Diablo III Targeted by Malware

I am one of the fans who had been eagerly awaiting Diablo III for more than ten years and now I am consumed in my attempts at the Inferno difficulty level every night. As one of the most highly anticipated games this year, it was only a matter of time before malware authors began targetting it and W32.Gammima.AG was first to step up to the plate. One of the features in the game is the ability for players to trade their items and gold for genuine money on the Real Money Auction House. Although the malware itself does not target the service directly, it is likely an avenue the attackers will pursue in order to monetize their operation.

Today I identified a new W32.Gammima.AG variant that steals Diablo III communications.


This malware is not brand-new. We have encountered it several times before, so this is just a slightly improved version targeting Diablo III as well as the following games:

  • Arad
  • Lineage
  • MapleStory
  • The Kingdom of the Winds
  • World of Warcraft

The game’s developer, Blizzard Entertainment, has included some security protection, such as a one-time password authenticator and account locking, so that gamers can prevent their items and gold being stolen.

Symantec detects this malware as W32.Gammima.AG. To stay safe, please ensure that you have the latest patches installed on your system and keep your antivirus definitions up to date.

OSX.Macontrol Back at It Again

Contributor: Joseph Bingham

If you were to compare the percentage of Mac users with the percentage of Windows users, the Windows user base still eclipses the Mac user base by a large margin. At the time of this blog post, one usage statistics aggregator reports on its website that the Windows market share is a commanding 84.13 percent of the population compared to Macintosh at 14.80 percent. However, statistics vary by research firm and this particular data was collected within the United States only.

So, what does all this have to do with malware you ask? In essence, the theory that operating systems other than Windows are safe from being compromised by malware has already been proven incorrect. From a malware author’s perspective, being able to exploit a large user base will provide a greater install base for various reasons. The increased popularity of the Mac platform and the potentially less mature state of Apple security practices have made it a viable target. This has led to more attacks on the Mac platform than ever before.

Let’s think about the statistic of 14.80 percent for a second. The estimated population of the United States is currently around 309 million. Assuming everyone in the U.S. owns a computer, it is around 43 million users who are potential victims.

For the first half of 2012, we have seen an increase in the number of Mac based threats. Earlier this year, we saw a new variant of OSX.Flashback appear in April (first seen in 2011), and a newly discovered threat, OSX.Sabpab (first seen in April 2012).

Most recently, we have come across a new variant of OSX.Macontrol (first seen in March 2012). This current sample appears to spread through targeted email and has a low distribution rate. The binary [md5 - e88027e4bfc69b9d29caef6bae0238e8] is small in size (75 KB) and provides little functionality other than a back door to a remote host ( The Web server appears to be a custom HTTP command-and-control server that can collect and modify system settings. HTTP command-and-control allows the attacker to evade detection by sending commands that appear to be clean, normal Web traffic.

OSX.Macontrol has the ability to:

  • Close the connection to the remote location and end the threat
  • Collect information regarding the compromised computer and send it back to the remote server
  • Send the process list of the compromised computer to the remote server
  • End processes
  • Fork running processes
  • Retrieve the install path of the Trojan
  • Delete files
  • Run files
  • Send files to the remote server
  • Send user status and information to the remote server
  • Log-out the current user
  • Put the compromised computer to sleep
  • Restart the compromised computer
  • Shut down the compromised computer

It has the ability to open a shell:


It sends an encrypted GET request to receive communication:

/h.gif?pid =113&v=130586214568 HTTP/1.
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)
Connection: Keep-Alive


Figure 1. Various calls used to obtain data about compromised systems

During the course of our research we noticed activity from the address, beginning around February 2012, with multiple unique versions of malware coming from this IP range. Our data confirms that this IP address is not just serving Mac Malware, but Windows malware as well.

To ensure that you are protected, please make sure your antivirus definitions are always up to date. Also, please do not download or open attachments from senders that you do not recognize.

Note: We were able to connect with Apple and they stated that they updated their OS X malware definitions recently to address this version of Macontrol.

Defunct Copyright Troll Seeks Resurrection

Photo: Doug Wildman/Flickr

Copyright troll Righthaven, which famously went defunct last year after an epic failure in trying to make money for newspapers by suing sites that reposted even parts of news stories, is seeking a second life.

Righthaven’s former chief executive wants a judge to resurrect the firm in order to appeal a court decision that found it was not infringement for an individual, who had no profit motive, to re-post an entire story online.

The copyright dispute is one of great importance in today’s digital world: whether reposting of an entire article, without permission, can amount to fair use of that work.

A Nevada federal judge ruled last year that a citizen’s re-posting of the story in an online forum was fair use in a decision that, in part, led to the unraveling of the Las Vegas-based trolling operation. Righthaven was ordered to pay legal fees and expenses in the case that amounted to more than $60,000, which the firm has refused to pay.

Without an appellate ruling affirming the fair-use decision, the opinion is not binding on other courts. Fair use is a copyright-infringement defense when a defendant reproduces a copyrighted work for purposes such as criticism, commentary, teaching and research. The defense is analyzed on a case-by-case basis.

Steve Gibson, Righthaven’s former chief executive, said if Righthaven prevails on appeal it could “return to a going concern” and satisfy its debts. But Gibson needs the court-appointed administrator of the company to allow the appeal to the 9th U.S. Circuit Court of Appeals.

Unfortunately for Gibson, the administrator won’t authorize it, arguing that Righthaven should pay its debts — more than $200,000 — instead of litigating further.

“Attempting to prevent the appellate process from coming to full fruition is not a just goal and hardly within the realm of equitable action,” Gibson wrote (.pdf) a Nevada federal judge Monday in demanding permission. “The right of appeal is a fundamental linchpin of our democratic structure.”

Gibson added that none of Righthaven’s assets are being used to pay for the appeal.

Righthaven borrowed a page from patent trolls in 2010 and was formed with the idea of suing blogs and websites that re-post newspaper articles — even snippets of them — without permission. But along the way, the Electronic Frontier Foundation and others began to chip away at the business model.

The case Gibson wants to appeal to the San Francisco-based appeals court concerns Vietnam veteran Wayne Hoehn, who prevailed in a Righthaven copyright lawsuit seeking up to $150,000 in damages for posting the entirety of a Las Vegas Review-Journal editorial to a small online message board.

The lawsuit against Hoehn, one of hundreds of Righthaven’s lawsuits, accused him of unlawfully posting all 19 paragraphs of a November 2010 editorial. Hoehn posted the article, and its headline, “Public Employee Pensions: We Can’t Afford Them” on medjacksports.com to prompt discussion about the financial affairs of the nation.

Nevada Federal Philip Judge Judge Pro ruled that the posting was fair use of the article, and ordered Righthaven to pay attorneys fees and costs.

Among other things, to satisfy the debt, Righthaven auctioned its righthaven.com domain for $3,000 and the company, now defunct, was ordered to fall under the direction of a receiver.

Righthaven initially was winning and settling dozens of cases as defendants paid a few thousand dollars each to make the cases go away.

Righthaven’s clients included Stephens Media of Las Vegas and MediaNews of Denver, both mid-size publishers of dozens of daily newspapers.

But Righthaven never prevailed in a case that was defended in court.

Ironically, Righthaven sought — as payment — the domain names owned by the people it was suing, and now it has lost its own domain name and any other available assets in the process.

Contracts between the companies and Righthaven showed that Stephens Media and MediaNews granted Righthaven permission to sue over the newspaper chains’ content in exchange for a 50 percent cut of all the settlements and jury awards. Most important, the agreement did not grant Righthaven license to use the content in any other way.

The EFF called the arrangement a “sham,” and judges hearing Righthaven cases agreed, saying Righthaven had no legal standing to sue.

Gibson also contends that, since Judge Pro found that Righthaven did not have a right to sue Hoehn for infringement, Pro should not have declared Hoehn’s posting fair use nor granted legal fees.

Relentless Zbot and Anti-emulations

A couple of months ago, Microsoft took out some Trojan.Zbot servers across the world. The impact was short-lived. Even though for a span of about two weeks, we saw virtually no Trojan.Zbot activity, relentless Trojan.Zbot activity has resumed—with some added new social-engineering techniques as well as some new techniques to help Trojan.Zbot avoid antivirus detection.

The following is an example of a recent Trojan.Zbot variant released on June 14, 2012, that implements a new anti-emulation technique in order to avoid detection.

Figure 1. Anti-emulation technique to avoid detection

Prior to executing its malicious code, the Trojan checks whether it is being executed for analysis in an emulated environment before deciding to execute or to abort its malicious actions. There are several ways of checking for the presence of emulators and this one is a new implementation from a new Trojan.Zbot variant.

The technique consists of checking code that is located in a particular Application Programming Interface (API). For instance, the Trojan may check code inside Kernel32.dll for the ReadFile API.

First it retrieves the opcode (operation code) from the ReadFile. This code specifies the operation to be performed. Then it compares that opcode to what is expected to be in a genuine Kernel32.dll ReadFile.

The expected opcodes that the Trojan looks for are 8B, 6A, and 55.

In most environments, 6A is the most expected opcode that will be found. This is true for Windows 7 and Windows XP where the Kernel32.dll code starts as follows:

Figure 2. Genuine Windows 7 Kernel32.dll ReadFile first opcodes

But a question arises: why also 8B and 55?

Most Microsoft APIs start with a direct prologue beginning with the usual PUSH EBP, which has an opcode of 55. In addition, many APIs also start with MOV EDI, EDI as reserved space for hot patches from Microsoft, and this instruction has the opcode 8BFF. Both of these are now taken into account by the Trojan.Zbot authors to ensure an accurate detection of emulators should all of these checks fail.

The effort that has been made by the Trojan.Zbot malware writers is not limited to one, or even a couple of techniques. In most malware variants there are many simple or complicated techniques to help avoid detection, like the following API or critical file names manipulation:

Figure 3. Manipulated API and library names

In an attempt to avoid detection, the malware authors have deliberately misspelled the stored "Kernel32" and "VirtualAlloc" strings, instead spelling them as "hhernel32" and "hirtualAlloc".

At a later stage, when the string is needed to get the address of the actual VirtualAlloc API from Kernel32.dll, the malware patches these strings in memory before using them correctly. This is illustrated in the following figure:

Figure 4. Correcting the misspelled "kernel32" and "VirtualAlloc" strings by memory patching

So basically, the malware ensures that the "kernel32" and "VirtualAlloc" strings are correctly spelled before using them.

These techniques are part of ever-evolving malware techniques, especially from professional malware writers who invest a large amount of time researching new techniques to evade antivirus detection. Symantec customers, however, can rest assured this malware and its techniques are effectively detected in Symantec products.

We have published the following paper in the "Journal in Computer Virology" for further reading about these anti-emulation techniques:
Anoirel Issa, Journal in computer virology, 2012, 10.1007/s11416-012-0165-0