Wow Curse (Virus on some addons) 10/01/2013

[Deleted]

I get that, but you think people from Curse would actually investigate the issue before posting instead of saying "BULLSHIT GO AWAY"

Us mods are in no way affiliated with Curse. (Well, we mod their site, but that's about it.)
In fact, the people who are affiliated with Curse did investigate and took the necessary measures.

However, I will happily admit that I came into this thread dismissing it as untrue out of hand. You have my apology for that.

[Flaim]

let's assume i've opened the mentioned .txt in a texteditor.
afaik i'm not infested, am i?
just wanna have confirmation

[Deleted]

You would be possibly infected if you clicked the ".lnk" file in the addon's folder and your antivirus didn't catch it. Simply opening it in a text editor won't do anything (except display garbage, as it tries to interpret binary data into text).

[Flaim]

You would be possibly infected if you clicked the ".lnk" file in the addon's folder and your antivirus didn't catch it. Simply opening it in a text editor won't do anything (except display garbage, as it tries to interpret binary data into text).

didn't even have an .lnk file (edit: just found it after deleting thumbs.db lulz) and that binary garbage is called machine code (just in case you didn't know :P ), but thanks.
was just not 100% sure that it's not executed on opening in a texteditor.

[Deleted]

It's still binary data. Well, text data is binary data too, so yeah, "binary data" probably wasn't too specific.

[Deleted]

don't be so quick to judge attack methods when you know nothing about the virus nor how it got past a rather decent screening system in the first place. there are A LOT more attack methods than "Windows executed the file". one of my favourite ones was a virus that would abuse the text handling in unreal engine 2 and end up in the executable memory space making it sendable by chat and the engine would automatically execute it.

sure if you had anti virus running it would go "...wait, you're doing WHAT to my file system?" but still, ingenuity should never be underestimated and systems are too advanced to fully protect against attacks - we can only protect against the attacks we can think of.

anyone that downloaded the file should just run a full virus scan and that should be it.

[a21fa7c67f26f6d49a20c2c51]

Care to elaborate how exactly Lua files, which are plain text files parsed in the WoW sandbox with zero access to the actual file system are going to "infect" your computer?

It wouldn't be the first time that an otherwise harmless file tricked an operating system into executing code. For example there was the WMF (A vector graphics format) exploit from ~10 years ago where simply clicking on a file, viewing it in a browser, or receiving an email, or extracting an infected file from an archive was enough to allow arbitrary code execution. I know there was a similar vulnerability in Mac OS X where a carefully crafted MP3 file could trick the system into allowing arbitrary code execution as well. If the operating system does "stuff" to a file (like indexing it for searching or parsing it to generate a preview image) there it's at least conceivable that there may be a bug that leads to buffer overflow which may allow arbitrary code execution that wouldn't be exploited more widely (like a bug in your filesystem driver's read(x) function). EDIT: In the case of WMF one possible path to hands-free remote execution of arbitrary data was via outlook rendering a preview -- back when loading images and displaying them was the default behavior and the preview pane showing the most recently received message was normal -- or having Google's Desktop Search index the file.

But simply imagining a viable mechanism that might be exploited isn't enough: lots of things can be imagined but that doesn't mean they exist. It seems pretty unlikely that simply having a file on your drive is enough to be infected but it's not outside the realm of possibility. The OP would need to demonstrate more than just some hypothetical path to exploit, especially in days like today with NoEx, ASLR, and other built in security mechanisms that make converting buffer overflows (etc) into ACE exploits. The fact that the only one that springs to mind immediately is from a college course I took nearly a decade ago should say something about how unlikely this sort of thing is.

EDIT: For a non-OS example: see yesterday's bug report and today's proof-of-concept exploits for ActionPack (part of the popular Ruby on Rails web framework) that allows remote code execution due to a significant screw-up in the way object serialization is handled when reading XML and YAML data (which is supposed to be just plain text, but wasn't treated that way by the framework).

[Deleted]

Possible, I agree. More likely than this being another bogus accusation (which, no offense intended to the OP, hasn't exactly been uncommon in the past)? Doubtful (at least with the information I had at the time).

EDIT: My response might've been different if the infection had been described in a slightly more accurate manner ("replaced with an .exe file" is not the same as "an executable with .txt suffix and a .lnk that runs that .txt file"). I still stand by the statement that sneaking an actual ".exe" into the repository and the packager is borderline impossible.

[Muliercula]

So is the 3.1.2 version of Auctionator safe to download? Was uploaded 20hrs ago.

[Buu]

So is the 3.1.2 version of Auctionator safe to download? Was uploaded 20hrs ago.

Yes, the *.lnk file is the red light. None on my add-on folder.