Spyware Games
The Situation:
Just caught this over at Timeless Prototype’s blog. I have long been an opponent of spyware, and this incident, if true, is truly revolting.
The Problem:
“You know it’s a sad time we live in when keyloggers are detected in games targeted at kids.
Yesterday (Saturday) I saw Wall-E at the movies with friends and family. Much anticipated, very impressed and I loved it. Next task was to check out the Wall-E game. Bonus, there is a game demo for the PC to download, here’s the link BUT DON’T CLICK IT - http://wall-e.playthq.com/.”
Given the Sony rootkit debacle (for those with long memories), nothing is out of the question.
The Damage:
The Wall-E game was loaded with Spyware.Ardakey. It comes in two flavors (lite and regular) and it is a recorder of keystrokes. The program may perform the following functions:
-Keystroke logging
-Log transferring via email
-Log transferring via FTP
-Hiding and Unhiding its tray icon using the Ctrl+Alt+Del+H key combination
The infected file, assuming we rule out a false positive (which can happen), comes from a canonical domain owned by CacheFly. They specialize in hosting downloads and streaming media delivery. They serve some big names like Pluck, iolo Software, Cerulean Studios, Betanews.Com and Ars Technica. Basic traffic analysis shows quite a bit of exposure to the various sites (two domains reside on the box).
Three Basic Questions:
a) Is this a false positive? I tend to think that is unlikely given the unique thumbprint (see some of it below), but I haven’t performed a full dive. However, it makes no sense to load a keylogger into a commercial game. There is simply no business case for this.
- %UserProfile%\Start Menu\Programs\Ardamax Keylogger\Help.lnk
- %UserProfile%\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk
- %UserProfile%\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk
- %ProgramFiles%\NSK\AKV.exe
- %ProgramFiles%\NSK\license.txt
- %ProgramFiles%\NSK\menu.gif
- %ProgramFiles%\NSK\NSK.002
- %ProgramFiles%\NSK\NSK.003
- %ProgramFiles%\NSK\NSK.004
- %ProgramFiles%\NSK\NSK.005
- %ProgramFiles%\NSK\NSK.006
- %ProgramFiles%\NSK\NSK.007
- %ProgramFiles%\NSK\NSK.chm
- %ProgramFiles%\NSK\NSK.exe
- %ProgramFiles%\NSK\qs.html
- %ProgramFiles%\NSK\tray.gif
- %ProgramFiles%\NSK\Uninstall.exe
- %ProgramFiles%\Ardamax Keylogger\AKL.exe
- %ProgramFiles%\Ardamax Keylogger\kh.dll
- %ProgramFiles%\Ardamax Keylogger\il.dll
- %ProgramFiles%\Ardamax Keylogger\AKV.exe
- %ProgramFiles%\Ardamax Keylogger\Uninstall.exe
- %ProgramFiles%\Ardamax Keylogger\license.txt
- %ProgramFiles%\Ardamax Keylogger\qs.html
- %ProgramFiles%\Ardamax Keylogger\tray.gif
- %ProgramFiles%\Ardamax Keylogger\menu.gif
- %ProgramFiles%\Ardamax Keylogger\AKL.chm
- %ProgramFiles%\Ardamax Keylogger\akl.001
- %ProgramFiles%\Ardamax Keylogger\akl.002
- %ProgramFiles%\Ardamax Keylogger\akv.ini
b) Was the poisoned file a result of internal sabotage? This can happen: an insider or a ticked-off employee.
c) Were the CacheFly servers compromised, and/or was the legitimate file swapped out for the logger during that time?
I really cannot say, and I am sure more will come to light, as this is really too large to ignore. Knock knock, paperghost, grab a 9-iron.
(Yes, I know there are other scenarios, but three questions seem enough.)
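Added here as a defender-side illustration (not code from the original post or from Timeless Prototype): a triage script that checks a Windows host for a subset of the installation artifacts listed under question a). The artifact paths come from that list; the `STRONG_NAMES` weighting, the function names and the injectable `exists` predicate (so the logic can be exercised off a live host) are my own assumptions.

```python
import os
import re
from typing import Callable, Dict, List

# Installation artifacts quoted in the post above (a subset of that list).
ARDAKEY_ARTIFACTS = [
    r"%UserProfile%\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk",
    r"%UserProfile%\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk",
    r"%ProgramFiles%\NSK\NSK.exe",
    r"%ProgramFiles%\NSK\AKV.exe",
    r"%ProgramFiles%\Ardamax Keylogger\AKL.exe",
    r"%ProgramFiles%\Ardamax Keylogger\kh.dll",
    r"%ProgramFiles%\Ardamax Keylogger\il.dll",
    r"%ProgramFiles%\Ardamax Keylogger\akv.ini",
]

# Assumed weighting: binaries and hook DLLs are strong evidence; shortcuts and
# .ini files can survive an incomplete uninstall, so alone they are only suspicious.
STRONG_NAMES = {"akl.exe", "akv.exe", "nsk.exe", "kh.dll", "il.dll"}


def expand_windows_path(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% tokens case-insensitively, as Windows does.
    Variables missing from env are left in place rather than guessed."""
    lowered = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lowered.get(m.group(1).lower(), m.group(0)), path)


def find_artifacts(artifacts: List[str], env: Dict[str, str],
                   exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Return the artifact paths present on the host, grouped by directory.
    `exists` is injectable so the logic can be exercised without a live host."""
    hits: Dict[str, List[str]] = {}
    for raw in artifacts:
        full = expand_windows_path(raw, env)
        if exists(full):
            hits.setdefault(full.rsplit("\\", 1)[0], []).append(full)
    return hits


def triage(hits: Dict[str, List[str]]) -> str:
    """Summarise hits as one of: clean, suspicious, likely infected."""
    names = {p.rsplit("\\", 1)[1].lower() for paths in hits.values() for p in paths}
    if names & STRONG_NAMES:
        return "likely infected"
    return "suspicious" if names else "clean"


if __name__ == "__main__":
    # On a real Windows host the environment supplies %ProgramFiles% and %UserProfile%.
    found = find_artifacts(ARDAKEY_ARTIFACTS, dict(os.environ))
    print(triage(found), found)
```

A hit on the .lnk shortcuts alone is worth a closer look rather than a verdict, since uninstallers leave them behind; the logger binaries and hook DLLs are what should trigger containment.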
ADDENDUM:
CacheFly has responded to me via e-mail.
“I can confirm that our servers were not compromised, beyond that I can’t offer much else.”
and a follow-up e-mail:
“Obviously we’d like to be as helpful as possible, but since it’s related to customer data we’re rather limited in what we can discuss. I’ve opened a ticket to make THQ aware of this, and we can/will work with them on tracking stuff down if we need to (we do have a history of all versions of a file w/ filesizes/md5 checksums, and the dates/times/src ip of all revisions).”
So they are now aware, and the MD5 checksums should prove definitive. Hopefully they will release these to the security community. (hint)
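An added example, not CacheFly’s tooling or anything from the post, of how the revision history they describe (sizes, MD5s, timestamps, source IPs) settles the question: walk the log for the upload at which the checksum changed, and map the hash of the file a user actually received back to the upload that produced it. The installer bytes, timestamps and addresses below are all constructed stand-ins; the `Revision` record and function names are my assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Revision:
    """One entry of the kind CacheFly describes keeping: every upload of a
    hosted file with its size, MD5 and the time/source address of the upload."""
    when: str       # upload time (constructed ISO-8601 strings below)
    size: int
    md5: str        # hex digest recorded at upload time
    src_ip: str     # address the revision was pushed from

def md5_hex(data: bytes) -> str:
    # MD5 is collision-broken; it is still fine for matching bytes against a
    # log kept before the incident, but a new log should record SHA-256 too.
    return hashlib.md5(data).hexdigest()

def find_swaps(history: List[Revision]) -> List[Tuple[Revision, Revision]]:
    """Consecutive revisions whose checksum changed: each pair marks a moment
    the file being served was replaced, with who pushed it and when."""
    return [(a, b) for a, b in zip(history, history[1:]) if a.md5 != b.md5]

def revision_serving(history: List[Revision], served_md5: str) -> Optional[Revision]:
    """Map the hash of a file a user actually received back to the upload that
    produced it. None means the CDN never logged those bytes, which points away
    from the hosting provider and toward the origin or the user's own machine."""
    for rev in reversed(history):
        if rev.md5 == served_md5:
            return rev
    return None

# Constructed sample data standing in for the real installer and the real log.
CLEAN_V1 = b"wall-e-demo-installer v1 (constructed bytes)"
CLEAN_V2 = b"wall-e-demo-installer v2 (constructed bytes)"
TROJANED = CLEAN_V2 + b" + bundled keylogger (constructed bytes)"
HISTORY = [
    Revision("2008-06-01T10:00:00Z", len(CLEAN_V1), md5_hex(CLEAN_V1), "203.0.113.10"),
    Revision("2008-06-15T09:30:00Z", len(CLEAN_V2), md5_hex(CLEAN_V2), "203.0.113.10"),
    Revision("2008-06-28T23:15:00Z", len(TROJANED), md5_hex(TROJANED), "198.51.100.7"),
]

if __name__ == "__main__":
    for before, after in find_swaps(HISTORY):
        print(f"{before.when} -> {after.when}: md5 changed, pushed from {after.src_ip}")
    hit = revision_serving(HISTORY, md5_hex(TROJANED))
    print("served bytes match upload from", hit.src_ip if hit else "nowhere in log")
```

A match against a logged revision moves the question from the CDN to whoever pushed that revision; no match means the bytes were altered somewhere the CDN never saw.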
Timeless Prototype has uploaded some more pictures, and Bill Pytlovany, security expert and maker of the highly regarded WinPatrol, checks in via Twitter.
[...] Updated: Wayne Porter received a quick response from Cachefly, see under the addendum on his blog entry. [...]
[...] Sandi Hardmeier, Microsoft Security MVP, has made an interesting observation about the current WALL-E download spyware business. [...]
[...] Wayne Porter contacted Cachefly (who manage the servers the game is downloading from), and they said [...]
[...] here is the final (we think) wrap-up to the Wall-E Spyware madness… From Sandi’s blog: Well, for what it’s worth, I haven’t been able [...]
I was wondering: is using a keylogger legal or not?
There are tons of spyware games, or even worse, worms and viruses that will copy or damage our data online these days. Finding a site that is free of this kind of threat is not easy. Each day, new worms and viruses are written. It is good to have the best protection for our PC and our children from online threats.
Yes, I hope so. I really didn’t expect this from spyware games. Many people are using it almost every day, and if this kind of problem occurs repeatedly, it won’t be good for them.
There’s this new spyware out called PIFTS.EXE, made by Symantec. Symantec made a big lie about it, but it’s a rootkit they’ve been covering up for a year and banning anyone who mentioned it in their forum for a year.