A malware investigator working for AVG Technologies posted a blog entry about his recent encounter, via live chat, with a Chinese hacker. The researcher was investigating a piece of malware embedded in what was supposedly a Diablo III strategy video, debugging the trojan code, when the author of the program contacted him in real time via a chat window inside the program.
This is an impressive and first-time experience in my anti-virus career. I chatted with a hacker while debugging a virus. Yes, it’s true. It happened when the Threat team was researching key loggers for Diablo III, while many players of this game were finding their accounts stolen. A sample was found on battle.net in Taiwan.
The hacker posted a topic titled “How to farm Izual in Inferno” (Izual is a boss in Diablo III Act 4), and provided a link in the content which, as he said, pointed to a video demonstrating the method.
So that is how the trojan is being spread: via a supposed video demonstrating Diablo III item farming on Izual. It’s not that, and apparently there’s no video at all, just an .exe file, so you’d have to be pretty noobish to fall for running it. This is the same thing as those emails that used to show up claiming to be nude pictures of Anna Kournikova, or whoever. Diablo III is just the medium to trick people into running the program and infecting their machine.
This backdoor has powerful functions like monitoring the victim’s screen, controlling the mouse, viewing processes and modules, and even controlling the camera.
We then chatted with the hacker for some time, pretending that we were green hands who would like to buy some Trojans from him. But this hacker was not so foolish as to tell us the whole truth. He then shut down our system remotely.
Regarding this malware, no Diablo III key logging code was captured. What it really wants to steal is the dial-up connection’s username and password.
The real irony is there at the end. Despite the hack giving the hacker almost total control of the infected machine, there wasn’t a Diablo III keylogger on it. In fact, it was being used to capture user names and passwords for dial-up ISP connections. Does anyone playing Diablo III even have such a thing? That seems a bit like robbing a bank only to steal all the nickels, but I’m not a hacker so what do I know.
At any rate, let this be a reminder to you guys not to run janky software just because it promises some special super secret info. The vast majority of hacks and trojans are installed via “social engineering,” which can be roughly translated as “using greed to trick people into doing something very stupid.” The same technique fuels almost all these sorts of things.