A Game With No Rules

Kaspersky Lab analysts are currently investigating a series of targeted attacks against computer game publishers. It turns out that cybercriminals are stealing in-game currency, source code as well as digital certificates. In this blog post, you will learn about everything online gamers (and game manufacturers) need to know.

APT (advanced persistent threat) attacks don’t just target government agencies and military secrets; cybercriminals are just as capable of spending their time, money and effort on hacking into an ordinary company if there are obvious gains to be made. This fact was vividly demonstrated in the results of a year-long investigation by Kaspersky Lab experts who uncovered a criminal group that had been spying on the developers of computer games.

Although the cybercriminals exclusively targeted computers owned by gaming companies, the first infections were identified on the computers of ordinary gamers. A mistake by the hackers meant a Trojan made it into an update server and was downloaded to gamers’ computers, where some watchful users detected it. The Trojan immediately caught the attention of malware analysts because it was a full-fledged remote administration tool (RAT) which gave the hackers complete control over victim computers. Besides, it included a driver signed with an authentic and valid certificate, so it could install without any warnings or notifications.

An investigation into how this file could make its way to an update server revealed a full-scale cyberespionage network that wouldn’t have been out of place in a Hollywood action movie. First, phishing messages were used to infect the computers of specific employees at a computer game developer. Having successfully infected a computer, the Trojan dubbed Winnti downloaded a multitude of remote administration modules from C&C servers, and sent a report about the situation. Then, one of the cybercriminals established a manual connection to the computer, assessed the situation and decided whether it was worth continuing to watch the computer. If not, all traces of the spyware were removed from the computer. If it was worthwhile, the cybercriminals collected everything they could access. Priority was given to stealing game source codes and software developer certificates. Once in possession of the source codes, the criminals could then look for vulnerabilities in gaming servers and create mechanisms to build up virtual assets or launch alternative pirate game servers and cheaply sell access to them. As for the certificates, they were used to sign new malware programs and, quite likely, resold to other cybercriminals, as the stolen certificates later emerged in other criminal schemes and used for political cyberespionage.

Since the gaming industry is truly global, with large game manufacturers having vast networks of branch offices all over the world, and different manufacturers closely cooperating for localization and publishing purposes and granting each other access to corporate networks, the cybercriminals could use a single infected network as a foothold from which to penetrate other companies. Although it is still difficult to evaluate the scale of the problem, it is clear that dozens of companies came under attack in Russia, Germany, the US, China, South Korea and several other countries.

Although the criminal group targeted game developers, ordinary gamers will feel the consequences as well – for multiple reasons. First, the game currency and items that are not accounted for by the developers create an imbalance in the game world, all parameters of which, including money supply, are carefully calculated. Second, companies from which cybercriminals have stolen the fruits of many years’ hard work may not be able to cover their development costs because some of the players have migrated to pirate servers. This in turn may have a critical effect on the support of the game as a whole. Third, cybercriminals can use compromised update servers to distribute malware to all the players’ machines. We do not have any proof that the Winnti group is deliberately infecting players via infected companies, but we cannot rule this out either – it could be done as a well-paid assignment from a third party.

To avoid this last threat, you can take a couple of precautions:

• Have a close look at the settings configured for the ‘game’ mode, which is available in many security solutions. As a rule, antivirus products do not display alerts and minimize scanning in the full-screen (game) mode to avoid a negative effect on system performance. Check that a secure action will be performed if an infection is detected – the malicious object should be blocked or quarantined but not skipped.
• Use a fully-functional security solution that includes antivirus protection, behavior control, a firewall and other components. Regularly update the solution and take any alerts seriously, even if they concern files which came from a source that seems to be quite reliable, such as a game update server.
• Kaspersky Lab’s products detect and neutralize the malicious programs and its variants used by the Winnti group, classified as Backdoor.Win32.Winnti, Backdoor.Win64.Winnti, Rootkit.Win32.Winnti and Rootkit.Win64.Winnti.
  Do not support the black market! Do not connect to unofficial game servers.

And finally, the most general piece of advice that can be given to players: do not support the black market. Connecting to unofficial servers encourages cybercriminals to attack game developers again and again. And each attack is another brick in the wall between all of us and interesting new games that somebody has to spend time and effort creating for us.