Wowui.incgamers.com invaded by malware?
by Daniel Whitcomb 
Apr 14th 2008 at 4:30PM
Here at WoW Insider, we've noticed an unusual and disturbing glut of people having trouble with being keylogged or otherwise hacked soon after installing new addons lately (which wouldn't be a surprise -- lots of people were grabbing addons after patch 2.4, so that makes them a likely route for attackers). While it's too early to make any definite connections, It seems like there's one new lead that's just popped up: popular addon site wowui.incgamers.com (not linked for obvious reasons) is apparently passing off bad files, according to reports from Stopbadware.org and other anonymous sources.
If you've been using the site for your addons, especially in the past week or so, it might be a good idea to exercise some caution and run your favorite anti-virus or anti-malware program. The site has already been in trouble recently with reports that their UICentral addon updater (now discontinued) was using copyrighted code, and now it looks like there's more trouble abrewing for them.
Update: Wowui.incgamers not infested with malware. Full story here.Filed under: News items, Add-Ons, Account Security
Reader Comments (Page 1 of 3)
JPN Apr 14th 2008 4:36PM
Is it a usual or unusual glut? :)
I got hacked last week. Have no idea how - installed 3 add-ons from fizzwidget.com and that's all, don't go to forums, didn't go anywhere else WoW-related. Still don't know what happened - nothing has shown up on two different scanning utilities. I'm copying and pasting my new password forever.
JohnC Apr 14th 2008 5:15PM
you can get a keylogger from anyware basically, it doesnt have to be a wow related site.
and you also dont have to download anything to get a keylogger, you can get one from browsing sites, my advice is get firefox (helps stop alot of mailicious code) and install noscript on it. this prevents any code running on a website unless you allow that domain to run it (takes a while to set up because of this but worth it)
even so theres a limit to what you can do, get a spyware program (personally i recommend webroot's spysweeper) a decent virus piece of software (e.g. mcaffe) but even so very new viruses can still hit you if the softwares havent got it updated in their definitions. (this is rare but still very possible)
rick gregory Apr 14th 2008 4:41PM
*CAN* an addon contain a keylogger? They're just .lua files after all...
It's my understanding that the .exe installers/updaters can become infected but not the addons themselves.
Eternalpayn Apr 14th 2008 6:20PM
First off, there was a post above me that said something about using the keyboard to enter your password. WoWInsider, PLEASE make a post that specifically tells people this does ABSOLUTELY NOTHING. Keyloggers, believe it or not, are smart enough to know your keyboard.
Also, about this post, .lua files are executable scripts, just like a .js file. Also, most addons come in .ZIPs, which can contain a number of things in them.
Hone Melgren Apr 15th 2008 1:04AM
"Also, about this post, .lua files are executable scripts"
Actually Enternalpayne you're dead wrong here. They are interpreted scripts ie they needs something to interpret them before they can run. Last time I checked Windows does not interpret LUA natively - only the World of Warcraft program can . And I'm pretty sure Blizzard has locked down their LUA/ui programming SDK so it can't access stuff outside the world of warcraft program.
Example I'm on a mac. I can't run Windows programs natively. I need an interpreter for it . Something like Virutal PC or Parallels for example
Mad Cow Apr 14th 2008 4:42PM
Their updater app was shit. I'd been speculating on borrowed code for a LONG time. They were slow to fix it and it did not detect half of my addons correctly.
I lost faith in Wowui and Curse a long time ago.
Ace mods are win.
Faar Apr 14th 2008 5:08PM
As the post from Incgamers state, the issue wasn't with "borrowed" code, but rather a pirated Java development tool. A trivial detail one might think, but still worthy of pointing out methinks.
By the way - people believing themselves immune to keyloggers by copying and pasting their password - beware!
WoW password stealers typically do not rely on detecting keystrokes - instead they monitor the actual memory addresses where the WoW client stores your account name and password. Thus the method you use to supply the password does not matter; once it's input into the text boxes the malware program can read it regardless.
The only way around this is to not get infected (or not log into your WoW account - though this is probably not a realistic option for most of us addicts, lol...)
Rasnarok Apr 14th 2008 5:13PM
These keyloggers are getting ridiculous. It's amazing just how low some people will go to make a few bucks these days. Stealing someone's game? C'mon.
alyahs Apr 14th 2008 4:50PM
How would I know if I have been keylogged? I am doing what the above poster is doing and cut/paste my password from now on. I just had someone send me an email with the new pw so I will have never typed it on this computer. I am running a scan now on Norton. If that comes back clean am I good to go or could I still possibly have something on my computer? Any other things I can/should do so I know FOR SURE there is no keylog on my puter? Thanks.
Woecip Apr 14th 2008 4:55PM
Yea..ummm...
"I just had someone send me an email with the new pw so I will have never typed it on this computer."
Dont give you password to anyone would be a good start.
Thx for Lulz
Mad Cow Apr 14th 2008 5:00PM
I believe this was covered by WI back in the day. I'm surprised they don't run something like it on a monthly basis.
@ WI
Would be mighty nice of you guys to run something to help people avoid getting hacked. Not everyone is an IT monkey and has "best practice" habits when sitting down to enjoy a few hours of WoW or whatever. The topic could cover basic safe surfing habits, browser plugins that might prevent malware (basic configuration of said plugins for the technically challenged), what not to do when you see an add for "enhancements", Antivirus, Spyware cleaners, etc. etc.
Dan Apr 15th 2008 3:28AM
That wouldn't even fool a generic key logger, the clipboard (where everything you copy goes) is easy to access and keyloggers keep track of it for just this reason.
Virus check your computer, always keep windows updated (windowsupdate.microsoft.com) and update your webbrowser to it's latest version. For extra security you can enable both IE7 and firefox to check if the website your on is a known phishing site (ie, tries to fool you into thinking its another site so you will give them your passwords) search the help for phishing and activate it if it's disabled.
It's impossible to be 100% secure however, unless you cut the internet connection cord with a pair of scissors.
alyahs Apr 14th 2008 4:58PM
ya that person is my husband who hates the game so not really worried about that....hes not some random person who is going to hand out my wow pw. but, um, ya, thanks.
G Apr 14th 2008 7:38PM
He was likely lulz'ing because email is one of the least secure forms of communication. It's not a good idea to send anything sensitive via email.
Juju Apr 14th 2008 5:09PM
There is so much misinformation about keyloggers.
Firstly, copy-and-pasting your password instead of typing it WILL NOT protect you. Once it is inside your machine, the trojan is like a god, it can do anything it wants to your computer. Your only hope is preventing it from getting in.
Get Firefox and Noscript. This will prevent websites from installing trojans on your PC. This is where they come from, not .lua files.
Don't use Internet Explorer. Using it is like putting a big sign on your PC that says, "Hack me and delete all my characters!"
Download and install Zonealarm. There is a free version. This will prevent the virus from transmitting your password back to the hackers.
Juju Apr 14th 2008 5:19PM
Here are the links to the above mentioned products:
http://www.mozilla.com/en-US/firefox/
http://noscript.net/
http://www.zonealarm.com/store/content/company/products/znalm/freeDownload.jsp
Several of my friends have been hacked on Vek'nilash. All their gear was vendored, and in some cases, their characters deleted. They had up-to-date antivirus software, and multiple scans did not detect anything. So, don't think just antivirus alone will protect you. Get Zonealarm today!
jbodar Apr 14th 2008 7:17PM
What AV software were your friends using? Not all are created equal. No software is perfect, but some are dramatically more effective than others.
http://www.av-comparatives.org/seiten/ergebnisse_2007_11.php
alyahs Apr 14th 2008 5:24PM
oh noes! copy/paste won't work ;( Oh well. On to the other options then. I don't know much about firefox so I'll have to look into it. I work from home and if I remember correctly, I think I have to use IE no matter what so I might be screwed on that front. Thanks for info!
LiQiuD Apr 14th 2008 5:36PM
Firefox has an IE Tab plugin that will use IE for certain sites (ie Work related Sites) so that you can continue to do your job, but not make your computer an even bigger target than it already is. I have to use IE for certain things at work, and since I refuse to use IE unless absolutely necassary this is how I accomplish my work.
https://addons.mozilla.org/en-US/firefox/addon/1419
K Whitt Apr 14th 2008 5:24PM
Actually, the ads in the WoWACEUpdater .net app from ACE had an add in it that attempted to load a few things. Luckily I have both Vista and a good set of tools that catch things like that. Any site that has advertising that they don't personally review and host themselves is very vulnerable to remote injection of malware attacks.
Also to those who ask, the addons in WoW themselves can _NOT_ be used as keyloggers. LUA, LIS and such associated files are just text files of scripting language, and WoW is very strict about it does allow for in its interpretation of that language (LUAscript). However, if your particular addon has an executable to go with it (like WebDKP, WoWEcon, or WoWHead uploader) then that is very vulnerable and possibly likely to be vectors for computer nasties (althoug those mentioned sources aren't bad as of current).
Oh, and to those who think copypasta will save you from Keyloggers, think again. Actually querying and copying text from the clipboard (which is where things go when you do copy/paste) is easier to program than actual Keyboard hooks. Seriously, I can do that in under 20 lines of code in .net without needing admin access ...
As far as how do I tell if my computer has a keylogger or not, it isn't easy. Which is why they get away with doing what they do for so long. Without being a paranoid techy freak, you generally won't notice the signs of this kind of stuff happening. (Disclaimer: Having had it happen to me once a few years ago, I am now one of the afore mentioned paranoid techy freaks).