
Social Attack on Gamers Leads to a Drive-By Diab-load

2012-08-17


A Rube Goldberg-esque confidence scheme to infect computers with malware, targeting players of the popular online game Diablo III, has resulted in the alleged theft of a number of high-ranking players’ rare armor and other loot, as well as complaints to the game’s operator, Blizzard.

We found out about the scam in Blizzard’s own forums — the battle.net message board where players of several of Blizzard’s games hang out, share information, talk trash, and trade. What grabbed my attention was the detail with which people described the execution of the scam itself, which involved both technology and a gentle social grooming technique, in which the alleged scam artist befriends his target in the course of the attack.

Here’s how several alleged victims described the con: They teamed up with a random, friendly, affable, and capable player, who helped them fight through some tough battles. Afterward, the stranger and victim exchanged Skype contact information, and proceeded to text chat over that service. In the course of the text chat, the stranger and victim discussed armor and weapon loadouts, and sent one another links to screenshots of their various characters taken from within the game, posted to various free image hosting services. Only, one of those links was not like the others: The target eventually received a link from the stranger to a page that appeared, at first glance, to be just another hosted image, but instead pointed to a purpose-built, bespoke replica of an ImageShack page, hosting a malicious Java JAR application instead of a photo.

That was just the beginning of what turned out to be a surprisingly complex, but also (by the time I got to it) devastatingly broken, infection process.

The malicious Java code initially received a clean bill of health from VirusTotal, but that may have been a result of the fact that it could not actually carry out its mission, which was to download and execute a Trojan executable on the victim’s Windows computer. After 24 hours, only one AV vendor detected it.

The JAR file was tiny, just under 5kb in size. I poked around on the server and found a total of five different, unique JAR files. Inside was some malicious code as well as some truly bizarre text.

Most of the code inside the JAR file seems to focus on transforming a large data array into something else. Researchers frequently see this kind of structure in malicious JavaScript code; the array of data looked like a bunch of random letters and numbers, with each character delimited by punctuation marks.

Using the free JD-GUI Java Decompiler, I copied out the source into a tool where I could clean up the array data a bit. It turns out that it was criminally easy to decode.

The array was just a long string of hexadecimal characters; paste that into the right tab in the handy-dandy Malzilla utility, and the contents reveal themselves to be a URL pointing to a file hosted on a two-month-old file-hosting service called up2x.com.

The Java code reassembles the URL, then attempts to retrieve the file at the other end of the URL.
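The decoding step above is simple enough to script rather than paste into Malzilla. The following is an added example, not code from the JAR or from the original post: it strips the punctuation delimiters from a hex array like the one described, decodes the bytes, and checks that the result really is an http(s) URL before an analyst pivots on it. The sample array and the URL it decodes to are constructed placeholders, not the real up2x.com location.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the delimited hex array described in the post.
# The URL it decodes to is a placeholder, not the real up2x.com payload location.
SAMPLE_ARRAY = ("68~74~74~70~3a~2f~2f~65~78~61~6d~70~6c~65~2e~69~6e~76~61"
                "~6c~69~64~2f~70~61~79~6c~6f~61~64~2e~65~78~65")


def decode_hex_array(blob, delimiters=None):
    """Turn a punctuation-delimited string of hex byte values into text.

    With delimiters=None every non-hex character is treated as noise, which is
    what "letters and numbers separated by punctuation" calls for. Pass an
    explicit delimiter string when the separators could themselves be hex
    digits (e.g. the letter 'a'), otherwise they would corrupt the output.
    """
    if delimiters is None:
        hex_digits = re.sub(r"[^0-9a-fA-F]", "", blob)
    else:
        hex_digits = re.sub("[" + re.escape(delimiters) + "]", "", blob)
    if len(hex_digits) % 2:
        raise ValueError("odd number of hex digits: not a byte string")
    data = bytes.fromhex(hex_digits)
    # A download URL is plain ASCII; anything else means the array is not a
    # simple hex encoding (or a different alphabet/delimiter was used).
    text = data.decode("ascii")
    if not text.isprintable():
        raise ValueError("decoded bytes are not printable text")
    return text


def extract_url(text):
    """Validate that the decoded text is an http(s) URL and return its parts,
    the pieces an analyst would feed into a blocklist or pivot on."""
    parsed = urlparse(text)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("decoded text is not an http(s) URL: %r" % text)
    return {"url": text, "host": parsed.hostname, "path": parsed.path}


if __name__ == "__main__":
    print(extract_url(decode_hex_array(SAMPLE_ARRAY)))
```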

Four of the five JAR files also contained this line of text:

“Did you hear about that java. io or how .tmp dir pooped or how the user found his .home or how the APP DATA was found? I also have an .exe and a little //”

No, I didn’t hear about that. Don’t fret, malware man. It’s not about the size of your // — it’s how you use it.

Problem #1: The JAR failed to get its payload. On the testbed, the applet just quit, with no resultant payload delivered. I took a look at DeepSee to find out why. The error code delivered by up2x’s server seemed a bit strange but led to the answer.

The server returned an Access Denied error with some gibberish about “your browser’s signature,” and then I realized: the site had profiled my browser based on the User-Agent, and because the file request was coming from Java’s User-Agent (which differs from that used by a “normal” browser), up2x refused to deliver the executable. Chalk one up for common sense on the part of up2x’s operators, but it’s a kludge that will work only until the JAR’s creator can figure out how to forge a User-Agent string.

Problem #2: The Trojan executable payloads are still hosted on up2x. I simply browsed over there with Firefox and picked them up. The programs all use a generic icon and share a common naming convention (nine numbers, a period, the word “Protected,” two more numbers, and the .exe file suffix), and size range (between 224KB and 225KB).

They also have distinctive file properties (all three use the same version number of 1.0.0.0, and amusingly, two use the phrase Made at home in the Company Name properties field). They’re also notable for having been created in the malware-atypical Visual C# for .Net programming language. You don’t see a whole lot of that.

Problem #3: I don’t have Diablo installed on the testbed. No problem!

Once executed, the Trojan exhibits dropper behavior — it delivers a second unique executable, 10KB-11KB in size, to the Templates folder under the current user’s profile path, then executes the dropped app. Needless to say, this alone is red-flag behavior; nothing executable should ever run from the logged-in user’s \Templates directory. The dropped payload describes itself as a Diagnostic ER Module, made by Microsoft, but the code isn’t digitally signed and can’t be validated.

The initial Trojan then places a duplicate copy of itself in the user’s \Local Settings\Temp folder, executes it, and sets a Run key in the Registry to start it up after a reboot. It also sets off a firestorm of changes to the Windows Firewall, which involves adding Microsoft’s .Net application loader executable to the Firewall’s exception list. A short while later, it performs a geo-IP lookup using the free ipinfodb service. No Diablo, so there’s nothing else to do here. So that’s as far as it went. Or is it?
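The dropper chain described above (an executable run from the user’s Templates or Temp folder, the nine-digits-dot-Protected naming convention, a Run key pointing at that scratch folder, and a firewall exception added for the .NET loader) is easy to turn into triage rules. This is an added example, not the post’s or any vendor’s detection content; the event records are constructed in a simplified Sysmon-like shape, and the file names, user name and .NET loader path are placeholders.

```python
import re

# Constructed sample events (not real logs). The 123456789.Protected12.exe name
# follows the convention the post observed; the loader path is a placeholder.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Documents and Settings\alice\Templates\dermod.exe"},
    {"type": "process",
     "image": r"C:\Documents and Settings\alice\Local Settings\Temp\123456789.Protected12.exe"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "value": r"C:\Documents and Settings\alice\Local Settings\Temp\123456789.Protected12.exe"},
    {"type": "process", "image": r"C:\WINDOWS\system32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" loader ENABLE'},
    {"type": "process", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

# Executables launched from per-user scratch folders are a red flag on their own.
SCRATCH_DIR = re.compile(r"\\(Templates|Local Settings\\Temp|AppData\\Local\\Temp)\\[^\\]+\.exe$", re.I)
# Nine digits, a period, "Protected", two digits, .exe: the post's naming convention.
PROTECTED_NAME = re.compile(r"^\d{9}\.Protected\d{2}\.exe$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def triage(events):
    """Return (rule, detail) findings for the dropper behaviours described above."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"]
            name = image.rsplit("\\", 1)[-1]
            if SCRATCH_DIR.search(image):
                findings.append(("exe-from-scratch-dir", image))
            if PROTECTED_NAME.match(name):
                findings.append(("protected-naming-convention", name))
            cmd = ev.get("cmdline", "").lower()
            if name.lower() == "netsh.exe" and "firewall" in cmd and "add allowedprogram" in cmd:
                findings.append(("firewall-exception-added", ev["cmdline"]))
        elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
            # Persistence that points back into a scratch folder is the combination seen here.
            rule = "run-key-to-scratch-dir" if SCRATCH_DIR.search(ev["value"]) else "run-key-set"
            findings.append((rule, ev["value"]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(rule, "->", detail)
```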

If the names on the domain’s WHOIS record aren’t bogus, that poor person has horrible, mean parents. The address used in the domain registration is real, though; it’s an apartment building in the San Fernando Valley, north of Los Angeles, and its telephone number is also in the correct 818 area code for that location. Real WHOIS record information is not unusual; we see falsified WHOIS records, referencing real street addresses in the US, all the time. But there’s some interesting correlation between this physical location and some intriguing traffic that crossed the wires during testing.

During the course of the investigation, there were several bursts of communication between my infected testbed PC and a computer in the 67.49.29.x subnet.

Upon closer examination, it appears that, while I was examining the files left in the \Temp directory by the Trojan, the Trojan was transmitting images of my testbed’s desktop to that IP address, at first small 29kb thumbnails, then later, larger 58kb screenshots, at a rate of two frames per second.

The IP address geolocates back to the Adelphia cable ISP NOC in Chatsworth, California. That’s just a few miles from Panorama City, the location in the domain’s WHOIS record. Might be a coincidence, might not. Who knows?

So, what should Diablo III fans do if they meet a new friend in the game? Well, besides offering them lots of free loot and help gaining questing experience, carefully scrutinize the links people send you over IM; our perp’s MO is to lull the victim into a false sense of security. Don’t just blithely click anything someone you just met sent you. In at least one instance, the potential victim didn’t fall for this trick, and even called it out. The person who posted this chat log handled this perfectly. Anonymous gamer, I salute you.

Next, be aware that security warnings pop up in your browser for a reason. In order for this attack to have worked, victims had to intentionally bypass legitimate security warning dialogs to run the Java applet. Pay attention to those messages, people — more attention than you would pay to inane AI character dialogue when you complete a quest. Use Firefox with NoScript, please, and when in doubt, click Cancel, not Run.

Finally, know that attacks such as these are not mere cons, but they tear at the carefully maintained social fabric of this online community. When the inevitable parasites invade online worlds, those communities of players — and the game itself — can be driven to extinction. The level of mistrust this kind of activity sows among MMO worlds is destructive to social interaction in the game. Quest with strangers, but behave as you would if you just met a nice group of strangers while you were out clubbing for the evening. The victims found themselves virtually roofied. Don’t let the same thing happen to you.
