MSRT cleans 2 million PCs of game password-stealing software

June 24, 2008

Microsoft's Malicious Software Removal Tool (MSRT) - a program that detects and removes viruses and other malware from Windows machines - removed game password-stealing software from more than 2 million PCs in the first week after it was updated to detect these programs on June 10. One password stealer, called Win32/Taterf, was detected on 700,000 computers in the first day after the update. That's twice as many infections as were spotted during the entire month after Microsoft began detecting the notorious Storm Worm malware last September. Between June 10 and June 17, Microsoft removed Win32/Taterf from about 1.3 million machines.[1]

Password stealers such as Win32/Taterf are among the most common types of malicious software on the Internet. That's because there's big money to be made selling the virtual currencies used in online games for real-world cash. Once a criminal learns a gamer's username and password, he can log into the game and sell the victim's virtual possessions for virtual gold coins. Those coins are then handed to another character in the game who sells the gold for real-world dollars at an online exchange.[1]

In last year's Symantec Internet Security Threat Report Volume XII (reported previously here on rationallyPARANOID), one of the emerging trends Symantec expected to become prominent over the next six to twenty-four months was malicious code targeting virtual worlds. The report stated that:

"These markets (also referred to as secondary economies) are currently unregulated and are still too small to attract serious attention from law enforcement and securities regulators. Symantec believes that these characteristics could allow criminals to use them for illicit activities. For example, because of the anonymity offered by PVWs (persistent virtual world), in which all identities are virtual, criminals may be able to launder money through the use of RMTs (real-money transactions)"[2]

These transactions can be conducted worldwide without the oversight that typically accompanies international bank remittances.[2] Estimates vary wildly, but some analysts put the world-wide real-money trade in virtual assets at more than $2 billion, most of which changes hands in South Korea and China.[3] Given the anonymity, the lack of regulation of the market, the difficulty in auditing it, and the lack of attention from law enforcement, it's an effective method of money laundering.

Win32/Taterf spreads by copying itself to the root of every fixed or removable drive on the infected system and ensures it gets executed by creating an 'autorun.inf' file there too. That autorun.inf tells Windows Explorer to run the worm whenever the drive is opened. So every time someone plugs that USB drive into a computer, the computer is infected. If you plug that drive into a computer connected to a network, it'll be infected, and so on. If you've mapped an infected drive over the network, that'll infect it too.[4]
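The spreading mechanism above depends entirely on what the dropped autorun.inf asks Explorer to run. The following Python script is an added example, not code from the post or from Microsoft: it parses an autorun.inf, pulls out every directive that causes a program to launch (`open`, `shellexecute`, and any `shell\<verb>\command` entry), and summarises what opening the drive would execute, so a responder can triage removable media or a mapped drive without double-clicking it. The two autorun.inf samples and the file name `payload.exe` are constructed placeholders; the real worm's file names are not given on this page.

```python
"""Triage autorun.inf files found at drive roots (added example, not from the post)."""
import re
from pathlib import Path
from typing import Optional

# Directives that make Explorer execute something when the drive is opened.
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... defines a context-menu verb; redefining the
# "open" and "explore" verbs makes the payload run however the drive is opened.
VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text: str) -> dict:
    """Return key->value pairs from the [autorun] section, keys lower-cased.

    Section names and keys are matched case-insensitively, ';' starts a
    comment, and for duplicate keys the last occurrence wins in this parser.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: dict) -> list:
    """List (directive, command) pairs that would cause code to run."""
    targets = []
    for key, value in entries.items():
        if key in EXEC_KEYS:
            targets.append((key, value))
        else:
            m = VERB_COMMAND.match(key)
            if m:
                targets.append((f"verb:{m.group(1).lower()}", value))
    return targets


def assess(text: str) -> dict:
    """Summarise what an autorun.inf would do when its drive is opened."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    verbs = sorted({t[0][5:] for t in targets if t[0].startswith("verb:")})
    return {
        "launches": bool(targets),
        "targets": targets,
        # "shell=<verb>" picks the default verb; combined with a redefined
        # open/explore verb, a plain double-click runs the listed command.
        "default_verb": entries.get("shell"),
        "overridden_verbs": verbs,
        "label": entries.get("label"),
    }


def scan_drive_root(root) -> Optional[dict]:
    """Read <root>/autorun.inf if present and assess it; None if absent."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return None
    # autorun.inf is plain ANSI text in practice; tolerate odd bytes.
    result = assess(inf.read_text(encoding="cp1252", errors="replace"))
    result["path"] = str(inf)
    return result


# Constructed samples (hypothetical; "payload.exe" is a placeholder name).
BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Driver CD
"""

WORMLIKE_AUTORUN = """[AutoRun]
open=payload.exe
shellexecute=payload.exe
shell\\open\\Command=payload.exe
shell\\explore\\Command=payload.exe
shell=open
"""

if __name__ == "__main__":
    import tempfile
    # Stand in for a removable drive root with a temporary directory.
    with tempfile.TemporaryDirectory() as fake_root:
        Path(fake_root, "autorun.inf").write_text(WORMLIKE_AUTORUN)
        print(scan_drive_root(fake_root))
    print(assess(BENIGN_AUTORUN))
```

Run it against a mounted USB stick by passing the drive root (for example `E:\`) to `scan_drive_root`; a benign vendor autorun.inf yields `launches: False`, while anything that redefines the open or explore verbs or sets `open`/`shellexecute` is listed with the exact command Explorer would run.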

Gamers can make easy targets for criminals: some disable antivirus software to boost gaming performance, while others download free "cracked" versions of games, which can contain malware.[1] Once infected, the malware is used to obtain account information for one or more of the following Massively Multiplayer Online Games and affiliated products:

* Rainbow Island
* Cabal Online
* A Chinese Odyssey
* Hao Fang Battle Net
* Lineage
* Gamania
* MapleStory
* qqgame
* Legend of Mir
* World of Warcraft[5]

The top five countries for detections were China with 529,003, Taiwan with 279,428, Spain with 235,381, the U.S. with 213,374 and Korea with 184,306.[4]

1. "Microsoft Security Fix Clobbers 2 Million Password Stealers", PC World, June 20, 2008

2. "Internet Security Threat Report Volume XII", Symantec, September 2007

3. "QQ: China's New Coin of the Realm?", The Wall Street Journal, March 30, 2007

4. "Taterf - all your drives are belong to me!!!1!one!", Microsoft Threat Research & Response Blog, June 20, 2008

5. "Win32/Taterf", Microsoft Malware Protection Center, June 24, 2008