x
ETF2L is looking for new Staff to recruit! Are you interested in supporting the league? Then click here for more details on what we can offer and how to apply! 

Forum

An explanation of SteamStealer aka "Ebola.scr"

Created 21st December 2014 @ 14:38

Add A Reply Pages: 1 2 3 Next »

Flow.

Nein

Hey there fellow gamers,
as the stupid malware, known in this forum as Ebola.scr is still spreading among Steam users I wanted to explain to you what it actually is and what it does. Yesterday a friend of mine again got the dubious message in Steam with the, by now, well known link to the website that forces your browser to download the .scr file. I had some time to spare so I went on to disassemble this file and tried to reverse-engineer it. The guy who wrote the program did not put a lot of effort into anti-reversing mechanisms so after 3-4 hours I had the complete source code of the program named “SteamStealer” by the creator (I read this in the source code). Since I now know what the malware is capable of I wanted to share it with you, because many of you may have underestimated this. In fact this is not just a “digital slap in the face”  or a “bad joke”. Just fyi, I already reported this to the Valve security team but I am still waiting for a response.
Here is (briefly) explained what SteamStealer does when you run it:

It uses your Steam client for authentication with Steam community. (SteamGuard does NOT help you in that case, i will explain that in the tech part)

Then it fakes the Steam client browser agent and communicates with the service to catch all your groups and friends and sends the infection message to all of them.

After that it checks your Steam inventory for the following things:
– (440) Team Fortress 2 — Unusuals, hats, keys, tools
– (570) Dota 2 — Basically all the stuff
– (730) Counter-Strike: Global Offensive — Basically all the stuff
– (753) Trading cards (?) — Gifts

When it finds what it is looking for, it creates a trade offer to a middleman account which is hardcoded into the program. I am currently checking their backpack for new TF2 items so I can track the IDs and the new owners in order to find the real “hacker’s” account. So far there are over 300 CSGO and over 150 Dota 2 items.

As far as I know SteamStealer does not copy itself to your system or anything. It is just working as long as the victim runs it once.

Why SteamGuard doesn’t help you at all: SteamGuard prevents unauthorized computers to log in into your Steam account. In this case the malware uses YOUR computer which is authorized and already logged in. It is NOT a keylogger, it catches the cookies of the Steam user agent which are used to log you in when you browse the store or the community.

Well, I hope that does help you guys understand this stuff a bit more.
I would like to know if you want me to break down the source code in detail, so I made a poll.
Link to poll: Vote here!

Peace out! :)

Yggdrasil

Fe |

goood work, im definetly interested in more tech details.

CHERRY

Quoted from Flow.

Great job flow.
So it doesn’t send sentryfiles to a remote server?


Last edited by CHERRY,

Flow.

Nein

Quoted from CHERRY

So it doesn’t send sentryfiles to a remote server?

From what I can tell, it only uses http requests with steamcommunity.com and kernel32.dll to search the memory of the Steam process. So no key logging or uploads to a remote server. Maybe I could use wireshark to log the network traffic to be sure about that, but if I was able to fully de-obfuscated the code, there are no signs of sending files.

CHERRY

Quoted from Flow.

[…]
From what I can tell, it only uses http requests with steamcommunity.com and kernel32.dll to search the memory of the Steam process. So no key logging or uploads to a remote server. Maybe I could use wireshark to log the network traffic to be sure about that, but if I was able to fully de-obfuscated the code, there are no signs of sending files.

I guess he didn’t want to risk it getting traced to him?

Casual

prtyboiz
T⑨

Quoted from CHERRY

[…]
I guess he didn’t want to risk it getting traced to him?

Sending trade offers to a specific account totally helps to keep yourself anonymous :)

CHERRY

Quoted from Casual

[…]

Sending trade offers to a specific account totally helps to keep yourself anonymous :)

Why not? It’s not like he was saving those items, he probably traded them between accounts fast and sold fast for stuff like xbox live codes or w/e.


Last edited by CHERRY,

Tseini

Damn!
Chuds

its amazing how much you can do with computers if you know how stuff work.
good job,hopefully you end up finding out the real “hacker” and he gets what he deserves ^^.

CHERRY

Quoted from Tseini

its amazing how much you can do with computers if you know how stuff work.
good job,hopefully you end up finding out the real “hacker” and he gets what he deserves ^^.

Blame the game not the player :)

hr

Quoted from CHERRY

[…]
Blame the game not the player :)

I’m not sure what the law is but this guy is stealing virtual items that people have paid real money for, presumably thousands of dollars worth. That’s fairly serious no?

jx53

http://pastebin.com/6nEjPUa2


Last edited by jx53,

Flow.

Nein

Quoted from jx53

[…]

This paste is from September 29th and you said Steam patched it already once. The version I got on December 20th, differs much from the old version, so we can tell these people update their code. Also the way they get the Steam auth cookies does not seem different at all but there are still many people who get infected by this stuff. How did Valve patch this!? Also I don’t know if it is wise to post this stuff in public, because when it still works, some script kiddie will make copy-pasta out of this :D

CHERRY

Who the fuck writes a virus in C#?

CHERRY

Quoted from hr

[…]
I’m not sure what the law is but this guy is stealing virtual items that people have paid real money for, presumably thousands of dollars worth. That’s fairly serious no?

It is, I just wanted to point Valve’s fault in it.

Flow.

Nein

Quoted from CHERRY

Who the fuck writes a virus in C#?

Apparently somebody, who obfuscates the code with a bad open source packer. I guess this stuff is patched together from several code snippets. I don’t complain at all, because they just made my work easier. I only had to de-obfuscate to get to the source instead of reading a lot of stuff in my debugger xD. But writing it in C# doesn’t mean it’s less harmful…

Add A Reply Pages: 1 2 3 Next »