Win32/PSW.OnlineGames.OUM is a malware that aims to steal credentials for online games. It targets popular titles such as World of Warcraft, Star Wars Galaxy, Lineage 2 or Guild Wars. Active since 2006, it is amongst the most detected threats by ESET, taking the 7th position between January and April 2011. In our previous blog post, we looked at the update process of this malware. Today we examine how it steals credentials from online games.
To get access to the data, Win32/PSW.OnlineGames.OUM injects a DLL in all processes on the system. It achieves this by using SetWindowsHookEx, which allows a function to be called every time a specific type of event occurs. The point of interest is that Windows will load the DLL module containing the hook function if it is not already loaded in the process, thereby making DLL injection possible. The MSDN documentation actually states this as a remark to the SetWindowsHookEx function.
SetWindowsHookEx can be used to inject a DLL into another process. A 32-bit DLL cannot be injected into a 64-bit process, and a 64-bit DLL cannot be injected into a 32-bit process. If an application requires the use of hooks in other processes, it is required that a 32-bit application call SetWindowsHookEx to inject a 32-bit DLL into 32-bit processes, and a 64-bit application call SetWindowsHookEx to inject a 64-bit DLL into 64-bit processes. The 32-bit and 64-bit DLLs must have different names
By using the value 0 as threadId, all threads are subject to the hook. The hook type is WH_CALLWNDPROC that hooks all window messages. The hook function does not do anything, Win32/PSW.OnlineGames.OUM only relies on having the DllMain function called when the DLL is loaded.
Once the DLL is loaded, Win32/PSW.OnlineGames.OUM checks the name of the process in which it was injected, looking for one of the target game’s process name. Each block of the graph in the following screenshot corresponds to a check for a specific game executable.
This next screenshot shows one of those checks, in this case for the game Dekaron.
When Win32/PSW.OnlineGames.OUM finds itself inside an interesting game process, it proceeds to hook the network functions used by that game. This following disassembly corresponds to the code of the WSASend function. We can see a jump to code located in the nodqq0 module, which is the name the malicious DLL.
Every time this function is called, the malware checks if it corresponds to an authentication request. In the next screenshot, we see that the socket’s destination address is compared to the IP address of an authentication server for the game.
Whenever an authentication request is found, Win32/PSW.OnlineGames.OUM extracts the credentials and sends them to a server under the control of the gang operating this malware. The following screenshot shows the URL used to transmit the credentials (the u and p fields of the URL would normally contain the username and password of the account).
Hooks are also placed in Internet Explorer processes to intercept credentials when a user logs in to specific game’s web portals.
The theft of online games accounts can be lucrative as most games targeted by Win32/PSW.OnlineGames.OUM have a form of virtual currency, which can be used to buy game items. A popular business model for MMORPG (Massively Multiplayer Online Role Playing Game) is to make the game available for free but effectively requires the player to buy game credits in order to be able to progress in the game. The following image shows items that can be bought for the game Dekaron; the exchange rate is 1$ per thousand game credits.
Accounts themselves also have value, especially those with a monthly subscription fee. Numerous sites exist where they can be bought, sometimes for substantial amounts of money. Some underground forums are also selling amongst other things stolen game accounts. In the following screenshot, an account for the game Heroes of Newerth is offered for 8$, which is a good amount of money considering that credit card numbers are sold for as low as 2$.
This concludes our two-part blogs on Win32/PSW.OnlineGames.OUM. As we have seen, this threat uses a custom layer of encryption to hide its updates over the network. It also uses function hooking to intercept and steal game credentials. As always, if you have comments or would like additional information feel free to contact us.
Author Sébastien Duquette, We Live Security