02-28-10, 12:24 PM   #1
Zyonin
Coffee powered Kaldorei
 
Join Date: May 2006
Posts: 1,443
Security Issues: Trojan attacks Authenticator protected accounts.

This popped up on MMO-Champion today and I am passing it along to our members and visitors:

Trojan successfully hacks Authenticator Protected Accounts


A new virus spawned on the Internet a few days ago and seems to be the first trojan capable of hacking a WoW account protected by an Authenticator. It was confirmed by Blizzard a few hours ago.
Originally Posted by Kropacius
(Source)
After looking into this, it has been escalated, but it is a Man in the Middle attack.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

This is still perpetrated by key loggers, and no method is always 100% secure.
Basically, what the virus does is fairly simple after you're infected:
  • The next time you log in to World of Warcraft, the game asks for your Authenticator code.
  • The virus intercepts it, sends it to another server, and sends a wrong one to Blizzard = You get an error.
  • The people behind the virus now have a few seconds/minutes to use the "real" code while it's valid to change your password / empty your account / guild bank.
How to check if you're infected
Just search for a file named "emcor.dll" on your computer, it is most likely located in "C:\Users\(Your user name)\AppData\Temp" but I suggest that you check everything just to be sure. If you do find the file, delete it and make sure you update your anti-virus to prevent any further problem.

To be honest, if you found this file your account is probably already compromised.

What does it mean exactly?
  • Yes, you can get hacked even if you have an authenticator, the chances are MUCH lower but you're not invulnerable.
  • It definitely isn't an excuse to not have an authenticator. We're talking about a single virus here and the authenticator will save your ass 99% of the time.
  • Get a decent anti-virus, buy an authenticator, you'll be safe.
Thanks to Boubouille over at MMO-Champion for this alert. MMO-C News post HERE

This is further proof that hackers will not stop trying to attack your accounts. While this is only one piece of malware, you can expect more to come. Currently this only affects Windows based systems, however Mac and Linux users should not be complacent. Linux users running WoW may be susceptible via Wine so be careful!
  • Make sure you have a good Anti-virus/Anti-spyware set-up that is installed, enabled and updated on a regular basis.
  • Make sure your OS is updated. All modern OSes offer an easy update process such as Windows Update, OSX's Software Update and the various Update/Package Managers for Linux distros.
  • Do not use Internet Explorer 6. Always run the latest released version of your browser. For greater security, if your browser can run AddOns that enhance your security, use them!
  • Make sure your Flash Player is updated. You would be surprised at the number of people who still use the version of Flash that was included with Windows XP. This also goes for Adobe Reader. Flash is particularly important to keep updated as holes within Flash can be exploited on all platforms that Flash is available for.
  • Be wary of any "strange" files. If you download something from the Internet, SCAN IT!
  • Do not download documents attached to email unless you know the sender AND you are expecting the file. This also goes for files downloaded from IM networks and IRC.
  • If you get a request to "authenticate" on your OS and you are not running an installer or making changes that you are aware of, deny the authentication and scan your system.
  • As mentioned, even though this attack does affect Blizzard Authenticator protected accounts, you are still better off using the Authenticator to protect your account as you are protected from attacks that don't originate from your system (this attack originates from within your PC via trojan).
  • Finally USE SOME COMMON SENSE!!!

Update: World of Raids has got more information on this attack. It is originating from a fake version of the WoWMatrix site. The attackers have placed a Sponsored Ad on Google that appears whenever someone searches for WoWMatrix. This ad is at the top of the listings where it is most likely to be clicked. Upon arriving at the fake WoWMatrix site, the visitor can then download a version of WoWMatrix which has the initial attack, emcor.dll, packaged with it. Once the dll has been executed, it downloads and installs the trojan Malware.NSPack. Malware Bytes can detect and remove this trojan.

The domain where the fake WoWMatrix site is hosted also hosts 14 other fake WoW related sites including ones that target Curse and Deadly Boss Mods. For those who want to look up this server, its IP is 112.137.162.183.

Examples of these domains:

Cursea .com
Deadlybossmodss .com
Gamesacca .com

You may wish to add 205.209.181.111 and 112.137.162.183 to your firewall's block list or your Hosts file.

The player Cameron from the US forums is hot on the trail of this attack, as are users of World of Raids. I want to thank World of Raids for posting this info. The link to the story is here: http://www.worldofraids.com/topic/15...atrix-website/

Additional info from WoR: http://www.worldofraids.com/topic/15...in-patch-333/? (thanks to Bluespacecow for the link)

A good write up on how this works and how it affects your account if you get burned:
http://www.wow.com/2010/02/28/man-in...uthenticators/

The basics of this attack:
  • You get infected by emcor.dll (via an infected file such as the fake WoWMatrix, there may be other fake "updaters" or other files on other fake sites so be careful) which then installs Malware.NSPack
  • You attempt to log in to WoW and input the code generated by your Authenticator
  • The trojan intercepts the Authenticator code and you get an error message. WoW may crash to desktop (which is to confuse the user and give the hacker the time needed to use the intercepted code).
  • In the meantime, the intercepted Authenticator code (which was correct and still valid) is sent to the hacker. It never gets sent to Blizzard. Repeat, BLIZZARD NEVER RECEIVES THE CODE. The hacker now has around 30 seconds to use that code.
  • The hacker uses that intercepted code to log into your account using the user name and password that were captured by the key logger.
  • The hacker cleans out your character of gold and items. The gold is sent off to mules which then fulfill orders for gold purchased by other players.
  • The hacker CANNOT change your password or otherwise lock you out of your account. However if you do not remove the trojan before you log in again, you can repeat this process resulting in more gold/items being lost.
  • As mentioned by Bluespacecow, WoW.com and World of Raids, your Authenticator has not been hacked. It is impossible to hack the Authenticator as it is not connected to the Internet. The attack is done by a third party program, which intercepts the code when you attempt to send it to Blizzard. That program is on your PC and must be removed.
__________________
Twitter

Last edited by Zyonin : 03-08-10 at 05:56 AM.
02-28-10, 01:14 PM   #2
nightcracker
A Molten Giant
 
Join Date: Sep 2009
Posts: 716
"Luckily enough I don't use an authenticator" < LOL

Seriously, I have NEVER been hacked on ANY game or website.

I don't get how people even get hacked at all.
__________________
Three things are certain,
Death, taxes and site not found,
You, victim of one.
02-28-10, 01:25 PM   #3
Cralor
Mmm... cookies!!!
 
Join Date: Jun 2007
Posts: 772
In any case, this still means that an Authenticator is great. Of course there will always be a way to get around things, but this is one trojan. You are saving yourself from many other types of malicious things with an Authenticator.
__________________
Never be satisfied with satisfactory.
02-28-10, 01:45 PM   #4
Petrah
A Pyroguard Emberseer
 
Join Date: Jan 2008
Posts: 2,988
Thanks for the heads up, Zyonin!
__________________
♪~ ( ) I My Sonos!
AddOn Authors: If your addon spams the chat box with "Addon v8.3.4.5.3 now loaded!", please add an option to disable it!
02-28-10, 03:50 PM   #5
Horrid
A Fallenroot Satyr
Join Date: May 2009
Posts: 23
I've been waiting months for my authenticator to arrive; no help from Blizz trying to find it LOL
02-28-10, 04:37 PM   #6
Dridzt
A Pyroguard Emberseer
 
Join Date: Nov 2005
Posts: 1,360
"One Trojan" I have to laugh at that, sorry.

Within a week a development kit will be out mass producing such trojans with slight mutations so they pass the AV signatures.

Sorry, but anyone with minimum experience from the reversing scene knows that the moment a protection is bypassed once, it's SOL.
02-28-10, 05:22 PM   #7
Cralor
Mmm... cookies!!!
 
Join Date: Jun 2007
Posts: 772
Maybe I used the wrong words. While my knowledge is not that of an expert, I wanted to point out that this shouldn't be a factor to say that an Authenticator is a waste. They are still useful in making your account more secure.
02-28-10, 05:42 PM   #8
Dridzt
A Pyroguard Emberseer
 
Join Date: Nov 2005
Posts: 1,360
It wasn't directed at you, sorry, and you're right, of course: another layer of protection is always another layer of protection.

It was this:
We're talking about a single virus here and the authenticator will save your ass 99% of the time.
from the original source that prompted my reaction.
02-28-10, 06:07 PM   #9
Cralor
Mmm... cookies!!!
 
Join Date: Jun 2007
Posts: 772
In that case, we're both wrong. Thanks for clarifying.
03-01-10, 02:25 AM   #10
Zyonin
Coffee powered Kaldorei
 
Join Date: May 2006
Posts: 1,443
Originally Posted by Dridzt View Post
It wasn't directed at you, sorry, and you're right, of course: another layer of protection is always another layer of protection.

It was this from the original source that prompted my reaction.
Which is where this line from my post comes into play:

  • Finally USE SOME COMMON SENSE!!!
Sadly, common sense is sorely lacking in this age of instant gratification.
03-01-10, 09:11 AM   #11
Bluspacecow
Giver of walls of text :)
 
Join Date: Dec 2006
Posts: 770
Thanks Zyonin.

I was going to post about this but I needed to get more info. I saw it come up on World of Raids, which incidentally has better coverage about this than MMO-Champion.

http://www.worldofraids.com/topic/15...w-vulnerable/?

http://www.worldofraids.com/topic/15...in-patch-333/?

http://www.worldofraids.com/topic/15...trix-website/?

You might also want to block this IP and port on your firewall:

Host: 205.209.181.111
Port: 1068

EDIT: oops, I see you already mentioned World of Raids. Leaving these links up for reference.
__________________
tuba_man on Apple test labs : "I imagine a brushed-aluminum room with a floor made of keyboards, each one plugged into a different test box somewhere. Someone is tasked with tossing a box full of cats (all wearing turtlenecks) into this room. If none of the systems catch fire within 30 minutes, testing is complete. Someone else must remove the cats. All have iPods." (http://community.livejournal.com/tec...t/2018070.html)

Last edited by Bluspacecow : 03-01-10 at 09:28 AM.
03-01-10, 09:20 AM   #12
Bluspacecow
Giver of walls of text :)
 
Join Date: Dec 2006
Posts: 770
Not sure if you've got this in your post, but let's make one thing clear:

The Authenticator was never hacked.

It was never removed from the account.

The authenticator was worked around but not compromised. The hackers used a working code from an authenticator combined with a keylogged username and password to gain access.

They are still as secure as before and will still produce one time use codes.

I feel I had to point this out as there are currently a lot of fights over this one basic fact of the case that a lot of people are ignoring.

A lot of reasonable, intelligent people are missing this, and they start arguing that if the authenticators can be hacked, how come they haven't hit banks and other places that use them yet, if they are so insecure?
03-01-10, 10:04 AM   #13
forty2j
A Cobalt Mageweaver
Join Date: May 2007
Posts: 232
Originally Posted by nightcracker View Post
"Luckily enough I don't use an authenticator" < LOL
I do hope you realize that, although this attack is one way to get around an authenticator, it should work just as well if you don't have one. Having an authenticator simply gives them a limited time window to hack your account; they have to be watching non-stop to get you. You can even shorten this window some by waiting until your code is about to change before typing it in.
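To make concrete the two points the thread keeps circling (the original post's step list, where the real code never reaches Blizzard and is still valid when the attacker submits it, and forty2j's remark about the window shrinking as the code nears rollover), here is an added Python example; it is not code from any post, from Blizzard or from the Authenticator vendor. It assumes a TOTP-style 30-second code (RFC 6238, HMAC-SHA1) and a constructed demo seed, since the thread does not state the real algorithm, and models the verifying side as accepting a correct code once per step.

```python
import hashlib
import hmac
import struct

STEP = 30  # assumed validity window in seconds, as the thread describes

# Constructed demo seed. A real authenticator's seed stays inside the device,
# which is why the thread stresses the device itself was never compromised.
DEMO_SECRET = b"demo-seed-not-a-real-authenticator"


def totp_code(secret, ts, step=STEP, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation). Assumed here as a
    stand-in for the Blizzard Authenticator, whose algorithm the thread omits."""
    counter = int(ts) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def seconds_remaining(ts, step=STEP):
    """Seconds until the code shown at time ts rolls over (the window
    forty2j suggests shortening by typing the code in late)."""
    return step - (int(ts) % step)


class LoginServer:
    """Minimal model of the verifying side: a correct code for the current
    30 s step is accepted once; any later use of that step is refused."""

    def __init__(self, secret):
        self.secret = secret
        self.used_steps = set()

    def login(self, code, ts):
        step_no = int(ts) // STEP
        if step_no in self.used_steps:
            return False  # code for this step already consumed
        if not hmac.compare_digest(code, totp_code(self.secret, ts)):
            return False  # wrong code; nothing is consumed
        self.used_steps.add(step_no)
        return True


def honest_then_replay(ts):
    """Victim's real code reaches the server first, so a later replay of the
    same code inside the window is refused. Returns (victim_ok, replay_ok)."""
    server = LoginServer(DEMO_SECRET)
    code = totp_code(DEMO_SECRET, ts)
    last_second = ts + seconds_remaining(ts) - 1  # still the same step
    return server.login(code, ts), server.login(code, last_second)


def intercepted_relay(ts):
    """The thread's case: the trojan forwards a wrong code, so the real one
    never reaches the server and is still unused when the attacker submits
    it seconds later. Returns (victim_ok, attacker_ok)."""
    server = LoginServer(DEMO_SECRET)
    code = totp_code(DEMO_SECRET, ts)
    wrong = str((int(code) + 1) % 10 ** 6).zfill(6)  # guaranteed to differ
    last_second = ts + seconds_remaining(ts) - 1
    return server.login(wrong, ts), server.login(code, last_second)
```

The contrast between the two scenarios is the whole point: one-time use on the server only helps when the genuine submission arrives first, and the remaining-seconds value shows what a late keystroke does and does not buy.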
03-01-10, 10:28 AM   #14
nightcracker
A Molten Giant
 
Join Date: Sep 2009
Posts: 716
Originally Posted by forty2j View Post
I do hope you realize that, although this attack is one way to get around an authenticator, it should work just as well if you don't have one. Having an authenticator simply gives them a limited time window to hack your account; they have to be watching non-stop to get you. You can even shorten this window some by waiting until your code is about to change before typing it in.
I'm sorry, usually I don't flame, but this is an exception.

"I do hope you realize that, although this attack is one way to get around an authenticator, it should work just as well if you don't have one."
Did you notice the " < LOL" marking sarcasm after my first sentence?

"Having an authenticator simply gives them a limited time window to hack your account; they have to be watching non-stop to get you."
I'm not a monkey.

"You can even shorten this window some by waiting until your code is about to change before typing it in."
Bull****. The internet is faster than your waiting abilities; the moment from logging in until the moment they have changed your password is +/- 2 seconds. Unless you have crappy internet, like REALLY crappy internet, this method might work. But then the game would be unplayable.
03-01-10, 10:52 AM   #15
Zyonin
Coffee powered Kaldorei
 
Join Date: May 2006
Posts: 1,443
Keep it civil, guys, otherwise the Fire Department will be called in.

For those who need this in simpler terms, Alex Ziebert over at WoW.com has an excellent write up:

http://www.wow.com/2010/02/28/man-in...uthenticators/

I will update the original post of this thread as more information comes to light.

Last edited by Zyonin : 03-01-10 at 10:55 AM.
03-01-10, 11:12 AM   #16
Bluspacecow
Giver of walls of text :)
 
Join Date: Dec 2006
Posts: 770
A good way of removing the DLL if it's on your system:

http://www.mmo-champion.com/news-2/a...00/#msg2231200

I agree, guys, let's keep it civil. We don't want our calm, rational, red-headed Irish lass Admin to come in here and lay the smack down.

And now for something completely different

03-01-10, 04:21 PM   #17
Psychophan7
A Chromatic Dragonspawn
Join Date: Feb 2006
Posts: 153
Good news, everyone! WoW.com found out where the malware came from!

http://www.wow.com/2010/03/01/update...ce-identified/
03-02-10, 12:21 AM   #18
Bluspacecow
Giver of walls of text :)
 
Join Date: Dec 2006
Posts: 770
Originally Posted by Psychophan7 View Post
Good news, everyone! WoW.com found out where the malware came from!

http://www.wow.com/2010/03/01/update...ce-identified/
Actually, no, they didn't.

It was Cameron of World of Raids, as I linked 3 posts above:

http://www.worldofraids.com/topic/15...trix-website/?

Last edited by Bluspacecow : 03-02-10 at 12:35 AM.
03-02-10, 12:57 AM   #19
Psychophan7
A Chromatic Dragonspawn
Join Date: Feb 2006
Posts: 153
To be fair, those links are obfuscated (love that word) by the forum. Still, the important part is that the source was found, not who found it "F1RST!!!!"
03-02-10, 03:17 AM   #20
Riddrick
A Cliff Giant
 
Join Date: Nov 2007
Posts: 72
Good to know, and if I ever get my hands on that man in the middle,
I will pawn him IRL. That's for sure!
__________________
Don't drink and drive they say,
now I lost the counting for the
bad stuff that happen to me.
RUN when you see me because
I am going to be soooo loaded!!!
If you don't knock on the doors,
don't expect a good welcome!
http://www.youtube.com/watch?v=ya2KR4VQwu4
Now the real killing begins!!

Warsong