Tracking the increasingly common use of PC games as an infection vector, researchers at the Microsoft Malware Protection Center (MMPC) discovered a couple of malicious programs making the rounds on torrent and file sharing sites.
Social engineers are disguising their malware by labeling it as beta versions of unreleased games or upgrades to popular ones. Using files named “dota 2 Betakeys.txt.exe” and “diablo3-crack.exe”, attackers prey on gamers anxious to test out Defense of the Ancients 2 (a custom scenario map for Warcraft III) and Diablo III, respectively, which aren’t slated for release until later in 2012.
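The first filename above relies on a double extension: with Windows set to hide known extensions, “Betakeys.txt.exe” displays as “Betakeys.txt”. The following is an added example, not code from the MMPC post, showing a simple triage check a defender could run over filenames pulled from a download directory or mail gateway. The sample filenames beyond the two quoted in the article, and the list of lure keywords, are constructed for illustration.

```python
import os
import re

# Constructed sample set: the two names from the article plus made-up benign
# and suspicious names for contrast.
SAMPLE_FILENAMES = [
    "dota 2 Betakeys.txt.exe",
    "diablo3-crack.exe",
    "patch_notes.txt",
    "screenshot.png",
    "installer.pdf.scr",
    "README.md",
]

# Extensions that Windows executes directly on double-click.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}

# Extensions users associate with harmless documents or media.
DOCUMENT_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".jpg", ".png", ".mp3"}

# Assumed keyword list; tune it to the lures seen in your own environment.
LURE_KEYWORDS = re.compile(r"\b(crack|keygen|betakeys?|serial|patch)\b")


def classify_filename(name):
    """Return the reasons a filename looks deceptive, or [] if it looks plain.

    Two checks are applied only when the final extension is executable:
      * a document-style extension sits directly before it ("notes.txt.exe"),
        the trick that hides the real type when known extensions are hidden;
      * the name carries a typical game-lure keyword.
    """
    reasons = []
    lowered = name.lower()
    root, final_ext = os.path.splitext(lowered)
    if final_ext not in EXECUTABLE_EXTENSIONS:
        return reasons
    _, inner_ext = os.path.splitext(root)
    if inner_ext in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension {inner_ext}{final_ext}")
    if LURE_KEYWORDS.search(root):
        reasons.append("lure keyword in name")
    return reasons


def flag_suspicious(names):
    """Map each suspicious filename to its list of reasons; clean names are omitted."""
    flagged = {}
    for name in names:
        reasons = classify_filename(name)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_suspicious(SAMPLE_FILENAMES).items():
        print(f"{name}: {', '.join(reasons)}")
```

The check is deliberately narrow: it flags nothing unless the file would actually run when opened, so a text file that merely contains the word “crack” is left alone, while “installer.pdf.scr” is caught even though it uses neither of the article’s names.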
In the first case, users attempting to snag a beta version of Defense of the Ancients 2 are actually just downloading the Pontoeb malware (detected as Backdoor:MSIL/Pontoeb.J). Once executed, Pontoeb begins gathering critical system information with the ultimate goal of morphing the computer into part of a zombie network. It eventually installs a backdoor through which attackers can communicate to execute various commands.
In the second case, the Fynloski remote access tool (detected as Backdoor:Win32/Fynloski.A) is installed. Fynloski is a backdoor Trojan that gains access to nearly all the information and resources on a given computer, logging keystrokes, downloading and running arbitrary files, and disabling security settings. The MMPC wrote an interesting follow-up piece detailing Fynloski’s obfuscation techniques, which can be found here.
The MMPC recommends visiting the official Defense of the Ancients and Diablo websites if you want to securely try out the actual beta versions.