patches only on Patch Tuesday. (One recent exception to this was an out-of-cycle patch for the Internet Explorer VML vulnerability.)

The researchers at McAfee Avert Labs follow Patch Tuesday with interest: Microsoft’s products are used by the lion’s share of industry and home users, and un-patched vulnerabilities in Microsoft’s products can often have an impact on global security.

Back in July 2006, Patch Tuesday fell on July 11. On July 12, a Trojan, Exploit-PPT.b, was released. This Trojan exploited a previously-unknown Microsoft PowerPoint vulnerability.

An exploit for a new vulnerability follows a Patch Tuesday. A one-time event?

This month, on 12 October 2006, two days after the October Patch Tuesday, we discovered a zero-day exploit in the wild for a new Microsoft PowerPoint 2003 vulnerability, CVE-2006-5296. Microsoft has said on its TechNet blog that this exploit could carry out code execution on the victim’s machine.

Security expert Bruce Schneier has commented that exploits might be released right after a Patch Tuesday to maximize the “window of exposure”, the time until next month’s Patch Tuesday arrives with security patches for the new vulnerability.
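To put a number on that window, the following added example (not code from the original post) computes the second Tuesday of a month and the days from an exploit's first sighting until the next scheduled patch day. Using the two dates the post gives, 12 July 2006 (Exploit-PPT.b) and 12 October 2006 (CVE-2006-5296), it shows the window is widest immediately after a Patch Tuesday and shrinks by one day for every day the exploit appears later. The figure is an upper bound: an out-of-cycle fix like the VML one closes the window early. The function names are this example's own.

```python
from datetime import date, timedelta
from typing import Dict


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month, Microsoft's scheduled patch day."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1.
    days_until_tuesday = (1 - first.weekday()) % 7
    first_tuesday = first + timedelta(days=days_until_tuesday)
    return first_tuesday + timedelta(days=7)


def next_patch_tuesday(after: date) -> date:
    """First Patch Tuesday strictly later than the given date."""
    candidate = patch_tuesday(after.year, after.month)
    if candidate > after:
        return candidate
    year, month = (after.year + 1, 1) if after.month == 12 else (after.year, after.month + 1)
    return patch_tuesday(year, month)


def window_of_exposure(exploit_seen: date) -> int:
    """Days from the exploit's appearance to the next scheduled patch day.

    Assumes no out-of-cycle patch, so this is the worst case for the defender.
    """
    return (next_patch_tuesday(exploit_seen) - exploit_seen).days


def exposure_by_day(year: int, month: int) -> Dict[int, int]:
    """Window of exposure for an exploit first seen on each day of the month."""
    result = {}
    day = date(year, month, 1)
    while day.month == month:
        result[day.day] = window_of_exposure(day)
        day += timedelta(days=1)
    return result


if __name__ == "__main__":
    for seen in (date(2006, 7, 12), date(2006, 10, 12)):
        print(f"exploit seen {seen}: next Patch Tuesday {next_patch_tuesday(seen)}, "
              f"{window_of_exposure(seen)} days of exposure")
    october = exposure_by_day(2006, 10)
    widest = max(october, key=october.get)
    print(f"October 2006: widest window is for day {widest} ({october[widest]} days)")
```

The exploit of 12 July faced 27 days until 8 August; the one of 12 October faces 33 days until 14 November. In the October table the day with the widest window is the 10th itself (35 days), and the 9th, one day before the patch, has the narrowest (1 day), which is exactly the asymmetry Schneier describes.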

Is Zero-Day Wednesday (or Thursday) going to become a trend? We’ll be watching.

W32/Stration – The new “old” kid in town

Today’s mass mailers are often seeded from thousands of zombie drones connected to botnets. Time on a botnet can be bought, for the right price, to launch the next mass mailer variant. Then when these zombies are instructed to download and execute a worm, a mini outbreak can be created when thousands of machines over the internet simultaneously start mailing copies of the worm. However, these artificial outbreaks die by themselves when antivirus vendors come out with updated detection for the worm.

By using enticing subjects and message bodies and spoofing the ‘from’ address to appear from trusted sources, mass mailers have traditionally depended on social engineering techniques to get a victim into executing a malware attachment. Given that mass mailers seem out of vogue these days with malware authors focusing on more effective infection vectors like operating system or browser vulnerabilities, it’s nostalgic when we see a new “old” kid in town.

W32/Stration is a mass mailer that has been around since August this year and is one of the few active and evolving mass mailers in recent times. Very typical of the mass mailing variety, W32/Stration harvests email addresses from an infected machine and mails a copy of itself using some convincing message bodies.

A sample spoofed email message is as follows:

“Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses. Please install updates for worm elimination and your computer restoring.”

Leaving out the poor grammar, such a dire message appearing to come from the administrator of your company could be stunningly effective in getting uninformed users to take the bait.

W32/Stration uses a self-updating mechanism to keep itself going. Infected machines connect to a hard-coded URL in the body of the worm to download a possibly newer version of the worm and execute it. This helps the worm remain undetected for an extended period of time and gives it a longer shelf life in the wild.

The author seems to be investing considerable time and effort into unleashing newer variants of W32/Stration onto the internet. But it’s surprising that no lucrative payloads like adware or password-stealing trojans have been seeded onto infected machines. One can only wonder about the objective behind developing and releasing newer variants of this worm. Is the current wave being used to build a massive pool of infected computers for a larger-scale attack on the internet? Sadly, the motive behind unleashing this worm is still unknown at the time of writing this blog. McAfee Avert Labs continues to keep a close eye on future developments of W32/Stration.

“0-days That Weren’t (Quick or Accurate, Take Your Pick)”

As timescales compress in computer security, research organizations feel increasing pressure to be first to report on a threat. It’s hard to perform lengthy fact checking in hours’ time. In the last couple of months we heard about two different 0-day attacks from two different major security vendors, neither of which was a 0-day attack. This week analysis was posted on a “new” anti-virtual-keyboard technique used by a password-stealing trojan; the only problem is that the technique is at least 3 years old. And this week an IE 7 0-day vulnerability turned out to be more than 5 months old.

Of course the irony is that other researchers have to chase the claims, which reduces the amount of time available for fact checking prior to release for the issues they’re trying to report on; so it’s a vicious cycle. Additionally, people who report on such issues are often excited and anxious to spread the news, not to mention the competitive aspect of all of this.

Generally speaking, the largest organizations tend to lean towards lengthy validation cycles, taking a long time to react, while smaller shops may only do a quick check to validate their claims.

Personally I think either extreme is not good and a balance needs to be found. Part of that balance should include going with what you know at the time, allowing for terms like ‘under investigation’ or ‘believed to be’, while reserving absolute statements until after due diligence has been given.

Maybe that’s just me?