In a Symantec blog post we find that the company has recently stumbled on a server hosting the stolen credentials of 44 million game accounts.
The article continues on to explain how the owners of the server made use of a botnet to process that mountain of data:
This particular database server we uncovered seems very much to be the heart of the operation—part of a distributed password checker aimed at Chinese gaming websites. The stolen login credentials are not just from particular online games, but also include user login accounts associated with sites that host a variety of online games. In both cases the accounts contained in the database have been obtained from other sources, most likely using malware with information-stealing capabilities, such as Infostealer.Gampass.
So, picture this: you are a bad guy and have created or purchased a botnet. You have targeted online gaming websites and now have 44 million sets of gaming credentials at your disposal.
Now it’s time to turn those gaming credentials into hard cash. But how do you find out which credentials are valid and thus worth some money? Three options come to mind:
1. Log on to gaming websites 44million times!
2. Write a program to log in to the websites and check for you (this would take months).
3. Write a program that checks the login details and then distribute the program to multiple computers.
Option one naturally seems next to impossible. Option two is also not very feasible, since websites typically block IP addresses after multiple failed login attempts. By taking advantage of the distributed processing that the third option offers, you can complete the task more quickly and help mitigate the multiple-login failure problems by spreading the task over more IP addresses. This is what Trojan.Loginck’s creators have done.
Most botnets have the ability to download and run files, so why not push a custom piece of malware to each bot? The malware could log on to the database and download a group of user names and passwords in order to check them for validity.
If the Trojan succeeds in its task of logging in, it will update the database with the time it logged in and any user credentials (such as current game level, etc.) before moving to the next user name and password. The attackers can then log on to the database and search for the valid user name and password combinations.
The database in question currently holds approximately 17GB of flat file data. The particular sample we analysed attempted to validate passwords for Wayi Entertainment, but there are credentials for at least 18 gaming websites in the database.
Read the full article over here.
Comments