But what am I specifically supposed to fear about Steam's security? What are the ramifications? Eager to know where you are coming from here...
Worst case, custom-created malware (which would initially avoid detection by AV scanners) to hijack your system, with the ability to (a) monitor keystrokes and mouse movements to capture bank login details or (b) ransomware as mentioned previously.
More common uses for compromised systems include spamming and HTTP/DNS relays for "bulletproof" (typically spamvertised) websites, but this activity would be easily detectable and less profitable than the first two.
With Valve claiming to have over 65 million active accounts, anyone compromising their systems could have a malware bonanza. Since Valve have yet to come clean on the cause of their 2011 compromise (the only info I've found is a "we're still looking" update), it seems a fair bet that "responsible disclosure" isn't part of their vocabulary.
I run steam using Sandboxie, which sandboxes the app. Steam only has limited access to my system like that, and when one day I tire of it - I need only delete its sandbox and all traces of it will be gone forever.
For normal applications, Sandboxie is a valid approach. But Windows services have full access to the system and could, at least theoretically, bypass Sandboxie and other security software.
Services, drivers and any process allowed physical (low-level) memory access can disable or bypass security software (which itself relies on services and drivers), so one aspect of having a secure system is keeping programs that access these to a bare minimum. And that applies triply to any with network access, since they offer the chance of a remote compromise.
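One way to audit the point made in the last post, added here as an example and not written by anyone in the thread: list running Windows services whose host process holds a network-reachable listening socket, together with the account each runs as. It assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection` and `Get-NetUDPEndpoint`) and an elevated PowerShell session.

```powershell
# Running services with a real host process (PID 0 means no process).
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.ProcessId -ne 0 }

# Listening TCP sockets and bound UDP endpoints, grouped by owning PID.
$listeners = @(
    Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    Get-NetUDPEndpoint |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess
) | Group-Object -Property OwningProcess -AsHashTable -AsString
if ($null -eq $listeners) { $listeners = @{} }

$report = foreach ($svc in $services) {
    $sockets = $listeners["$($svc.ProcessId)"]
    if (-not $sockets) { continue }

    # Loopback-only listeners are not reachable from other machines.
    $exposed = $sockets | Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' }
    if (-not $exposed) { continue }

    [pscustomobject]@{
        Service   = $svc.Name
        Account   = $svc.StartName      # 'LocalSystem' means full system access
        StartMode = $svc.StartMode
        PID       = $svc.ProcessId
        Endpoints = ($exposed |
                        ForEach-Object { "$($_.Proto)/$($_.LocalPort)" } |
                        Sort-Object -Unique) -join ', '
        Path      = $svc.PathName
    }
}

# Several services can share one svchost.exe process; sockets are tracked per
# PID, so every service in a shared process is listed with the same endpoints.
$report | Sort-Object Account, Service | Format-Table -AutoSize -Wrap
```

Entries running as `LocalSystem` with non-loopback endpoints are the ones to review first: each is a candidate to disable, restrict with a firewall rule, or move to a lower-privileged account.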