Malware spreading via Steam chat

[Aerosol]

Today I was brought to the attention of a Tumblr post - apparently there's malware doing the rounds making use of Steam chat, (adding Steam friends and) spamming Steam users.

Example message:

Onyx is right, the link's indeed phishy and uses bit.ly (a URL shortener) to trick users into clicking it. Remember the worm that spread via Skype and Messenger last year? (reference here and here) This is a similar campaign.

Setup

Someone adds you on Steam, you accept and immediately a chat pops up as similar to above.

Alternatively someone from your friends list already got infected and is now sending the same message to all his/her friends.

The bit.ly link actually refers to a page on Google Drive, which immediately downloads a file called IMG_211102014_17274511.scr, which is in fact a Screensaver file - an executable.

The file is shared by someone named "qwrth gqhe". Looks legit.

Note that normally, the Google Drive Viewer application will be shown and this will allow you to download the .scr file. In this case, the string "&confirm=no_antivirus" is added to the link, which means the file will pop-up immediately asking what to do: Run or Save.

(and in some cases download automatically)

At time of writing, the file is actually still being hosted by Google Drive. I have reported it however.

Afterwards, you're presented with the screensaver file which has the following icon:

Opening the file will result in installing malware on your system, which will steal your Steam credentials.

Technical details:

IMG_211102014_17274511.scr

Meta-data

=======================================================================

File: IMG_211102014_17274511.scr

Size: 1031168 bytes

Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly

MD5: 138ec432db0dd6b1f52f66cc534303db

SHA1: 7d0575a883fed7a460b49821c7d81897ae515d43

ssdeep: 12288:HX24H8aUg/YGX5mYL/s8n2XtK8XXSTbVqbUFp6F7PdpECZ9dVIN:3n8DgQSpk8n2d9STgQFpO7VykbVIN

Date: 0x5460FA18 [Mon Nov 10 17:47:04 2014 UTC]

EP: 0x4bb1fa .text 0/3

CRC: Claimed: 0xfdcdb, Actual: 0xfdcdb

VirusTotal: link

Resource entries

=======================================================================

Name RVA Size Lang Sublang Type

--------------------------------------------------------------------------------

RT_ICON 0xbe0e8 0x42028 LANG_NEUTRAL SUBLANG_NEUTRAL data

RT_GROUP_ICON 0x100110 0x14 LANG_NEUTRAL SUBLANG_NEUTRAL MS Windows icon resource - 1 icon

RT_VERSION 0x100124 0x44c LANG_NEUTRAL SUBLANG_NEUTRAL data

Sections

=======================================================================

Name VirtAddr VirtSize RawSize Entropy

--------------------------------------------------------------------------------

.text 0x2000 0xb9200 0xb9200 7.978522 [sUSPICIOUS]

.reloc 0xbc000 0xc 0x200 0.101910 [sUSPICIOUS]

.rsrc 0xbe000 0x42570 0x42600 6.429023

Version info

=======================================================================

Translation: 0x0000 0x04b0

LegalCopyright: \xa9 Microsoft Corporation. All rights reserved.

Assembly Version: 6.0.6000.16384

InternalName: wrrrrrrrrrrrr.exe

FileVersion: 6.0.6000.16384

CompanyName: Windows ® Codename Longhorn DDK provider

Comments: Office Licensing Admin Access Provider

ProductName: Windows ® Codename Longhorn DDK driver

ProductVersion: 6.0.6000.16384

FileDescription: LICLUA.exe

OriginalFilename: wrrrrrrrrrrrr.exe

Connects to:

185.36.100.181

Downloads and executes:

temp.exe

Meta-data

=======================================================================

File: temp.exe

Size: 4525568 bytes

Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly

MD5: d0f8b90c85e5bedb691fca5c571a6794

SHA1: cd9b3bf5c8d70e833b5c580c9b2fc1f3e5e4341e

ssdeep: 98304:seRaRLOvFLHpNeV/riwz58R42is6e3RXjOWDucCnp1DA9sv7o2s2kbsUOEGx4VKm:zRaidjjqPdDsDbsU0akJyxL405+fiX

Date: 0x5460F588 [Mon Nov 10 17:27:36 2014 UTC]

EP: 0x8522b6 .text 0/3

CRC: Claimed: 0x0, Actual: 0x4564dd [sUSPICIOUS]

VirusTotal: link[/ul]

Resource entries

=======================================================================

Name RVA Size Lang Sublang Type

--------------------------------------------------------------------------------

RT_VERSION 0x4540a0 0x234 LANG_NEUTRAL SUBLANG_NEUTRAL data

RT_MANIFEST 0x4542d4 0x1ea LANG_NEUTRAL SUBLANG_NEUTRAL XML document text

Sections

=======================================================================

Name VirtAddr VirtSize RawSize Entropy

--------------------------------------------------------------------------------

.text 0x2000 0x450384 0x450400 6.884893

.rsrc 0x454000 0x4c0 0x600 3.689538

.reloc 0x456000 0xc 0x200 0.101910 [sUSPICIOUS]

Version info

=======================================================================

Translation: 0x0000 0x04b0

LegalCopyright:

Assembly Version: 1.0.0.0

InternalName: vv.exe

FileVersion: 1.0.0.0

ProductVersion: 1.0.0.0

FileDescription:

OriginalFilename: vv.exe

Remediation

What if you clicked the link and executed the file? Follow these steps:

• Exit Steam immediately
  
• Open up Task Manager and find a process called temp.exe, wrrrrrrrrrrrr.exe, vv.exe or a process with a random name, for example 340943.exe
  
• Launch a scan with your installed antivirus
  
• Launch a scan with another, online antivirus
  
• When the malware has been disinfected or deleted, change your Steam password - if you use the same password for other sites, change those as well
  
• Verify none of your Steam items are missing
  
• 
  

Prevention

• Be wary when someone new adds you on Steam and immediately starts sending links
  
• In fact, don't click on links someone unknown sends to you
  
• If you did, don't open or execute anything else - just close the webpage (if any) or cancel the download
  
• By default, file extensions are not shown. Enable 'Show file extensions' to see the real file type.
  
• Read how to do that here
  
• Add the IP 185.36.100.181 to your host file or block it in your firewall. In the host file, add:
  
• 127.0.0.1 185.36.100.181
  
• Follow the tips by Steam itself to further protect your account:
  
• Account Security Recommendations
  

Conclusion

• Never click on unknown links, especially when a URL shortener service like bit.ly is used. (others are for example t.co, goog.gl, tinyurl, etc.)
  
• Don't be fooled by known icons or "legit" file descriptions, this can easily be altered.
  
• 
  
• Even if you clicked the link and you're not suspicious, you should be when a file is downloaded and it's (in this case) a screensaver file.
  
• 
  
• For checking what is really behind a short URL, you can use:
  
• http://getlinkinfo.com/
  
• 
  
• For checking whether a file is malicious or not:
  
• https://www.virustotal.com/
  
• 
  
• Follow the prevention tips above to stay safe.
  

Source

Edited November 19, 2014 by Aerosol

[tuxiqul]

Vreau si eu softu care trimite automat mesaje pe steam