<<<
NEWS FROM THE LAB - Friday, September 12, 2014
>>>
 

 
A Twitch of Fate: Gamers Shamelessly Wiped Clean Posted by FSLabs @ 11:29 GMT

Twitch.tv is a video gaming focused live streaming platform. It has more than 50 million viewers and was acquired by Amazon.com in August for nearly a billion dollars.

We recently received a report from a concerned user about malware that is being advertised via Twitch's chat feature. A Twitch-bot account bombards channels and invites viewers to participate in a weekly raffle for a chance to win things such as "Counter-Strike: Global Offensive" items:

items (165k image)

The link provided by the Twitch-bot leads to a Java program which asks for the participant's name, e-mail address and permission to publish winner's name, but in reality, it doesn't store those anywhere.

Those who have fallen victim to this fake giveaway will be shown this message after entering their details:

congrats (17k image)

After this message, the malware proceeds to dropping a Windows binary file and executing it to perform these commands:

  •  Take screenshots
  •  Add new friends in Steam
  •  Accept pending friend requests in Steam
  •  Initiate trading with new friends in Steam
  •  Buy items, if user has money
  •  Send a trade offer
  •  Accept pending trade transactions
  •  Sell items with a discount in the market

This malware, which we call Eskimo, is able to wipe your Steam wallet, armory, and inventory dry. It even dumps your items for a discount in the Steam Community Market.

Previous variants were selling items with a 12% discount, but a recent sample showed that they changed it to 35% discount. Perhaps to be able to sell the items faster.

code_sell_discount (67k image)

Being able to sell uninteresting items will allow the attacker to gather enough money to buy items that he deems interesting. The interesting items are then traded to an account possibly maintained by the attacker.

Victims have reported in forums.steamrep.com that their items were being traded to this Steam account without receiving anything in return:

steamaccount (113k image)

All this is done from the victim's machine, since Steam has security checks in place for logging in or trading from a new machine. It might be helpful for the users if Steam were to add another security check for those trading several items to a newly added friend and for selling items in the market with a low price based on a certain threshold. This will lessen the damages done by this kind of threat.