Microsoft Says Malware Plays Starcraft 2.

Posted: 13 Sep 2010

Starcraft 2 is gaining popularity not only for gamers but also for malware writers. We wrote about Starcraft almost two months ago when it was first released. Now, apparently, it is also being used as part of a social engineering technique by a downloader family called Harnig. Harnig is employed by many other types of prevalent threats (Bubnix, FakeSpypro, Koobface) to download their malware into computers. We’ve seen a Harnig sample that is using the new release of Starcraft 2: Wings of Liberty to get malware-infected counterfeit versions of the game into users’ computers. Included in the Microsoft Malicious Software Removal Tool (MSRT) since October 2006, Harnig is one of the most prevalent malware families. In August 2010 alone, more than 140,000 files were detected as Harnig.gen!P.

The sample that we analyzed (SHA1: b5e2085c4f7554f53a406431aaea942da73d8b9e) uses the Starcraft 2 icon as a bait, as you can see below, to trick the user to click on it.

Once it is executed, it drops two files. One named activa~1.exe arrives as an obfuscated file and is detected as TrojanDownloader:Win32/Harnig.gen!P. The other one is named sc2.exe and is an actual copy of the Starcraft 2 executable.

Once we get through the decryption routines we can easily see that it tries to download additional software from aebankonline.com and bedayton.com, which both point to the same IP address.

A quick look over the registration information for aebankonline.com shows that it was registered in January 2010, by a Chinese registrar (BIZCN.COM, INC.) and it is currently hosted in Russia by madnet.info. Two other domains (agrofee.com and afetroactive.com) resolve to the same IP address as aebankonline.com. Both of these are known to host malware.

Besides Harnig, a few other threats disguise themselves as Starcraft 2 components in order to get into users’ computers. One example is PWS:Win32/PWSteal.M (SHA1: a5fbdbb42488a3bab0687e4e3d7fe5e253c7a8c2). It doesn’t have the same icon as the original sc2.exe file, but nevertheless the idea is similar.

More -
Malware Plays Starcraft 2 - Microsoft Malware Protection Center - Site Home - TechNet Blogs

Posted By: JMH
13 Sep 2010

WiFi Ed

Posts : 240
Windows 7 Enterprise x64 SP1, Ubuntu 11.04 x64

New 13 Sep 2010 #1

Oh man....the Queen of Blades ain't gonna like this...
My Computer
- My Computer
System Manufacturer/Model Number: Dell E520
OS: Windows 7 Enterprise x64 SP1, Ubuntu 11.04 x64
CPU: Core2Quad Q6700 - 2.66 GHz
Motherboard: Whatever the heck Dell put in there...
Memory: 8 Gig Mushkin DDR2 800 MHz
Graphics Card: EVGA NVIDIA 9800GT - 512MB DDR3
Monitor(s) Displays: 2 x 19" ViewSonic LCD
Screen Resolution: 2560x1024
PSU: PCPower & Cooling Silencer 500 Watt
Hard Drives: 1 Intel X25-M 120G SSD, 1 300G VelociRaptor, 1 WD Caviar Black 1TB
Internet Speed: 15/2 Roadrunner Cable
Other Info: NOD32 AV - Malwarebytes
Quote
smarteyeball

Posts : 12,364
8 Pro x64

New 15 Sep 2010 #2

I saw the title and I thought that Malware was a new name for children...
My Computer
- My Computer
Computer Type: PC/Desktop
System Manufacturer/Model Number: Systems by SmartEyeball
OS: 8 Pro x64
CPU: i7 3770K 4.6GHz
Motherboard: ASUS P8Z77 WS
Memory: 16GB G.Skill Trident X 2666mhz
Graphics Card: x2 EVGA 780 Ti Superclocked SLI
Sound Card: SB X-FI Surround 5.1 PRO USB / ATH-AD900 Headphones
Monitor(s) Displays: x3 Dell U2410 / 58" Samsung
Screen Resolution: 5760*1200/ 1920*1200
Keyboard: Topre Realforce // Ducky Shine MX Black // Filco Ninja TKL
Mouse: Thermaltake Theron (Highly Recommended) + Razer Imperator
PSU: Silverstone Strider Evolution 1200W
Case: Thermaltake Level 10 GT Snow Edition
Cooling: Noctua NH-D14
Hard Drives: 2x Intel 520 240GB (RAID 0) * 2x WD Caviar Blacks 2TB (RAID 0) * 2TB WD Caviar Black * Sony Optirac DVD
Browser: IE, FF, WaterFox
Antivirus: MSE
Other Info: GT Extreme V2 Sim Racing Cockpit + 40" LCD and K/B Mouse stand ▼ Fanatec CSR Elite Wheel + Clubsport V1 Pedals + CSR shifter/7G-H ▼Saitek X52 Pro ▼ TrackIR 5 Pro Buttkicker v2 Seat Rumbler with Dedicated 5.1 and Sub Woofer attached to frame ▼ = Bloody Big Grin
Quote

Related Discussions