JMH
Banned
- Local time
- 3:31 PM
- Messages
- 6,448
More -Starcraft 2 is gaining popularity not only for gamers but also for malware writers. We wrote about Starcraft almost two months ago when it was first released. Now, apparently, it is also being used as part of a social engineering technique by a downloader family called Harnig. Harnig is employed by many other types of prevalent threats (Bubnix, FakeSpypro, Koobface) to download their malware into computers. We’ve seen a Harnig sample that is using the new release of Starcraft 2: Wings of Liberty to get malware-infected counterfeit versions of the game into users’ computers. Included in the Microsoft Malicious Software Removal Tool (MSRT) since October 2006, Harnig is one of the most prevalent malware families. In August 2010 alone, more than 140,000 files were detected as Harnig.gen!P.
The sample that we analyzed (SHA1: b5e2085c4f7554f53a406431aaea942da73d8b9e) uses the Starcraft 2 icon as a bait, as you can see below, to trick the user to click on it.
Once it is executed, it drops two files. One named activa~1.exe arrives as an obfuscated file and is detected as TrojanDownloader:Win32/Harnig.gen!P. The other one is named sc2.exe and is an actual copy of the Starcraft 2 executable.
Once we get through the decryption routines we can easily see that it tries to download additional software from aebankonline.com and bedayton.com, which both point to the same IP address.
A quick look over the registration information for aebankonline.com shows that it was registered in January 2010, by a Chinese registrar (BIZCN.COM, INC.) and it is currently hosted in Russia by madnet.info. Two other domains (agrofee.com and afetroactive.com) resolve to the same IP address as aebankonline.com. Both of these are known to host malware.
Besides Harnig, a few other threats disguise themselves as Starcraft 2 components in order to get into users’ computers. One example is PWS:Win32/PWSteal.M (SHA1: a5fbdbb42488a3bab0687e4e3d7fe5e253c7a8c2). It doesn’t have the same icon as the original sc2.exe file, but nevertheless the idea is similar.
Malware Plays Starcraft 2 - Microsoft Malware Protection Center - Site Home - TechNet Blogs
My Computer
- Computer Manufacturer/Model Number
- LAPTOP. HP Pavilion dv7-4010TX .
- OS
- Win 7 Ultimate 64-bit. SP1.
- CPU
- Intel i7 -720QM.[1.6GHz Turbo Boost 2.8GHz. 6MB Cache.]
- Memory
- 8 DDR 3 RAM. 1066MHZ
- Graphics Card(s)
- ATI 1024 MB. DDR3. Radeon HD5650
- Monitor(s) Displays
- 17.3" High Definition Brightview LCD. LED Backlit.
- Screen Resolution
- 1600 x 900.
- Hard Drives
- 640GB
- Case
- Laptop / notebook.
- Mouse
- Logitech Anywhere mouse. MX.
- Internet Speed
- ADSL [ but too slow ]
