Playing with viruses

Statistics show that many users underestimate the threat posed by malware and cybercriminals.

  • Only 15% of users realise that their computers can become targets for cybercriminals.
  • One out of three users believes that they are unlikely to suffer financial losses as a result of a cyber attack.
  • The vast majority of people think that no one is interested in their personal information.

Gamers, who traditionally do not use anti-virus software since it can slow down their computers, constitute a very specific segment of users that finds itself, along with others, in the crosshairs of virus writers. And these gamers differ both in terms of their skill level and how many “riches” they have acquired—all things that can be stolen and sold.

Who in the virtual gaming world are criminals targeting?

Gamers can be divided into three groups:

  • Hardcore fans and pro-gamers. They possess a significant stash of game items.
  • Ordinary gamers for whom gaming offers relaxation and a distraction from work or problems. Their accounts and computers can be used to mount sophisticated attacks and to extort money.
  • Children and teenagers can be both hardcore and casual gamers. In this case it is the parents and, more precisely their wallets, that suffer the damage from a cyber attack. It is specifically young users who are offered stolen game items "for free".


Teenagers tend to go to extremes; they ignore security recommendations and want to go after forbidden fruit. In this case, using Dr.Web Parental Control, which prevents infection and maintains the integrity of information and game assets, is essential!

Meanwhile, the experience of Doctor Web's security researchers shows that virus threats are real for people who spend their time in virtual worlds.

Вирусы произошли от… игр!

Viruses have evolved from… games!

Strange but true: It was the computer game Pervading Animal—neither a virus nor a Trojan horse—that was among the first malicious programs: the program asked lead-in questions to attempt to guess the animal the user was thinking of .The program initiated the subroutine Pervade that used information about directories the user had access to and copied the Pervading Animal all the directories. The program utilised the resources of compromised computers to replicate itself and performed covert tasks, so it acted similarly to Trojans.


What do criminals steal from gamers?

Hackers direct their attention to wherever it is they can make a profit. They are after game items and accounts—whatever gamers are interested in which can be stolen and sold.

What are gamers interested in?

  • Building a character quickly or purchasing a high-level character.
  • A character with the maximum number of different "skills" and experience points, game items such as armour and mounts (sometimes quite rare ones), as well as the set of skills and professions that are available for that character. The more assets that are available, the greater the account price will be. In some cases, it can exceed USD 500.


  • Purchase, exchange and sell in-game items, sometimes — for real money.

Criminals are after game items and accounts—whatever gamers are interested in which can be stolen and sold.

Given the cost of high-level characters and expensive items, gamers and their assets are among criminals' favourite targets.

How does malware help attackers to steal accounts and in-game items?

An example of a Trojan that steals game assets

Trojan.SteamLogger.1 is designed to steal the assets of Dota 2, Counter-Strike: Global Offensive, and Team Fortress 2. Doctor Web security researchers discovered the Trojan in October 2014.

Once the main Trojan.SteamLogger.1 module is initialised and launched, it will search for a Steam process and check whether the user is logged in under their account. If not, the malicious program will wait for the moment the user is authenticated on the server and then extract information about their Steam account (to determine whether SteamGuard, steam-id, and/or a security token are present) and transmit the data to the criminals. In response, Trojan.SteamLogger.1 obtains a list of the accounts to which game items from the compromised account can be transferred. The Trojan attempts to steal the most valuable in-game items, chests, and chest keys. Trojan.SteamLogger.1 also monitors whether the player is attempting to sell any of the virtual items themselves, and if they do, it automatically removes the items from the sale dialogue box.

All the collected data is sent to criminals' server after which the Trojan checks if automatic authorization is enabled in Steam settings. If the feature is disabled, the malware creates a seperate thread to run the keylogger. Information about logged key strokes will be sent to the attackers in 15 second intervals.

Trojan.SteamLogger.1 is spread via forums or Steam live chat with offers to sell, buy or exchange game items.




How do criminals profit from hijacked accounts?

  • Accounts are sold: in the most primitive case, the criminals will merely sell stolen accounts in their specially created online store.
  • In-game items are stolen and sold too: Hackers can transfer all the in-game items under their account to another one in order to sell them later.
  • Fraudulent loans: The new owners of a stolen account can exploit the trust of their gaming guild compatriots by borrowing some virtual coins or robbing the guild bank. This results in a damaged reputation, a ban on accessing the game server, and psychological trauma (in the case of a fragile child’s psyche, this can have rather unpleasant consequences).
  • Phishing attacks: Criminals can use stolen accounts to distribute phishing URLs, e.g., they can publish a fake announcement about a promo on offer from the game developer that requires participants to sign in with their game login and password on a third-party website or offer them malware in the guise of a program that will help them to enhance their characters' attributes. And this also damages reputations!
  • Extortion Users value their game assets, so criminals block access to user game accounts and demand a ransom.

How do criminals infect gamers' PCs?

The machines are usually infected by Trojans.

Criminals can distribute links to phishing sites in messages sent on behalf of a user whose account has been stolen. For example, they can publish a fake announcement about a promo on offer from the game developer that requires participants to sign in with their game login and password on a third-party website or offer them malware in the guise of a program that will help them to enhance their characters' attributes. Gullible and inexperienced children and teenagers fall for such tricks easily.


If they are after Steam wallets, the attackers also use phishing. For example, Twitch users are offered the chance to participate in a lottery. The supposed prizes include weapons and collectables for Counter Strike: Global Offensive. Global Offensive. Once malicious software gets access to the Steam account, the covertly installed Trojan will secretly take screenshots, add new friends, buy items via Steam and even independently (!) make and accept purchase offers. отправляет и принимает предложения по продаже. The stolen items go on sale on the Steam Community Market at a significant discount—up to 35%.

Criminals take advantage of the fact that regular Twitch visitors have gotten used to proposals of this kind. Twitch has also become one of the most popular live streaming sites among gamers. This enables users to make money from broadcasting. Some broadcasters use botnets to increase their number of subscribers. This is also a kind of shadow business in the gaming world.

An example of malware that makes targeted attacks against the Steam platform

At the end of August 2014, messages from Steam users about missing valuable game assets began to emerge on various gaming forums. Trojan.SteamBurglar.1 was the culprit behind the virtual thefts. Hackers used the Steam chat and forums to distribute the program. They invited gamers to take a look at screenshots displaying weapons and other game assets that supposedly could be bought or exchanged. Trojan.SteamBurglar.1 displayed the images to users of the targeted computers. Meanwhile, the Trojan searched the machines' memory for the process steam.exe to extract information about game items. The malware determined which items were the most valuable and stole them so that they could subsequently be resold. The stolen game assets were transferred to a Steam account used by the criminals:



Intruders set up game servers to distribute malware!

Recently Doctor Web security researchers have learnt that hackers are crafting web pages that mimic Steam’s look and feel: The fake pages look exactly like legitimate ones. Upon selecting bogus games, users are redirected to a page from which they then download malware without realising it.

The next phase of the attack depends on the Trojan's payload. In this way users can download encryption ransomware which is considered one of today’s most severe threats.

Danger: Encryption ransomware!

In addition to the hackers who crafted special malicious programs targeting specific games, other perpetrators lurking on the dark side of the virtual world want to hit the jackpot too. Encryption ransomware that encrypts data and demands a ransom for its decryption has become a major security problem. Trojans of this kind can be distributed with spam or as download links via instant messengers, or infect a machine from a flash drive. The infection process is invisible, and the user will not notice anything until their files get encrypted and a ransom demand appears on their screen.

You can learn more about encryption ransomware here.

According to Doctor Web, the ransomware can encrypt files with extensions used by such popular games as Call of Duty, Minecraft, StarCraft 2, Skyrim, World of Warcraft, League of Legends, and World of Tanks.

Please note that Doctor Web provides decryption free of charge only to owners of Dr.Web commercial licenses. If you get in trouble with encryption ransomware, you should seek assistance from our technical support service.

Virus makers exploit popular games

Criminals are already capitalising on the capabilities of games in order to spread malware.

Typically, when a connection with a Counter-Strike server is established, the client downloads missing components required for the game from the remote host.



In 2001, an examination by Doctor Web's virus analysts revealed the following scheme. A group of attackers set up a Counter-Strike game server, distributing the Trojan horse Win32.HLLW.HLProxy (some time ago, this Trojan horse was spread among fans of Counter-Strike as a "useful" application, so many people downloaded and installed it on their PCs of their own free will).

The Trojan horse distribution mechanism was rather peculiar.: When a user connected to the game server, the player was displayed a special MOTD welcome screen, which could feature server advertising , or any set rules defined by its administrators. The window's contents is an HTML file. The MOTD file created by criminals contains an IFRAME, which was carried to redirect the client to a server controlled by the intruders. From this server, the Trojan horse Win32.HLLW.HLProxy is downloaded and launched on the victim's computer.

The main purpose of the Trojan horse is to launch on a player's computer a proxy server, which emulates several Counter-Strike game servers on the same machine and transmits corresponding information to servers belonging to VALVE. When accessing a game server emulated by the Trojan horse, the client software was redirected to at the real game server controlled by the attackers, from which the player received the Trojan horse Win32.HLLW.HLProxy.

So the number of infected machines increased exponentially.

In addition, the Trojan can carry out DDoS attacks on gaming servers and servers belonging to VALVE, so many of them might be unavailable during different periods of time. We can assume that one of the criminals' goals was to collect money from owners of game servers for bringing in new players, as well as DDoS attacks on "unwanted" game servers.


Malware in the guise of games for Android

Criminals also disguise malicious programs as legitimate applications, including games. For example, Android.Elite.1.origin, is a vandal program that spreads in the guise of various popular applications.


Once Android.Elite.1.origin has been launched, it attempts to force the user into granting it access to the mobile device’s administrative features which are supposedly required to complete the application’s installation properly. If successful, the program immediately commences formatting the available SD card by wiping all the data stored on it. After that, the malware waits for popular messengers to be launched.


In addition to formatting SD cards and blocking communications, Android.Elite.1.origin sends SMS to all the contacts found in the phone book every 5 seconds, so the user's mobile account can be depleted in a matter of minutes or even seconds!

Malware as a weapon against competitors on the game market

Competition among owners of game servers is traditionally high, especially, if the servers are at the gametracker top. In February 2012, several malicious applications designed to bring down GoldSource servers (including Counter-strike and Half-Life servers) appeared in the wild. One of them, added to the Dr.Web virus database as Flooder.HLDS, is a program that emulates a large number of connections to a game server which can make the server freeze and cause errors.

Flooder.HLDS.2 is another malevolent program that sends a certain data packet to the server which causes the server to crash.

Both applications have been spread widely via game-related forums, and the number of attacks on game servers orchestrated using these programs increased significantly in resent months.

Interestingly such programs can cause damage to the systems of intruders who try to bring down game servers. Doctor Web's virus analysts got hold of copies of Flooder.HLDS.2, available on game forums, which when run, infect the system with BackDoor.DarkNess.47 and Trojan.Wmchange.14. The former acts as a backdoor and DDoS bot, while the latter Trojan substitutes WebMoney wallet IDs in the memory of the compromised computer to steal money from the user’s account. Thus, would-be criminals themselves are becoming victims of virus attacks and subjecting their own computers to the risk of infection.


How can gamers protect their computers?

Doctor Web recommends:

Before buying an account on a game server, read the license agreement carefully and comply with its terms.

  • Usage rules on most gaming servers include a disclaimer stating that those administering the server provide no guarantees or compensation with regard to account theft and can block any account at their own discretion—something many players would never expect.
  • When purchasing an account, please comply with the license terms that prohibit purchasing accounts.

Doctor Web recommends:

If you buy a game account, in addition to the password and an answer to the security question, you should also request full access to the mailbox associated with the account.

Most accounts on game servers (including those maintained by Blizzard Entertainment) are associated with email addresses and sometimes with phone numbers too. If an account is stolen, the administration will communicate via that email address with the supposed rightful owner of the account.

Doctor Web recommends:

Don't store scanned copies of your ID on the computer you play games on. That way, a Trojan can’t steal it. This recommendation applies to all users, not just gamers. If an account is stolen, the administration can request that you provide information about your ID, a scanned image of it, or a photograph showing you holding the ID in your hand.

To validate the account owner's identity, the technical support personnel can request that the photo include the owner’s passport as well as a recent issue of a newspaper or a magazine to prove that the photo was taken recently. As a result, the account will be given to the person who will be able to provide such a photo.

If you are unable to do this, the stolen account that was sold to you can be blocked. In any case, the money will remain with the intruders, and the problems will be left to their victims.

To avoid incidents of this sort, Doctor Web recommends:

  1. Never open links unless you are completely sure that they lead to your needed destination.
  2. Download games only from trusted sites, and purchase game items only on trusted 'markets'.
  3. Do not post your personal information on the Internet.
  4. Don't answer security questions used to verify users' identity, if asked to do so by a stranger.
  5. Make sure that all relevant updates have been installed on your computer for your operating system and for all your applications (not only the anti-virus).
  6. Be sure to use the latest version of your anti-virus program! Always update it prior to logging onto a game server.

Thank you for taking the time to familiarise yourself with these materials.