I’m all for a spot of Lovecraftian tentacled horror coming down from the sky and laying waste to all and sundry, but not when that same unfathomable horror is doing the same thing to my PC, as in the example below.
Somebody put a lot of effort into this so-called “Steam Cracker”, which – somewhat optimistically – claims to give the user “all games for free”. They gain 10 “I see what you did there” points for the following comment on their YouTube page:
“1. Disable Your anti-virus and firewall (In-case it tries to block it and then will detect it as a virus but do not worry it is a false positive.”
Oh dear. The file in question is a fake Steam client, which borrows aspects of the real thing but falls just short of being 100% convincing (file size, file and of course the fact that this file isn’t digitally signed, unlike the real Steam executable):
The file won’t run on XP (unlike the real thing), but assuming the end-user has Vista or above and fires it up they’ll be presented with a fake Steam client that for all intents and purposes looks genuine. There’s an installer screen, the real subscriber agreement and all the other things you’d expect from a Steam install.
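The missing digital signature is the quickest tell here, and it is one a defender can check before anything is run. As an added example (not code from the original post), the PowerShell below inspects a downloaded binary's Authenticode signature and flags anything that is unsigned, tampered or signed by an unexpected publisher; the download path and the "Valve" publisher substring are assumptions for illustration.

```powershell
# Added example: verify that a file claiming to be the Steam client carries a
# valid Authenticode signature from the expected publisher.
# $Path and $ExpectedPublisher are assumed values, not taken from the original post.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\Steam.exe",  # assumed download location
    [string]$ExpectedPublisher = "Valve"                     # assumed substring of the signer subject
)

function Test-SignedBinary {
    param([string]$FilePath, [string]$Publisher)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        return [pscustomobject]@{ File = $FilePath; Verdict = 'missing'; Detail = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath

    # Anything other than 'Valid' (NotSigned, HashMismatch, NotTrusted, ...) is a red flag.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ File = $FilePath; Verdict = 'suspicious'; Detail = "signature status: $($sig.Status)" }
    }

    # A valid signature from the wrong publisher is still not the real client.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch [regex]::Escape($Publisher)) {
        return [pscustomobject]@{ File = $FilePath; Verdict = 'suspicious'; Detail = "signed by: $subject" }
    }

    [pscustomobject]@{ File = $FilePath; Verdict = 'ok'; Detail = "signed by: $subject" }
}

Test-SignedBinary -FilePath $Path -Publisher $ExpectedPublisher | Format-List
```

A 'suspicious' verdict on a file that insists you disable your anti-virus first should settle the question of whether it is a false positive.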
The creator even includes real store(dot)steampowered(dot)com pages inside the user interface:
Clicking the green button takes you to the genuine PlayStation Network ID login page:
While we should probably be thankful they didn’t build phishing pages inside the application, it doesn’t really matter given the rampant amount of attempted data theft about to take place behind the scenes. Taking a peek at the code reveals all sorts of clues as to the intent of this particular creation:
The above section of code can be seen on this gaming forum, where someone tries (and fails) to swipe some game serials along with numerous other bits and pieces. The fake Steam client wants the serials of games galore along with more general programs such as design packages, movie players, system defraggers, code tweakers, iPod converters…you get the idea.
Above, you can see references to the Predator Pain keylogger, along with SMTP references used when it periodically logs your keystrokes and sends them back to base. Below, you’ll see more pain references related to Predator – Core FTP stealer, Flash FXP stealer and Pidgin Stealer:
It’s not exactly everything bar the kitchen sink, but it isn’t far off. VirusTotal currently has this file pegged at 22/42, and we detect it as Trojan.Win32.Generic.pak!cobra.
Christopher Boyd (Thanks to Jovi, Matthew and James for additional information)