
Ramnit Malware Now Targeting Steam Users

Source: Trusteer

This seems to be a different attack than what's plaguing Konami, Ubisoft and other game-related services.

PC and console gamers alike appear to be the target in an ongoing hacking spree spanning websites owned by Konami, Ubisoft, Crytek and a number of others. These are direct hacks into the website databases to acquire player information like passwords, email addresses and even credit card information. This latest attack on Steam gamers takes a different approach.

Security firm Trusteer, which was just acquired by IBM last week, said it has discovered a new configuration of the Windows-based Ramnit Man-in-the-Browser (MitB) malware that uses HTML injection to target the Steam Community website. This is the same worm that stole more than 45,000 Facebook login credentials back in January 2012.


"Win32/Ramnit is a family of malware that steals your sensitive information, such as your bank user names and passwords," stated Microsoft's Malware Protection Center back in 2010. "They can also give a hacker access and control of your computer and stop your security software from running. The malware arrives on your computer via an infected removable drive."

This is why the Steam attack falls outside the current game site hacking spree: it infects individual users rather than breaking into an entire database. Trusteer reports that once a user is infected and tries to log into Steam through a web browser, Ramnit injects an extra password field, pwd2, into the login form, which lets it capture the password in plain text. Normally the username/password data is encrypted in the browser with the site's public key before it is sent.

"While this simple technique is good for overcoming the client side encryption, it also raises an issue – Steam’s server is not expecting to receive this new element (pwd2) when the form is submitted," writes Etay Maor.

Maor points out that many server-side security solutions detect MitB malware by looking for forms with injected elements. As an example, when the user fills out an online login form and the data is sent to the website, the security solution scans for unknown elements that could indicate HTML injection malware. Thus if the login information is received and includes an additional credit card number that wasn't part of the login request, then the site will know that this specific user is infected and will lock the individual out.

But Maor reports that Ramnit avoids server-side detection by removing the injected element before the form is sent back to the website. Maor explains that by using form grabbing, the cybercriminal can easily index the collected data. Ramnit also has a key-logging ability, but this results in a batch of characters that doesn't distinguish between username, password and keystroke junk.
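The server-side check Maor describes, and the reason the pwd2 trick slips past it, as an added Python example that is not from the article or from Trusteer; the login form field names are assumed for illustration and are not Steam's real ones:

```python
# Server-side allowlist check for unexpected login form fields, modelled on the
# detection approach described in the article. The expected field names below
# (username, password, rsatimestamp) are an assumption for illustration only.
from urllib.parse import parse_qs

EXPECTED_LOGIN_FIELDS = frozenset({"username", "password", "rsatimestamp"})


def unexpected_fields(body, expected=EXPECTED_LOGIN_FIELDS):
    """Return the set of submitted field names that are not on the allowlist."""
    submitted = parse_qs(body, keep_blank_values=True)
    return set(submitted) - expected


def classify_submission(body):
    """Label a form POST body as 'suspicious' (extra fields present) or 'clean'."""
    extra = unexpected_fields(body)
    if extra:
        return "suspicious", sorted(extra)
    return "clean", []


# Constructed sample POST bodies (not real captured traffic).
SAMPLES = {
    # Legitimate client: the password is already RSA-encrypted in the browser.
    "legit": "username=alice&password=CIPHERTEXT&rsatimestamp=1234",
    # Naive injection left in the form: the server sees the injected pwd2 field.
    "naive_inject": "username=alice&password=CIPHERTEXT&rsatimestamp=1234&pwd2=secret",
    # Ramnit-style: pwd2 was read by the malware and removed before submit, so
    # the server receives exactly the expected field set and the check passes.
    "stripped": "username=alice&password=CIPHERTEXT&rsatimestamp=1234",
}


def run_samples():
    """Map each sample name to the verdict the allowlist check produces."""
    return {name: classify_submission(body)[0] for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:13s} -> {verdict}")
```

The "stripped" sample is indistinguishable from the legitimate one on the server, which is why the article's commenters end up looking to client-side detection instead.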

Given that this Steam-focused attack relies on infecting individual machines rather than Steam's servers, customers may want to keep their client-side security software up to date. As always, don't open emails from strangers or take their candy: you never know what's inside. Even more, don't store credit card information on Steam: simply enter the number each time you make a purchase. That way, hackers aren't making $10K purchases and gifting the codes if they do happen to break into Steam.

  • 8
    Pailin, August 22, 2013 12:57 PM
    Pretty Please Tom's - Kill these spammers already ^

  • -1
    Trialsking, August 22, 2013 1:08 PM
    I hope that single mom who makes $5987968 a week gets her Steam accounts hacked!
  • 2
    aramisathei, August 22, 2013 8:52 PM
    "Even more, don't store credit card information on Steam: simply enter the number each time you make a purchase." Unless you're using a virtual keyboard, this is actually less secure since the exploit they're talking about is also a keylogger.
  • 0
    ojas, August 23, 2013 5:36 AM
    @arami: depends, a keylogger will also have extra junk keystrokes, plus the expiry date and other info isn't entered via the keyboard.

    Local virtual keyboards might be vulnerable to screenshot-based attacks, or even keyloggers if they're using STDIN as well.
  • 0
    ubercake, August 23, 2013 5:44 AM
    The guys at Steam could write some code identifying when the user's browser is attempting to pass the pwd2 form field (or any other unexpected form field/value pairs) when logging into Steam. This would help the users identify whether or not they have this malware running on their machine.
  • 0
    ubercake, August 23, 2013 5:53 AM
    Quote:
    I hope that single mom who makes $5987968 a week gets her Steam accounts hacked!

    :lol:

    Me too!
  • 0
    rylt, August 23, 2013 9:10 AM
    @ubercake

    "But Maor reports that Ramnit avoids server-side detection by removing the injected element before the form is sent back to the website."

    from the article.
  • 0
    ubercake, August 23, 2013 9:18 AM
    Quote:
    @ubercake

    "But Maor reports that Ramnit avoids server-side detection by removing the injected element before the form is sent back to the website."

    from the article.

    Ah. Missed that. Hopefully we'll see some updates to detect this on the client side.