BlizzCon, Gamers, WoW Trojans, Oh My


Tomorrow morning, Blizzard Entertainment (the publisher of the wildly popular World of Warcraft franchise) will kick off another BlizzCon to show off their latest projects and directly interact with their fanbase. World of Warcraft will likely take center stage at the convention, which has become the venue of choice for Blizzard to unveil their newest expansion pack for the enormously popular online role-playing game.

Here at Webroot we have our fair share of past and present WoW players. So we’re quite tuned in to the malware that plagues WoW and other online games. As the gaming market continues to grow at an amazing rate, so does the real-money value of (and the virtual currency stored in) game accounts used in association with those games.

Earlier this summer we shared with our readers the top ways that threats get introduced into online games and the best ways to avoid them. With BlizzCon just hours away, and the WoW servers ramping up for the imminent surge in logons, we thought we’d revisit the issue and raise security awareness by sharing some of the more atrocious malware variants we’ve seen hitting the WoW gaming community.

Password-stealing Trojans are what we’re really talking about here. Most WoW players that we’ve talked to have “a friend” who somehow got infected by a Trojan and subsequently had their account compromised. For some, this just means that their characters were stripped of all equipment, money, and bank items. For others who may have been in a leadership position within an established guild (a player-organized social group) the account’s thief may have stolen as many items and/or as much money as possible from the guild’s shared bank.

More people are likely to be interested in knowing what happens next. The image below shows the page you will arrive at when following one of these links (even as the URLs vary, the pages to which they link are effectively the same). We’ve employed Chilldog to censor the porn content.

[Image: screenshot of the page reached by following one of these links]

These so-called “keylogger posts” on the WoW message boards are one of the most common ways these manipulative, password-hungry malware writers deliver malicious ploys to WoW players. While many WoW veterans wouldn’t be distracted by the crude tactics of these posts, there are plenty of people (and maybe even some orcs) who just can’t resist that juicy drama—or really want to learn more about their Death Knight.


As you can see (even through the “censorship”), the page emulates the appearance of a Flash video-based porn site. The pages leech some of the graphics from that site, but every single link on the page links to the malware installer. This simple social engineering trick, so commonly used of late by Koobface to fool Facebook users, still manages to convince users to execute the malware installer in order to view the video.


Misled gamers who download and run the Flash “installer” won’t see any obvious difference on their computers to indicate that they are infected. At this point, the Trojan is ready to start stealing login credentials. These infections are often fairly simple in their configuration, though as with all malware there are versions out there which are much more complex. The installer executable simply drops a DLL file onto the victim’s hard drive, typically to System32 or another Windows subdirectory; the DLL performs the keystroke logging and then sends that data to the phisher behind the scam. The installer also modifies the Registry so the file loads with every startup.
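A defender's check for the persistence pattern described above, as an added example that is not from the original post: it parses `reg query` output for autostart values that load a DLL from the Windows directory and reports any DLL missing from a known-good baseline. The post does not name the Registry key the installer modifies; the Run and AppInit_DLLs locations, the sample values and the baseline set are assumptions constructed for illustration.

```python
import re

# Constructed sample in the layout printed by `reg query <key>`; every value
# name and file name below is invented for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VendorTray    REG_SZ    "C:\Program Files\Vendor\tray.exe" -silent
    FlashUpdate    REG_SZ    rundll32.exe C:\WINDOWS\system32\flvplug32.dll,Init

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\WINDOWS\kbdhelp.dll
    DeviceNotSelectedTimeout    REG_SZ    15

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Sound    REG_EXPAND_SZ    rundll32.exe %SystemRoot%\System32\audiohelper.dll,Tray
"""

VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
# A DLL path in the Windows directory or any of its subdirectories.
WIN_DLL = re.compile(
    r'(?:[a-z]:\\windows|%(?:systemroot|windir)%)\\'
    r'(?:[^\\\s",]+\\)*([^\\\s",]+\.dll)', re.I)

def parse_reg_query(text):
    """Yield (key, value_name, data) for each value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m.group(1), m.group(3)

def suspicious_autostarts(text, known_good):
    """Return autostart values loading a Windows-directory DLL not in known_good."""
    hits = []
    for key, name, data in parse_reg_query(text):
        for dll in WIN_DLL.findall(data):
            if dll.lower() not in known_good:
                hits.append((key, name, dll))
    return hits

if __name__ == "__main__":
    # known_good would come from a clean baseline image; constructed here.
    for hit in suspicious_autostarts(SAMPLE, {"audiohelper.dll"}):
        print(hit)
```

A hit is a lead for review, not a verdict: check the flagged file's signature, creation time and hash before treating it as malicious.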


While there is some indication that these account credentials are often phished specifically for gaming account information, there is nothing to prevent these individuals from applying those same login credentials, or logging additional ones, to other Web sites accessed by the infected individual. When that happens, this kind of crime easily transforms from a nuisance into major identity theft.

Come back tomorrow for tips and advice that will help you avoid these kinds of scams.
About the Author

Name: Grayson Milbourne
Role: Threat Team Member


Grayson Milbourne is the Security Intelligence Director for Internet security company Webroot. Over the past nine years Milbourne has worked in various areas of the company, spending the past seven years focused on threat analysis. His areas of security intelligence expertise range from mobile to reversing to automation to cloud security. Grayson is also an avid participant in the security community and drives awareness of current threats by speaking at major events such as RSA and Virus Bulletin. Most recently, Grayson has been focusing on the growth of mobile malware and the risks associated with BYOD. Additionally, he writes and provides technical review for the Webroot blog.

