  1. #1

    Potential Trojan Account Threat (Bluepost)

    This is a blue post I found; not sure if it's old.

    Originally Posted by Blizzard Entertainment

    Hello,

    We've been receiving reports regarding a dangerous Trojan that is being used to compromise players' accounts even if they are using an authenticator for protection. The Trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them.

    If your account has been compromised recently, I'd recommend looking for the Trojan. It can be identified by creating an MSInfo file and then looking in the Startup Program section of that file for either "Disker" or "Disker64". It will usually appear like this:

    Disker rundll32.exe c:\users\name\appdata\local\temp\w_win.dll,dw Name-PC\Name Startup
    Disker64 rundll32.exe c:\users\name\appdata\local\temp\w_64.dll,dw Name-PC\Name Startup


    We are currently looking for more information on the Trojan. We have not been able to locate any anti-virus programs that will remove it besides just reformatting your system. If you have been recently compromised and find it on your system please reply with the following pieces of information.

    Your MSInfo.
    A list of any addons you recently installed along with where you got them.
    A list of any programs you recently installed along with where you got them.
    Any security programs you have run and their results.
    ______________________________
    Monday - Friday, 8am - 5pm Pacific Time


    http://us.battle.net/wow/en/forum/topic/11041384892
    Last edited by Darsithis; 2014-01-03 at 12:55 AM.

  2. #2
    Dreadlord Sketchy | 10+ Year Old Account | Join Date: Oct 2010 | Location: Wet Coast, BC, Canada | Posts: 891
    Top right hand side of the blue's post you can see when it was posted...
    As I write this it says 3hrs ago, so it's not old. Scary to read though.

  3. #3
    Yes, very. Yeah, I just noticed the time on it. I'm looking into the virus itself to see if I can find any info on it.

    - - - Updated - - -

    http://home.mcafee.com/VirusInfo/Vir...spx?key=109638

    I use Avast (IMO I think it's one of the top virus scanners).

  4. #4
    The Lightbringer Blufossa | 10+ Year Old Account | Join Date: Aug 2011 | Location: Imaginationland. | Posts: 3,430
    Is this the work of DERP's DDOS cover up, or from a different source? :S

    EDIT: I see it might be coming from a Curse client DL. Hmm.
    Last edited by Blufossa; 2014-01-02 at 10:10 PM.

  5. #5
    Not sure, haven't heard anything; this is still fresh.

    - - - Updated - - -

    Yeah, I heard that it might be a bad Curse build or something along those lines; not sure about it though.

    - - - Updated - - -

    Can someone from MMO post this (the blue post at least) on the main page? Kinda important.

  6. #6
    Notable blue posts are posted regularly on the front page, so that will get coverage.
    The type of attack described isn't new, and has been utilised before.
    Seems strange behaviour if it is adding itself to the startup, being something relatively obvious and counter-productive if the account has already been compromised.

    Ok, some further reading suggests that Dr. Web is a tool able to detect and remove it.
    http://www.drwebhk.com/en/virus_tech...en5.64266.html
    Last edited by ComputerNerd; 2014-01-02 at 10:37 PM.
    Quote Originally Posted by DeadmanWalking View Post
    You forgot to include the part where we blame casuals for everything because Blizzard is catering to casuals when casuals got jack squat for new content the entire expansion, like new dungeons and scenarios.
    Quote Originally Posted by Reinaerd View Post
    T'is good to see there are still people valiantly putting the "Ass" in assumption.

  7. #7
    Immortal Tharkkun | 15+ Year Old Account | Join Date: Oct 2008 | Location: Minnesnowta | Posts: 7,058
    People wonder why it's so hard for Blizzard to keep up when this bullshit is in the wild. A rootkit which activates upon detection that you're logging into WoW which then spawns a bot which connects to WoW or changes your account info in a 60 second Window. Marvelous!

    I want a damn retina scan verification system!

  8. #8
    Found out through a friend about this, looks like I'm clean for now with this.

  9. #9
    Saw this and instantly did the MSInfo test to check and couldn't find anything, so I assume I'm ok.

    But very scary, seeing as having an authenticator kinda gives me a feeling of security, to now know it certainly isn't foolproof.

    How to check your system for the Trojan:

    MSInfo

    Press Windows Key + R.
    Type MSInfo32 and press Enter.
    In the MSInfo diagnostic window, click File, then Export.
    When the Export As window appears, choose Desktop.
    Name the file "MSInfo" and click Save.

    Open the saved MSInfo file.
    Press Ctrl + F and search for "Disker" or "Disker64"
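
Added example (not part of any post in this thread, and not Blizzard's code): the MSInfo check from the blue post and the steps in post #9, done as a script over the exported file. It goes beyond the post by also flagging any startup entry where rundll32 loads a DLL from a Temp folder, the pattern in Blizzard's two sample lines. Assumptions: the export is text with a "[Startup Programs]" header and tab-separated Program / Command / User Name / Location columns; the function names and every sample row except the Disker64 line are constructed.

```python
import re

# Indicators from the Blizzard post: the startup entry names, plus (added here)
# the pattern in its sample lines: rundll32 loading a DLL from a Temp folder.
NAMES = {"disker", "disker64"}
TEMP_DLL = re.compile(r"rundll32(?:\.exe)?\s.*\\temp\\[^\\]+\.dll", re.IGNORECASE)

def load_export(path):
    """Read an MSInfo text export; a BOM means UTF-16, otherwise treat as UTF-8."""
    with open(path, "rb") as f:
        raw = f.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def startup_rows(text):
    """Yield (program, command, user, location) rows of [Startup Programs].

    Assumed layout: a "[Startup Programs]" header, then tab-separated rows,
    ending at the next "[...]" section header.
    """
    in_section = False
    for line in text.splitlines():
        line = line.strip("\ufeff ")
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[startup programs]"
            continue
        cols = [c.strip() for c in line.split("\t")]
        if in_section and len(cols) >= 4 and cols[0].lower() != "program":
            yield tuple(cols[:4])

def find_suspicious(text):
    """Return (reason, row) for each startup row matching an indicator."""
    hits = []
    for row in startup_rows(text):
        if row[0].lower() in NAMES:
            hits.append(("name", row))
        elif TEMP_DLL.search(row[1]):
            hits.append(("rundll32-from-temp", row))
    return hits

# Constructed sample export; only the Disker64 row is taken from the post.
ROWS = [
    ["Program", "Command", "User Name", "Location"],
    ["Disker64", r"rundll32.exe c:\users\name\appdata\local\temp\w_64.dll,dw", r"Name-PC\Name", "Startup"],
    ["Helper", r"rundll32.exe c:\users\name\appdata\local\temp\x.dll,run", r"Name-PC\Name", "Startup"],
    ["Audio", r"c:\program files\audio\tray.exe", "Public", "Common Startup"],
]
SAMPLE = "[Startup Programs]\n" + "\n".join("\t".join(r) for r in ROWS) + "\n[Services]\nDisker\ta\tb\tc\n"
```

On a real machine, export the file as in post #9 and call `find_suspicious(load_export(path))`. An empty result only means these two indicators are absent from the startup list.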

  10. #10
    Herald of the Titans Aurabolt | 10+ Year Old Account | Join Date: Feb 2010 | Location: Boston, MA | Posts: 2,572
    The Authenticator isn't foolproof. A group of hackers demonstrated this the day it went live. This is a reminder that if folks want to steal your account they'll find a way.

    I'm surprised this thread isn't getting more attention. A Trojan that you have to reformat your hard drive to be fully rid of is more than an inconvenience >.>;
    ...Ok, time to change the ol' Sig ^_^

    This time I'll leave you the Links to 3 of my Wordpress Blogs: 1. Serene Adventure 2. Video Games 3. Anime Please subscribe if you like what you see. As a Bonus, I'll throw in my You Tube channel =D

  11. #11
    Deleted
    Compromising the client is where security breaches happen today - mostly because companies like Blizzard are actually really good at securing their systems and we the players suck in comparison - so the easiest attack vector is to go for the client.

    Enabling SMS alerts on your account is one more additional thing to do - that way you get SMS sent to your phone when your account settings change (i.e. when a potential trojan removes your Authenticator)

    If you install things like the Curse client (this one seems to come from a fake Curse client), make sure you install it from the right address, not from some shady forum link or by clicking a Google ad.
    Last edited by mmocdd602b3b80; 2014-01-03 at 07:51 AM.

  12. #12
    Immortal Tharkkun | 15+ Year Old Account | Join Date: Oct 2008 | Location: Minnesnowta | Posts: 7,058
    Quote Originally Posted by Aurabolt View Post
    The Authenticator isn't foolproof. A group of hackers demonstrated this the day it went live. This is a reminder that if folks want to steal your account they'll find a way.

    I'm surprised this thread isn't getting more attention. A Trojan that you have to reformat your hard drive to be fully rid of is more than an inconvenience >.>;
    Reformatting is the solution to a 0 day trojan. In a few days every malware removal tool will have a rootkit fix. According to the Blizzard thread vendors like McAfee picked it up already.

    The authenticator is still the most secure device available. Getting compromised by a man in the middle attack with a 60 second window to work with is more sophisticated than many of the trojans attacking non wow users.

  13. #13
    So.. Curse Client is currently unsafe? Have we found out where people are getting said trojan from?
    Kinda scary to get this kind of info but nothing about where it's originating from ._. I'm scared to click/update anything now.
    Last edited by Chat; 2014-01-03 at 08:33 AM.

  14. #14
    I am Murloc! Chonar | 10+ Year Old Account | Join Date: Jan 2012 | Location: The Netherlands | Posts: 5,884
    I see an authenticator the same way I see hanging a padlock on your bike's wheel without actually locking it.
    It doesn't make it 100% safe; It just makes you a less appetising target, cause those wanting to take your stuff will always go the route of least resistance.
    Looking marvelous in velvet.

  15. #15
    Legendary! Vargur | 10+ Year Old Account | Join Date: Nov 2009 | Location: European Federation | Posts: 6,664
    I don't know this msinfo guy, but just type in the start command prompt "msconfig" and there's the startup tab.
    Science flies you to the moon. Religion flies you into buildings.
    To resist the influence of others, knowledge of oneself is most important.


  16. #16
    Quote Originally Posted by Lokoz View Post
    So.. Curse Client is currently unsafe? Have we found out where people are getting said trojan from?
    Kinda scary to get this kind of info but nothing about where it's originating from ._. I'm scared to click/update anything now.
    The curse client has always been unsafe. This isn't the first time information has been stolen via the Curse client. I always lol at people who actually use it, and can't believe anyone with even a minutiae of technological sense would ever recommend installing it. It's nothing more than pure spyware, if you understand how it works and how easy it is to exploit.

  17. #17
    Quote Originally Posted by Vargur View Post
    I don't know this msinfo guy, but just type in the start command prompt "msconfig" and there's the startup tab.
    MSInfo allows exporting, MSConfig does not.
    Simply as a check, then yes MSConfig is easier.

    Quote Originally Posted by ablib View Post
    The curse client has always been unsafe. This isn't the first time information has been stolen via the Curse client. I always lol at people who actually use it, and can't believe anyone with even a minutiae of technological sense would ever recommend installing it. It's nothing more than pure spyware, if you understand how it works and how easy it is to exploit.
    The primary problem with the curse client is the advertising.
    Being Flash, they are vulnerable to the same things any Flash advert on any website is.

    When an ad is just that, rather than a full blown in-your-face presentation, then we won't have this sort of issue.
    Last edited by ComputerNerd; 2014-01-03 at 08:50 AM.
    Quote Originally Posted by DeadmanWalking View Post
    You forgot to include the part where we blame casuals for everything because Blizzard is catering to casuals when casuals got jack squat for new content the entire expansion, like new dungeons and scenarios.
    Quote Originally Posted by Reinaerd View Post
    T'is good to see there are still people valiantly putting the "Ass" in assumption.

  18. #18
    Deleted
    Quote Originally Posted by Tharkkun View Post
    Reformatting is the solution to a 0 day trojan. In a few days every malware removal tool will have a rootkit fix. According to the Blizzard thread vendors like McAfee picked it up already.
    It's not a 0day, it's just a new variant of an existing trojan, hence no signature detection. Also, not a rootkit, that's something different. This is just a normal Trojan stealing your stuffz.

    The infection, judging by some of the info in that forum thread, is coming from a *fake* Curse client - downloaded from somewhere else, not from the main Curse site. As far as we know the official client is still OK.

    Also some reports in that thread say they have gotten the infection after suspicious redirects from wowhead - which might indicate that it's an ad-based exploit (and since the Curse client shows ads, that might well be how the stuff gets on people's systems).

  19. #19
    Legendary! Thallidomaniac | 10+ Year Old Account | Join Date: May 2009 | Location: Honolulu, HI | Posts: 6,037
    Quote Originally Posted by Tharkkun View Post
    People wonder why it's so hard for Blizzard to keep up when this bullshit is in the wild. A rootkit which activates upon detection that you're logging into WoW which then spawns a bot which connects to WoW or changes your account info in a 60 second Window. Marvelous!

    I want a damn retina scan verification system!
    And then a determined account hacker or hacking group starts ripping out eyeballs from players to steal accounts.
    Enstraynomic - League of Legends
    TheEnst - Starcraft II

  20. #20
    Deleted
    Quote Originally Posted by Tharkkun View Post
    People wonder why it's so hard for Blizzard to keep up when this bullshit is in the wild. A rootkit which activates upon detection that you're logging into WoW which then spawns a bot which connects to WoW or changes your account info in a 60 second Window. Marvelous!

    I want a damn retina scan verification system!
    So the hacker gets your retina scan too? Neat.
