Steam is one of the most popular online gaming outlets, offering a range of fare including blockbusters like Garry's Mod and Half-Life 2 (and soon, Half-Life 3). It also has a chat message capability—which has now apparently been hijacked by malware pushers.
Gamers should be wary of any chat messages inviting them to click on a link, but especially a new one that’s being spread between Steam users saying 'WTF?????' linking to what appears to be a JPEG image file.
“However, if you click on the link you will actually find yourself downloading a .SCR Windows executable file, containing malicious code,” said Graham Cluley, independent security researcher, in a blog. “If you have seen a message similar to this then, in all likelihood, one of the contacts on your Steam friends list has had their computer infected by the malware and is spamming you and everyone else on their contacts list with the WTF????? message.”
Those that download the attachment, and then open it, will be infected, perpetuating the spamming ring but also potentially allowing hackers to steal Steam credentials. Often, nefarious types will use the credentials stolen from one service to brute-force the accounts of other services that may use the same screen name and password—services that will give them access to much more sensitive information than Steam’s gaming history.
Cluley pointed out that the problem of malicious .SCR files spreading across the Steam network is sadly not a new one. For instance, back in September researchers at MalwareBytes warned of a similar threat, which retrieved the current session ID of the Steam user, gained access to the user’s inventory/ backpack, and saved items onto an “offer list” for selling later. And in 2011, a massive breach compromised 35 million accounts.
At press time, the VirusTotal service is showing that less than half of available antivirus products are detecting the malicious file (25 out of 56).
As far as avoiding issues, Cluley advocates the tried and true safety approach. “My advice? Be very careful about the links that you click on via Steam chat – even if they appear to have been shared by your online friends,” said Cluley.