ABINGDON, England, April 17, 2013 /PRNewswire/ --
Cybercriminal Organisation "Winnti" Compromises Gaming Companies' Systems, Steals Intellectual Property and Digital Certificates for Malicious Use
Today Kaspersky Lab's team of experts published a detailed research report that analyses a sustained cyberespionage campaign conducted by the cybercriminal organisation known as "Winnti."
According to Kaspersky Lab's report, the Winnti group has been attacking companies in the online gaming industry since 2009 and is still active. The group's objectives are stealing the digital code-signing certificates of legitimate software vendors, in addition to intellectual property theft, including the source code of online game projects.
The first incident that drew attention to the Winnti group's malicious activities occurred in the autumn of 2011, when a Trojan was detected on a large number of end-user computers across the globe. The clear link between all of the infected computers was that they were used to play a popular online game. Shortly after the incident, details emerged that the malicious program which had infected the users' computers had been delivered as part of a regular update from the gaming company's official update server. Infected users and members of the gaming community suspected the game publisher of installing the malware to spy on its customers. However, it later became clear that the malicious program had reached the players' computers by accident, and that the cybercriminals were actually targeting the video game company itself.
In response, the game publisher that owned the servers which had spread the Trojan to its users asked Kaspersky Lab to analyse the malicious program. The Trojan turned out to be a DLL library compiled for a 64-bit Windows environment, and it used a malicious driver that carried a valid digital signature. It was a fully functional Remote Administration Tool (RAT), which gives attackers the ability to control a victim's computer without the user's knowledge. The finding was significant because this Trojan was the first malicious program for the 64-bit version of Microsoft Windows to carry a valid digital signature.
Kaspersky Lab's experts began analysing the Winnti group's campaign and found that more than 30 companies in the video game industry had been infected by the Winnti group, the majority being software development companies producing online video games in South East Asia. However, online gaming companies located in Germany, the United States, Japan, China, Russia, Brazil, Peru, and Belarus were also identified as victims of the Winnti group.
In addition to industrial espionage, Kaspersky Lab's experts have identified three main monetisation schemes that could be used by the Winnti group to generate an illegal profit:
- Manipulate the accumulation of in-game currency, such as "runes" or "gold," which players can convert into real money.
- Use the stolen source code of online game servers to search for vulnerabilities inside the games that augment and accelerate the manipulation and accumulation of in-game currency without raising suspicion.
- Use the stolen source code from servers of popular online games in order to deploy their own pirated servers.
Currently the Winnti group is still active and Kaspersky Lab's investigation is ongoing. The company's team of experts has been diligently working with the IT security community, online gaming industry and certificate authorities to identify additional infected servers while assisting with the revocation of stolen digital certificates.
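The attack described above hinged on a kernel driver carrying a valid Authenticode signature, and the remediation named here is revocation of the stolen certificates. A defender's practical check is therefore to audit the drivers loaded on a host, verify their signatures, and build each signer's chain with online revocation checking. The following PowerShell script is an added example written for this page; it is not code from Kaspersky Lab or from the report. The thumbprint list is a placeholder (assumption) for locally maintained indicators and contains no real Winnti data.

```powershell
# Added example (not from the Kaspersky report): audit the kernel drivers currently
# loaded on a Windows host, verify each one's Authenticode signature, build the
# signer's certificate chain with online revocation checking, and flag any signer
# whose thumbprint appears on a list of certificates known to be stolen.
# The thumbprint below is a placeholder (assumption), not a real Winnti indicator.

$KnownStolenThumbprints = @(
    '0000000000000000000000000000000000000001'   # placeholder: replace with thumbprints of revoked/stolen certs
)

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports several path styles; normalise them to a real file path.
    $p = $PathName -replace '^\\\?\?\\', ''                              # \??\C:\...            -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                   # \SystemRoot\System32\ -> C:\Windows\System32\
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # System32\drivers\x.sys (relative)
    return $p
}

function Test-DriverSignature {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path        = $Path
        Status      = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer      = $null
        Thumbprint  = $null
        Revoked     = $false
        KnownStolen = $false
    }
    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer      = $cert.Subject
        $result.Thumbprint  = $cert.Thumbprint
        $result.KnownStolen = $KnownStolenThumbprints -contains $cert.Thumbprint

        # Build the chain ourselves so that CRL/OCSP revocation is checked for the
        # whole chain; Get-AuthenticodeSignature alone does not guarantee that.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        [void]$chain.Build($cert)
        $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
        $result.Revoked = @($chain.ChainStatus | Where-Object { $_.Status.HasFlag($revokedFlag) }).Count -gt 0
    }
    return [pscustomobject]$result
}

# Report only the drivers that deserve a second look.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object { Resolve-DriverPath $_.PathName } |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Test-DriverSignature $_ } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Revoked -or $_.KnownStolen } |
    Format-Table Path, Status, Signer, Revoked, KnownStolen -AutoSize
```

Run it from an elevated PowerShell session so that driver files under System32 are readable. One caveat matters for exactly the case this page describes: a signature that was timestamped before the certificate's revocation date is still treated as valid by Windows, so `Status` can remain `Valid` after a stolen certificate has been revoked. That is why the script also compares the signer thumbprint against a locally maintained list rather than relying on the signature status alone.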
Kaspersky Lab's products detect and neutralise the malicious programs and their variants used by the Winnti group, classified as Backdoor.Win32.Winnti, Backdoor.Win64.Winnti, Rootkit.Win32.Winnti and Rootkit.Win64.Winnti.
About Kaspersky Lab
Kaspersky Lab is the world's largest privately held vendor of endpoint protection solutions. The company is ranked among the world's top four vendors of security solutions for endpoint users*. Throughout its 15-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for consumers, SMBs and enterprises. The company currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at http://www.kaspersky.co.uk.
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2011. The rating was published in the IDC report "Worldwide Endpoint Security 2012-2016 Forecast and 2011 Vendor Shares" (IDC #235930, July 2012). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2011.
© 2013 Kaspersky Lab. The information contained herein is subject to change without notice. The only warranties for Kaspersky Lab products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Kaspersky Lab shall not be liable for technical or editorial errors or omissions contained herein.
1650 Arlington Business Park
RG7 4SA, Reading
Kaspersky Lab UK
Milton Business Park
OX14 4RY, Oxford
SOURCE Kaspersky Lab