All Your Creds Are Belong To Us

Presented at VB2016, Oct. 7, 2016, 11 a.m. (30 minutes)

With over 140 million registered users and more than 7,000 games available for download, *Valve*'s multi-OS digital distribution platform offers a myriad of possibilities for gamers looking to enjoy the latest games not only from an always-on cloud-environment, but from one that provides an ever-growing community of like-minded enthusiasts. *Steam* has shown a steady growth in the number of active users registered in the platform, each one using a credit card to buy content, willingly providing personal information, and exchanging items with other network participants via in-game trades or traditional auctions. Security research has tragically ignored gaming malware under the false assumption that no real value is traded there. This blind spot is being abused by cybercriminals right under our noses to steal real money and effect real damage! Organized crews from all over eastern Europe have been paying close attention to *Steam*'s growing user base and the techniques and procedures offered by the company to secure their accounts, patiently waiting for an opportunity to come. *Steam* has been listening to its users and slowly adding new security measures. As always though, the bad guys are one step ahead and always on the lookout for potential vulnerabilities in how trades are being done in the platform and how credentials are stored in the user's system. After all, as a service designed for entertainment, *Steam* has the eternal problem of adding new measures that could protect some users while alienating others not willing to sacrifice their comfort when choosing to enjoy their favourite game. With easy money on their minds, cybercriminals have developed a plethora of credential-stealing malware that recently displayed a clear evolution in terms of quantity and complexity, demonstrating a growing interest in the gaming crowd.
Even though there are simply too many samples to choose from, we'll concentrate on the hands-on analysis of a .NET credential stealer made specifically for the *Steam* platform and on how the bad guys are modifying the code in each version to improve their campaign and monetize their creations. As Enrique Pena Nieto said, "behind every crime is a story of sadness". Let's analyse the story behind these malicious credential stealers, their victims, and how organized criminals are making money with these quite profitable schemes.

Presenters:

  • Bart Parys - PwC
    Bart Parys has worked for over seven years in the IT industry and is currently a threat intelligence analyst at PwC. Before joining PwC, he worked for several years in the anti-virus industry at Panda Security as a malware researcher. His main interests range from anything malware-related to psychology and languages (and one does not exclude the other!). Bart is fluent in Dutch, English, French and German. @bartblaze
  • Santiago Martin Pontiroli - Kaspersky Lab
    Santiago Pontiroli joined Kaspersky Lab as a security researcher in October 2013. His principal responsibilities include the analysis and investigation of security threats in the SOLA region (South of Latin America), web application security, the development of automation tools stemming from threat intelligence studies and the reverse engineering of programs with malicious code. Before joining Kaspersky Lab, Santiago served as Development Leader in Accenture for projects like Site Concept Studio and Avanade Connected Methods, where he supervised all technical aspects of his teams, developed and presented demos on the different platforms, and offered technical support to the sales team. Prior to Accenture, Santiago worked as a consultant for several companies providing support on access control software, system and network administration, server hardening and web application security. Santiago holds degrees in systems engineering and systems analysis from the Universidad Tecnológica Nacional F.R.L.P in Buenos Aires, Argentina. He is fluent in English and Spanish. @spontiroli
