
Virtual Gold Fever


Filed under Research category.

Recent news stories report that a Chinese student in Japan named Wang Yue Si was arrested after making an estimated 150 million yen (around 1.3 million U.S. dollars) auctioning off World of Warcraft items online. He was arrested for violating the terms of his student visa after a bank teller became suspicious of his frequent transactions (sending money back to China) and alerted local police.

I suspect there is more to the story, however. Obviously, a single person spending time in WoW gathering weapons and gold is not going to be able to amass enough to make that kind of money. We’ve heard stories about Chinese sweatshops where the workers play WoW and other MMORPGs in order to sell the virtual items to Western players, an occupation known in the RPG world as gold farming, which leverages the vast differences in cost of living between East and West in order to eke out a living.

But there is an even more evil underside to the growing market for virtual goods, one that involves outright theft of MMORPG characters and possessions by means of trojan-horse backdoors. Ordinarily this isn’t the kind of thing that affects corporations on a large scale. Recently, however, a worm known as W32/HLLP.Philis.bq has been spreading on corporate networks by brute-forcing the passwords on Microsoft network shares. The worm is reported to be initially introduced via the MS06-014 exploit, meaning that a single unpatched workstation where the user browses with Internet Explorer can serve as a launching pad for the worm to spread throughout the enterprise, even if the other machines are up to date on their patches (but lacking adequate password security).

Is Wang Yue Si behind the Philis.bq worm? Certainly nothing can be ruled out until the Kumamoto police finish their investigation, but there are a great many other individuals engaged in the same type of activity. China does seem to be the center of both the gold farming and MMORPG-trojan universe. One thing we do know is that the damage this worm causes is mostly in vain, as those most affected (large corporate networks) are the least likely to have MMORPG software installed on their systems. If the targeted game program is not present on the system, the trojan payload has no effect. However, the time spent chasing down the worm on the network should serve as a wake-up call to those (hopefully few) organizations that still don’t feel the urgency in keeping their systems up to date and hardened against attack.
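The spreading behaviour described above, one infected workstation guessing share passwords on many other machines, leaves a recognisable fan-out pattern in logon records. The following Python is an added example, not SecureWorks code, showing how a defender could flag that pattern and list the hosts whose passwords were guessed; the CSV log format, host names, addresses and thresholds are constructed assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: normalised network-logon events in chronological order.
# Columns (assumed format): time, source address, target host, account, result.
SAMPLE_LOG = """\
2006-08-01T09:00:01,10.0.5.23,FILESRV01,administrator,FAIL
2006-08-01T09:00:02,10.0.5.23,FILESRV01,administrator,FAIL
2006-08-01T09:00:03,10.0.5.23,FILESRV01,admin,FAIL
2006-08-01T09:00:04,10.0.5.40,FILESRV01,jsmith,FAIL
2006-08-01T09:00:05,10.0.5.23,HR-PC07,administrator,FAIL
2006-08-01T09:00:06,10.0.5.23,HR-PC07,administrator,FAIL
2006-08-01T09:00:07,10.0.5.23,HR-PC07,administrator,OK
2006-08-01T09:00:09,10.0.5.40,FILESRV01,jsmith,OK
2006-08-01T09:00:10,10.0.5.23,ENG-PC12,administrator,FAIL
2006-08-01T09:00:11,10.0.5.23,ENG-PC12,guest,FAIL
"""


def find_share_bruteforce(log_text, min_failures=5, min_targets=3):
    """Flag sources whose failed logons fan out across several hosts.

    Returns {source: {"failures", "targets", "cracked"}}; "cracked" lists hosts
    where a success followed earlier failures from the same source, i.e. the
    machines whose weak passwords let the worm in despite being patched.
    """
    stats = defaultdict(lambda: {"failures": 0, "targets": set(), "cracked": set()})
    failed_on = defaultdict(int)  # (source, target) -> failures seen so far
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _time, src, target, _account, result = row
        entry = stats[src]
        if result == "FAIL":
            entry["failures"] += 1
            entry["targets"].add(target)
            failed_on[(src, target)] += 1
        elif result == "OK" and failed_on[(src, target)]:
            entry["cracked"].add(target)
    return {
        src: {"failures": e["failures"], "targets": sorted(e["targets"]),
              "cracked": sorted(e["cracked"])}
        for src, e in stats.items()
        if e["failures"] >= min_failures and len(e["targets"]) >= min_targets
    }


if __name__ == "__main__":
    for source, report in find_share_bruteforce(SAMPLE_LOG).items():
        print(source, report)
```

The user at 10.0.5.40 who mistypes a password once is not flagged, because the rule requires both a failure count and a spread across distinct targets.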
