Playing with shadows - exposing the black market for online game password theft
Chun Feng Microsoft
download slides (PDF)
Malicious software that targets online games has become increasingly prevalent over the past couple of years. Research
into the cause of this trend has uncovered a thriving underground black market driving this malware's development and
The marketplace is organized to sell four different 'black products' to a variety of buyers. These products include
'envelopes' (stolen account information), 'stalls' (online spaces used to collect stolen account information), trojans
(malware used to steal account details), and 'trojan generators' (used to generate customized trojans).
This paper explores the organization and operation of the black market and sheds light onto the clandestine relationships
between the four products.
In particular, this paper presents a detailed analysis of the trojans and trojan generators sold on the black market.
These products, designed by underground workshops, have been developed to include the features of both legitimate and
illegitimate (i.e. malware) software products. As malware, they are deliberately designed to avoid detection and hinder
removal; they also feature anti-protection mechanisms, advanced stealth functionality and often evolve through hundreds
of variants. Similar to more traditional, legitimate software products, they have their own product-testing
methodologies, sales channels, and support, maintenance and upgrade offerings.
Beyond doubt, there is an escalating fight between the anti-malware vendors/online game vendors and the operators of the
black markets. However, the growth of this market poses considerable challenges, not just for those directly involved in
the associated industries of AV and gaming, but for users, businesses and law-makers alike.