1
  1. Этот сайт использует файлы cookie. Продолжая пользоваться данным сайтом, Вы соглашаетесь на использование нами Ваших файлов cookie. Узнать больше.
Приветствуем вас,Гость, на форуме IFUD.WS. Обязательно рекомендуется к прочтению правила форума http://ifud.ws/threads/obnovleno-pravila-foruma.7759

SteamStealer - A look into the source code

Тема в разделе "Наши статьи", создана пользователем cristodulo, 9 апр 2015.

  1. TopicStarter Overlay
    cristodulo

    cristodulo

    Регистрация:
    19 мар 2015
    Сообщения:
    17
    Симпатии:
    14
    I've been wanting to take a little bit of a look at the recent SteamStealer malware going around throughout November and December. There's a few different types, mainly being .src executables that once executed connect to a designated domain and drop more stuff. The other more recent type uses a custom crypter with a library containing a RunPE function to inevitably load SteamStealer into the process. In any case, I won't be doing any "on the surface" analysis/removal tips, as it's been nicely done by blogs such as this. I'll instead be taking a look at the source code for a few of these .src files, and talking a bit about them as well.

    So first off, the big thing regarding a lot of these recent .src files is they are obfuscated with Confuser, or its successor known as ConfuserEx. Confuser is a pretty popular free obfuscator mainly because it's one that isn't completely easy to reverse. It's still reversible, just not as easy as many other free obfuscators out there. You can do it with WinDbg which is absolutely gruesome and not really recommended for .NET deobfuscation, as anything really past methods is difficult and time consuming. Alternatively, you can use the wonderful internet world we have to get any slew of tools to decrypt methods, delegate killer, dump, and string decrypt.

    Let's first take a look at what the thumbnails for the samples look like:
    [​IMG]
    As we can see, the thumbnails appear as a Steam inventory with various items.

    Back to obfuscation, if we try to take one of our .src samples obfuscated with Confuser into IDA, here's what we get:
    [​IMG]
    After deobfuscation however, we can successfully take a somewhat broken look at the source code. Near the top of the code you can generally find the following (and hilarious) format:
    Code:
    All of the Steam ID's extracted from various source code samples are all 8 or 9 (mostly 9) digit ID's, implying they're new and not old accounts by any means. With this said, these accounts were of course created for the sole purpose of spamming trades with this malware, and most likely selling valuable items for real money. I wouldn't be surprised if they were purchased or stolen ID's.

    Code:
    Above is an example of one of the many domains used in the malware (purged). You can see it would join the Steam group "csgolounge" and then message users "how much is this karambit knife?" with a link to the malware. This is how it mainly propagated, by joining various Steam trade groups and spamming anyone with public inventories. Mainly "csgolounge" and "dota2lounge" as those were the main games used for the malware.

    Domains used from what I've seen are: prntsrc-online, screen4free, hostingscreen, screenshotyou, etc.

    If we do a lookup on any one of those:
    Administered by a Xuila Pitrov Vasielvis, from Russia once again, from the organization "ScreenPictures". It's the domain name backwards, hilarious. It's registered/administered by/to the email jesus7298(at)mail.ru. Once again, an interesting choice for an email.

    If we now go ahead and look up this email, we can see:
    Code:
    See the pattern? Lots of malicious domains hosted and administered by Russians.

    So right away after deobfuscation you can find the Steam ID of the account the items are ultimately being sent to for collection, and information regarding the domain housing the malware. Of course after we find a Steam ID, we can look that up and find the profile on Steam Community. I won't be posting the Steam ID's publicly even though these accounts were used for malicious purposes, because I'm just here to analyze and that's it. You can probably dig up the profiles if you care enough to report them.
    [​IMG]Right, so we can see that this account is level 1 (new), the only game it has played is Dota 2, and it has joined the Dota 2 group so it can spam the malware. We can see this person was nice enough to leave their Skype, name (possibly fake in some cases), etc. I have blanked it out as I noted I will. Let's take a look at another account:
    [​IMG]

    This account is a bit more active, with 5.9 hours played of Dota 2 in the last two weeks. It's also level 2 as opposed to the previous account which was only level 1. This account is also in two of the usual spam groups, rather than one. With all of the above said, the above account was likely actively spamming successfully more than the first. Either that, or it was just used for spamming with the malware in general rather than prepared to be used for spamming.

    You can see the "view more info" button, which hilariously the user left most if not all of their online credentials and places to find them. One of the links was to a Russian hack forum in which they hosted a thread offering various "services".

    We can see some of the items the malware looked to steal:
    Code:
    The first few are Dota 2 tiers for the rarity quality for an item, and then we branch off to keys, unusual hats, hats in general, etc, and eventually ending up with Counter Strike items. Considering for example that unusual hats depending on the type, effect, etc can go upwards of several hundred dollars, this is a pretty annoying malware for people that aren't aware of it.

    Overall however it's not a very impressive piece of malware by any means, just looks like script stuff. However I don't think it was meant to/supposed to be. It has obviously satisfied its original and intended goal, which was to steal items. A lot of people have had their items stolen, simply because a lot of people aren't aware as I noted above. Although I said I wouldn't go into removal, to avoid this malware other than just understanding how it works

    Source Please login or register to view links
     
    • Like Like x 2
    Метки:
  2. Sp3CeE

    Sp3CeE

    Регистрация:
    7 янв 2015
    Сообщения:
    138
    Симпатии:
    37
    Поч на англиском?Перевести не смог? :D
     
    • Like Like x 2
    • Dislike Dislike x 1
  3. carartem02

    carartem02

    Регистрация:
    6 фев 2013
    Сообщения:
    280
    Симпатии:
    108
    Лень просто было, копипаст всегда легче
     
    • Dislike Dislike x 1
  4. BoberMod

    BoberMod Временно недоступен

    Регистрация:
    11 окт 2013
    Сообщения:
    571
    Симпатии:
    539
    Потому что он иностранец, не?
    Думайте, прежде чем писать!
     
  5. Sp3CeE

    Sp3CeE

    Регистрация:
    7 янв 2015
    Сообщения:
    138
    Симпатии:
    37
    Бл..А ведь да ;c,но зачем дизлайк то ;cc,я не думал,что ты такой нехороший...
    Я думал он скопировал откуда-то,а переводить было лень :)
     
  6. carartem02

    carartem02

    Регистрация:
    6 фев 2013
    Сообщения:
    280
    Симпатии:
    108
    Да ну... Я тоже так думал, но глянул профиль и решил то что русский
    [​IMG]
     
  7. BoberMod

    BoberMod Временно недоступен

    Регистрация:
    11 окт 2013
    Сообщения:
    571
    Симпатии:
    539
    лол, а не подумал, что это переводчик?
    [​IMG]
    [​IMG]
     
  8. carartem02

    carartem02

    Регистрация:
    6 фев 2013
    Сообщения:
    280
    Симпатии:
    108
    Мажет у ниго с рузким все плохо? И вон раньше через переводчик писал и хоть как-то...
     
  9. TopicStarter Overlay
    cristodulo

    cristodulo

    Регистрация:
    19 мар 2015
    Сообщения:
    17
    Симпатии:
    14
    Я не знаю, по-русски, я думаю, что вы заметили. Но эта уязвимость супер трудно, даже если Скопируйте и вставьте. Я скопировал его, потому что это казалось хорошим, чтобы разделить. Также не я не берут на себя авторские права положить источник
     
  10. carartem02

    carartem02

    Регистрация:
    6 фев 2013
    Сообщения:
    280
    Симпатии:
    108
    Where (what) you from?
     
  11. TopicStarter Overlay
    cristodulo

    cristodulo

    Регистрация:
    19 мар 2015
    Сообщения:
    17
    Симпатии:
    14

Поделиться этой страницей

Загрузка...