Welcome. Thank you for attending our talk. Today's talk is Malware in the Micro Economy. First, the agenda. We'll cover who we are; the history of scamming and gaming; backgrounds for non-gamers in the audience, which should hopefully be few of you; the interesting stats that we got from players; looking at the attackers and the techniques and tools they use; investigating the defenses that Valve and some other communities have put in place; and last, forecasts and recommendations for the future. I'm Zack, this is Rusty. Just before we begin, I want to make sure that everybody knows this is of our own volition and nothing to do with our employers, yadda, yadda, yadda.

>> History of scams. Scams have been around as long as video games have been around. Diablo 2. Runescape, people still play it. I stopped when I was 13. Battle.net and Steam are more prevalent.

Diablo 2: interesting scamming techniques. The DND scam, the Diablo network database where you could meet with other players to trade, join clans and things like that. You type DND, user name and password. What this means is you put a do-not-disturb up that responds back to the message, which is your user name and password. The attacker would message you and they have all your account information. Simple but incredibly effective and hilarious. The next is a trade window scam. Attackers come and say, I want to trade an item. A million gold or whatever it is. The window would close and they say, shit, I fucked up. Here is the item, my bad. But it's a different item and they swap it in. Last is rush payment. I'll rush you through all the dungeons here for some X amount of gold. You give them half up front and half when done. You give them half up front and they go away.

Runescape. How to scam people. You have one buddy. I'll describe this. You have one buddy saying I'm looking for this jug of wine, which is two copper. I'll pay 70K.
The second friend says I'm selling a jug of wine for 40K, and some idiot connects the dots there to see if they can make money on the item. Easy money, the way I like it, perfect. WikiHow, how to avoid scams on Runescape. How to password save in Runescape.

Anyone play EVE? Spreadsheets in space. CCP, the company that runs EVE, they don't regard scamming as a (audio blipped); they say it's part of the game. They don't allow character sale fraud, impersonation, using a new player's lack of knowledge or stealing real-life assets. Everything else is fair game in that universe, which is fantastic.

And the last one, the whole point of the talk, is the Steam platform. If you're not familiar with it, you don't belong here. Steam is awesome. It started way back in the day when it was totally shitty, but now it's good. It's a digital game store. You purchase and upload games. It's a social media platform and there's a marketplace, which is ripe for the taking for scammers as well as normal players to buy and sell items together. That segues nicely into the Steam market. Non-functional cosmetic items were introduced in 2009. In 2010 there was an update that allowed players to trade cosmetic hats and weapons. The hats, they did nothing. It's like a Christmas tree on your head that is on fire, that is worth $100 for some insane reason. Since then it's expanded to other games. The picture there is of the Burning Flames Team Captain, the most expensive hat to this day. Worth $4,400. It makes your character's head catch on fire. It does nothing useful but someone pays $4,400 for it. Fantastic. This is a screenshot of the top ten available weapons in the marketplace. They're all around $400. So there are dozens of sites dedicated to trading and dedicated to gambling, et cetera. CSGO Lounge, and traders. League of Legends is interesting. There isn't a marketplace, but you have skin codes and things like email where you can buy accounts that are boosted or have skins unlocked.
Potential attack vectors there. And I'll hand it over to Zack.

>> To sell to everybody how serious these gamers get and how serious the communities are, we wanted to survey the Steam user base. Instead of finding as many places as possible on the internet, we went to Reddit, CSF two (ph.), to collect stats in terms of anything ranging from inventory prices, or if they've been scammed before, to age. To get a general idea of what we're working with. Before I begin, the problem with collecting stats on the internet is you make sure that you do form validation for Google Docs. When I opened up the first Excel spreadsheet I had an ASCII that almost crashed my computer. My favorite ones are "fuck you," "talks like this," "why DEFCON sucks." Good way to start the summer, right? Okay.

Let's get into stats. First one we have here, most of these up front, we have a sample set of 1100 people. This shows the general age range of Steam gamers, from the gaming subreddits. Not the again scheme, 90 percent are between 12 to 24 years old. You can make some inferences there. Young, impressionable, especially when it comes to scams. The Runescape scam: in that post they said this works great for 13-year-olds. This works great to just scam them.

In terms of Steam and the online gaming communities being an investment, this one shows the hours per week spent on video games. Over 56 percent of people play 20 hours or more on Steam. It shows how much people invest into these things. It's not just something where you get on and play a game for 3 or 4 hours; you get on and play a game for 20 hours and go after items that are worth hundreds and thousands of dollars and put your heart and soul into it. In terms of the amount spent per month on gaming items, the way this pie chart breaks down is four out of five people that took our survey said they spend at least some amount of money.
People can spend casually one to ten dollars, but we have people, 2 percent of that base, spending $500 a month on purchasing the end-game items and trading with other people. We talked a lot about purchasing and having these game items. We then put out the question: inventory prices? If you go to all the Steam accounts and take the sum of all the items, how much is it worth? This is a box plot. I wanted to show this first because of the outliers: $60,000, that is someone's inventory. So we went and checked a well-known website for TF2 backpacks, inventories, and lo and behold there is somebody there verified at $55,000, that the video game profile is worth on Steam. This is the box plot zoomed in. There is a red square on there that shows the mean. People say on average about $1,000 worth of items in your inventory. When you think about these things, it goes to show when it comes to scams, at first, Runescape, Diablo, game currency is back and forth, and now people attach dollar amounts to this. This is really good targeting for people that want to scam because they can steal the items and turn them around.

Where does this leave us? This is a funny picture. Only because this is one of the most expensive [indiscernible] now. $1,500. We put this up and I think we got, yesterday or two days ago, a friend of ours got this as a drop after playing a couple hours. He played the game for 2 hours and netted an item worth $1,500. We hate him right now. Cool.

How did this all start? I realize this is in the middle of the talk. This started because we saw a Reddit post with someone having an Imgur album of them attempting to be scammed. This is on the front page of the [indiscernible]. There are lots of comments talking about similar experiences. These scammers are targeting gamers. The messages say, can you be the plus one as a stand-in? The guy asks, do I know you? Yes, we played a couple days ago. Sure. When's the game? And they trade details back and forth there.
The guy says, hey, you need to download Mumble. I already have Mumble. The scammer says, which version? The player says 1.24. Shouldn't matter. The scammer says you need this specific version of Mumble to talk to us. Let me link you to the Mumble site. Mumble software.net. What is Mumble software.net? It's registered in Russia. It looks like this. If anyone downloaded Mumble, this is not what their website looks like. It looks reasonable, and given how shitty voice gaming software is, this is something I would expect. Not only that, it has great reviews. We have comments and great quality. Good player feedback. It's awesome. So when you download this piece of software, there is the actual Mumble installer, but it's bundled with JavaScript that looks like that. If you can't read it, it looks like this. This is the download-file-from-URL function that exists in that JavaScript file, which is eventually called "here." There is a download-file-from-URL function called. The first one grabs a copy of 7-Zip from a website called copy.com. The second one is a 7-Zip encrypted binary, and the third one is a batch script, installed as a service. Started on start-up and [indiscernible]. Basically installed a RAT for the scammer to log into your system, which is fun. This is what a hacker looks like, if no one is clear on that. Cool.

We're going to go through some of the different samples. We've been doing this about a year now. The evolution of the scammers and the attackers from a year ago until today is fascinating, with the evolution of the complexity and just the TTPs they're using to scam people. This is low level. They link you to curse voice -- beta.com. It gives access to the victim's computer. Straightforward. This is a sample -- this is what happened when I tried to detonate it. It failed to execute the dropped JS file, which is unfortunate, but that's okay. It's similar to the Mumble software.
It drops JavaScript and executes wscript to sleep for 15 or 1.5 million seconds, which is like 62 days, which is what most processes do -- they don't. Steals information from browsers and takes files. Getting more complex and nastier. YourSpeaks isn't based on anything real. So with all the other samples we found, it was based on Curse, based on Mumble, based on Skype and things like that. This is just something that -- it sounds like it might be a weird voice program that gamers might use, which is interesting. Not trying to do [indiscernible] attacks, just something new. This one unhooks some Windows functions. So less of the remote access tools and more of sort of classic malware. Seeing the evolution there.

This is one of the more interesting ones. It's got a great logo, POKEY Steam stealer. The attacker, where you knows a [indiscernible] and according to the website, this photo is listed off there, a method of choosing to distribute to victims. Creates a file, this QEQ file in users temp, which tries to sleep for 60 days. We have a video with this high-quality production value, which is fantastic. He is dragging the Steam stealer to the middle of the computer. This is a great techno track in the background. Executes the file. Running Process Explorer like a good citizen. We can see what it's executing. So these are his trade offers that he's sending. He has to refresh it like 15 times. One more time. There we go. One more. So close, baby, so close. Cool. Now that was a trade offer that he just made to a mule somewhere, and just because he clicked an executable. That is insane. Go skins there. Here is the site. They believe in quality. Here are your packages. They accept PayPal and pay coin. If this isn't the greatest marketing video you've ever seen. Get it now. Perfect. I stumbled across that video and I had to include it in this because of its production value. That is the POKEY Steam stealer. Incredibly effective for -- implementing security fixes.
But the next iteration is Steam stealer, which is here. This is all C# and I'll walk you through this. This is the main function. Iterates through all of the Windows processes running. Iterates through anything called Steam and anything that has the Steam [indiscernible] uploading. Oh sweet Jesus, which include the Steam Guard key and session codes for the login. Next, iterate through each of the processes and iterate through the memory. I don't know if you can see that in the middle. There is a regex. If you think the session cookies are cool, check this out.

>> I have a Jack Daniels cookie for you. What do first-time speakers do? Cheers to DEFCON.

>> To DEFCON.

>> Good luck on your talk now.

>> Once you go Jack you never go black, back, sorry.

>> I would like to say that DEFCON does not condone anything that was just said.

>> The last half hour of this talk. Cool. The regex checks in the middle there: a 7-character or 7-digit string that all Steam cookies are prepended with, and the regex for the rest of the stuff. Looping through the processes to pull out the session cookie from memory. This is crazy advanced from Runescape saying open this room with me and let me steal your shit. The next part. For each session cookie, because multiple Steam instances can be on the same computer, we get a list of all the items that are not common. We want uncommon and rare. The bottom two lines there: the first one is get items for Steam ID, and then the text there is 570, which is the game code for Dota 2. And the last is filtering out the common items. If we look at the request that is being made, and you probably can't see this, but I'll describe it. The user agent being used is Valve Steam client. The malware is attempting to duplicate the same client to pull the user's inventory from the Steam master server. That is cool. 570 is the game app ID for Dota 2. So what does that give you back when you make that request? This is my account. A request that I make for a single item.
Counter-Strike, the app ID is 730. This is my Five-SeveN Monkey Business. A sweet little Five-SeveN with a banana handle. It's tradable and marketable. I don't have the rarity on there, but it's pretty rare. Once we have gathered a list of all the items that the player has in their inventory, then we make a giant list of this so we can trade it to our mule. We create this divided list. Can only trade 256 items at a time. If it goes over that, they create multiple requests. We iterate all the items and prepare them into the format we need to make the request. The prepare items and the next one is the send items. Prepared items: the app ID is there. Context ID. Amount, the number of items you want to trade. The asset ID is the item ID. So you're creating this list and concatenating all of these together for the trade offer. The second one is send items, using the Steam API tradeoffer/new/send. The user ID from the cookie. The partner is the person you're trading to, and you throw your items in there. Advanced and crazy. A step away from the low-level scamming that we saw before into real malware, real value, real production, and we'll get into the interesting web stuff that we saw.

>> Now that Rusty's talked about the evolution of the malware, I'm going to talk about the evolution of the different attack methods via web, or web TTPs. The attack websites split into two categories, and sometimes both. We've seen a lot of phishing websites that have taken the Steam community, taken the front page of it, attached it to another website and logged user names and passwords. We have a slide later that shows how it does that. Malware droppers, like we talked about before with Mumble, mumble software.net on there. They get a person to connect to the website and take every single link on the website and replace it with a downloadable link. We've seen websites that, especially terribly, you log into the Steam account and it prompts you to say there are no updates, download now.
They get your credentials and get onto your box and pilfer your items. In terms of the domain names, there are two categories. The first is [indiscernible]. Essentially what we saw before with Mumble or Ventrilo or Curse: think of a website that a gamer on Steam would visit. A betting website or a regular Steam website or VoIP. People perform different variations of the brands because they're recognizable to a human but not to a machine. So it's easy to trick somebody.

Another type: image websites. A lot of times they put a lot of time and energy into this hobby. And what they do is they not only trade items to each other, they sell items for real currency. [indiscernible] doesn't support any exchange to broker the deal, so there are player-made ones and PayPal. What a lot of the time, the feedback coming from the traders is, in order to prove they have some item or funds, they go and link Gyazo or [indiscernible] pictures to the person they want to trade with, and this is the proof that I have $500 for this one or this amount of money for a skin. What it really is, it's just a JPEG, a .scr file, that shows that the file header is executable. This is really, really important, because what we're showing a little bit is we do have websites like Gyazo, which is trusted, and what people are doing is making a fake image website. Very discernible and easy for the human to say if someone links me, that might be an offshoot of Imgur or something that is not good, and I'm going to connect to it anyway. This is effective to get people to click on the links.

Just to go over the brands. For people that don't know about betting, it's really, really huge in this community. There are professional matches. There are professional teams and they compete for a lot of money. Right now there is a tournament called The International and the prize pool is $18 million. There are five people per team and the first-place team gets $6 million to split among five.
People bet on these games all the time and you can bet different items. Because they use these and they're engaged in this community and engaged in watching professional matches, it's easy to trick somebody into thinking they're visiting these websites. In terms of games, the main Steam website, steamcommunity.com, you can log into your profile, talk to friends, perform trades. [indiscernible] still very effective. You can trick somebody easily by changing a letter out on one of those brands. And lastly, we talked about this, but VoIP has been very, very popular as well. Tricking someone into an outdated version of Mumble, or needing a connection to a server to play in a tournament, that is what they use.

To really sell the point here, the way that these evolve and the way these over time have attacked different people using this platform, this is an inch of the different Steam community homograph variations that we found. It's about 100 different domains. The main domain is steamcommunity.com, all one word. If you look at this image, they replace an M with an N or an M with an R. Very, very old techniques. These are things we've seen in the 2000s and it's still used today. [indiscernible] we have 230. We broke it down a little more. Before I said there were three main ones, but there are a couple that we related to social as well. The large percentage of the URLs that we classified are image variations. A number in front and "image" afterwards. It's tricking people into thinking you're connecting to an image website. When they connect and download it, they get the executable. It looks like a screenshot, but when they execute it, they're infected.

I know we've talked about problems a lot. It seems like it's the wild west. We're going to go into how Valve has responded to these. Unlike traditional gaming companies, their business focuses on a micro economy. They have implemented interesting fixes to combat this. This is a forum post. It was in January of this year.
And essentially the person posted and said, I tried to give a Dota item away and Steam wanted to verify my email address. [indiscernible] essentially it is turned on any time you make a trade request. Say I'm giving Rusty a gun or -- banana Monkey Business. You get an email: here is everything you have that you're willing to trade, the other person is willing to trade, are you sure you want to do this? Instead of going and combating the links and getting antivirus and missing platform and educating the users, they threw this in. Effective. Really effective, because this is a screenshot from the Reddit thread of the supposed maker of the Steam stealer. Steam patched itself for good. It was fun while it lasted. I'm not giving out refunds. You have to find a different way to scam people.

We continued to see it afterwards, and that is because of this configurable option in the Steam client. Like I said, the key sentence is the second sentence of "disabled": Steam Support will not be providing any assistance with items stolen from your account for any reason. The problem with the fix: it works for a regular user, but for the power users that trade a lot and bet a lot, they go and make tons of requests to trade out for a game, they hedge items against certain games and look at certain investments and trends over time and how an item dips or rises in price based on the date. They need this. So in a lot of the threads we were looking at, people were turning this off. It's a nuisance. And because of that, Steam stealer still works and Valve refuses to help them because of that contract there.

Valve put out another silent patch into the system. This is an article on GameSpot on April 19th that said Steam has decided to limit users who haven't spent $5 on any game from friend-requesting people and trading people. So essentially it's increasing the cost. These different bots, they do a ton of friend requests and how to respond to the other person and issue a link.
This got rid of that. Unless the Steam stealer botnet herders essentially went and spent the $5 per bot they had. We went back out to the trading websites and asked them, how many scam friend requests did you get per day before and after the $5 fix? It's a weird survey. Talking with the traders, they said they can tell based on a friend request on Steam if the person is a scammer or not. They judge by account age, number of mutual friends, the name, the messages they send in the friend request. The whole community said they're good at catching these. On the left you have the box plot, before the 5-dollar fix. The red is about 19 a day. There are some outliers. After the 5-dollar fix the box is significantly reduced. The mean is reduced by over half and there are still outliers. It's an effective fix, and it's the tug of war that you have. You increase the cost to the attacker and they do something else, and you have to pivot and keep doing more and more fixes.

>> I don't know how many of you were on Steam last week, or if you watch Twitch or anybody else. There was a password reset bypass on the Steam platform. That was awesome. For three hours all of the major streamers on CS:GO, Dota 2 were locked out of their accounts because of resetting the passwords. This is a GIF on how it works. If you have their account name, you can put the account name in the password reset field. You go and it says reset the account [indiscernible] address. You click that. You usually have to go confirm the email address, which is why it's like F star star star at G star star star. But you can just hit okay. And it would take you right past it. Okay. Right past it, and now I get to reset whatever password I want. This was live for 3 hours on the Steam platform before it was fixed, which is really interesting to hear the streamers' take on it, [indiscernible] in an uproar about everyone is going to lose their items.
The streamers didn't care because of all the previous security fixes that Valve put in place. When the password is reset, you can't trade for five days. Any time a new device is connected, you can't trade for five days. Basically what that meant is all of the password resets of the attackers hitting the accounts couldn't monetize the fact they were able to log into people's accounts, which was a serious tip of the hat to Valve. Thousands of people were compromised but nothing of value was lost. I say that in the most non-ironic way possible. Which is awesome.

>> Now that we went over the history this past year of studying this type of malware and type of attacks on Steam and on these different gamers, we're going to implement just a small forecast. Next 6 to 12 months in the types of malware. The first point is the image-site homographs and phishing will be weapons of choice. Instead of performing a homograph attack, you take my name is ZACK and replace a letter with it, say the A with a 4; humans can interpret that and know it's ZACK. Works great for humans and terribly for computers. Since we saw a huge increase on the image sites, 66 percent of the [indiscernible] we found were classified as images, they need a weapon of choice. It's easier to generate these types of homographs. Different variations of it. Screenshots are used consistently by traders to verify whatever they need to when performing trades.

[indiscernible] can be more than just a stealer. If you go and Google some of the malware families, particularly Steam stealer, they advertise more and more features. Specifically keyloggers. They have remote access tools. You have someone with an inventory worth thousands of dollars. They're probably on a gaming rig that is worth thousands of dollars and something connected to the bank on their machine. They have a good enough amount of money that it might be worth it to drop something on there like a banking Trojan. There is more than virtual items.
They can be used as bitcoin miners. They have [indiscernible] video cards. You can really make some money off this, more than just the sites. Looks like we forgot one animation.

Now recommendations. Recommendations from us to Valve and from us to the gaming community in general. Valve has the anti-cheat system called VAC. They have a security team there and responded within a couple hours to the password vulnerability. We couldn't find anything that they had a platform security team, but even something as simple as text analytics with Google Safe Browsing or PhishTank [indiscernible] for every URL in a Steam message: if it's on this blacklist of URLs, don't send it. It reduces the time for people finding these phishing sites and submitting the request. Valve comes in. You report it to Valve, they detect it and remove it and people are saved. That looks better.

So another recommendation is for platform plug-ins. Steam and Valve in general are good in terms of being open with the community in terms of game development. There is Project Greenlight. You can develop games and people vote on the game. If you get votes you get onto the Steam platform. They should have something similar for plug-ins. So you can let the community -- there are a lot of people doing this already, in terms of taking the fight back to the Steam punks. And Valve can police the marketplace. They don't have to let it be the wild west where anybody can submit an app; they can have different guidelines. Especially a security one that meets some kind of standard.

Recommendations for the gamers. In browser there are a lot of plug-ins in Chrome and Firefox that I use. Malwarebytes has one, and they do these blacklist capabilities. Every time someone clicks on a link, whether it's in TeamSpeak when you're connecting to a server and the message of the day comes up, or a Steam message, it opens in the browser. Steam has a browser [indiscernible]. You can have a plug-in and protect yourself from it.
There are people out there that are dedicating time to take the URLs and getting them known in the community. [indiscernible] phishing groups as well. Essentially these are the guys that go out, find the scammers, interact with them, try to get URLs and file samples from there and distribute them out to the community. They put them in PhishTank. A dedicated group of people. They do something above and beyond URLs. A lot of times scammers are profiled by the communities. Trading communities are tight-knit. They know who is good and who is shady. And FOG and Steam [indiscernible], they do exactly that. When you go out and trade, if you want to go and say you have an item that you randomly got or you want to buy one, go to the websites and look up the user name and you can tell very quickly whether or not this person is trustworthy.

We didn't have time to do it for this talk, but one thing we're also releasing, it's out now on the Chrome extension store, is [indiscernible]. It doesn't do blacklisting. It detects homograph attacks. Like Google Safe Browsing, if you use this platform and Steam, look this up in the Chrome store and download it. If there is a detected homograph attack or image website, this detects it and throws you into a Google safe webpage and tells you why and gives you options of what to do.

That pretty much sums it up. I'm Zack and this is Rusty. A couple shout-outs. Without them we wouldn't have this awesome data. There is a guy in Germany that is really cool and feeds me URLs.

>> We have a lot of the samples, so if you're interested in looking at the samples, hit me up on Twitter and I'll get in touch with you. It's been really interesting seeing the evolution over the past year and I'm glad to have been here. Thanks.
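The talk describes three lure patterns on the defensive side: steamcommunity.com homographs (an M swapped for N or RN, an A for a 4), fake image hosts built from a number followed by "image", and "screenshots" whose file header is really an executable. The following is an added example, not the speakers' Chrome extension and not anything from Valve; it assumes a small allow-list of legitimate hosts (steamcommunity.com, steampowered.com, imgur.com, gyazo.com), the substitution rules the talk mentions, and constructed sample URLs. It shows how a client-side check could classify a link before the user opens it.

```python
import re
from urllib.parse import urlsplit

# Assumption: this short allow-list stands in for whatever list a real plug-in would ship.
LEGIT_HOSTS = {"steamcommunity.com", "steampowered.com", "imgur.com", "gyazo.com"}

# Lookalike substitutions the talk describes (M->RN, A->4, and similar): a human
# reads them as the brand, a byte-for-byte comparison does not.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("4", "a"), ("5", "s"), ("7", "t")]

EXECUTABLE_EXT = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".com", ".pif")


def registrable(host):
    """Reduce a hostname to its last two labels; good enough for .com/.net lookalikes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def canonicalize(label):
    """Undo confusable substitutions so 'ste4mcornmunity' becomes 'steamcommunity'."""
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def levenshtein(a, b):
    """Plain edit distance; catches swaps canonicalize cannot undo (e.g. N for M)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return one of: legit, homograph, executable-lure, image-lure, unknown."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    reg = registrable(parts.hostname or "")
    if reg in LEGIT_HOSTS:
        return "legit"

    # Brand lookalike: compare the canonicalized second-level label to each known brand.
    label = canonicalize(reg.split(".")[0])
    for legit in LEGIT_HOSTS:
        legit_label = legit.split(".")[0]
        tolerance = 2 if len(legit_label) >= 8 else 1  # short brands get a tighter bound
        if levenshtein(label, legit_label) <= tolerance:
            return "homograph"

    # "Screenshot" that is really an executable, e.g. proof.jpg.scr on a non-image host.
    last_segment = parts.path.rsplit("/", 1)[-1].lower()
    if last_segment.endswith(EXECUTABLE_EXT):
        return "executable-lure"

    # The survey's biggest bucket: a number in front and "image" (or similar) after it.
    if re.match(r"^\d+-?(image|img|pic|screenshot)", reg):
        return "image-lure"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links of the kinds the talk describes.
    for sample in ["https://steamcommunity.com/tradeoffer/new/",
                   "http://steancommunity.com/login",
                   "http://steamcornmunity.com/",
                   "http://www.steampovvered.com/",
                   "http://gyaso.com/abc",
                   "http://3image.net/proof.jpg.scr",
                   "http://3image.net/gallery/1234",
                   "http://example.org/"]:
        print(f"{sample:45} -> {classify_url(sample)}")
```

The homograph check runs before the path check on purpose: a link on a lookalike domain is reported as such even when its path looks harmless, while the executable check only has to catch the "proof" screenshot trick on domains that are not already flagged. The edit-distance tolerance is scaled to the brand's length so that short names like imgur do not match unrelated five-letter domains.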