By Franklin Zhao & Jason Zhou

This is an impressive and first-time experience in my anti-virus career. I chatted with a hacker while debugging a virus. Yes, it’s true. It happened when the Threat team were researching key loggers for Diablo III while many game players playing this game found their accounts stolen.  A sample is found in battle .net in Taiwan, China. The hacker posted a topic titled “How to farm Izual in Inferno” (Izual is a boss in Diablo III ACT 4), and provided a link in the content which, as he said, pointed to a video demonstrating the means.

Below is the ‘Video’. It’s a RAR archive actually containing two executable files. These two files are almost the same except the icon.

The malware will connect to a remote server via TCP port 80 and download a new file packed by Themida.

That’s very simple Downloader/Backdoor behavior and we are only interested in looking for key logging code for Diablo III so we didn’t pay much attention to it.

But an astonishing scene staged at this time. A chatting dialog popped up with a text message:

(Translated from the image below)

Hacker: What are you doing? Why are you researching my Trojan?

Hacker: What do you want from it?

The dialog is not from any software installed in our virtual machine. On the contrary, it’s an integrated function of the backdoor and the message is sent from the hacker who wrote the Trojan. Amazing, isn’t it? It seems that the hacker was online and he realized that we were debugging his baby.

We felt interested and continued to chat with him. He was really arrogant.

(Translated from the image below)

Chicken: I didn’t know you can see my screen.

Hacker: I would like to see your face, but what a pity you don’t have a camera.

He is telling the truth. This backdoor has powerful functions like monitoring victim’s screen, mouse controlling, viewing process and modules, and even camera controlling.

We then chatted with hacker for some time, pretending that we were green hands and would like to buy some Trojan from him. But this hacker was not so foolish to tell us all the truth. He then shut down our system remotely.

Regarding this malware, no Diablo III key logging code was captured. What it really wants to steal is dial up connection’s username and password.

It sounds like a movie story, but it’s real. We are familiar with malware and we are fighting with them every day. But chatting with malware writers in real time doesn’t happen so often. Next time, I will be on the alert.

The malware and its components are detected by the AVG as Trojan horse BackDoor.Generic variants.

Franklin Zhao & Jason Zhou

SOURCE