Softpedia
 


September 13th, 2010, 06:42 GMT

Malware Masquerades as Pirated Starcraft II Wings of Liberty

Legitimate software products are often at the core of malware spreading tactics, with Starcraft II Wings of Liberty already abused by attackers in order to infect the PCs of unsuspecting victims.

Earlier this summer, just as the second iteration of Starcraft was launched, Microsoft warned that fake Wings of Liberty .EXE files were compromised by malicious code and used in schemes designed to compromise the computers of gamers looking for a free ride rather than paying for the game.

At that time, the company said that it had come across two malware samples: VirTool:Win32/VBInject.gen!DM and Worm:Win32/Rebhip.A.

At the end of the past week, the software giant warned that attackers are using Starcraft II in order to spread more malware.

“It is also being used as part of a social engineering technique by a downloader family called Harnig,” explained Andrei Saygo and Francis Tan Seng, from the Microsoft Malware Protection Center.

“Harnig is employed by many other types of prevalent threats (Bubnix, FakeSpypro, Koobface) to download their malware into computers.

We’ve seen a Harnig sample that is using the new release of Starcraft 2: Wings of Liberty to get malware-infected counterfeit versions of the game into users’ computers.”

According to information shared by MMPC, in August 2010 alone over 140,000 files were detected as Harnig.gen!P.

The MMPC members explained that Harnig is one of the most prevalent examples of malicious code spreading in the wild.

Microsoft analyzed a sample (SHA1: b5e2085c4f7554f53a406431aaea942da73d8b9e) which is set up to trick users into thinking that the malformed file is connected with Starcraft 2, by using the game’s icon.

This is, of course, a classic case of social engineering: the attackers use a powerful incentive, here the promise of running a pirated version of Starcraft 2 free of charge, as bait, and spread malware through the infected files instead.

“Once it is executed, it drops two files. One named activa~1.exe arrives as an obfuscated file and is detected as TrojanDownloader:Win32/Harnig.gen!P. The other one is named sc2.exe and is an actual copy of the Starcraft 2 executable,” Saygo explained.

Once Harnig compromises a machine, it attempts to download additional malware by connecting to various malicious domains, including aebankonline.com and bedayton.com.

In addition to Harnig, PWS:Win32/PWSteal.M (SHA1: a5fbdbb42488a3bab0687e4e3d7fe5e253c7a8c2) is another piece of malware that uses Starcraft II in social engineering attacks.

“The PWSteal.M malware is an AutoIT script compiled into a stand-alone executable that will drop and run various tools that gather credentials stored locally on your computer.”

“Once it has gathered Steam account credentials, and user names and passwords from Internet Explorer, Firefox, FileZilla or MSN Messenger, it will email them back to the attacker.”

“The social engineering method employed by these threats - using familiar programs as a lure for users to click and execute the malware - is not uncommon.”

“We recommend that you make sure that the origin of your installer or add-ons is reputable and legitimate to avoid becoming victims of these kinds of malware,” Saygo explained.
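
The indicators quoted in the article (the two SHA1 values, the activa~1.exe and sc2.exe drop pair, and the two download domains) can be turned into a simple host and DNS sweep. The Python below is an added example, not code from Softpedia or Microsoft; the function names and the idea of passing in a list of queried hostnames are assumptions.

```python
import hashlib
import os

# Indicators quoted in the article (SHA1 -> label).
PAGE_SHA1 = {
    "b5e2085c4f7554f53a406431aaea942da73d8b9e": "Harnig sample (Starcraft 2 icon)",
    "a5fbdbb42488a3bab0687e4e3d7fe5e253c7a8c2": "PWS:Win32/PWSteal.M",
}
PAGE_DOMAINS = ("aebankonline.com", "bedayton.com")
DROP_PAIR = {"activa~1.exe", "sc2.exe"}  # the two files the sample drops


def sha1_of(path, chunk=1 << 20):
    """Hash a file in chunks so large game binaries do not fill memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known_sha1=PAGE_SHA1):
    """Return (path, reason) findings under root (hypothetical helper)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {n.lower() for n in files}
        if DROP_PAIR <= names:  # both dropped names present in one directory
            findings.append((dirpath, "activa~1.exe dropped beside sc2.exe"))
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of(path)
            except OSError:
                continue  # unreadable or locked file: skip, keep sweeping
            if digest in known_sha1:
                findings.append((path, "SHA1 match: " + known_sha1[digest]))
    return findings


def flag_queries(hostnames, domains=PAGE_DOMAINS):
    """Return hostnames equal to, or subdomains of, a listed domain."""
    hits = []
    for host in hostnames:
        h = host.strip().rstrip(".").lower()
        if any(h == d or h.endswith("." + d) for d in domains):
            hits.append(host)
    return hits
```

A legitimate sc2.exe on its own is not flagged; only the pair in one directory or an exact hash match is reported, and lookalike hostnames that merely end in the same letters are ignored.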


