Update: Keylogger source identified

by Matt Low Mar 1st 2010 at 11:00AM

Just a quick update from from our friends at World of Raids about the current situation regarding circumvented authenticators. It appears there are multiple websites being used for this malware. Be careful of which sites you go to in order to update your addons from; fake website addresses are being used to trick users.

For example, one of the fake sources appears as a "Sponsored Link" right at the top of a Google search. Don't actually visit that site and be sure to warn players asking about addons where to go.

What happens is the fake site will allow you to download a fake copy (did you see fake?) of the WowMatrix AddOn Manager which installs the emcor.dll. This Trojan (Malware.NSPack) can currently be detected by Malware Bytes.

Thanks Kody!

Tags: account-security, authenticator, breaking, emcor-dll, exploit, keylogger, keyloggers, malware, man-in-the-middle, safe-surfing, security, security-exploit, technical-support

Filed under: News items, Account Security

Reader Comments (Page 1 of 4)

Catalyst Mar 1st 2010 11:08AM

Lesson learned: Pay attention while you surf the internet.

Zalvi24 Mar 1st 2010 4:31PM

my dcomp is protected as far as know, but is not showing the fake web for wowmatrix at the top, did they remove it already?

Ozzard Mar 1st 2010 11:06AM

Gotta love the juxtaposition of that with the real search result, proudly declaring that it's free from malware :-).

Ryan Smith Mar 1st 2010 11:06AM

Sweet! I love MalwareBytes.org

Rob Mar 1st 2010 11:10AM

Glad to see Blizzard finally saw that their system isn't infallible. After 2 of my guild mates got hacked with authenticators on their accounts they posted about it in the customer service forums. Then they were basically called liars by green and blue posters alike.

Magma Mar 1st 2010 11:12AM

Well technically, they weren't hacked. They freely handed their info over, which was used to log in. No hacking here.

Muse Mar 1st 2010 11:12AM

I've been saying from the start: The authenticator is not a replacement for common sense, a good firewall and some healthy caution.

It just makes those three even better.

Tyr Mar 1st 2010 11:15AM

As Boubouille wisely said:

" * Yes, you can get hacked even if you have an authenticator, the chances are MUCH lower but you're not invulnerable.
* It definitely isn't an excuse to not have an authenticator. We're talking about a single virus here and the authenticator will save your ass 99% of the time.
* Get a decent anti-virus, buy an authenticator, you'll be safe"

Also, Blizzard has never said their authenticator is the holy grail of account security.

AutumnBringer Mar 1st 2010 11:38AM

No system will be infallible as long as humans are in the loop. I would think that Blizzard's network security guys would have known that already, and didn't realize that just now.

I could see blue/green posters responding unfavorably to a claim by someone about the account being hacked, but it may be due to how you phrase it.
"My authenticator got hacked" makes a very different statement from "My account with an authenticator attached was compromised". Then again, maybe the blue/green posters were being unreasonable ... they're humans too - see the first sentence I wrote again :P

Chiroptera Mar 2nd 2010 4:34AM

@ROb - were these the same two guild mates who swore they where hacked and their toons where clearing out the bank and they SAID they had an authenticator but the blue confirmed that they actually lied and did not have authenticators attached to their accounts?

http://forums.worldofwarcraft.com/thread.html?topicId=23279927798&sid=1

Tori Mar 1st 2010 11:11AM

Does anyone else use Avast Antivirus and know whether it's updated for this Trojan as well?

Hëx Mar 1st 2010 11:15AM

Once again we see that users are their own worst enemy. Sorry folks, I know that this stuff can look amazingly real, but installing anything from the internet requires double and triple checking.

As a computer/server tech with 25+ years experience, I recommend Avast! or the new Microsoft Security Essentials. Spybot Search and Destroy (w/ it's TeaTimer option) can also stop malicious installs. But the last line of defense is YOU, take the time to read prompts and Alt-F4 anything suspicious. Learn how to use Task Manager to close programs. And be VERY wary of anything that won't let you close the window or open Task Manager, like the latest Security 2010 trojan does.

And don't let this stop you from not getting or using an Authenticator. It is still much better than simply using a password alone.

Shameless plug: Anetheron-US-Horde Open Raiding Group http://www.hex.ms

Hëx Mar 1st 2010 11:31AM

Also like to recommend Firefox with NoScript, don't let the fact that it requires you to select what sites to allow to run JavaScript deter you. That is how things should be, by default a JavaScript web ad can silently install programs on your computer even if the main page you are viewing is a legitimate site.
http://www.getfirefox.com
http://www.noscript.net

seanthehorde Mar 1st 2010 11:35AM

Having recently switched to Security Essentials, I wholeheartedly recommend it.
It's free, fast, and integrates itself nicely into Windows. It's remarkably light on resources as well.
It blows AVG and Avast out of the water.

http://www.microsoft.com/Security_Essentials/

Drakkenfyre Mar 1st 2010 11:41AM

AVG went to shit in a hurry. It became bloated, and when 8.0 was released, it installed shit even when you told it not to. Then it started nagging you with a drop-down ad. Now it advertises other programs with that ad.

Cyanea Mar 1st 2010 2:06PM

NoScript + Firefox is KEY.

I also advocate AdBlock. It hides Sponsored Links, preventing them from becoming a problem as above.

Ryan Mar 1st 2010 3:19PM

NoScript isn't going to stop people from downloading and installing malware.

Drakkenfyre Mar 1st 2010 11:16AM

I wish Google would screen their advertising buyers a little better.

Just like when you hit a legitimate site, and they have a Flash exploit ad which forwards you to a fake "antivirus" site which tries to convince you that your system is infected, and you need to install their "antivirus". They need to screen their ad buyers better.

Cheb Mar 1st 2010 11:21AM

Didn't Google have another "Sponsored Link" problem awhile back that was a fake site that downloaded a keylogger or virus or something? I think it was even a WoW site?

Anyway, lesson learned, never click the Sponsored Links, since Google doesn't appear to screen them at all.

Drakkenfyre Mar 1st 2010 11:29AM

Yes, they did. After many people complained about it, they took it down.

They don't screen these damn things. You purchase advertising space, you get in.

| 1 | 2 | 3 | 4 | Most Recent | Next 20 Comments

Add your comments

Your comments:

Remember me

E-Mail me when someone replies to this comment

Please keep your comments relevant to this blog entry. Email addresses are never displayed, but they are required to confirm your comments.

When you enter your name and email address, you'll be sent a link to confirm your comment, and a password. To leave another comment, just use that password.

To create a live link, simply type the URL (including http://) or email address and we will make it a live link for you. You can put up to 3 URLs in your comments. Line breaks and paragraphs are automatically converted — no need to use <p> or <br /> tags.

Breaking news Feed

WoW Insider Show

Subscribe via iTunes for our latest show.

Hot Topics

Put WoW.com headlines on your site
Follow WoW.com on Twitter
Find us on Facebook

Upcoming Events

Event	Date
Call to Arms: Eye of the Storm	9/3 - 9/6
Darkmoon Faire: Elwynn Forest	9/5 - 9/11
Call to Arms: Alterac Valley	9/10 - 9/13
Harvest Festival	9/16 - 9/22
Call to Arms: Warsong Gulch	9/17 - 9/20
Pirates' Day	9/19
Brewfest	9/20 - 10/5
Call to Arms: Strand of the Ancients	9/24 - 9/27
Call to Arms: Isle of Conquest	10/1 - 10/4
Call to Arms: Arathi Basin	10/8 - 10/11
BlizzCon	10/22-10/23