Malware Spreading via Steam Chats, Gains Access to Inventory


Be cautious of any URL shortener or else you could be downloading malware from friends and strangers on Steam.

Malware researchers are warning all Steam users to be aware of a .SCR (screensaver) file that appears harmless but will actually steal items from Steam users' inventories.

Security company Malwarebytes said once a computer is infected with the malware, the victim's session ID on Steam and inventory are at risk. In addition, the virus sends further messages to the victim's friends list. The message includes a link to what appears to be a photo. The URL is shortened through bit.ly, with IMG at the start of the full URL and a .SCR extension.

Christopher Boyd of Malwarebytes said, "Just because the name of the file says 'IMG' at the start doesn't mean it's actually an image file. The extension in these cases is the giveaway, and users of Steam should ensure they're not being set up for a harsh lesson in digital shenanigans."

Earlier in the week, Steam users wrote about the malware in the community forums.

Bart Blaze, a malware researcher at Panda Security, looked into the matter further. The link leads to a file on Google Drive and immediately downloads the .SCR file, a screensaver file, with a picture of a woman as the icon.

"Note that normally, the Google Drive Viewer application will be shown and this will allow you to download the .scr file," Bart Blaze wrote. "In this case, the string '&confirm=no_antivirus' is added to the link, which means the file will pop-up immediately asking what to do: Run or Save."

If you have downloaded the malware, you should first exit Steam immediately and open Task Manager and locate temp.exe, wrrrrrrrrrrrr.exe, vv.exe, or "a process with a random name, for example 340943.exe."

Scan your computer with the antivirus you use, and then scan again with a different one. After deleting the malware, change your Steam password and the password on any other site where you use the same one. You can also enable the visibility of file extensions, so that a .SCR file posing as an image shows its real extension.

As always, be careful when clicking on shortened URLs, even when sent by a friend.
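
The indicators described above (a bit.ly link, the `confirm=no_antivirus` string, an image-like name with a .SCR extension, and the listed process names) can be checked mechanically. The following Python sketch is an added example, not code from Malwarebytes or Bart Blaze; the shortener and executable-extension lists, the image-name pattern, and all sample URLs and filenames are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

# Assumptions (not from the article): shortener list, extension list, image-name pattern.
SHORTENERS = {"bit.ly"}
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
IMAGE_HINT = re.compile(r"^(img|screenshot|photo|pic)|\.(jpe?g|png|gif)\.", re.I)
# Process names the article lists, plus its "random name" pattern such as 340943.exe.
NAMED_PROCESSES = {"temp.exe", "wrrrrrrrrrrrr.exe", "vv.exe"}
RANDOM_NUMERIC = re.compile(r"^\d+\.exe$", re.I)


def triage_link(url, filename=None):
    """Return the reasons a chat link (and the file it offers) matches the lure."""
    reasons = []
    parts = urlsplit(url)
    if (parts.hostname or "").lower() in SHORTENERS:
        reasons.append("shortened URL hides the real destination")
    if "no_antivirus" in parse_qs(parts.query).get("confirm", []):
        reasons.append("confirm=no_antivirus forces an immediate Run/Save prompt")
    name = filename or PurePosixPath(parts.path).name
    ext = PurePosixPath(name).suffix.lower()
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"{ext} is an executable type")
        if IMAGE_HINT.search(name):
            reasons.append("name poses as an image")
    return reasons


def is_listed_process(name):
    """True if a process name matches the ones the article says to look for."""
    n = name.lower()
    return n in NAMED_PROCESSES or bool(RANDOM_NUMERIC.match(n))


if __name__ == "__main__":
    # Constructed samples; hosts, IDs and filenames are placeholders.
    samples = [
        ("https://bit.ly/CONSTRUCTED", None),
        ("https://drive.example/uc?id=CONSTRUCTED&confirm=no_antivirus", "IMG_0042.scr"),
        ("https://images.example/holiday/IMG_0042.jpg", None),
    ]
    for url, fname in samples:
        print(url, fname, triage_link(url, fname) or "no indicators")
    for proc in ["vv.exe", "340943.exe", "steam.exe"]:
        print(proc, is_listed_process(proc))
```

A numeric-only process name is a weak signal on its own, so treat a match as a prompt to run the scans described above rather than as proof of infection.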

Source: Malwarebytes, Bartblaze


I've been getting a lot of friend requests from complete strangers lately, in spite of not playing anything on Steam except Half-Life 2 in the last several weeks. I was starting to wonder if I had some abnormally valuable item in my inventory that I didn't know about, but this seems more likely.

P.S. Thanks

Covarr:
I've been getting a lot of friend requests from complete strangers lately, in spite of not playing anything on Steam except Half-Life 2 in the last several weeks. I was starting to wonder if I had some abnormally valuable item in my inventory that I didn't know about, but this seems more likely.

P.S. Thanks

Well, I don't see anything in your inventory so it might have been cleaned out.

Ever since they introduced the steam wallet I've been waiting for stuff like this to start happening. With how many millions of dollars passing through steam there's bound to be some efforts to compromise the platform. At least this is something that you can see coming: I fear the day when something piggybacks on an update.

I try to never click shortened links; I always observe the link address to ensure I'm going somewhere legit.
Be smart: all these link shortening sites did was create a way to hide useful information from you. If the link is not from your most trusted source, ignore it.

Valve better start doing something about these scam attempts, this is the second major one this year

Dear Russian//Ukrainian friends: ) does not equal ! in the English language. And in this situation, that kind of mistake really reveals where this originates.

But with this malware and inventory breach, previous gifts and trades that are sketchy, and the Earbud Mafia, Valve really needs to do something about some of its Eastern European abusers. Unfortunately Valve Time applies to when we'll see a proper solution.

Worgen:
Well, I don't see anything in your inventory so it might have been cleaned out.

Hmm, apparently it's set to private. So it was almost definitely either people attempting to spread malware, people attempting to phish valuable accounts, or people adding randoms to look at inventories, and not people who specifically wanted something I had. Good to know.

P.S. Thanks

P.P.S. If I'd known it was private, I would've changed it forever ago, in case I ever stumble into something worth more than I realize.

Is this why I received a friend request from {"unassigned}"?

I'd never open anything with the Steam browser anyway, it's a lot slower than copy-pasting it into Firefox and there's no antivirus you can put on it.

Well, good thing I keep Steam's functionality to an absolute minimum then, seeing as I already hate it even without malware (unless you count Steam itself, of course).
I'd also appreciate it, if they got around to fixing the receipts at some point.
Man, how I hate having to use it.

Even though a seasoned Netizen will see through these easily, throwing up these PSA's is still a necessity. If you have friends on Steam who are... less than aware of malware, you may want to share this with them.

I have never been so happy to have so few friends. :P

Though I do occasionally get friend requests I typically ignore if I don't remember the person or... their account is level 1 or something.

Aha! So, the best method to prevent people from getting lured in by spambots on Steam is to...tell everybody on Steam. Wait a minute...

(But seriously, tell people and nip this in the bud.)

Same as Covarr, I've been getting a lot of friend requests from complete strangers, also I tend to NOT trust private profiles with random names.

NuclearKangaroo:
Valve better start doing something about these scam attempts, this is the second major one this year

They did actually, they added a kind of warning message after clicking ANY kind of URL, very annoying for my friends and I, but kind of necessary nowadays.

I love how they lately started to use pictures of girls as avatars for their bot accounts.

Man, I respond to bots with things like that all the time. My incredible wit is wasted on things that can't appreciate it.

https://www.malwarebytes.org/

This is what I use to get rid of the pesky viruses that often slip through AVG. I recommend it to everyone.

SupahGamuh:

NuclearKangaroo:
Valve better start doing something about these scam attempts, this is the second major one this year

They did actually, they added a kind of warning message after clicking ANY kind of URL, very annoying for my friends and I, but kind of necessary nowadays.

Thank goodness too, the warning message actually saved my computer. I got one of these phony messages recently and tried to close it, but my finger slipped and I ended up clicking on the link by accident. Steam managed to warn me about clicking on untrusted URLs before anything began downloading...

choren64:

Thank goodness too, the warning message actually saved my computer. I got one of these phony messages recently and tried to close it, but my finger slipped and I ended up clicking on the link by accident. Steam managed to warn me about clicking on untrusted URLs before anything began downloading...

Downloading the file should still be safe, you have to run the file for it to do anything. But still, not downloading it is much, much safer.

This popped up on the Dota 2 Reddit a few days ago. I got quite a few "friend requests" myself when I got my hands on a $130 item, all which stopped once I sold it on the Steam Market.

CpT_x_Killsteal:
https://www.malwarebytes.org/

This is what I use to get rid of the pesky viruses that often slip through AVG. I recommend it to everyone.

Malwarebytes doesn't actively defend, though.

It's a great scanner, I will give it that, but it can't prevent malware from doing its dirty work, only remove it, and that's usually after you realize something is wrong. (They do have a premium version that might include a firewall, though I'm not sure).

OT: We are familiar from the school, so entrust in me your inventory.

I have been waiting on Steam to help me with a hacked account for 2 weeks now, it takes them 3 or 4 days to respond after I reply to a message they sent. This is totally unrelated to this however, but Steam really needs to get its shit together.

MASTACHIEFPWN:

It's a great scanner, I will give it that, but it can't prevent malware from doing its dirty work, only remove it, and that's usually after you realize something is wrong. (They do have a premium version that might include a firewall, though I'm not sure).

I believe the premium version does indeed have a firewall come packaged with it. I love Malwarebytes as a scanner though. I had a virus that had rooted itself deep in my OS, and it prevented new drivers from installing, even via discs. Malwarebytes managed to fix it so that was good for me. I never would have even noticed the problem either if I didn't have a pain trying to install the drivers for the new wireless mouse I had purchased.

ninonybox360:
I have been waiting on Steam to help me with a hacked account for 2 weeks now, it takes them 3 or 4 days to respond after I reply to a message they sent. This is totally unrelated to this however, but Steam really needs to get its shit together.

With millions of concurrent users, it's practically impossible to police all the scams and help everyone immediately. In most cases, hacking is easily preventable, and if more people used basic common sense it wouldn't really be a problem. The fact that these half-baked hacking attempts ever work is kind of a shame, and I have a tough time feeling sorry for people who fall for them.

ninonybox360:
I have been waiting on Steam to help me with a hacked account for 2 weeks now, it takes them 3 or 4 days to respond after I reply to a message they sent. This is totally unrelated to this however, but Steam really needs to get its shit together.

Do you have email verification enabled?
If not, I highly recommend it once you get your account back. I recommend it to everyone with a Steam account as the extra layer of security. Even Origin has it.

MASTACHIEFPWN:

CpT_x_Killsteal:
https://www.malwarebytes.org/

This is what I use to get rid of the pesky viruses that often slip through AVG. I recommend it to everyone.

Malwarebytes doesn't actively defend, though.

It's a great scanner, I will give it that, but it can't prevent malware from doing its dirty work, only remove it, and that's usually after you realize something is wrong. (They do have a premium version that might include a firewall, though I'm not sure).

OT: We are familiar from the school, so entrust in me your inventory.

Well yeah, it gets rid of, but doesn't prevent.

SupahGamuh:

NuclearKangaroo:
Valve better start doing something about these scam attempts, this is the second major one this year

They did actually, they added a kind of warning message after clicking ANY kind of URL, very annoying for my friends and I, but kind of necessary nowadays.

Well, it's clearly not idiot proof enough

Honestly, who would fall for this? Especially that type of broken form of communication.

NuclearKangaroo:
Valve better start doing something about these scam attempts, this is the second major one this year

The first scam attempt being Greenlight?

Stg:
Honestly, who would fall for this? Especially that type of broken form of communication.

It's actually not that uncommon for Steam Traders to send out random friend requests if you have some of the rarer TF2 swag in your inventory, and not all of them speak perfect English.

That aside, as surprising as it may be, there are people out there that fall for this kind of stuff.

Gennadios:

NuclearKangaroo:
Valve better start doing something about these scam attempts, this is the second major one this year

The first scam attempt being Greenlight?

Greenlight didn't even come out this year so that joke goes nowhere

My friend must have fallen for it (somehow), as he sent me a picture link with the message "Hey, look i won a courier" with a linked screenshot.jpg image called "Picture4u". Of course I already heard about this virus spreading around, but I haven't talked to this friend in a long time and have no idea what a "courier" is. (I assume it's DOTA 2 related).

I looked at the hijacked person's account and warned the person I knew who has an insane amount of hours on TF2 and CS:GO. Said he scanned the link he got with a VM and it was something that actually had to be downloaded, but I guess there are different versions of this virus.

Also beware of typos of websites like "sieamcommunity".

Bit.ly is kind of a dangerous thing nowadays, but then again so is ignorance as always.

Gennadios:

Stg:
Honestly, who would fall for this? Especially that type of broken form of communication.

It's actually not that uncommon for Steam Traders to send out random friend requests if you have some of the rarer TF2 swag in your inventory, and not all of them speak perfect English.

That aside, as surprising as it may be, there are people out there that fall for this kind of stuff.

Yeah, I got a random friend request and accepted thinking it was a trade request. A quick look at the (mostly empty) profile coupled with the broken English made my response to him saying "a friend was trying to add but couldn't because of error please click this link" a quick "LOL, deleted."

That link actually started as steamcommunity so I'd advise people to be careful of those as well, since it probably won't trigger Steam's confirmation.

Yeah, this was doing the rounds for a week. Apparently, just like with the Skype virus, there are so many people that totally fall for this. Worst thing is people don't learn. I know a person that fell for the Skype virus 6 times.

kailus13:
Is this why I received a friend request from {"unassigned}"?

I'd never open anything with the Steam browser anyway, it's a lot slower than copy-pasting it into Firefox and there's no antivirus you can put on it.

That unassigned guy seems to be the source of this malware. He is constantly being reported as spreading it.

Steam Browser is useless. On a regular browser you've got security, addons and faster functionality. I even got Steam set up to automatically use Firefox on links.
