MITB Ramnit Malware – New Version Now Attacking Steam Users

Now Trusteer, which last week announced that it is to be acquired by IBM, has discovered a new variant of the Ramnit malware using MITB techniques to target users of Steam. No longer are financial institutions the sole target for MITB, says Etay Maor, fraud prevention manager at Trusteer: “Dating, eCommerce, hospitality and travel sites are also being attacked – as is the gaming industry... Trusteer’s security team recently identified a new configuration of the Ramnit malware that uses HTML injection to target Steam, which is the largest digital distribution platform for online gaming.”

The Steam games platform, he explains, has more than 50% of the market, with more than 2000 game titles and 54 million active users – and is an attractive target for cyber criminals. “Phishing attacks and credential stealing malware have been targeting Steam users for several years now,” he explains. “However, Ramnit uses much more advanced techniques to collect data as well as evade detection.”

Trusteer will be posting details on its site on Wednesday this week, but a draft version seen by Infosecurity explains how the new malware variant seeks to circumvent Steam’s security. The Steam platform login system encrypts the user’s password with the server’s public key. “To overcome this client side encryption,” explains Maor, “Ramnit injects a request for the password which allows it to capture the data in plain text.” The captured data is then sent to the attacker.

A second layer of security often used by servers is to examine the received logon details and look for anything strange that might indicate an injected attack. “To avoid detection,” he adds, “Ramnit simply makes sure the server never sees the injection. To do so, prior to the form being sent to the website, Ramnit removes the injected element.”
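As an added illustration of the detection gap just described (example code written for this page, not Trusteer's or Steam's; the login field names are assumed), a client-side form-integrity monitor that keeps a history of the fields seen in the login form, so an element that is injected and then removed before submission still leaves a trace that a submit-time check alone would miss:

```javascript
// Added example, not Trusteer's or Steam's code. Field names are assumed.
const EXPECTED_LOGIN_FIELDS = ["username", "password", "remember_login"];

// Compare one observed set of field names with the expected set.
// Returns names that should not be there and names that have gone missing.
function diffFields(observed, expected = EXPECTED_LOGIN_FIELDS) {
  const seen = new Set(observed);
  const want = new Set(expected);
  return {
    injected: observed.filter((n) => !want.has(n)),
    missing: expected.filter((n) => !seen.has(n)),
  };
}

// Keeps every anomaly seen during the page's lifetime, so an element that is
// injected and later removed still leaves a trace.
class FormIntegrityMonitor {
  constructor(expected = EXPECTED_LOGIN_FIELDS) {
    this.expected = expected;
    this.anomalies = [];
  }
  observe(fieldNames) {
    const d = diffFields(fieldNames, this.expected);
    if (d.injected.length || d.missing.length) this.anomalies.push(d);
    return d;
  }
  everInjected() {
    return [...new Set(this.anomalies.flatMap((a) => a.injected))];
  }
}

// Browser wiring (not exercised in Node): re-check on every DOM mutation and on submit.
function attachToForm(form, monitor) {
  const names = () => Array.from(form.elements).filter((e) => e.name).map((e) => e.name);
  new MutationObserver(() => monitor.observe(names()))
    .observe(form, { childList: true, subtree: true, attributes: true });
  form.addEventListener("submit", () => monitor.observe(names()));
}

// Constructed timeline of what the article describes: a field is injected, then
// removed before submission. Compare a submit-only check with the monitor's history.
function simulateInjectThenRemove() {
  const clean = [...EXPECTED_LOGIN_FIELDS];
  const tampered = [...clean, "password_plain"]; // hypothetical injected field
  const monitor = new FormIntegrityMonitor();
  monitor.observe(clean);    // page load
  monitor.observe(tampered); // after injection (MutationObserver callback)
  monitor.observe(clean);    // injected element removed just before submit
  return { submitOnlyInjected: diffFields(clean).injected, monitorInjected: monitor.everInjected() };
}
```

A script running in the same browser as the malware can itself be tampered with, so its reports are telemetry to correlate with server-side checks rather than a control on their own.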

Maor also explains why the attacker uses the injected form approach rather than simply installing a keylogger and capturing everything. “The answer is simple,” he says; “by using form grabbing the cybercriminal can easily index the collected data. When a keylogger is used, there is no indication of which characters are the username, which are the password and which ones are just irrelevant keystrokes – instead someone needs to manually separate the wheat from the chaff.” However, with a keylogger, Ramnit “can also capture all the data and then if you want credit cards, all it takes is writing a simple script that extracts any 16-digit interval,” Maor told Infosecurity.

Chris Boyd, an expert in consumer security and a senior threat researcher for ThreatTrack Security, told Infosecurity why the games market is so attractive to the attackers. “The games industry is rich pickings for scammers,” he said, “with the lure of costly digital downloads and additional content for ‘free’ being too good to resist. If they're not going after the games developers themselves along with the vast amount of data stored in their servers, they're targeting the players with fake games, cracks and bonus content which often dovetails into social media exploits.” And now, according to Trusteer, sophisticated MITB techniques.

Boyd has today published details of a separate but more typical games attack. “We recently found a site offering up the hugely popular Surgeon Simulator 2013 for free,” he told Infosecurity, “yet after installing numerous pieces of ad supported content the ‘game’ is revealed to be an old, outdated promo designed to get the title on sale in the first place.”