07-24-07, 09:51 AM   #1
Lieandra
A Deviate Faerie Dragon
Join Date: Jun 2007
Posts: 10
Recount Addon Virus ??

Scenario:

I play WoW on 2 computers (one at home and one at work). Since I do most of my addon updating at home, I tend to email the Interface folder to myself at work. That helps me make sure that I have the same thing on both computers - hey, I'm a bit lazy too.

As I want to make sure that I receive the zipped file at work, I email the file to both my Hotmail and Gmail accounts.

Well, at first I used very few addons (Cartographer, mining, herbalism, etc.), and emailing them to myself caused no problems.

But now I started using more addons - from WowAce.com - and have encountered a problem.

I went to work and attempted to download the zipped Interface folder, and Hotmail blocked it as containing a virus.


So I came back home and scanned my WoW addons folder with Avast. Nothing showed as a virus. So I conducted a long process of elimination by email to figure it out. Meaning I took the files in the addons folder and divided them, putting the Blizzard addons into one group and my downloaded ones into another group. Checked to see what Hotmail said. Deleted the good non-virus zip file. Extracted the attachment Hotmail said was viral and divided it into two new zip files.

I repeated the above process until I found the addon named "Recount" to be at fault.

Not being satisfied with just knowing which addon is showing on Hotmail as a virus, I did the same process of dividing and emailing the contents of the Recount addon folder.

Within the Recount addon, I found that the file that flags as a virus to Hotmail is a Targa image called "line".

[Hotmail screenshot 02]

(Locate the file in this tree sequence: "Your Drive Letter":\WoW\World of Warcraft\Interface\AddOns\Recount\libs\GraphTextures)

The file line.tga is the only one within Recount that shows on Hotmail as viral. I was able to receive the file on Gmail with no claim that it is a virus.

Curiosity being what it is, I also emailed line.tga to a Yahoo account. Yahoo does not see this as a virus either.

So, my questions to you:

1. Is this Recount line.tga file a virus?
2. Has anyone ever encountered an addon being a virus?
3. If so: which ones?
4. How were you able to check and see that there is a virus addon (i.e. Avast does not recognize it as such, Gmail does not recognize it as such, but Hotmail does)?
5. What means of protection do you use in order to avoid getting a viral addon on your computer?

~Lie

Last edited by Lieandra : 07-24-07 at 09:55 AM.
07-24-07, 10:06 AM   #2
Seerah
Fishing Trainer
WoWInterface Super Mod
Featured
Join Date: Oct 2006
Posts: 10,860
Your hotmail is being stupid. Sorry that it put you through all that trouble.
__________________
"You'd be surprised how many people violate this simple principle every day of their lives and try to fit square pegs into round holes, ignoring the clear reality that Things Are As They Are." -Benjamin Hoff, The Tao of Pooh

07-24-07, 10:07 AM   #3
Siz
A Wyrmkin Dreamwalker
AddOn Author
Join Date: Nov 2006
Posts: 52
First of all, the file in question, line.tga is not actually a part of Recount, it is part of a library which Recount utilizes called GraphLib. In order to confirm your scanning result with Avast, I've scanned the Recount directory using McAfee VirusScan Enterprise 8.5.0i and everything turned up clean. I would guess that due to the volume of traffic it receives, Hotmail uses a very simple type of virus scanning technology for attachments, possibly simple enough that it only looks at file names.

I have a few recommendations:
  1. Use WowAceUpdater to update as many of your addons as it can both at home and at work.
  2. Disembed the Ace2 libraries which some of your addons (including Recount) are using so that you don't have libraries duplicated in each of the addon's "libs" folders. WowAceUpdater helps facilitate the process of disembedding, current versions will actually download most of the required dependencies for any addon that you update. You can also select the !!!StandaloneLibraries addon which contains a single copy of all well established libraries.

Regarding your questions:
1. Is this Recount line.tga file a virus?
Probably not.
2. Has anyone ever encountered an addon being a virus?
Personally, no. Addons themselves are mostly nothing more than text or images which are not executed in a manner that could be exploited by a virus.
3. If so: which ones?
Names of extremely popular addons such as KTM or CTRaid are often glued onto viruses in the hopes that this will help them spread. You have to be smart enough to catch these fakes.
4. How were you able to check and see that there is a Virus Addon
Antivirus software on your local machine can generally be trusted to detect viruses. You could browse through the .zip files that addons are distributed in and look for files with extensions like .exe, .pif, .scr that have no business in an addon. It is generally wise to avoid any .exe files that you encounter when downloading an addon, though some addons are distributed as "self-extracting" executables.
5. What means of protection do you use in order to avoid getting a viral addon on your computer?
Be smart. Download from trustworthy sites such as WowInterface.com which individually verifies (by a real person) each file uploaded to the site before it is made public.

Last edited by Siz : 07-24-07 at 10:19 AM.
07-24-07, 10:09 AM   #4
PathMaster
A Chromatic Dragonspawn
Join Date: Nov 2006
Posts: 175
I generally trust WowAce.

Hotmail is a PITA. They hate doing attachments. I use Avast myself, and while none of them are 100% fool-proof, Avast! has served me well for a long while.

I trust Gmail enough to say that it is ok.

False-positive then.
__________________
The best victory is when the opponent surrenders of its own accord before there are any actual hostilities...It is best to win without fighting.
Sun-tzu
07-24-07, 10:47 AM   #5
Layrajha
A Frostmaul Preserver
AddOn Author
Join Date: Mar 2006
Posts: 275
The extensions of the files you might find in your addon folders are usually:

.toc: a text file that gives wow information about what the addon is and what files to load

.lua: code

.xml: code of GUI elements mostly

.wav or .mp3: well, audio files

.tga or .blp: some textures

.txt: there can be a readme or a licence


None of those files can be a problem when used by WoW. None of these files can be executed from Windows without you renaming them to an executable extension or specifically asking for them to be executed. Therefore, there cannot be a dangerous virus in addons that contain only those files: if there is one, it won't be able to do anything unless you strongly interact with the file.

However, there is still this story about "non virus files being dangerous":
Some time ago, someone created a virus that would basically wait until an image (.jpg only I think, I might be wrong) is opened. Upon opening the .jpg, it would read data that could have been hidden in the .jpg while creating the file, and if this data is executable, it would run it. That allowed the coding and broadcasting of new viruses through .jpg files. Those files were not harmful to a sane computer, but if you were already infected, they could do whatever their author wanted them to do, while they looked like any other image.
The thing is that those files aren't the real problem. If your computer is infected, there is already a problem, and you'll get one of those files one day or another, so...
My point is, don't mess too much with "non plain text" or "non working sound or image" files in your addons, and nothing wrong will ever happen. Addons could be made to help a virus destroy your computer or send confidential data, but if they do, your computer was infected already.
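A check that ties together Siz's advice in #3 (browse the .zip for .exe, .pif or .scr files that have no business in an addon) and Layrajha's list of the extensions an addon normally contains. This is an added example, not code from either poster or from any addon site; the ALLOWED and SUSPICIOUS sets, the sample zip and its member names are constructed for illustration, and the audit only looks at file names, not contents.

```python
import io
import os
import zipfile

# Extensions an addon normally contains (Layrajha's list above).
ALLOWED = {".toc", ".lua", ".xml", ".wav", ".mp3", ".tga", ".blp", ".txt"}
# Extensions Siz calls out as having no business in an addon.
SUSPICIOUS = {".exe", ".pif", ".scr"}

def audit_addon_zip(zip_bytes):
    """Walk a zip (given as bytes) and return two lists of member names:
    those with a SUSPICIOUS extension, and those with any other extension
    that is not in ALLOWED. Extension matching is case-insensitive."""
    suspicious, unexpected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in SUSPICIOUS:
                suspicious.append(info.filename)
            elif ext not in ALLOWED:
                unexpected.append(info.filename)
    return suspicious, unexpected

def build_sample_zip():
    """Constructed sample: a Recount-like layout with two planted files.
    Member contents are dummies; only the names matter to the audit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Recount/Recount.toc", "## Title: Recount\nRecount.lua\n")
        zf.writestr("Recount/Recount.lua", "-- dummy\n")
        zf.writestr("Recount/libs/GraphTextures/line.tga", b"\x00" * 18)
        zf.writestr("Recount/readme.txt", "readme\n")
        zf.writestr("Recount/Update.EXE", b"MZ")      # planted: an executable
        zf.writestr("Recount/notes.pdf", b"%PDF")     # planted: odd, but not executable
    return buf.getvalue()

if __name__ == "__main__":
    bad, odd = audit_addon_zip(build_sample_zip())
    print("executables:", bad)   # ['Recount/Update.EXE']
    print("unexpected:", odd)    # ['Recount/notes.pdf']
```

A clean addon archive returns two empty lists; anything in the first list is worth deleting before the zip is extracted.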
07-25-07, 10:18 PM   #6
Lieandra
A Deviate Faerie Dragon
Join Date: Jun 2007
Posts: 10
My sincerest thanks.

I want to thank all of you for your responses. The viral information should have been obvious to me. But being new to the WoW scene - counting the addons - well... I really felt as if I was in uncharted waters.

Nevertheless, all of your responses are great, including Seerah's response about Hotmail. Not to mention you guys (girls) being addon users yourselves and saying which sites you trust... well, that's also comforting to know.

I will stick with your recommendations.

Now I search for the WowAceUpdater to help me out some more. Here's hoping the learning curve is small!

Thank you again.

Ps: "Layrajha" - Thanks for the info on the .jpg compression. That was news to me.
__________________
~Lie
Shallow Shade Rogue
07-26-07, 06:55 AM   #7
Kaomie
A Scalebane Royal Guard
AddOn Author
Join Date: Jan 2007
Posts: 438
Although it may be a false positive in this case (Trend is probably matching a specific pattern that appears randomly in the binary content of the picture) this makes you wonder. You can never know if the graphic renderer in WoW is completely safe from specially crafted pictures injected with addons. There are vulnerabilities even in DX9 that could be exploited: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4183
Not much we can do in that case, just run an up-to-date antivirus with memory scanning and buffer overflow protection if possible.
__________________
Kaomie
"WE LOTS OF PEOPLE FROM STRONG SERVER GUILDS" - Trade Channel
07-26-07, 09:22 AM   #8
Gemini_II
A Molten Giant
AddOn Author
Join Date: May 2006
Posts: 762
Well, I'm going to really hope that Blizz doesn't run their servers on Windows machines, so theoretically they should be fairly "safe" from the GDI+ exploit (that's the JPG hack... also the name of the patch from Microsoft Update)... "Bugs get in through open Windows" so keep your 'puter patched.

I have seen and heard reports of many false-positives within Hotmail, so I would rely upon your local anti-virus solution. Biggest thing is don't download from a site you don't trust. If you are in doubt, don't touch it.

The Lua code itself is very very safe since it's plain text, but as Layrajha mentioned, it's the other files in an addon that could be infected. Specifically sound, image, and of course executables. Look at file size... unless it includes sound files or is very large and comprehensive, most addons should be pretty small. ~500k or less usually.
__________________
Retired prior to 3.2, before all challenge was removed.

07-26-07, 10:24 AM   #9
ReverendD
A Rage Talon Dragon Guard
AddOn Author
Join Date: Sep 2006
Posts: 343
While this doesn't count as hiding a virus inside an image, it will give you an idea of what can be done and what someone with a lot of time and know-how could accomplish if they wanted to... - Embed files in Images. But I think adding harmful code to something like this would require the GDI issue to not be patched on your PC. It's always better to be safe than sorry though. 8-)
__________________
"Computers have enabled people to make more mistakes faster than almost any invention in history, with the possible exception of tequila and hand guns" - Mitch Ratcliffe
“A computer once beat me at chess, but it was no match for me at kick boxing” - Emo Phillips
07-26-07, 11:51 AM   #10
Layrajha
A Frostmaul Preserver
AddOn Author
Join Date: Mar 2006
Posts: 275
About the video above:
I'll explain a bit what he does here and why it's far from the best way to hide something in an image (even if it might be the easiest one):

- He has 2 files, an image, and what he wants to hide in it.
- He creates a new "secret" file that is nothing more than the second file copied at the end of the first file.
- His jpg viewer ignores the 2nd part of the file because he has read a valid jpg file first and won't just unload it because the end of the file is corrupted. A different viewer would maybe show a warning. Most wouldn't, though.
- His archive extractor does the opposite, ignoring the beginning of the file while looking for a "header" that tells it what kind of archive it's going to extract.

The thing is that you haven't really hidden anything. Your archive appears just like a normal archive here, just shifted a bit. Anyone can use his software and see your archive. The really nice way to hide stuff in an image is something called steganography. It is a process I "discovered" by myself when thinking about good alternatives to cryptography, and when I told friends about it, they answered that it already existed and was part of the base knowledge of cryptographers.
I couldn't find a good site to explain what it is, but the base idea is the following:

A bmp image is a succession of bytes (one byte is 8 bits, one bit is a 0 or a 1). One byte allows you to code an integer between 0 and 255 by reading the succession of 8 bits as a number in base 2:
Code:
00000000 = 0
00000001 = 1
00000010 = 2
00000011 = 3
00000100 = 4
...
11111110 = 254
11111111 = 255
In a simplified black and white format, each pixel of the image is represented by 1 byte which describes its luminosity (255 would be white, 127 would be an average gray, 0 would be black).
The thing is that the last bit of this byte doesn't really matter. If you change your image and set all the last bits of each byte to 0 for instance, that will just change every pixel's value to the closest even number below it (245 would be 244, 123 would be 122, 36 would remain unchanged). People wouldn't notice the difference.
So those last bits of each byte can be used to store something else.

Code:
Let's say you have an image of 10 pixels, which are:
227 178 234 023 139 141 149 071 088 253

You cut the last bit of each byte:
226 178 234 022 138 140 148 070 088 252
You wanna add the following hidden message: the letter "A".
This letter is coded by the number 65 in the ASCII table ( http://www.asciitable.com/ )

Code:
65 is coded by the following sequence of bits: 
0 1 0 0 0 0 0 1

Let's add this to the modified picture above:
226 179 234 022 138 140 148 070 088 253
This new picture looks very close to the original one, but by checking for each byte whether it's even or odd and putting a 0 or a 1 in your decrypted message, you can recompose the byte 01000001, which is the "A" character.


This method can be coupled with encryption systems so that it is harder to use statistical methods such as entropy ones (cf. Wikipedia if you wanna push it a bit ^^), to make it harder for people to know that a message is hidden. You can also take 2 bits instead of 1 to send bigger messages (with the method I described, a file of 1 MB that you want to hide must be hidden in an image of at least 8 MB...).


This process can be coded in like 30 lines of C code, so it's really nothing hard. Though there is probably no really googleable software that does that, as people who know about it and might wanna use it can most likely code it by themselves using the exact method they want.
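The LSB scheme Layrajha walks through above, as an added example that is not part of the post: a small Python implementation over a black-and-white image given as a list of byte values, using the post's own 10 pixel values as a constructed cover. It generalises the walk-through to whole byte strings (each message byte takes 8 pixels, most significant bit first; pixels beyond the message are left as they are), and the decoder is the "even or odd" check the post describes.

```python
def lsb_embed(pixels, message):
    """Hide `message` (bytes) in the least significant bits of `pixels`.
    Each message bit replaces the parity of one pixel, MSB first, so every
    message byte consumes 8 pixels (a 1 MB file needs an 8 MB cover)."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover too small: need %d pixels" % len(bits))
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # clear the last bit, then set it
    return out

def lsb_extract(pixels, nbytes):
    """Read back `nbytes` bytes by checking whether each pixel is even or odd."""
    data = bytearray()
    for i in range(nbytes):
        value = 0
        for pixel in pixels[8 * i : 8 * i + 8]:
            value = (value << 1) | (pixel & 1)
        data.append(value)
    return bytes(data)

def max_pixel_change(original, stego):
    """Largest per-pixel difference. With 1-bit LSB embedding it is at most 1,
    which is why the change is invisible to the eye."""
    return max(abs(a - b) for a, b in zip(original, stego))

# Constructed cover: the 10 pixel values used in the post above.
COVER = [227, 178, 234, 23, 139, 141, 149, 71, 88, 253]

if __name__ == "__main__":
    stego = lsb_embed(COVER, b"A")
    print(stego)                   # [226, 179, 234, 22, 138, 140, 148, 71, 88, 253]
    print(lsb_extract(stego, 1))   # b'A'
    print(max_pixel_change(COVER, stego))   # 1
```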
07-26-07, 04:24 PM   #11
Gemini_II
A Molten Giant
AddOn Author
Join Date: May 2006
Posts: 762
/applaud Layrajha

Wow... you just gave me flashbacks to school; all that binary. Subnets and IP masks, rainbow tables, hex and ASCII... lol

/end flashback
__________________
Retired prior to 3.2, before all challenge was removed.
