Freely available software tools can be bundled with malware designed to steal data, including account credentials, according to a Microsoft researcher who discovered and analyzed a password stealer bundled with an online gaming tool.
A password-stealing Trojan called USteal was detected in a gaming tool used to customize Dota 2, a Valve Corporation online battle game. A third party distributed the software to users who wanted to customize their gaming experience, wrote Alden Pornasdoro, of Microsoft's Malware Protection Center team.
"It is important to be aware of this risk, and understand just how easy it can be for malware authors to create malicious software bundles," Pornasdoro wrote in his analysis of USteal.
USteal writes, compresses and encrypts the usernames and passwords it steals. The Trojan was detected in March and is closely related to Ruffar, a keylogging Trojan designed to capture user keystrokes, including passwords and credit card information. Pornasdoro traced the malware to a Russia-based, automated online malware-building tool that could be rented to create Trojans. The tool lets an attacker choose the malware's capabilities simply by clicking checkboxes.
"Once a Trojan is created with the builder, an author can choose to bundle the malware with legitimate tools, software or images," Pornasdoro wrote, adding that distribution is up to the malware's creator. "It could be as simple as uploading the file to a free hosting site and freely spamming the link on forums, as comments or as instant messages. The distribution method depends on an attacker's target."
Russia ranked highest for USteal infections with more than 60,000 of them, followed by the United States with more than 11,000. Microsoft recommends that users download software directly from the software maker's official website and avoid links in forum posts, because those can lead to repackaged, malware-laden software, Pornasdoro said.
Version 13 of the Microsoft Security Threat Report highlighted the technique of bundling malicious software with legitimate applications. The technique has been popular with adware designed to send system data and an individual's browsing habits to an aggressive ad network without the victim's consent.
OpenCandy, an adware program, was detected running with some third-party software last August. DealPly, another program that displays search results based on a user's browsing habits, was labeled adware by Microsoft; it was being bundled with third-party applications as a browser add-on.
Mobile devices are not immune either: freely available versions of legitimate mobile applications are sometimes packaged alongside mobile spyware. Microsoft warned Android users earlier this year that a rootkit had been detected bundled in a legitimate Android application. GingerMaster, a threat detected alongside certain clean applications, apparently contained a malicious image file that could root the device; a Google update now blocks the attack. The notorious DroidDream infection was also found embedded in otherwise harmless applications.
Published May 28, 2013