`Spot the Differences

Online “spot the differences” games, particularly popular with children, challenge computer users to scour two nearly identical images for tiny variations. But we found a big difference in a Chinese-language flash game – a Trojan. It plays with your computer while you have fun scouring images for mismatching moustaches, ladybugs and misplaced shadows.

.

Fig. 1 Two samples of the same Flash game that discreetly carries a Trojan

First and foremost, the malware connects to a domain where it downloads an XML configuration file from. The file contains a comprehensive set of instructions, including the next actions to be performed on the victim’s computer. Just as instructed in this file, it overwrites the "%SystemRoot%system32driversetchosts"file in order to block a series of sites that seem to offer Flash content tracking services. More than that, the browser’s start page will be hijacked and the browser’s bookmarks will be overwritten with a number of ad and malware-serving pages.

Every time a new machine is infected, it receives a unique identifier set that is stored in the Registry and is sent to the attacker every time the Trojan connects to a specified address. This identification set is probably used to measure the success rate of the infection and track the “efficiency” of each infected machine.

If the game is stopped, the malicious activity stops as well. Every time the game runs, the malware bundled with it will update the settings by reading the remote XML file, bringing in fresh domains and eliminating those that have been suspended for abuse between runs. As long as the game is not restarted, the settings remain unchanged. This way the user will never suspect that the game is the source of nasty traffic.

We noticed a peculiarity about Trojan.PWS.Game.D in that it is not designed to add itself at startup, as most malware does. Is it because the cyber-criminal was sure that users will want to play the game more than once? Or an oversight by the scammers? Drop us your thoughts via the comment form below.

This article is based on the technical information provided courtesy of Doina Cosovan, BitDefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.