On Tuesday, Symantec reported on their blog that they have found yet another variant of Stuxnet's relative "Duqu". Symantec lists 15 variants in their Duqu whitepaper (PDF). This version is different in that it uses a new infection technique: it installs via a loader file that executes on reboot, and the loader then decrypts and installs the remaining Duqu code from the hard drive.
With a compile date of February 23, 2012, it seems that the Stuxnet creators are still alive and well.
On Wednesday, Symantec discovered a server that contained a flat file with 44 million stolen gaming credentials. The credentials were from online gaming sites and also game hosting servers.
Hackers turn around and sell the stolen game credentials for cash. But knowing that unused or closed accounts are of no value, these hackers wrote an automated process to check whether the accounts were still valid. Using the processing power of a botnet, they ran a process that validated each and every one of the 44 million game credentials. Symantec calls this Trojan.Loginck:
Most botnets have the ability to download and run files, so why not push a custom piece of malware to each bot? The malware could log on to the database and download a group of user names and passwords in order to check them for validity.
If the Trojan succeeds in its task of logging in, it will update the database with the time it logged in and any user credentials (such as current game level, etc.) before moving to the next user name and password. The attackers can then log on to the database and search for the valid user name and password combinations.
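From the game site's side, the validation process described above looks like a burst of logins for many distinct accounts spread thinly over many source IPs, mostly failing (dead accounts), with the successes arriving from IPs each account has never used. The detector below is an added example, not code from Symantec or from the post; the log format, the baseline of known IPs and the sample lines are all constructed for it.

```python
import re
from collections import defaultdict

# Constructed log format for this example:
#   "<date> <time> <src_ip> user=<name> result=ok|fail"
LINE = re.compile(r"^\S+ \S+ (\S+) user=(\S+) result=(ok|fail)$")

def parse(lines):
    """Yield (src_ip, user, success) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "ok"

def analyse(lines, baseline, min_users=20, max_users_per_ip=3, min_fail_ratio=0.5):
    """Flag a distributed credential-validation burst in one slice of the log.

    `lines` is one time slice (say ten minutes) of login events; `baseline` maps
    each user to the source IPs it has successfully logged in from before.
    A Loginck-style run has each bot try only a few accounts, so per-IP rate
    limits stay quiet. The batch as a whole still stands out: many distinct
    users, spread thinly over many IPs, mostly failing, and the successes
    coming from IPs the account has never used.
    """
    users_by_ip = defaultdict(set)
    attempts = fails = 0
    validated = set()                 # live accounts confirmed from a new IP
    for ip, user, ok in parse(lines):
        attempts += 1
        users_by_ip[ip].add(user)
        if not ok:
            fails += 1
        elif ip not in baseline.get(user, set()):
            validated.add(user)
    users = set().union(*users_by_ip.values())
    spread = max((len(u) for u in users_by_ip.values()), default=0)
    fail_ratio = fails / attempts if attempts else 0.0
    campaign = (len(users) >= min_users and spread <= max_users_per_ip
                and fail_ratio >= min_fail_ratio)
    return {"campaign": campaign, "users": len(users), "ips": len(users_by_ip),
            "fail_ratio": round(fail_ratio, 2),
            "validated_from_new_ip": sorted(validated)}

# Constructed sample: 12 bots, each checking two stolen accounts, one in four live.
BASELINE = {"user01": {"203.0.113.9"}, "user04": {"198.51.100.7"}}
SAMPLE_LOG = [
    f"2012-03-01 02:{i // 2:02d}:{(i % 2) * 30:02d} 192.0.2.{1 + i // 2} "
    f"user=user{i:02d} result={'ok' if i % 4 == 0 else 'fail'}"
    for i in range(24)
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, BASELINE))
```

When a slice is flagged, the accounts in `validated_from_new_ip` are the ones the attackers now know to be live and are the first candidates for a forced password reset.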
Some of the credentials found in the file were for the online games World of Warcraft and Aion. A list of affected game publishers can be found on Symantec's website. Symantec recommends that you make sure your virus definitions are up to date and that you change your online game passwords to defend against this attack.