This popped up on MMO-Champion today and I am passing it along to our members and visitors:
Trojan successfully hacks Authenticator Protected Accounts
A new virus spawned on the Internet a few days ago and seems to be the first trojan capable of hacking a WoW account protected by an Authenticator. It was confirmed by Blizzard a few hours ago.
Originally Posted by Kropacius
Basically, what the virus does is fairly simple after you're infected :
- The next time you log in World of Warcraft, the game asks for your Authenticator code.
- The virus intercepts it, sends it to another server, and sends a wrong one to Blizzard = You get an error.
- The people behind the virus now have a few seconds/minutes to use the "real" code while it's valid to change your password / empty your account / guild bank.
How to check if you're infected
Just search for a file named "emcor.dll" on your computer; it is most likely located in "C:\Users\(Your user name)\AppData\Temp" but I suggest that you check everything just to be sure. If you do find the file, delete it and make sure you update your anti-virus to prevent any further problem.
To be honest, if you found this file your account is probably already compromised.
What does it mean exactly?
- Yes, you can get hacked even if you have an authenticator, the chances are MUCH lower but you're not invulnerable.
- It definitely isn't an excuse to not have an authenticator. We're talking about a single virus here and the authenticator will save your ass 99% of the time.
- Get a decent anti-virus, buy an authenticator, you'll be safe.
Thanks to Boubouille over at MMO-Champion for this alert.
MMO-C News post HERE
This is further proof that hackers will not stop trying to attack your accounts. While this is only one piece of malware, you can expect more to come. Currently it only affects Windows-based systems; however, Mac and Linux users should not be complacent. Linux users running WoW under Wine may be susceptible, so be careful!
- Make sure you have a good Anti-virus/Anti-spyware set-up that is installed, enabled and updated on a regular basis.
- Make sure your OS is updated. All modern OSes offer an easy update process, such as Windows Update, OS X's Software Update and the various update/package managers for Linux distros.
- Do not use Internet Explorer 6. Always run the latest released version of your browser. For greater security, if your browser can run AddOns that enhance your security, use them!
- Make sure your Flash Player is updated. You would be surprised at the number of people who still use the version of Flash that was included with Windows XP. This also goes for Adobe Reader. Flash is particularly important to keep updated as holes within Flash can be exploited on all platforms that Flash is available for.
- Be wary of any "strange" files. If you download something from the Internet, SCAN IT!
- Do not download documents attached to email unless you know the sender AND you are expecting the file. This also goes for files downloaded from IM networks and IRC.
- If you get a request to "authenticate" on your OS and you are not running an installer or making changes that you are aware of, deny the authentication and scan your system.
- As mentioned, even though this attack does affect Blizzard Authenticator protected accounts, you are still better off using the Authenticator to protect your account as you are protected from attacks that don't originate from your system (this attack originates from within your PC via trojan).
- Finally USE SOME COMMON SENSE!!!
Update: World of Raids has more information on this attack. It originates from a fake version of the WoWMatrix site. The attackers have placed a Sponsored Ad on Google that appears whenever someone searches for WoWMatrix; the ad sits at the top of the listings, where it is most likely to be clicked. Upon arriving at the fake WoWMatrix site, the visitor can download a version of WoWMatrix with the initial attack, emcor.dll, packaged in it. Once the dll has been executed, it downloads and installs the trojan Malware.NSPack.
Malwarebytes can detect and remove this trojan.
The server hosting the fake WoWMatrix site also hosts 14 other fake WoW-related sites, including ones that target Curse and Deadly Boss Mods. For those who want to look up this server, its IP is 112.137.162.183.
Examples of these domains:
Cursea .com
Deadlybossmodss .com
Gamesacca .com
You may wish to add 205.209.181.111 and 112.137.162.183 to your firewall's block list. Note that the Hosts file matches host names, not IP addresses, so putting the IPs there does nothing; what belongs in your Hosts file is an entry pointing each of the fake domains above at 127.0.0.1 (or 0.0.0.0) so your browser can never reach them.
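An added example (not code from the original post or from World of Raids) that turns the indicators above into block-list entries and checks a hosts file for them. It assumes the domains are the three listed above, written without the defanging space, and also adds their www. forms, which the post does not mention; the netsh rule syntax is the Windows Vista/7 one.

```python
# Added example, not code from the original post or from World of Raids.
# The Hosts file maps host NAMES to addresses, so only the fake domains
# belong there; the two IP addresses have to be blocked by a firewall rule.
# Assumptions: the domains are the page's, written without the defanging
# space; the www. variants are added as well (not stated on the page).
import ipaddress

FAKE_DOMAINS = ["cursea.com", "deadlybossmodss.com", "gamesacca.com"]
BAD_IPS = ["205.209.181.111", "112.137.162.183"]
SINKHOLE = "0.0.0.0"   # unroutable; 127.0.0.1 also works but sends the request to your own PC


def _names_in(hosts_text):
    """Every host name already mapped in a hosts file, lower-cased, comments ignored."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(f.lower() for f in fields[1:])   # fields[0] is the address
    return names


def missing_from_hosts(hosts_text, domains=FAKE_DOMAINS):
    """Check: which of the domains (and their www. forms) are not yet in the hosts file."""
    have = _names_in(hosts_text)
    wanted = [n for d in domains for n in (d.lower(), "www." + d.lower())]
    return [n for n in wanted if n not in have]


def add_hosts_entries(hosts_text, domains=FAKE_DOMAINS, sinkhole=SINKHOLE):
    """Return the hosts file text with the missing names pointed at the sinkhole.
    Idempotent: running it twice adds nothing the second time."""
    lines = hosts_text.rstrip("\n").splitlines()
    lines += [f"{sinkhole} {name}" for name in missing_from_hosts(hosts_text, domains)]
    return "\n".join(lines) + "\n"


def firewall_commands(ips=BAD_IPS):
    """Windows Vista/7 netsh commands blocking outbound traffic to each IP.
    ipaddress.ip_address() raises ValueError on anything that is not an address,
    so junk from a copy-paste never reaches a command line."""
    cmds = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        cmds.append(f'netsh advfirewall firewall add rule name="Block {addr}" '
                    f"dir=out action=block remoteip={addr}")
    return cmds


if __name__ == "__main__":
    # Constructed sample hosts file. On Windows the real one is
    # %SystemRoot%\System32\drivers\etc\hosts and needs an elevated editor.
    sample = "127.0.0.1 localhost\n# comment\n0.0.0.0 Cursea.com  # already blocked\n"
    print(add_hosts_entries(sample))
    print("\n".join(firewall_commands()))
```

Run the netsh lines from an elevated command prompt; the hosts merge only returns text, so write it back to the real hosts file yourself after checking it.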
The player Cameron from the US forums is hot on the trail of this attack, as are users of World of Raids. I want to thank World of Raids for posting this info. The link to the story is here:
http://www.worldofraids.com/topic/15...atrix-website/
Additional info from WoR:
http://www.worldofraids.com/topic/15...in-patch-333/? (thanks to Bluespacecow for the link)
A good write-up on how this works and how it affects your account if you get burned:
http://www.wow.com/2010/02/28/man-in...uthenticators/
The basics of this attack:
- You get infected by emcor.dll (via an infected file such as the fake WoWMatrix, there may be other fake "updaters" or other files on other fake sites so be careful) which then installs Malware.NSPack
- You attempt to log-in into WoW and input the code generated by your Authenticator
- The trojan intercepts the Authenticator code and you get an error message. WoW may also crash to the desktop, which confuses the user and gives the hacker the time needed to use the intercepted code.
- In the meantime, the intercepted Authenticator code (which was correct and still valid) is sent to the hacker. It never gets sent to Blizzard. Repeat, BLIZZARD NEVER RECEIVES THE CODE. The hacker now has around 30 seconds to use that code.
- The hacker uses that intercepted code to log into your account with the user name and password that were captured by the keylogger.
- The hacker cleans out your character of gold and items. The gold is sent off to mules which then fulfill orders for gold purchased by other players.
- The hacker CANNOT change your password or otherwise lock you out of your account. However, if you do not remove the trojan before you log in again, the whole process repeats and more gold/items are lost.
- As mentioned by Bluespacecow, WoW.com and World of Raids, your Authenticator has not been hacked. The Authenticator itself is an offline device with no Internet connection, so it cannot be attacked remotely; the attack is done by a third-party program on your PC which intercepts the code when you attempt to send it to Blizzard. That program must be removed.
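The sequence above, simulated as an added example (not code from the original post, WoW.com, World of Raids or Blizzard). It assumes the Authenticator behaves like a standard RFC 6238 time-based token with 30-second steps, which the post does not state, and uses a constructed secret, password and clock.

```python
# Added example, not code from the original post, WoW.com or Blizzard.
# Assumption: the Authenticator is modelled as an RFC 6238 TOTP token
# (HMAC-SHA1, 30-second step). Secret, password and clock are constructed.
import hashlib
import hmac
import struct

STEP = 30                                  # seconds covered by one code


def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 code for time t: HMAC-SHA1 over the step counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 10 ** digits:0{digits}d}"


class Server:
    """Toy login server. Accepts the current step plus `skew` steps either side
    (real servers tolerate clock drift this way) and never accepts a code twice."""

    def __init__(self, secret: bytes, password: str, skew: int = 1):
        self.secret, self.password, self.skew = secret, password, skew
        self.used = set()

    def login(self, password: str, code: str, now: int) -> bool:
        if password != self.password:
            return False
        for k in range(-self.skew, self.skew + 1):
            step = now // STEP + k
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected, code) and (step, code) not in self.used:
                self.used.add((step, code))
                return True
        return False


class Trojan:
    """Stands in for emcor.dll: hooks the login, exfiltrates what the user typed,
    and hands the server a code that will fail."""

    def __init__(self):
        self.stolen = []                   # (password, code, time) the attacker receives

    def hooked_login(self, server: Server, secret: bytes, password: str, now: int) -> bool:
        real = totp(secret, now)
        self.stolen.append((password, real, now))
        # Any code the server will reject; chosen deterministically for the simulation.
        good = {totp(secret, now + k * STEP) for k in range(-server.skew, server.skew + 1)}
        bogus = next(f"{n:06d}" for n in range(10 ** 6) if f"{n:06d}" not in good)
        return server.login(password, bogus, now)   # the user sees "wrong code"


def run_attack(delay: int, skew: int = 1):
    """Victim logs in at a fixed time through the trojan; the attacker replays the
    stolen code `delay` seconds later, then tries the same code once more.
    Returns (victim_logged_in, attacker_logged_in, second_replay_ok)."""
    secret, password = b"constructed-demo-secret", "hunter2"
    server = Server(secret, password, skew)
    trojan = Trojan()
    t0 = 1_000_000                         # 10 s into its step (999_990..1_000_019)
    victim_ok = trojan.hooked_login(server, secret, password, t0)
    pw, code, _ = trojan.stolen[-1]        # keylogged password plus the real code
    attacker_ok = server.login(pw, code, t0 + delay)
    replay_ok = server.login(pw, code, t0 + delay)
    return victim_ok, attacker_ok, replay_ok


if __name__ == "__main__":
    for d in (0, 19, 20, 49, 50):
        print(d, "s:", run_attack(d), "no skew:", run_attack(d, skew=0))
```

Running it shows how loose "around 30 seconds" is: with a server that tolerates one step of clock drift either side, the stolen code still logs the attacker in 49 seconds after the victim typed it, and with no tolerance only 19 seconds (the rest of the step the code was generated in). The server's once-only check does not help because, as stated above, Blizzard never received the real code; the attacker is the first to present it.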