SECURITY - Online Gaming Firms Targeted by Malware

"'Winnti' Malware Targeting Online Gaming Firms" by Chloe Albanesius, PC Magazine 4/12/2013

News of game-related hacks are nothing new; they have dominated headlines in recent years, from the massive Sony PlayStation Network takedown to the more recent hack of The War Z.

Attacks on gaming firms might not be isolated incidents, however.  Researchers at Kaspersky Lab this week said they uncovered a series of targeted attacks originating in China that are taking aim at Web-based gaming companies.

"According to our estimations, this group has been active for several years and specializes in cyber attacks against the online video game industry," Kaspersky said in a blog post.  "The group's main objective is to steal source codes for online game projects as well as the digital certificates of legitimate software vendors.  In addition, they are very interested in how network infrastructure (including the production of gaming servers) is set up, and new developments such as conceptual ideas, design and more."

Kaspersky started investigating the group - known as Winnti - in the fall of 2011 at a behest of a computer game publisher that detected malware on its network.  The malware was pushed out to users via a standard update, prompting concern that the company was spying on its users.

"However, it later became clear that the malicious program ended up on the users' computers by mistake; the cybercriminals were in fact targeting the companies that develop and release computer games," Kaspersky said.

Once installed on someone's computer, the hackers could control that machine without the user's knowledge.  The malware was "the first time we saw Trojan applications for the 64-bit version of Microsoft Windows with a valid digital signature," Kaspersky said.  Previous incidents of digital signature abuse had only hit 32-bit systems.

The digital certificate in question belonged to South Korea-based KOG, which also produced MMPRG, like Kaspersky's client.  Ultimately, the certificate was revoked, but "over the next 18 months we discovered more than a dozen similar compromised digital certificates."

Kaspersky said that its research suggests that at least 35 companies from around the world have been infected by Winnti malware at some point in time, with a "strong focus" on Southeast Asia.