Trend Micro recently released an urgent OPR due to the increase in infection count from PE_LOOKED variants on Trend Micro’s Business Units. There is also a notification delivered which recommends blocking of the following IP addresses:
- h t t p://218.83.155.72
- h t t p://218.85.132.212
- h t t p://220.247.158.178
- h t t p://221.231.138.85
- h t t p://221.231.140.223
- h t t p://59.34.197.251
- h t t p://60.190.222.233
- h t t p://61.152.116.22
- h t t p://61.162.230.130
These are the download addresses found from the variants of PE_LOOKED. A simple Whois query of the said addresses reveals that these IP addresses are hosted mostly in China and in Taiwan ISP. Well, that leads us to, in a way; conclude that there are several zombie machines in China and Taiwan compromised by malicious hackers, probably from China.
It is also noted that the PE_LOOKED file infector downloads spyware trojans which aims to spy on user credentials on the on-line game, LINEAGE. The stolen credentials can be used by the malicious hacker to access the compromised users’ game and do whatever he wants… Well IMO, taking over someone else’s game is not the main objective of having this spyware trojan created. In this game, there are items and other things that make someone’s game character strong and these are the target of the malicious hacker. The hacker can then profit from these compromised users by selling to other lineage players what he got. Yes, it all boils down to money. :) Below is a snipped example of a website which offers Lineage items,accounts and others for a certain price.
This PE_LOOKED malware is not just for file infection but is also being used as a means for gaining profit. From a general view, it is now evident that malware authors aims for money these days and compared to the old malwares where they were created to probably achieve fame or for fun.