360 Security Guard · 2015/08/22 9:20

0x00 Overview


Jijiehao Game Center (JJH Game) is a popular board and card game platform with more than 100 casual games, including Dou Dizhu (Fight the Landlord), Three Kingdoms horse racing, Hong Kong-style five-card, Niu Niu, Fishing Master and others. 360 Internet Security Center recently captured a large number of fake installation packages disguised as this game platform. The packages are bundled with a Trojan and use a variety of technical tricks to evade detection and removal by anti-virus software. This article gives a comprehensive analysis of the promotion channels, the anti-detection tricks and the Trojan's behaviour.

0x01 Promotion Channels


The spread of Trojans disguised as the “Jijiehao Game Center” has three characteristics:

  1. On the domestic mainstream search engines, the author buys paid search ranking so that the fake game center pages carrying the Trojan appear at the top of the results, where players searching for the game easily download them;
  2. The Trojan author closely imitates the official website, so that an ordinary user cannot tell the real site from the fake one;
  3. The Trojan samples show that the author has considerable experience in evading anti-virus software and is probably a “veteran” of the underground industry.

During the analysis, testers found that not only did the first page of search results for “Jijiehao Game Center” contain several Trojan links, but similar keywords such as “Jiji Number Game Center” were also poisoned. Clicking a link opens a fake page that is almost identical to the official website (www.jjhgame.com), and some of the domain names are also highly similar to the official one, such as www.jjhgwame.com, www.jjhgtame.com and www.jjgqne.com. Clearly the Trojan author has invested heavily in promotion. See Figure 1 below:

Clicking the second result in the image above, www.jjhgqne.com, redirects to jjhgames.jjhgqne.com:81, as shown in Figure 2 below. The redirected page is a phishing page styled exactly like the official website (see Figure 3), but every link on it points to itself (href='#'). Only the “Internet cafe edition” and “compact edition” buttons lead to a download, and that download is the repackaged Trojan installer.

Meanwhile, the official Jijiehao website itself carries a notice that a large number of fake pages have recently appeared in Baidu search, advising users to check for the official address http://www.jjhgame.com so as not to be cheated, as shown in Figure 3 below:

Testing showed that the contents of the phishing pages registered by the Trojan author were almost identical, and that the anti-detection techniques in the repackaged installers were similar, which suggests that all of the phishing pages come from the same author. The author registered a large number of domain names resembling the official JJHgame site and copied its pages to spread the Trojan.

0x02 Obfuscation and Anti-detection


Next, we downloaded the official installer and several Trojan installers for comparison. The analysis shows that the Trojan author uses a variety of methods in the different installers to evade detection and removal by anti-virus software; the four main countermeasures are summarised below:

1. Hijack download.dll in the original installation package: rename the original download.dll to game.dll and have the malicious download.dll load game.dll in turn, as shown in Figure 7 below:

The malicious download.dll was created on July 27, 2015, which indicates that the Trojan author is still active. It exports the same function as game.dll, DownloadService (CreateDownloadService), which gameplaza.exe loads and calls. Figure 8 shows the download.dll hijack:

Figure 8 - download.dll hijacking method

2. Use StudyPE to add a new import entry for gamejjh.dll. StudyPE appends a .newimp section to the PE, writes the DLL name and function name strings into it, and adds the corresponding entry to the import table (IAT). The original GamePlaza.exe never imported gamejjh.dll. The modified GamePlaza.exe main program is shown in Figures 9 and 10 below:

Figure 9 - Import directory

Figure 10 - Added section information

3. Modify comservice.dll: inline-hook the DllEntryPoint function entry with a forced JMP to the end of the .text section, where a DLL (a fake msvcrt8.dll) is loaded.

Figure 11 below shows a screenshot of the Trojan forcing a jump to its malicious code:

Figure 11 - Loading malicious code

4. Slightly modify the original gameupdate.exe, autoupdate.exe and login.ini files to patch the update path of the original game center and so defeat removal. The content of the official login.ini is shown in Figure 12:

Figure 12 - Official configuration file (login.ini)

The login.ini file in the Trojan installation package after repackaging is shown in Figure 13 below:

Figure 13 - Trojan configuration file (login.ini)

UpdateIp is referenced by both GameUpdate and AutoUpdate. On the one hand, the Trojan author changed the reference in GameUpdate from UpdateIp to UphostIp so that it still works normally; on the other hand, the MessageBox call in AutoUpdate was NOP-ed out so that it silently downloads from update.iiibbbvv.com.

Besides the four methods above, testing found several other methods of the same kind, such as modifying the import table (IAT) of zip.dll to inject d3dx9_53.dll, and hijacking NetworkService.dll.
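As an added defender-side check (not code from the original post), the following Python scans a PE file for two of the repackaging marks described above: the .newimp section and gamejjh.dll import string that StudyPE leaves behind (method 2) and a DllEntryPoint rewritten into a bare JMP (method 3). The PE32 image it scans is constructed inline as test data; the JMP-at-entry check is a heuristic, not a signature.

```python
import struct

def _headers(data):  # parse DOS/NT headers -> (AddressOfEntryPoint, sections)
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]             # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]        # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]      # AddressOfEntryPoint
    secs = []
    for i in range(nsec):                                        # 40-byte section headers
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, pe + 24 + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
    return entry, secs

def scan_pe(data):
    """Return the repackaging marks found: a StudyPE '.newimp' section, a bare JMP
    at the entry point (the comservice.dll trick, heuristic) and a gamejjh.dll string."""
    entry, secs = _headers(data)
    findings = []
    if any(s[0] == ".newimp" for s in secs):
        findings.append("newimp-section")
    for name, va, vsize, rptr, rsize in secs:
        if va <= entry < va + rsize:                  # section holding the entry point
            off = rptr + (entry - va)                 # RVA -> file offset
            if data[off] == 0xE9:                     # E9 rel32 = unconditional JMP
                rel = struct.unpack_from("<i", data, off + 1)[0]
                findings.append("entry-jmp->0x%x" % (entry + 5 + rel))
    for name, va, vsize, rptr, rsize in secs:         # import name strings live in sections
        if b"gamejjh.dll" in data[rptr:rptr + rsize].lower():
            findings.append("gamejjh-import-in-" + name)
    return findings

def build_sample(entry_jmp, newimp):
    """Constructed minimal PE32 image for testing (not a real game binary)."""
    text = b"\xE9\x0B\x00\x00\x00" if entry_jmp else b"\x55\x8B\xEC\x90\x90"
    secs = [(b".text", text + b"\x90" * 11 + b"\xC3")]
    if newimp:
        secs.append((b".newimp", b"gameJJH.dll\0CreateDownloadService\0"))
    dos = bytearray(b"MZ".ljust(64, b"\0")); struct.pack_into("<I", dos, 0x3C, 64)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, 0x1000)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x2102)
    table, body = b"", b""
    for i, (name, raw) in enumerate(secs):           # one 0x200-byte file page per section
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000 * (i + 1),
                             0x200, 0x200 * (i + 1), 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(0x200, b"\0")
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x200, b"\0") + body
```

On a real installer, run scan_pe over the bytes of each EXE/DLL in the package and compare the findings against the official package; a clean build of GamePlaza.exe should produce none of them.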

0x03 Trojan Analysis


1. download.dll: account-stealing Trojan

The Trojan is launched by hijacking the legitimate download.dll of the Jijiehao Game Center. The original file is 284KB and the malicious one is 309KB. Once the DLL starts, it loads common.dll and calls its ifconfig function. It then searches gameplaza.exe and propertyModule.dll for specific byte sequences and hooks the account/password handling function. The program code is shown in Figure 14 below:

Figure 14 - Account-stealing Trojan

The following screenshots show, in order, how the account input is hooked:

1) The Trojan searches the address space from 0x401000 for the feature byte string 0FB6D085D27422C7, locates the matching address and saves it; see Figure 15 below:

Figure 15 - Searching for the feature string

2) It hooks the code at the address found in the previous step; after the entered account is captured, it calls the Trojan's own function get_account, which sends the account to the Trojan author's server; see Figure 16.

Figure 16 - Hook function

Searching GamePlaza.exe for the same bytes finds the matching location shown in Figure 17: it is GamePlaza's account login handler function.

Figure 17 - Login function

2. common.dll: backdoor

download.dll loads this DLL and calls its ifconfig function. The program is a backdoor rewritten from Gh0st: it fetches configuration information from the cloud, listens on a local port, registers a service, adds itself to autostart, detects anti-virus software, and so on.

Figure 18 - Gh0st backdoor

0x04 Other Information


Analysis shows that these fake game center phishing sites use false personal information for domain registration and change frequently, so the registration data is of no practical use. The investigation found that, besides attacking the Jijiehao game platform, this Trojan gang attacks all kinds of game centers on the market with similar tactics, such as Chenlong Game Center and 906 Game Center. The gang also develops various cheat plug-ins and tools, such as cheats for Phoenix Game, Jixia Love and other games, so it can be assumed that the account-stealing and remote-control Trojans it develops may also spread through those cheats.

As shown in Figure 19, we searched Baidu for Chenlong Game Center again: the first result was the official website, but the next three results were all phishing pages.

Both searches show that the Trojan author is still using the same method: registering domain names similar to the official one (official website cl059.com; phishing sites cl0579. Zj, cl0559. Aliapp) and forging pages identical to the official website to fool users.

Figure 19 - Chenlong Game Center search results

0x05 Preventive Measures


In casual games such as online board and card games, cash transactions may not be officially permitted, but real money and in-game currency can be exchanged through third-party trades. Such games contain gambling elements, and some are outright gambling; players easily become addicted and cannot pull themselves away, so many Trojan gangs have set their sights on them.

The Trojan author buys a large number of domain names that closely resemble the official board-game site and promotes them through paid search ranking, which is very confusing for ordinary players. Our advice to gamers: do not blindly trust search results! Check the official website's domain name before visiting, and do not download installation packages from third-party sites. Keep security software running on your computer, and when it raises an alarm, remove the Trojan as prompted. Otherwise, not only is the security of the game account at risk, but the computer may be completely controlled by criminals, with far more serious consequences.