Chun Feng Microsoft
download slides (PDF)
Malicious software that targets online games has become increasingly prevalent over the past couple of years. Research into the cause of this trend has uncovered a thriving underground black market driving this malware's development and distribution.
The marketplace is organized to sell four different 'black products' to a variety of buyers. These products include 'envelopes' (stolen account information), 'stalls' (online spaces used to collect stolen account information), trojans (malware used to steal account details), and 'trojan generators' (used to generate customized trojans).
This paper explores the organization and operation of the black market and sheds light onto the clandestine relationships between the four products.
In particular, this paper presents a detailed analysis of the trojans and trojan generators sold on the black market. These products, designed by underground workshops, have been developed to include the features of both legitimate and illegitimate (i.e. malware) software products. As malware, they are deliberately designed to avoid detection and hinder removal; they also feature anti-protection mechanisms, advanced stealth functionality and often evolve through hundreds of variants. Similar to more traditional, legitimate software products, they have their own product-testing methodologies, sales channels, and support, maintenance and upgrade offerings.
Beyond doubt, there is an escalating fight between the anti-malware vendors/online game vendors and the operators of the black markets. However, the growth of this market poses considerable challenges, not just for those directly involved in the associated industries of AV and gaming, but for users, businesses and law-makers alike.