Authenticator Accounts Hacked, ICC Quests, Crimson Deathcharger

[Deviltry]

The majority of viruses target a computer; they don't care whether it's a mac or a windows pc.
There are a number of viruses that specifically target windows pcs. This is a very small number relative to the total number of viruses that exist.

Yeah they target all PCs, too bad that "they" are exe files and don't work on Macs.

[sparks]

so what do we do.
A guildie had his authenticator account lost last week.
He got his account reset on friday afternoon.
3 hrs later it was hacked again.
so they didn't say anything to him except he was the first they had ever heard of that lost account with the Authenticator.
yea right, don't want to cause a panic.

all they did was say change your password and you will be fine.
NO mention of something like this.
Just search for a file named "emcor.dll" on your computer, it is most likely located in "C:\Users\(Your user name)\AppData\Temp" but I suggest that you check everything just to be sure. If you do find the file, delete it and make sure you update your anti-virus to prevent any further problem.


and I think that the Authenticator is telling people that are stupid that its ok.

[Puntar]

Well, as I understand Wiki article there is no chance a hacker would get your MAC address if you are behind a router.

So, even if hacker would get you Auth key from user behind a router, he would need to brute force the MAC address within the time frame of valid key.

[Nezoia]

Thankyou much!

DLLs are also for Linux and Mac, when used in applications written in Mono (C#).

And file extensions rarely means anything. The reason to use a DLL is you can hook it into the load process of WoW, or load as a global hook on say, keyboard input (think keylogger).

I probably wouldn't use a .dll for it on Mac, but it's still doable

If anyone one should do it to disguise stupid users who think they're safe since it's a "windows file".

[Melkzor]

The trojan not good marina gonna be mad the e Quests be good marina be happy

[Deviltry]

Well, as I understand Wiki article there is no chance a hacker would get your MAC address if you are behind a router.

So, even if hacker would get you Auth key from user behind a router, he would need to brute force the MAC address within the time frame of valid key.

Well hacker would get your routers MAC address. So would Blizz servers. And hacker would change his MAC to your routers. Eh?

[DrgnDancer]

man-in-the-middle-attack

Also known as a replay attack.

I just learned about this in Cisco. Basically it means that the network that Blizzard/AT&T uses to run WoW on doesn't have their WAN connections secured, or at least not completely secured. This is usually remedied with authentication (pap, chap) being configured between routing devices within their network. Without authentication/encryption measures in place, a hacker can intercept network traffic and modify it so that the receiving device will send information back to the hacker.

I'm just going for my vanilla CCNA, so that's all that was covered in the text.

I wouldn't be surprised if this was an inside job.

Now I see why my teacher said that CCNA Security certs are in high-demand. Without a doubt, the CCNA security goes in-depth with stuff like this.

This is wrong in two places. I'm not sure if it's already been said, because I'm responding now before incorrect information becomes a meme (I'm already multiple pages to late sadly). Your CCNA training is narrowly focused on internal Cisco LANs (with good reason, that's what CCNAs mainly deal with). What you're not realizing is that Man-in-the-Middle attacks are a generic computer security term for any attack in which some software stack in between two other software stacks intercepts information. Normally this happens on networks, and normally it is the result of the attack vectors you describe in your post. In this case, the man in the middle is on your own computer.

Just like networks, software on computers communicates with other software on the same computer through specific channels. WoW sends information to Windows (or MacOS) through these internal communications ports, and this information is in turn sent to the network, video card, etc. Windows send information to WoW through the same channels to give it data about keystrokes, network replies, mouse movements and such. In this case the man in the middle sits on your computer in between the two pieces of software watching the information flow by. It grabs the Authenticator data stream that WoW is sending to Windows intended for the network card, and then falsifies a reply stream saying that the authentication failed. It then takes the Authenticator info that was intended for the Blizzard server and instead sends it to a third party server.

The second place that you're wrong is implying that this indicated Blizzard's network is inherently insecure. I'm not saying that their network IS secure, don't misunderstand me. I have no idea one way or the other. Even if this particular MITM attack were network based, remember that a good chunk of the authentication interface is going over the Public Internet. Even if Blizzard could be 100% sure of it's own internal network security, there could still be a MITM vector that grabbed data off of the public portion of the exchange medium.

I hope you don't take this as calling you out or anything. You understand the basics of the most common form of MITM attack, and the way Cisco trains people it's completely understandable that you would not realize the term is more generic than you've been taught. Cisco does an excellent job of certifying people to manage its equipment; but it tends to focus almost entirely on practical, "this is the Cisco way to do this", information. Often to the exclusion of theoretical knowledge that can be more helpful when you get into the real world and find out that not everyone uses exclusively Cisco gear :-)

[Sarac]

I laughed on this:

What does it mean exactly?

* Yes, you can get hacked even if you have an authenticator, the chances are MUCH lower but you're not invulnerable.
* It definitely isn't an excuse to not have an authenticator. We're talking about a single virus here and the authenticator will save your ass 99% of the time.
* Get a decent anti-virus, buy an authenticator, you'll be safe.

We shouldn't get anything, we trust on it that our account info is safe when we follow Blizz steps...alot of people who got hacked and got everything back just get hacked again.

Even if you have the best antivirus you are never safe from this if the big boss Blizz won't protect your info...if a perfect antivirus would exist than hackers wouldn't be able to do shit. The reality is that everything is possible to be hacked and there will never ever be an unhackeble system.

I understand Blizz has trouble dealing with it and i respect that...shit happens. What i don't get is that they got a freaking crappy customer service and they don't give any decent help to people who lost accounts.

Lets say that out of 10 peeps only 4 know anything about pc's further than booting and installing something. They are screwed as hell.
Basicly what i'm saying is that i don't blame Blizz for people getting hacked but i do blame them for not having any decent support for those who got hacked.

PS: I don't even play this game for over a year now but i hope whoever does will have his account back one way or another.

[DrgnDancer]

It seems to me that there is a solution Blizzard *could use* which would completely prevent key loggers from effectively working on Authenticator enabled accounts. If they encrypted the entire World of Warcraft session (ala SSH), it still would not prevent key loggers from grabbing the authentication data as it was typed into the keyboard, but they would be unable to interfere with the login session. Without the shared key, a man in the middle would be unable to grab traffic in or out of the WoW client. On the other hand, this would dramatically increase the load on both ends (especially on the servers dealing with billions of transactions ), which is probably why they don't do it. People on borderline hardware have enough trouble with latency and low frame rates.

Edit to add: This would not help without an Authenticator, as a key logger would still just grab your password as you type it in and send it on to be uses later. Only the time limited nature of Authenticator codes would allow this to function.

[Ryoushii]

No it's NOT, excusing people for being fucking dumb is not a valid reason to keep using the incorrect term, half of this shit happens because of dumb fucking people who can't put 1+1 together.

It's not that they're dumb, it's just that they haven't been informed and definitions change over time. The same way someone can use a bruteforcer and say they've "hacked" an account, simply because the term has changed now because of popular use.


Also, Wow.com has an update on the source of this and a little bit more info:
http://www.wow.com/2010/03/01/update...ce-identified/

[DrgnDancer]

Simple solution: whenever Blizzard receives a failed login request to your authenticator account, it changes your authenticator number.

That way when the Trojan intercepts your login info and authenticator number, it's useless b/c Blizz trashed that number due to the failed login attempt sent from your computer.

I think this won't work. I'm not an expert on the Authenticators but I am pretty sure they work like this:

1) Authenticators have a near perfect time sync with some outside source. On the phone version, they use the phone's time which is in turn synced with the phone's network and based off GPS time. The dongles, I believe, get GPS time for themselves with small satellite receivers.

2) The number generated on your screen is a hash, created once every 30 seconds, between the current time and a unique prime number associated with the device or the software on your phone.

3) The Authentication server knows your unique prime number and has the same time as your device. It generates the same code and compares what you send to what it thinks the code should be.

The Authenticators are not on any sort of computer network. They aren't talking to Blizzard. Blizzard cannot force them to generate a new code on invalid login attempts. They are simply very stupid little calculators with very accurate clocks. They perform one calculation every 30 seconds "$uniqueprimenumber(RSATransformedBy)time", then they display the result. While you might be able to do something more complicated with the smart phone versions, the dongles are far more common, and incapable of much more.

[DrgnDancer]

Making the authenticator secure against man in the middle attacks is trivial. Blizzard hasn't released details of the attack, but it's unlikely to be a real man in the middle attack (given that the authenticator is a 3rd party product designed by people who should know what they're doing - unlike Blizzard). Instead, the attack likely relies on the attacker being able to modify the client endpoint rather than only being able to observe and modify bits on the wire. There is nothing that can be done to stop such an attack on any OS.

It's still a man in the middle. It's just that the "man" is in the "middle" of communication between two pieces of software on the same machine, not two remote machines. The concept is exactly the same, it just works on the operating system's internal communications rather than a network stack. read my comment above.

Edit to add: Since I've posted like four times already I'll just start adding to this post...

I'm super new to mac's, is there something I should be looking for here? I know I won't find a .dll so does that mean I'm safe? Sorry for a newbie question

Yes and no. Yes you are safe from this particular attack. It was written for Windows Clients. No, you are not safe from this attack vector. It is perfectly conceivable that the same thing could be done on a Mac, but no one has. Generally Macs have two security advantages over Windows machines. First they are less of a target, because fewer people use them so Windows is "low hanging fruit". Second OSX has much better sand-boxing and privilege escalation mechanics than Windows XP. Vista and Windows 7 have gone a long way in this regard, but many (probably most) people still use XP.

[hacko]

worldofraids.com has a bit more info on the attack, such as the small fact that a company running 14 fake websites is using them to distribute the hack.

So much for proof of concept ...

[serish]

Is it me or does that tabbard scream White Power...lol blizzard is racist

[MatsT]

This isn't a man in the middle attack. A MitM attack can be avoided by quite simple measures. For example you could just use the authenticator codes as an encryption key for the login information. This is more or less totally safe against MitM attacks since you have a shared secret key that the attacker have no way of knowing. He can still block the connection, but he can't log in to your account. In fact, they might even be doing this already I dunno.

However, when the computer has access to your computer he have access to both your password and the authenticator key, the secret key. There is literally no way for blizzard to know that it's not you logging in.

[Miltiadhs]

yay for the icc news.
as for the authenticators,i feel sorry for those that this thing happened to them.but to tell u the truth,i play this game since it came to my country(2004 Greece)and i was never hacked.also was able to download whatever i wanted without a prob.and i ahve to mention that i have a good anti-virus spybot and such.so i dont understant how this happened.(maybe goldsellers? )well i hope that blizz can do smthign about it

[LeperHerring]

It's still a man in the middle. It's just that the "man" is in the "middle" of communication between two pieces of software on the same machine, not two remote machines. The concept is exactly the same, it just works on the operating system's internal communications rather than a network stack. read my comment above.

Yes, except nobody calls those attacks man-in-the-middle attacks.

[CaffeineAddiction]

Security issues with accounts are usually pebkac issues. As many of the other posters have stated, this issue was one many of us foresaw as a possibility. People who think they are 100% safe are usually the ones most vulnerable due to there false scene of security.

Things to think about:

- Authenticator gives you 30 sec window, so if the hacker isn't awake they cant hack your account. Um, if you have a code and 30 sec to use it ... what is stopping them from just logging into the biz website and just turning the authenticator off / changing you password via a script?

- 30 sec, why not just log in again and boot them off ... wait a sec, if you didn't connect the first time ... how exactly do you think you are going to connect the second time to boot them? Do you think it would be that hard to just have the trojan block all attempts of logging in? Some of you just are not that creative.

so, how do you 100% prevent getting hacked? You don't ... but there are ways of making it less likely to happen to you.

- Get Firefox
- Use NoScript http://noscript.net/
- Get Antivirus
- Learn how to use and configure your firewall
- Think before you click
- If your password for WoW is the same as THIS forum or any other website, you are wrong ... fix it. In fact, if any two websites have the same password, you should fix those as well. Use Firefox to auto-complete them and then set a root password to protect your list. This means if someone uses cross site scripting on one site ... they don't get the other sites passwords (or your account password).
- Get a Second Email account ... if your email address for wow login is gofish@gmail.com, making a second one for forum / fan sites like gofish.stuff@gmail.com and then forwarding all email from gofish.stuff to the gofish account. This gives yet another layer of security against hackers getting your info from hacking a fan sight data base.

Authenticators are not a magic bullet, but they do help. I personalty don't have one and will not be getting one any time soon, but it enforces passwords of regular (non-computer tech savy) users to be unique (not found on other forum sites that could have there DB hacked into) and changed regularly (every 30 sec).

And if you ever meet someone who thinks they are 100% secure, laugh at them to there face ... NOTHING is 100% secure. Just because you cant think of a way something could be stolen doesn't mean other people lack the creativity and talent to steal it.

[Aragon]

Hello all,

/*
After bringing this issue up with some other malware researchers, we found a similar infection (earlier version) from November 26, 2009. This previous version also disabled DEP for Internet Explorer and made connections to a Chinese site.
*/

I located a copy of this trojan to see what it was doing. As mentioned before, the files are hosted on sites that are designed to look like legitimate sites. In fact, the downloads from these sites include the legitimate versions of the files offered. What someone has done is taken the installer files for these programs and transparently attached a PassWord Stealer (PWS) to them. I found 2 different downloads being offered.

The first one inside a ZIP file was an executable that installed the malware. It was protected by using an installer program (most likely NullSoft Installer) and encrypted to prevent generic unpacking.

The second one was packed with a simple Microsoft CAB package installer. This one included the Malware dropper as well as the NullSoft installer packed file.

Once the program are runs, it creates the "emcor.dll" file in the user's TEMP directory (%TEMP%\emcor.dll) as well as the legitimate program as a temporary file. The real program is run and the user sees the program starting normally. In order to start up with every new program that is launched, the dropper adds the following to the Windows Registry. The emcor.dll file is also marked with the Hidden attribute to prevent it from being seen by the default options of Windows Explorer. The dropper uses a hidden command prompt window to delete itself when done.

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" == "AppInit_DLLs" = ",%TEMP%\emcor.dll"

This entry tells Windows to load the emcor.dll into each program started. Below are some of the strings found in memory once emcor.dll is loaded. Mac users do not have to worry in this attack since the DLL file is made for Windows and will not load on a Mac version of the game.

x86 Load Address 0x10000000, mapped size 0x00006000 bytes

Code:

Url
MAGIC
WinXP
Win7
Vista
KickUserOutGame,Create Log file failed!
KickUserOutGame:%u
send info digipass server failed!
send succeful!
connect digipass server failed!
socket error!
Send Mail
ShowAllInfo
Find Digipass!
?a1=%s&a2=%s&a3=%d&a5=%s&a4=%s&a6=%s
SendGameInfo end
SendGameInfo beagin
WOW
WTF\Config.wtf
realmName "
current tick:%u
ShowDigiPass,Open Log file failed!
Get Digipass successful...
enter ShowDigiPass
user32.dll
get hook failed!
Get user32 failed!
Set Hook
Hook OK!
WOW.EXE
WinInet

Based just on some of the calls made in this dll, it seems it was made specifically to detect WOW running and to block the application from ever really talking to Blizzard Servers. Instead, it calls resources inside the game client to display error messages while sending data about your account.

This does not look to be a hack on the authentication method (TLS/SSL) but rather a hack of the game client on the user's machine. Since the module loads inside wow.exe, it potentially has the ability to control/intercept anything it does.

Removal:
This trojan virus could easily be turned into a rootkit by hiding its presence, network connections, files, and registry settings. As this point it uses almost no protection for itself to stay alive but this could change at any time. Since this malware does not protect itself, it is easy to remove by deleting the emcor.dll file and/or removing the registry change. Since the file could be loaded and locked by Windows, you could just rename the file and then reboot to disable it. For those that just want to have a program scan and clean your computer, I recommend the following two scanners that will detect and remove this threat. These scanners can be safely run with your current security solution and do not install permanently on your computer.

ESET Online Scan: This is the easiest/simplest to use. Anything it detects will be removed automatically.
Kaspersky Virus Removal Tool: For extreme cases and advanced users. This tool has self protection, anti-rookit/anti-hook technology, and malware discovery with automatic or manual removal methods.

Mitigating Factors

• If you had a Host Intrusion Prevention System/Software (HIPS), the installation of emcor.dll into the registry could be blocked.
  
• Some of the better AntiViruses can detect and block the real malicious code, emcor.dll.
  
• A good firewall would have detected a bad module loaded and prevented network communications when emcor.dll is loaded.

The Authenicator code is valid for a few minutes (despite the code changing every 30 seconds) and is only marked invalid once it is actually used on Blizzard's authentication servers. This means in order for this password stealer to work, the data would have to be sent and used within a few minutes. This greatly reduces the chance of success. If someone was to put in their authenticator code three times in a row, the hacker could use the first code to log into the battle.net account and then use the 2 other codes to remove the authenticator. Even with just 1 code, the hacker could have enough time to log in at least once and start mailing items away.

AntiVirus Detection
Here are the detection abilities of some major AntiViruses to Date (Mar 1, 2010). AntiViruses not listed did not detect anything.

The actual bad file containing the malware code:

emcor.dll: 10896 bytes
MD5: cf90ce3756379e165dab141309e080fb

AVG: PSW.Generic7.BLYJ
Comodo: TrojWare.Win32.GameThief.Magania.~NWABD
Ikarus: Trojan-GameThief.Win32.WOW
Kaspersky: Trojan-GameThief.Win32.WOW.xin
McAfee+Artemis: PWS-OnlineGames.c.dll
NOD32: a variant of Win32/PSW.OnLineGames.OTG
Panda: Trj/CI.A
Sophos: Mal/Generic-A
Sunbelt: Trojan-GameThief.Win32.WOW.xin
TheHacker: Trojan/WOW.xin

The dropper executable:

dropper.exe: 18064 bytes
MD5: 91aae9167dc26da2b4128608eb447137

AntiVir: TR/Dropper.Gen
Antiy-AVL:Trojan/Win32.WOW.gen
Avast: Win32:Malware-gen
AVG: PSW.OnlineGames3.ADCO
BitDefender: Gen:Trojan.Heur.PT.bmX@ayTEIPl
Comodo: TrojWare.Win32.GameThief.Magania.~NWABD
eSafe: Win32.TRDropper
F-Secure: Gen:Trojan.Heur.PT.bmX@ayTEIPl
GData: Gen:Trojan.Heur.PT.bmX@ayTEIPl
Ikarus: Trojan-GameThief.Win32.WOW
Kaspersky: Trojan-GameThief.Win32.WOW.ino
McAfee+Artemis: Artemis!91AAE9167DC2
McAfee-GW-Edition: Heuristic.BehavesLike.Win32.Suspicious.L
NOD32: a variant of Win32/PSW.OnLineGames.OTG
Norman: W32/Malware.LKEX
Panda: Trj/Lineage.BZE
Sophos: Sus/Dropper-A
Sunbelt: BehavesLike.Win32.Malware (v)
TheHacker: Trojan/OnLineGames.otg
VirusBuster: Trojan.PWS.OnLineGames.BLZM

Here is the NullSoft Packed File:

AntiVir: HEUR/Crypted
Ikarus: Win32.SuspectCrc
Kaspersky: Trojan-GameThief.Win32.WOW.ino
MalwareBytes: Malware.NSPack
McAfee+Artemis: Artemis!F4EAFBA24C75
McAfee-GW-Edition: Heuristic.LooksLike.Win32.Suspicious.H
PCTools: Packed/NSPack
Sophos: Mal/EncPk-CR
Sunbelt: Trojan.Win32.Generic!BT
TrendMicro: Mal_Nsanti-X
VirusBuster: Packed/NSPack

[Ceromus]

Yes, except nobody calls those attacks man-in-the-middle attacks.

/\_what this guy says is correct. So please stop calling it a man-in-the-middle attack.


Also please stop saying a key only lasts for 30 seconds or 60 seconds as they last a lot longer than that. (around 15mins)