Trojan Author Includes Integrated Chat, Challenges Security Researchers Digging Through His Code

from the paying-attention dept

Here's a fascinating story, found via Boing Boing, of some malware (a password-stealing trojan targeting Diablo III players) that included some sort of integrated chat function, which the researchers at AVG only noticed when the hacker reached out to them while they were searching through his code. Imagine their surprise when up popped a dialog box asking them what they were doing:
> Hacker: What are you doing? Why are you researching my Trojan?
>
> Hacker: What do you want from it?

The AVG folks continued to chat with the guy for a little while, which is how they realized just how powerful the trojan was and how much it could do. The guy controlling it then demonstrated this to them by remotely shutting down their machine.


Reader Comments

  1.  
    PopeyeLePoteaux, Jun 27th, 2012 @ 1:09am

    Wow...just wow...

    Thank Tyrael I never NEVER NEVER open any link sent to me by strangers.

    I play Diablo 3 and this news is quite disturbing but useful at the same time, even when I receive a link from my closest friends regarding Diablo 3 or any other game that requires a password to play, I ALWAYS text my friends to confirm if one of them sent me a link otherwise I ignore it completely.

    Thanks for the news, keep up the good work here at TechDirt.

     

  2.  
    surfer, Jun 27th, 2012 @ 1:10am

    Innovation at its finest.

    and the MAFIAA thinks they can affect the internetz with legislation, lulz.

    they are slightly outnumbered..

     

  3.  
    Alana, Jun 27th, 2012 @ 1:11am

    Do you SEE that trojan over there? Let us cleanse it from this land!

     

  4.  
    Anonymous Coward, Jun 27th, 2012 @ 1:15am

    Trojan? Wait, isn't that a horse there?

     

  5.  
    Anonymous Coward, Jun 27th, 2012 @ 1:15am

    I've wondered many times why the antivirus companies don't just hire virus writers who've written especially clever viruses/trojans etc... And many times I've come to the same conclusion. It would be bad for business. They thrive on fear, and the fact that clever, smart kids constantly outfox them. They never seem to fully secure any computers, there's always the risk of being infected even if for only a few days as the antivirus companies catch up to the virus writers.

    This whole back and forth is what keeps people paying their yearly antivirus bill. I've thought for many years that the AV companies more than likely release their own viruses into the wild just so they can claim to be the first to say they can protect you from it. Would not surprise me at all. Kind of like the stories Mike posts here about the FBI creating their own terror plots just so they can say they foiled the plot.

     

  6.  
    PopeyeLePoteaux, Jun 27th, 2012 @ 1:16am

    Re:

    LOL @ Enchantress quote.

     

  7.  
    surfer, Jun 27th, 2012 @ 1:30am

    Re:

    if you do some research you will find that Microsoft started this practice back in the '80s, build incomplete or vulnerable code, like, cut you then sell you a band-aid.

     

  8.  
    Anonymous Coward, Jun 27th, 2012 @ 1:33am

    Re:

    ???

    Antivirus companies actually hire a lot of hackers and so do other tech companies, which is a waste of time, the reason being that those hackers are very specialized on one area or another they don't know the ins and outs of every system because there is nobody on earth capable of knowing them all, this is why problems happen all the time and keep popping up, no matter how big a company is, humanity is bigger and has more eyeballs looking at the code than any company does or even government can.

    A thousand researchers can patch and make a system strong in a thousand points they all know very well, but a million hackers will find a million flaws in that system.

    It is not a question that the companies hire dumb people, it is that they can't hire every capable person who can do something.

    Security in IT is like putting a door in a house without walls and trying to secure that door hoping nobody notices that there are no walls.

    Some programs have millions of lines of code, use thousands of libraries and interact in unexpected ways with thousands of other programs, there is not a chance in hell that a human being will be able to chart all the possibilities, I doubt a group of people can do it and I base that on our own failure to predict the weather, there are too many unknowns and variables for anybody to be able to make sense of it all at this point in time.

     

  9.  
    The eejit, Jun 27th, 2012 @ 1:44am

    Re: Re:

    I would argue that it's much closer to an actual ecosystem than most people think. Consider the above: there's no doubt that there will be an evolution in detection now. However, if the hacker then changes the code to remove the vulnerability in detection, then it can go undetected again.

    This is, in some ways, remarkably similar to the HIV's chameleonic qualities.

     

  10.  
    Anonymous Coward, Jun 27th, 2012 @ 2:29am

    Re: Re: Re:

    Exactly, it evolves, systems evolve trying to adapt to new parameters and they behave in unexpected ways, with unknowns the unpredictability is real and maybe somebody comes along and throws in a mathematical proof of why there will never be a secure system in the world.

    The thing is, I am starting to have an issue with statements like "why don't they hire more smarter people?", the reason is simple there are no smarter people to hire, there is not an infinite resource to hire anyone who has ever found a problem and most people who find those problems are one off, they probably never find another bug in their lives after they discovered that big one, that one time. The same goes for politics the problem is not the people they are not dumb, they are smart people in their own single interests what they are not is smart in all fields.

    This is why we need mechanisms to allow "evolution" to happen, no amount of "smart" people will fix an issue that is not about how smart you are, but how smart the system is, how flexible it is and how friendly to change it is.

    Monopolies are the dumbest thing ever, but somehow very smart people believe IP is a good thing although it undermines the mechanism by which "evolution" of the system occurs, in that same vein stating "why they don't hire smarter people" shows that people are looking at the wrong issue, there is nobody smarter to hire, one smart guy about one subject will be dumb on the next subject just like a programmer can't do surgery or do astrophysics, or know about chemistry. Anybody ever tried to build a computer from scratch? It is hard, it is not that easy, there are literally billions of components in each computer today, granted they are small but those are billions of components, with thousands of connections trying to run million line code operating systems that control video, audio, electrical buses, interruptions, execution stacks, memory, network equipment, connections, heck just in the video stack people found an infinite source of PhD dissertations, the same occurs to the other areas of computing, so I can't understand why people keep saying that "it is just a matter of hiring the hackers" when it is not, smart people are not the problem, the system cannot ever be secured, not because it is flawed, but because unpredictability can never be removed from that system ever we don't have that capability and probably never will have unless we become gods, which I doubt will happen in my lifetime, so saying "just hire the hacker" shows that people don't understand even the basics of the problem, the problem is there are more people hacking the programs than there are people working to fix them, to change that you need an open platform, so people building the system become more numerous than the number of people trying to destroy it, so the number of bad hackers is outnumbered by the number of good hackers and we keep moving forward (evolving).

    Also I see a threat to the "evolving" part in IP law which is a tool to exclude others from some field, which undermines the openness needed to create the right environment where good things happen more often than the bad things.

     

  11.  
    Mr. Applegate, Jun 27th, 2012 @ 2:35am

    Re: Wow...just wow...

    Um... The link wasn't in an email it was in a forum post for a 'how to'... "-- it had been originally posted to a Diablo III forum, masquerading as a how-to video --"

    Do you ever click on a link on the internet? If not how do you get here?? If so you ARE at risk!!! In fact if your computer is connected to another computer it is at risk.

     

  12.  
    Mr. Applegate, Jun 27th, 2012 @ 2:35am

    Re:

    I haven't PAID for an anti-virus solution for a home computer for, well NEVER! I do at work, but not so much for the anti-virus, but for the central control and management of application access and firewall.

     

  13.  
    explicit coward, Jun 27th, 2012 @ 2:54am

    Is this the next bubble crushing economy in the future?

    Well, this is what happens when you artificially create monetary value: Someone will try to profit from it by illegitimate means.

    Diablo III differs on one essential point from its predecessors: It has no single-player-mode worth to be called such. Sure, you can play it alone, but you are forced to be always online, as the game has a client-server structure, where the client is on your machine and the server on ActiBlizz's own BattleNet-Servers.

    Apart from being a quite effective DRM-measure (so far) it has been done to ensure a hack- and cheatfree environment - an essential requirement if you want to enable players to trade ingame-items for real money (while getting a share of the profit).

    The trading of ingame-items for real money is nothing new, it has been done for years now over ebay and the likes. But this is the first time that the company developing the game also creates a trading-environment, effectively legitimizing and encouraging such trade. Suddenly gold- and item-farming aren't a shady business anymore but in time could become respectable professions. At the same time the value of these ingame-items becomes more tangible - or at least it feels more tangible, because its value is supported and endorsed by the company responsible for its "creation".

    While I support the creation of new business opportunities I am troubled by the fact that ingame-items are becoming more and more a "respectable good", especially when these items ain't nothing but the product of a programmed chance-algorithm. The client-server-structure may hold hackers and cheaters off for now, but the more data they gather from the communication between client and server, the more likely they will find ways to deceive the system. It also makes the hijacking of another's account (like with the trojan mentioned in this article) more valuable.

    I don't like this development. Not at all.

     

  14.  
    Anonymous Coward, Jun 27th, 2012 @ 3:28am

    Re: Is this the next bubble crushing economy in the future?

    Those goods will be "respectable goods" until people realize, in 5-10 years, that Blizzard won't be around forever, and that the investment is completely lost when Blizzard shuts down the servers for good.

    This, much like the "real economy", will only be good for the crooks, who will pull off some profits and bail out before the scheme comes crumbling down.

     

  15.  
    Anonymous Coward, Jun 27th, 2012 @ 4:09am

    Re: Re: Wow...just wow...

    Drama queen. The internet is safe if you understand it. You just need to learn how to browse it, like everything else.

     

  16.  
    Ninja, Jun 27th, 2012 @ 4:17am

    Re: Re: Wow...just wow...

    Indeed. I have scripts fully blocked just in case. The link was supposedly innocent.

    Now I'm starting to understand why that many users were hacked...

     

  17.  
    Ninja, Jun 27th, 2012 @ 4:29am

    Re: Is this the next bubble crushing economy in the future?

    Fortunately I got my copy via World of Warcraft Annual Pass promotion otherwise I'd ask for a refund. The fact that you must be connected to play ALONE is incredibly annoying (especially with the lag spikes most seem to experience).

    I understand why wow has to be online only and if Blizzard decides to shut it down I've had my fun already but Diablo? This (DRM, whatever the form) is the reason I'm moving away from gaming. In the end it's good for me as I'll have more time for other stuff.

     

  18.  
    NoBody IVY, Jun 27th, 2012 @ 4:46am

    Stick to the matter at hand

    @ Ninja,
    Whiney comments off topic by you get no sympathy. Always the same "waa waa, DRM, waa waa, servers shut down, waa waa, I'm moving away from gaming..."
    A broken record. Good. Go. Leave the gaming to those wanting to have fun.

     

  19.  
    explicit coward, Jun 27th, 2012 @ 4:57am

    Re: Re: Is this the next bubble crushing economy in the future?

    Actually, this is what most people do not realize: When they buy ingame-items they are not buying goods (as property) - they buy a time-limited license to use certain ingame-items. It is more like renting than it is buying: Ownership with an undetermined expiry-date.
    The value of said items is bound to decrease over time. Either because the game loses its appeal or its popularity or because new, more powerful items become available (for instance with an expansion). Sooner or later their actual market-value will be exactly 0.

    We can only hope that it remains a niche market, because otherwise it may become a real economical problem.

     

  20.  
    explicit coward, Jun 27th, 2012 @ 5:04am

    Re: Re: Is this the next bubble crushing economy in the future?

    To me gaming is my preferred form of entertainment (I wonder if the MPAA ever considered that decreasing sales might be caused by a shift of preferences...).

    Up to Starcraft II Blizzard was my favourite game-producer and I bought every game unseen and untested. But with Diablo III this has changed. While the game per se is good there are too many things like the always-on-requirement, the real-money-auction-house and a few smaller complaints that changed my mind.

    With the release of Diablo III Actiblizz has lost a lot of its most valuable asset with me: reputation.

     

  21.  
    Chris Rhodes, Jun 27th, 2012 @ 5:22am

    Re:

    GLORIOUS!

     

  22.  
    Pangolin, Jun 27th, 2012 @ 6:09am

    I don't get it

    A trojan writer creates a trojan and it's clever.

    Why is this on techdirt?

    Did he enforce a copyright claim against AVG?

     

  23.  
    ChrisB, Jun 27th, 2012 @ 6:11am

    Re: Re: Re: Is this the next bubble crushing economy in the future?

    > We can only hope that it remains a niche market, because
    > otherwise it may become a real economical problem.

    Failure is not an economical problem; it is the foundation of capitalism. Parting fools from their money is a good thing, because then the smart people can do something useful. Bailing out idiots is what causes problems.

     

  24.  
    Anonymous Coward, Jun 27th, 2012 @ 7:05am

    Re: I don't get it

    Geez, that's priceless.

    Can you imagine if a malware/trojan/worm writer actually tried taking an antivirus company to court for reverse engineering and implementing sections into their product for detection purposes? Better yet, add DRM to the malware too and claim they are breaking the DMCA or similar laws.

     

  25.  
    explicit coward, Jun 27th, 2012 @ 7:31am

    Re: Re: Re: Re: Is this the next bubble crushing economy in the future?

    The problem arises when what once was seen as an idiocy becomes common practice. One step to make an idiocy common practice has been taken by Actiblizz by creating the real money auction house. The next step will be someone setting up a stock rated company which professionally farms items and/or gold. Further down the line banks will start to invest in such companies - until the bubble implodes...

     

  26.  
    Ninja, Jun 27th, 2012 @ 7:33am

    Re: Re: Re: Is this the next bubble crushing economy in the future?

    Hah, I have a thing or two to say in agreement but it's gonna turn into a totally offtopic discussion. So I'll avoid that but go read the last patch comment section, should be enlightening ;DD

     

  27.  
    DogBreath, Jun 27th, 2012 @ 7:36am

    Re: Stick to the matter at hand

    The only ones having fun are Blizzard, and the fun they are having is parting fools from their money by turning "legitimate purchases" into "buggy rentals".

     

  28.  
    Vanye, Jun 27th, 2012 @ 7:38am

    Re:

    Lancelot, Galahad, and I will jump out of the rabbit...

     

  29.  
    Ninja, Jun 27th, 2012 @ 7:38am

    Re: Stick to the matter at hand

    Aw, I'm flattered you are aiming your troll-blaster at me. I do agree the comment was kind of off topic considering the article but not if you consider the comment I replied to (which was pretty much on topic).

    Also: Pot, meet Kettle. "waa waa IP theft, waa waa Pirate Mike, waa waa I dunno why I still visit techdirt!"

    Cheers. And happy trolling ;)

     

  30.  
    Ninja, Jun 27th, 2012 @ 7:42am

    Re: I don't get it

    Indeed you don't get it. Techdirt is about tech related issues. They do focus on the impact on ppls lives and how the law reacts to technology more than the rest but it's their blog anyways, they can talk about hot-dogs if they want..

     

  31.  
    Eponymous Coward, Jun 27th, 2012 @ 8:06am

    Re: Re:

    Who leaps out of the rabbit, Bedivere?

     

  32.  
    Eponymous Coward, Jun 27th, 2012 @ 8:13am

    Big Brass Ones

    Serious stones on the creator here. It's one thing to bury a pseudonym signature in the code, quite another to enable real-time taunting of the infected.

    This level of communication/access could potentially allow the creator to modify his trojan in real-time. Imagine a face-off between black and white hats, furiously coding to outwit the other. It's like all the shitty "OMG, hackers!" scenes in tv shows, only for real.

     

  33.  
    Chris Maresca, Jun 27th, 2012 @ 8:23am

    Who "researches" malware w/an internet connected machine?

    Amateurs.

     

  34.  
    Anonymous Coward, Jun 27th, 2012 @ 8:41am

    Re: Who "researches" malware w/an internet connected machine?

    Well of course it's connected to the internet; how else do you expect them to get a clear picture of what the software does when it's on a machine in the wild?

    Just because the testing machine is connected to the internet, doesn't mean AVG has mission critical (or even trivial) data on it (or any other machine/device connected to it).

     

  35.  
    Anonymous Howard, Jun 27th, 2012 @ 8:48am

    Re:

    Your defenses are NOTHING!

    /malewiz

     

  36.  
    DCX2, Jun 27th, 2012 @ 9:32am

    Re: Re: Is this the next bubble crushing economy in the future?

    You don't have to leave gaming. Valve still respects their customers.

     

  37.  
    Jeffrey Nonken, Jun 27th, 2012 @ 10:02am

    Re: I don't get it

    "Why is this on techdirt?"

    Because Mike decided to blog about it. Sorry if he did it without your permission. ... Oh wait, I'm not sorry. Forget I said that.

    You know what I do when Mike writes an article I don't find interesting? I write comments whining about it and complain that it's not relevant and try to explain why Mike owes me a better blog. ... Oh wait, no I don't. I STFU AND MOVE ON TO THE NEXT DAMNED ARTICLE.

    Mike and his minions will occasionally write an article you don't care for. Just pick up the broken pieces of your shattered life and move on.

     

  38.  
    Pangolin, Jun 27th, 2012 @ 11:02am

    Re: Re: I don't get it

    I expected a few flames from the post. I actually agree with Tech Dirt on most everything and find the blog enlightening and insightful. Even this post. I tried humor. Maybe it's why I'm not a comic. At any rate, the initial part was the "setup" and the "punch line" was the copyright issue. Why wouldn't a malware author go after an Anti virus company for copyright infringement? Illegal Activity? That aspect hasn't stopped some people in the past. It was meant to be slightly sarcastic and funny. Guess I missed the sarcasm tag.

     

  39.  
    KelvinZevallos, Jun 27th, 2012 @ 12:38pm

    Re:

    Your flaws are revealed!

    /malemonk... And possibly this Trojan.

     

  40.  
    Anonymous Coward, Jun 27th, 2012 @ 12:40pm

    Re: Re:

    The problem is that operating systems have gotten much much more complex. Back in the days operating systems were much simpler, it was much more difficult for viruses and malware to hide because there weren't very many places to hide. Now operating systems and software suites are so huge and humongous and they drop files and create changes in so many places there are a ton of places for stuff to hide in.

     

  41.  
    Anonymous Coward, Jun 28th, 2012 @ 7:38am

    Re: Re: Who "researches" malware w/an internet connected machine?

    wat?

    No wonder it's so easy for them to stay ahead of us. If they can't understand what a program is trying to do without being connected to the Internet then maybe they are in the wrong business.

    *kicks the grass*

    Kids these days....back in my day, we looked at the logs and read the packets and we liked it!

     

  42.  
    KelvinZevallos, Jun 28th, 2012 @ 12:48pm

    Re: Re: Re: Re: Re: Is this the next bubble crushing economy in the future?

    There is a section in the RMAH ToU that disallows anyone to use the RMAH as an "Investment avenue" (11.B.iii of the ToU).

    Source:
    Diablo 3 - RMAH ToU

     

  43.  
    Anonymous Coward, Jun 28th, 2012 @ 11:00pm

    This is new? Bullshit when I was kicking it on d2 my clan's goal was similar. We infected people and stole their account,email,paypal and anything else of value. "Yeah this was years ago" I was young and bored. We could see infected computers webcam,screenshot, and log their keys plus a bunch of other little tools.

    The screenshot option was kinda shitty for one reason back then dialup was still popular lol so taking a bunch of screenshots would have been a slow process.

    Playing with the webcam was my favorite thing to do lol.

    Me: Stop scratching your head ffs.
    Victim: "Looks around like wtf?"
    Me: Stop looking around I can see you from outside.
    Victim: "Terrified look"
    Me: I'm gonna get you! Turn around one more time! I dare you!
    Victim: "Still too terrified to type anything yet."
    At this point I was laughing so hard and the look on their face made me feel bad so I ended it.
    Me: I'm just kidding.. You downloaded my virus in a duping program.
    Me: I'm not watching you from outside lol.. I'm spying on your webcam. I was gonna rob your account but the entertainment you provided me made me decide against it.
    Victim: Really? "Still pretty confused looking"
    At this point I was dumping shit into a mule. Yeah yeah I know I am a pushover lol.
    Me: Open your d2 and log to this account.
    So I see d2 popup and a min or two later he replied.
    Victim: OMFG! Why...
    Me: I felt bad that I shook you up so bad.
    Victim: You can fuck with me every week if it turns out like this.

    At that point I was laughing uncontrollably again >.

     

  44.  
    Clueless, Jun 30th, 2012 @ 8:58pm

    Re: Re:

    ALL YOUR CONDOMS ARE BELONG TO US!!!

     

  45.  
    Ilfar, Jul 5th, 2012 @ 10:31pm

    Re: Re: Re:

    If you're using a meme that old, you've got less use for them than they do... :P

     
