Keylogging - don't be a victim
#1
Greetings fellow Lurkers

Despite the fact that we had first kills on Aran and Illhoof last night in Karazhan (Illhoof 3rd total attempt, first one was just to see the fight mechanics), we left the instance with mixed feelings. Our trusty offtank druid not only did not get any loot yesterday, he in fact logged out with zero items on him.

Just as we were running down to Illhoof for the first attempt, he logged off, back in, hearthed to Shattrath without any comment, portaled to Orgrimmar and went offline a short time later, all the while not responding to whispers. When he logged in, his first words would have probably made any chat filter blush. Naked, zero cash.

Apparently there is a security problem with Internet Explorer and the guildportal hosting service (or something, I realise this post isn't very helpful without detailed information, but everybody can take measures and I mainly wanted to bring the problem to attention).

So I'm most likely preaching to the quoir (spelling?) but please make sure you:
-are not using any Microsoft products (:P)
-keep your antivirus software / Ad-Aware etc. up to date
-change your WoW password regularly, if you insist on Internet Explorer (though for the love of Thrall I can't imagine why you would)


Hopefully GMs will be able to roll back our druid's character and get him back the items he worked so hard for. Don't let this happen to you or people you play with.


take care
Tarabulus
"I'm a cynical optimistic realist. I have hopes. I suspect they are all in vain. I find a lot of humor in that." -Pete

I'll remember you.
#2
All good advice. My condolences to your druid, and your guild.
Quote:Hopefully GMs will be able to rollback our druids character and get him the items back he worked so hard for. Don't let this happen to you or people you play with.
take care
Tarabulus
In the cases that I've heard about, the GMs can usually restore the character's gear, although once the red tape has been waded through it takes around a month. It can certainly be done, so that's a ray of hope. (Of course, photos of original documentation/CDs etc. have to be provided.)

Also, it's definitely worth getting a decent spyware detector and running it regularly as well as your anti-virus program.

(PS. You were really close. It's choir. :) Almost wasn't going to mention it, didn't really want to seem like a smart a#$@.)
I hate flags

"Then Honor System came out and I had b*$@& tattoo'd on my forehead and a "kick me" sign taped to my back." - Tiku

Stormscale: Treglies, UD Mage; Treggles, 49 Orc Shaman; Tregor, semi-un-retired Druid.

Terenas (all retired): 60 Druid; 60 Shaman. (Not very creative with my character selection, am I?!)
#3
I've heard from some folks on other forums that some addons from Curse Gaming were infected with trojans over the weekend; most notably, KTM. I grabbed it last Thursday and seem to be fine so apparently it was later on in the weekend.

100% of the addons I've downloaded are simply unzipped to the WoW\Interface\Addons folder. If you find one that has an executable file (*.exe), I would avoid it or scan it VERY thoroughly.

A lot of the Internet Explorer vulnerabilities are patched by Microsoft fairly quickly, so Windows users should check Windows Update regularly if Automatic Updates is not turned on.
#4
Quote:If you find one that has an executable file (*.exe), I would avoid it or scan it VERY thoroughly.

I'd go one step further and say to delete it immediately.
Nynaeve, 70 Draenei Priest <Emeritus>, Stormrage
Riselar, 60 Night Elf Druid <Emeritus>, Stormrage
Dynatos, 60 Dwarf Warrior <Emeritus>, Stormrage
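A defender-side check for the advice in #3 and #4, added here as an example and not code from the original thread: walk an AddOns folder and flag anything that can execute on Windows, since a real addon should be nothing but Lua, TOC and XML plus media files. The extension lists, the addon names and the sample tree are constructed for this example.

```python
import os
import tempfile

# Assumption: file types a normal addon is expected to contain (illustrative list).
EXPECTED_EXTENSIONS = {".lua", ".toc", ".xml", ".txt", ".tga", ".blp", ".mp3", ".wav"}
# File types that can execute on Windows; none of these belong inside an addon.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".bat", ".cmd", ".com", ".scr", ".pif",
                         ".vbs", ".js", ".msi", ".hta"}

def audit_addons(addons_dir):
    """Walk an AddOns tree; return (executables, unknown) as sorted lists of
    forward-slash relative paths. 'unknown' means not on the expected list."""
    executables, unknown = [], []
    for root, _dirs, files in os.walk(addons_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), addons_dir).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                executables.append(rel)
            elif ext not in EXPECTED_EXTENSIONS:
                unknown.append(rel)
    return sorted(executables), sorted(unknown)

def build_sample_tree():
    """Constructed sample: one clean addon and one that bundles an 'updater'
    binary. Names and file contents are made up for this example."""
    base = tempfile.mkdtemp()
    layout = {
        "ThreatMeter/ThreatMeter.toc": "## Interface: 20000\n",
        "ThreatMeter/ThreatMeter.lua": "-- threat meter code\n",
        "ThreatMeter/readme.txt": "plain text, fine\n",
        "ShinyUpdater/ShinyUpdater.toc": "## Interface: 20000\n",
        "ShinyUpdater/ShinyUpdater.lua": "-- loader\n",
        "ShinyUpdater/bin/update.exe": "not a real binary\n",  # constructed stand-in
        "ShinyUpdater/notes.rtf": "unexpected but not executable\n",
    }
    for rel, content in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return base

if __name__ == "__main__":
    exes, odd = audit_addons(build_sample_tree())
    print("delete or quarantine (executable inside an addon):", exes)
    print("review (unexpected file type):", odd)
```

Point it at the real `Interface\AddOns` folder instead of the sample tree to audit an actual installation; anything in the first list is a delete-on-sight candidate, the second list just deserves a look.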
#5
I'd be very leery of any add-on that comes with an executable. I haven't heard of anything that can "break" the sandbox of Lua to allow a mod to do something outside of WoW. If such has ever happened I'd love to hear about it. That being said, there are a few add-ons that do actually have associated exes, I believe Titan Panel does. I still wouldn't use them. I won't even use the Ace Updater.

In this case, though, the problem might very well have come from visiting the site where it was downloaded rather than the add-on itself. In particular I'd be suspicious of the .ani file vulnerability which recently formed the basis of a zero-day exploit against IE's rendering engine. All it would have taken was a bad banner ad and kapow. This bug isn't theoretical, it's being actively exploited. Or it might have been any of a legion of older ones, or a new one that's only been discovered so far by people who don't feel like telling MS about it. You're not completely safe using Firefox or Opera, but you're much better off.

Anyway, if someone knows they have had a keylogger installed, the machine is basically hosed. Losing some WoW goods is the least of the concerns at this point. Running rootkit revealer and every spyware program known to man MIGHT fix things, but honestly a full re-install of the operating system is the only way to be sure.

As an aside regarding the exploit: animated cursors in a web browser? Who the hell ever used this for anything other than this exploit? It's the constant adding these sorts of unwanted, useless "features" to stuff that causes so many problems. I know there's pressure to add features all the time, it's the nature of the beast. It's when the features themselves are useless crap that it really annoys me.
"Yog-Sothoth is the key to the gate, whereby the spheres meet. Man rules now where They ruled once, but after summer is winter, and after winter summer. They wait patient and potent, for here shall They reign again."
- Abdul Alhazred

Warcraft characters
Stormrage:
- Naphta, 70 Warlock, 350 goblin engineer
- Xinth, 60 Warrior
Terenas
- Nezeramontias, 33 priest
- Boulderan, 13 shaman
#6
The only addon with an executable I use is the Wowhead Client.

I also have Blizzard change my password for me about once every week or two (that way it's randomized completely) :)
"Paladins were not meant to sit in the back of the raid staring at health bars all day, spamming heals and listening to eight different classes whine about buffs."
The original Heavy Metal Cow™. USDA inspected, FDA approved.
#7
Alas, I'm a victim of this whole key-logging mess, too. Blame IE all you want, from what I've heard, Firefox is affected as well. Emphasis on heard, though.

Basically, we're back to the stone age (think IE5 before Service Pack 2), where you could get infected with nasties by simply clicking a link to, say, an image, which, due to some nasty scripting, resulted in my computer being affected by a keylogger without me knowing until it was too late. So, be careful with what links you click.

For the time being, a solution to counter this is to simply disallow your browser to run any scripts. Safety over functionality, one might say.
#8
Quote:Alas, I'm a victim of this whole key-logging mess, too. Blame IE all you want, from what I've heard, Firefox is affected as well. Emphasis on heard, though.

Basically, we're back to the stone age (think IE5 before Service Pack 2), where you could get infected with nasties by simply clicking a link to, say, an image, which, due to some nasty scripting, resulted in my computer being affected by a keylogger without me knowing until it was too late. So, be careful with what links you click.

For the time being, a solution to counter this is to simply disallow your browser to run any scripts. Safety over functionality, one might say.

Unfortunately in this case, disallowing the running of scripts may not save you from what the hackers were using. They were exploiting some bad code in how MS Windows handles animated cursors. And that can come from the website sending data for an animated cursor for any browser to display, since the coding loophole is in one of the base DLLs used by windows to handle its GUI. Essentially all that you would have needed to do was go to an infected webpage; no need to click or mouse over anything there to get infected.

http://www.zone-h.org/content/view/14682/92/
http://news.bbc.co.uk/2/hi/technology/6526851.stm

Make sure you get the latest security patch from MS since this loophole has been lurking in the code since Windows NT and was still in there for the Vista release.

#9
Quote:Unfortunately in this case, disallowing the running of scripts may not save you from what the hackers were using. They were exploiting some bad code in how MS Windows handles animated cursors. And that can come from the website sending data for an animated cursor for any browser to display, since the coding loophole is in one of the base DLLs used by windows to handle its GUI. Essentially all that you would have needed to do was go to an infected webpage; no need to click or mouse over anything there to get infected.

http://www.zone-h.org/content/view/14682/92/
http://news.bbc.co.uk/2/hi/technology/6526851.stm

Make sure you get the latest security patch from MS since this loophole has been lurking in the code since Windows NT and was still in there for the Vista release.

My Windows Update broke a long time ago. Every time I try to run it, the page just keeps going. It never finishes verifying the software. Stupid MS, how I hate thee.
Roland *The Gunslinger*
#10
Quote:My Windows Update broke a long time ago. Every time I try to run it, the page just keeps going. It never finishes verifying the software. Stupid MS, how I hate thee.

I just use Automatic Update.
"Paladins were not meant to sit in the back of the raid staring at health bars all day, spamming heals and listening to eight different classes whine about buffs."
The original Heavy Metal Cow™. USDA inspected, FDA approved.
#11
Quote:Make sure you get the latest security patch from MS since this loophole has been lurking in the code since Windows NT and was still in there for the Vista release.


It may be old, it may not run every game, but I sure as hell love my trusty G5 Mac.

take care
Tarabulus
"I'm a cynical optimistic realist. I have hopes. I suspect they are all in vain. I find a lot of humor in that." -Pete

I'll remember you.
#12
Quote:Unfortunately in this case, disallowing the running of scripts may not save you from what the hackers were using. They were exploiting some bad code in how MS Windows handles animated cursors.

I'm aware of that exploit, as well, which is, as you already mentioned, fixed by now. Wasn't how they got me, though.

After finding my main character stripped, I spent some time retracing my steps and eventually got to a lovely forum topic containing a link to an image, or at least, a link that looked like one. It apparently redirected one to an evil website, which used an equally evil script to install something without you noticing (the page was nothing but a picture in appearance). At least, that's what I gathered from the replies that had been posted in the meantime, seeing as the link had been removed.

And to my knowledge, this hasn't been hotfixed yet. So in the meantime, I'd steer clear of miniurl or tinyurl links, and the same goes for other redirection services.
#13
Quote:I just use Automatic Update.

Automatic Update and Windows Update rely on many of the same services 'under the hood'. If any of those services are not running or are not running the right version, Windows Update can't even update itself. Depending on the error number you're getting (it appears in light grey at the upper right-hand side of the Windows Update page), there are a number of things you can do to manually set the services up and bootstrap yourself back into Automatic Updates. Just search the Windows Update newsgroup at Microsoft for the error without brackets; there seem to be a number of knowledgeable and helpful people who post there regularly.

I had been having a similar problem for the last month or so, and put off resolving it until this most recent round of trouble. It turned out that I blocked ActiveX at my hardware firewall and then forgot about it. Even Automatic Update requires that you have ActiveX available. Once I corrected that, Windows installed the security updates, no problem.
#14
No error. Just takes about 20 minutes, before finally telling me it needs to "phone home". That is, it needs SUPER DUPER WINDOWS GENUINE ADVANTAGE SPYBOT WE CALL HOME ON YOU TOOL!

I refuse to let it touch my machine.

MS can go suck a rotten egg. I'm sick of them. I swear, the next time I build a comp, I just may do a Linux box, or an XP / Linux box, since I was forced to pay for XP (lost my old pirated Win2k copy aeons ago; oh well).

God do I hate MS. Don't even get me started on Vista.
Roland *The Gunslinger*
#15
Quote:No error. Just takes about 20 minutes, before finally telling me it needs to "phone home". That is, it needs SUPER DUPER WINDOWS GENUINE ADVANTAGE SPYBOT WE CALL HOME ON YOU TOOL!

I refuse to let it touch my machine.

MS can go suck a rotten egg. I'm sick of them. I swear, the next time I build a comp, I just may do a Linux box, or an XP / Linux box, since I was forced to pay for XP (lost my old pirated Win2k copy aeons ago; oh well).

God do I hate MS. Don't even get me started on Vista.

I'd consider a Mac too. I got sick of MS about 5 years ago and went Linux; it's fun and if you're a tech-head having the increased control over your system is great. However, after a while I got sick of the level of effort required to maintain it and switched to a MacBook Pro. I've been very impressed with the product so far, I get the power of Unix with a great interface and a lot more user-friendliness in the configuration tools. Plus it runs WoW natively! (Although Cedega would let me run WoW on Linux fine as well, but unsupported by Blizz.)

Come over to the dark side... you know you want to! :)
#16
Quote:I'd consider a Mac too. I got sick of MS about 5 years ago and went Linux; it's fun and if you're a tech-head having the increased control over your system is great. However, after a while I got sick of the level of effort required to maintain it and switched to a MacBook Pro. I've been very impressed with the product so far, I get the power of Unix with a great interface and a lot more user-friendliness in the configuration tools. Plus it runs WoW natively! (Although Cedega would let me run WoW on Linux fine as well, but unsupported by Blizz.)

Come over to the dark side... you know you want to! :)

Sorry. I can't turn myself into enough of an elitist asshole to join the dark side.

I'll give Apple points for style, if nothing else. Their products, most of the time, look damn snazzy (love that Mac mini). Aside from that, though, they offer me nothing I want, but keep me from plenty that I DO want. Besides, if I was going to run Windows on a Mac, what's the point of owning a Mac?

Not to mention I have this thing about proprietary system builders, of which Mac is king. I live with proprietary software because I have to, but there is at least competition to keep prices down. Macs, OTOH, always cost more than an equally-equipped PC, and you can only get parts from one source. Not my cup of tea. I like to build my own systems, too, and so I hate all system builders on general principle (with exception to high-end custom ones, like Voodoo and Falcon Northwest). Lastly, if I'm gonna learn a new OS, I don't want to have to deal with learning new hardware, to boot. :P It's hard enough troubleshooting one or the other when it's foreign. ;)
Roland *The Gunslinger*
#17
Quote:Lastly, if I'm gonna learn a new OS, I don't want to have to deal with learning new hardware, to boot. :P It's hard enough troubleshooting one or the other when it's foreign. ;)


W00t, I'm an elitist asshole :P

The thing about Macs is that you don't have to "learn" the operating system. It just works, say thankya. In about 15 years of Mac usage I have also never encountered a hardware problem.

Buy one now! And no, I'm not getting 10% off every purchase on the Apple Store I incite.

(it's 12%)

take care
Tarabulus
"I'm a cynical optimistic realist. I have hopes. I suspect they are all in vain. I find a lot of humor in that." -Pete

I'll remember you.