“Winnti” Attacks on Online Gaming Servers Dissected

Kaspersky Lab has completed a detailed analysis of “Winnti,” a group of Asian hackers who target servers hosted by gaming companies, copying their source code and surreptitiously stealing money or virtual goods over time.

In findings published April 10, the security firm said it had completed the latest phase of its eighteen-month investigation. A more detailed account of an actual attack was published separately (PDF).

Winnti has attacked two gaming companies in North America, two in Germany, two in Russia, and fourteen in South Korea. Although the Winnti group has been around for years, it first came to light in 2011, when Trojans began appearing on the PCs of users playing MMORPGs, online computer games which usually require a monthly subscription. Those Trojans, which included RAT (Remote Administration Tool) functionality, had been “signed” with the digital certificate of KOG, a South Korean gaming company.

In the course of its investigation, Kaspersky discovered that the gaming companies (which often share resources, partner, and subcontract out work to one another) had provided an opportunity for the Winnti team to secure access to otherwise legitimate digital certificates, which could be used to sign malware. Malware signed by Japanese gaming company YNK Japan was used to attack the servers of social networks Cyworld and Nate in South Korea in 2011.

But those were apparent exceptions. “Members of the Winnti team are patient and cautious,” Kaspersky wrote. “Cybercriminals have affected the processes of the online games from the infected companies and stolen money from them for years, but they have found ways of doing this without attracting attention to themselves.”

The Winnti group sets out to accomplish three things: the unfair accumulation of in-game currency/“gold,” and the conversion of those virtual funds into real money; stealing source code from online-game servers in order to search for vulnerabilities in the games; and using stolen source code to deploy their own “pirate” servers. The group also has a mercenary bent, apparently selling certificates to other groups to use in attacks, such as a March 2013 attack on Uyghur and Tibetan activists.

Its strategy with virtual currency is pretty straightforward: slice off just a tiny amount of virtual cash—not enough to disrupt the game’s balance, diminish its popularity, or attract attention.

During the investigation, Kaspersky said it identified more than a hundred malicious programs, each individually compiled to attack a particular company. Separate command-and-control (C&C) domains were often assigned to each targeted company. Virtually all the C&C domains were arranged as follows: a second-level domain was created without a DNS A-record—meaning that there was no IP address assigned to it—and some of the second-level domains had names similar to those of the target. The malicious domain was resolved to the same IP address used by the website of the real gaming company, making it even harder to detect. Thirty-six unique C&C domains were discovered, Kaspersky said.
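The C&C naming pattern described above can be turned into a triage heuristic over passive-DNS data. The following is an added example written for this article, not code from Kaspersky's report: it flags hostnames whose second-level domain has no A record of its own but which resolve to an IP already used by a known legitimate company site, and additionally notes when the second-level name resembles that company's domain. All hostnames and IPs are constructed, and "second-level domain" is simplified to the last two labels.

```python
from difflib import SequenceMatcher

# Constructed passive-DNS-style records (name, type, value); not real infrastructure.
DNS_RECORDS = [
    ("example-games.test", "A", "203.0.113.10"),
    ("www.example-games.test", "A", "203.0.113.10"),
    ("mail.example-games.test", "A", "203.0.113.20"),
    ("update.examp1e-games.test", "A", "203.0.113.10"),  # apex has no A record, look-alike name
    ("api.other-games.test", "A", "203.0.113.10"),       # apex has no A record, unrelated name
    ("unrelated.test", "A", "198.51.100.7"),
    ("cdn.unrelated.test", "A", "198.51.100.7"),
]

# Legitimate company websites and the IPs they are known to use (constructed).
LEGIT_SITES = {"example-games.test": {"203.0.113.10"}}


def apex_of(name):
    """Second-level domain: the last two labels (simplification; ignores public-suffix rules)."""
    return ".".join(name.split(".")[-2:])


def name_similarity(a, b):
    """Ratio in [0, 1]; look-alike names such as a single swapped character score high."""
    return SequenceMatcher(None, a, b).ratio()


def find_suspect_hosts(records, legit_sites, sim_threshold=0.8):
    """Return (host, apex, legit_site, reasons) for hosts matching the pattern in the article."""
    a_names = {n for n, t, _ in records if t == "A"}
    suspects = []
    for name, rtype, value in records:
        if rtype != "A":
            continue
        apex = apex_of(name)
        if name == apex or apex in a_names:
            continue  # the apex itself resolves, so it is not the "no A-record" pattern
        for site, ips in legit_sites.items():
            if value in ips:
                reasons = ["apex has no A record", f"resolves to IP of {site}"]
                if name_similarity(apex, site) >= sim_threshold:
                    reasons.append("apex name resembles legitimate domain")
                suspects.append((name, apex, site, tuple(reasons)))
    return suspects


if __name__ == "__main__":
    for host, apex, site, reasons in find_suspect_hosts(DNS_RECORDS, LEGIT_SITES):
        print(f"{host} (apex {apex}) -> review: {'; '.join(reasons)}")
```

Hits are candidates for analyst review, not verdicts: a domain with only www and mail hosts can legitimately lack an apex A record, so the value of the check comes from the combination with the shared IP and the look-alike name.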

What to do? Kaspersky provided a list of suspected certificates and IP addresses from which the C&C activity was suspected to originate. But the Winnti group is quiet and patient, and represents a threat to the servers hosted by any online gaming company.


Image: Flickr/gruntzooki