Recently, we’ve seen similar activities being performed by different malware that monitor online Korean applications. Mostly, the applications they monitor are card games, such as those in Figure 1.
Figure 1: Examples of online Korean games that are being monitored. (Source: http://www.hangame.com)
The following applications are monitored if found running on the system:
- LASPOKER.EXE
- highlow2.exe
- baduki.exe
- duelpoker.exe
- HOOLA3.exe
- poker7.exe
- FRN.exe
The first malware is Trojan:Win32/Urelas.C. Written in Delphi, this malware uses a typical spying technique. It takes screenshots of the user’s gaming activity by looking for the processes listed above and capturing certain positions on the screen; these screenshots could then be used to observe the gaming behavior of the compromised user. It sends copies of the screenshots it captures to a remote server in JPG, TIFF, or BMP picture format and also gathers other information from the compromised system, such as the computer name and user login details.
The second malware is Trojan:Win32/Gupboot.A. This malware takes things a step further, introducing a bootkit component and reusing code from Urelas to overwrite the MBR (which we detect as Trojan:DOS/Gupboot.A). Part of this malware’s payload is to allow kernel-mode hooking to hide the malware process and its suspicious activities from the user, making the system run in a compromised state.
Like most malware that overwrites the MBR, its main intent is to use the malware’s 16-bit loader to execute the payload. The malware uses its own copy of explorer.exe (dropped as temp1234.dat) written on the physical sector and redirects execution of the system’s original explorer.exe to the malware copy (see Figure 2). This type of behavior is also discussed in the Bitdefender LABS blog "Plite bootkit spies on gamers".
Figure 2: Portion of Trojan:DOS/Gupboot.A written on disk with intent to replace C:\Windows\explorer.exe execution
Also found in the body of the malware code is a zip archive that contains an executable detected as Trojan:Win32/Gupboot.A.
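The MBR overwrite described above is what a defender can check for: record a hash of the bootstrap code on a known-clean machine and compare sector 0 against it later. The following is an added example, not code from the post or from Microsoft; the string heuristic, the partition-table sanity check and both sample sectors are constructed assumptions, not documented Gupboot artifacts.

```python
import hashlib
import struct
from typing import List

MBR_SIZE = 512
BOOTSTRAP_SIZE = 440      # bootstrap code ends where the 4-byte disk signature starts
PART_TABLE_OFFSET = 446   # four 16-byte partition entries follow the disk signature
BOOT_SIGNATURE = b"\x55\xaa"
# A stock MBR never names Windows files; a loader that swaps explorer.exe for a dropped
# copy must reference it somewhere (heuristic assumed here; temp1234.dat is from the post).
SUSPICIOUS_STRINGS = [b"explorer.exe", b"temp1234.dat"]


def bootstrap_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only, so partition edits do not alert."""
    return hashlib.sha256(mbr[:BOOTSTRAP_SIZE]).hexdigest()


def check_mbr(mbr: bytes, baseline: str) -> List[str]:
    """Return findings for a raw sector 0; an empty list means it matched the baseline."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector size {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if bootstrap_hash(mbr) != baseline:
        findings.append("bootstrap code differs from recorded baseline")
    for s in SUSPICIOUS_STRINGS:
        if s in mbr[:BOOTSTRAP_SIZE].lower():
            findings.append(f"bootstrap area references {s.decode()}")
    active = 0
    for i in range(4):   # partition-table sanity: status byte must be 0x00 or 0x80
        status = mbr[PART_TABLE_OFFSET + 16 * i]
        if status not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte {status:#x}")
        active += status == 0x80
    if active > 1:
        findings.append("more than one active partition")
    return findings


def build_sector(bootstrap: bytes) -> bytes:
    """Constructed 512-byte sample: bootstrap, disk signature, one active NTFS entry."""
    part0 = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 1 << 20)
    return (bootstrap.ljust(BOOTSTRAP_SIZE, b"\x00") + b"\x12\x34\x56\x78\x00\x00"
            + part0 + b"\x00" * 48 + BOOT_SIGNATURE)


CLEAN_MBR = build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")   # typical MBR prologue
BASELINE = bootstrap_hash(CLEAN_MBR)                        # recorded while clean
# Constructed "infected" sector: replaced loader code that names the redirect target.
INFECTED_MBR = build_sector(b"\xea\x00\x7c\x00\x00explorer.exe\x00temp1234.dat")
```

On a real system the 512 bytes would come from a raw read of the physical drive taken with administrative rights; the baseline hash belongs in a location the compromised host cannot rewrite.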
The third and last malware is Backdoor:Win32/Blohi.B. The malware is compiled in VB and usually arrives disguised as a game bundled in an NSIS installer with names such as Plants vs. Zombies, StarCraft and others. Once installed, it pings http://blog.naver.com/PostView.nhn (Naver, a very popular Korean search engine) to test for an internet connection. It logs keystrokes, monitors the processes listed above (if they exist) and has predefined backdoor commands that can modify the process list, take screenshots and uninstall the malware. It can also display a fake blue screen (see Figure 3) - possibly to force the user into rebooting their computer so that the Blohi malware can install other malware.
We also observed that these threats are most prevalent in Korea compared to other geographical locations, as seen from the following reports for the month of November 2012.
The aim of the malware authors is to gather information, for example:
- User login details
- Credit card details - used for purchasing game money and avatar upgrades
- Korean ID - similar to a social security number, required for registration and verification purposes
- Screenshots - taken to observe the gaming behavior of the user and possibly to provide an advantage to the authors if they choose to play with the user
MMPC strongly recommends users be cautious with files downloaded from the internet. Always verify that a file comes from a reputable source before executing the binary. In the case of Blohi and other malware posing as installers, instead of playing a full version of the game, you might end up getting played by malware authors.
Marianne Mallen
MMPC