Virus over steam. Let's take a look.
-
So, this random contact wants to trade with me on Steam.
But... why is he talking in English to me? As far as I remember, he's Dutch. And why such poor English? While we're at it, why does he want to send me a screenshot through an obscure Russian site instead of through the Steam interface? You saw it coming: the 'screenshot' is a file called IMG_wossname.scr.
I downloaded it anyway because ~~I want a new screensaver for my Win95 box~~ I'm a curious kind of person. To my surprise, NOD32 didn't catch it. VirusTotal learns me most wouldn't.
Looking around a bit on the net, I found out this kind of trojan has been popping up since late August 2014 and has infected quite a few people already. I'm always slightly amazed when I get hold of a kind of manual for such a thing. Funnily, the closed hacker forum with the manual is cached in Google. Probably you can just register to get access too though.
tl;dr, what does the virus do? Basically, it installs a remote administration tool on your PC: DarkComet. Then, some of your Steam files are copied to the attacker's Steam. If by any chance you had "Remember password" on like 99% of the users, then they can access your account now and take your precious virtual items. Personally, I wouldn't care about the latter - I'd be more worried about their backdoor into your system ;)
I'd love to see the code actually. I might later have a look to see if that .scr can be reversed. Once I was at a security conference in Vegas where I saw the original source code of a few viruses and I was impressed at how nicely they were made - better commented even than most enterprisy apps.
-
Sadly, this isn't exactly a new thing on Steam.
Incidentally, you can report hijacked accounts on their profile pages.
-
Once I was at a security conference in Vegas where I saw the original source code of a few viruses and I was impressed at how nicely they were made - better commented even than most enterprisy apps.
That's hardly surprising, when you think about it. The programmer is dictating it, not Corporate.
-
Yeah this has been going on in Steam for... well years. I get probably 1-2 a week of these.
-
better commented even than most enterprisy apps.
It sounds like you are trying to use the bolded 'even' to add emphasis, which works in some places but is awkward here. The other point is that I don't think I've ever seen a well commented enterprisy application.
-
Sadly, this isn't exactly a new thing
on Steam.
The only difference between this and all the stories floating around in 2002 is this is Steam, and in 2002 it was MSN Messenger. And in the 90s, it was IRC.
-
And even today, it's on ~~MSN Messenger~~ Skype
-
And of course, it's been going on via e-mail ever since Jesus went to Glastonbury
-
First time I see it on Steam though. And my account is almost 10 years old I think. Or it's my second account after a rage quit once ^^
-
You rage-quit... Steam?
Not, like, a particular game you were playing on Steam, but Steam itself?
-
Well, other types of attacks used to be more common on Steam, but Valve has slowly been changing the trading system to block those.
Thus, account hijacks are the current way to go.
-
I get people who randomly add themselves to my list in the hopes that I will give them my trading cards and/or hats. I just ignore them.
-
Like my Steam profile says, I won't add people if I don't recognize them from somewhere else.
-
Y'all forgot about Napster and ICQ. But they were annoying viruses back then. Oh wait. BackOrifice comes to mind. I might have ejected someone's cdrom too.
-
In hindsight this sounds pretty stupid. But yeah. Older and wiser now. And many more games (300?).
-
Ooh, ICQ, I haven't thought about that in a long time. I have a 7-digit number. I know a couple of people with 6-digit numbers.
-
I think it's safe to say, if there's a way for two people to contact each other over the Internet, it's been used to distribute malware and hijacks ;)
-
You rage-quit... Steam?
I think he said you couldn't change the IM font or something. Really drove him crazy.
-
Mine was 775498. Haven't used it in like a decade or more though.
-
I hate that. It can be done, but it's hard and breaks any time there's an update.
If I were to add anyone here on Steam, I'd have to make sure to explain that my display picture is of some cartoony bald guy.
-
Mine was 775498. Haven't used it in like a decade or more though.
Nice; one of the 6-digit people I know was above that, one a little lower; 600K range, I think.
-
VirusTotal learns me most wouldn't.
Weird how it has a different name in every product. You'd think they'd have some agreement. Windows Defender (why does VirusTotal not have that one?!) finds it and calls it "Win32/Anaki.A!plock".
@YellowOnline said: Funnily, the closed hacker forum with the manual is cached in Google.
Here's a more permanent link:
https://archive.is/rESeO
Once I was at a security conference in Vegas where I saw the original source code of a few viruses and I was impressed at how nicely they were made - better commented even than most enterprisy apps.
Really? I suppose the "high end" malware must be good, but judging from the stuff you find in forums like that, I'd guess there's a whole lot of things out there patched together in .bat files and VB6 by some n00b.
-
Nice one. The linked tutorial is amazing.
-
I like how Whorgi quoted the entire post, forcing additional scrolling.