Update: Keylogger source identified

Just a quick update from our friends at World of Raids about the current situation regarding circumvented authenticators. It appears that multiple websites are being used to spread this malware. Be careful which sites you download addon updates from; fake website addresses are being used to trick users.
For example, one of the fake sources appears as a "Sponsored Link" right at the top of a Google search. Don't actually visit that site and be sure to warn players asking about addons where to go.
The fake site lets you download a fake copy (did you see fake?) of the WowMatrix AddOn Manager, which installs emcor.dll. This Trojan (Malware.NSPack) can currently be detected by Malwarebytes.
Thanks Kody!
Filed under: News items, Account Security







Reader Comments (Page 1 of 4)
Catalyst Mar 1st 2010 11:08AM
Lesson learned: Pay attention while you surf the internet.
Zalvi24 Mar 1st 2010 4:31PM
My dcomp is protected as far as I know, but it is not showing the fake web for wowmatrix at the top. Did they remove it already?
Ozzard Mar 1st 2010 11:06AM
Gotta love the juxtaposition of that with the real search result, proudly declaring that it's free from malware :-).
Ryan Smith Mar 1st 2010 11:06AM
Sweet! I love MalwareBytes.org
Rob Mar 1st 2010 11:10AM
Glad to see Blizzard finally saw that their system isn't infallible. After 2 of my guild mates got hacked with authenticators on their accounts they posted about it in the customer service forums. Then they were basically called liars by green and blue posters alike.
Magma Mar 1st 2010 11:12AM
Well technically, they weren't hacked. They freely handed their info over, which was used to log in. No hacking here.
Muse Mar 1st 2010 11:12AM
I've been saying from the start: The authenticator is not a replacement for common sense, a good firewall and some healthy caution.
It just makes those three even better.
Tyr Mar 1st 2010 11:15AM
As Boubouille wisely said:
" * Yes, you can get hacked even if you have an authenticator, the chances are MUCH lower but you're not invulnerable.
* It definitely isn't an excuse to not have an authenticator. We're talking about a single virus here and the authenticator will save your ass 99% of the time.
* Get a decent anti-virus, buy an authenticator, you'll be safe"
Also, Blizzard has never said their authenticator is the holy grail of account security.
AutumnBringer Mar 1st 2010 11:38AM
No system will be infallible as long as humans are in the loop. I would think that Blizzard's network security guys would have known that already, and didn't realize that just now.
I could see blue/green posters responding unfavorably to a claim by someone about the account being hacked, but it may be due to how you phrase it.
"My authenticator got hacked" makes a very different statement from "My account with an authenticator attached was compromised". Then again, maybe the blue/green posters were being unreasonable ... they're humans too - see the first sentence I wrote again :P
Chiroptera Mar 2nd 2010 4:34AM
@Rob - were these the same two guild mates who swore they were hacked and their toons were clearing out the bank and they SAID they had an authenticator but the blue confirmed that they actually lied and did not have authenticators attached to their accounts?
http://forums.worldofwarcraft.com/thread.html?topicId=23279927798&sid=1
Tori Mar 1st 2010 11:11AM
Does anyone else use Avast Antivirus and know whether it's updated for this Trojan as well?
Hëx Mar 1st 2010 11:15AM
Once again we see that users are their own worst enemy. Sorry folks, I know that this stuff can look amazingly real, but installing anything from the internet requires double and triple checking.
As a computer/server tech with 25+ years' experience, I recommend Avast! or the new Microsoft Security Essentials. Spybot Search and Destroy (w/ its TeaTimer option) can also stop malicious installs. But the last line of defense is YOU, take the time to read prompts and Alt-F4 anything suspicious. Learn how to use Task Manager to close programs. And be VERY wary of anything that won't let you close the window or open Task Manager, like the latest Security 2010 trojan does.
And don't let this stop you from not getting or using an Authenticator. It is still much better than simply using a password alone.
Shameless plug: Anetheron-US-Horde Open Raiding Group http://www.hex.ms
Hëx Mar 1st 2010 11:31AM
Also like to recommend Firefox with NoScript, don't let the fact that it requires you to select what sites to allow to run JavaScript deter you. That is how things should be, by default a JavaScript web ad can silently install programs on your computer even if the main page you are viewing is a legitimate site.
http://www.getfirefox.com
http://www.noscript.net
seanthehorde Mar 1st 2010 11:35AM
Having recently switched to Security Essentials, I wholeheartedly recommend it.
It's free, fast, and integrates itself nicely into Windows. It's remarkably light on resources as well.
It blows AVG and Avast out of the water.
http://www.microsoft.com/Security_Essentials/
Drakkenfyre Mar 1st 2010 11:41AM
AVG went to shit in a hurry. It became bloated, and when 8.0 was released, it installed shit even when you told it not to. Then it started nagging you with a drop-down ad. Now it advertises other programs with that ad.
Cyanea Mar 1st 2010 2:06PM
NoScript + Firefox is KEY.
I also advocate AdBlock. It hides Sponsored Links, preventing them from becoming a problem as above.
Ryan Mar 1st 2010 3:19PM
NoScript isn't going to stop people from downloading and installing malware.
Drakkenfyre Mar 1st 2010 11:16AM
I wish Google would screen their advertising buyers a little better.
Just like when you hit a legitimate site, and they have a Flash exploit ad which forwards you to a fake "antivirus" site which tries to convince you that your system is infected, and you need to install their "antivirus". They need to screen their ad buyers better.
Cheb Mar 1st 2010 11:21AM
Didn't Google have another "Sponsored Link" problem awhile back that was a fake site that downloaded a keylogger or virus or something? I think it was even a WoW site?
Anyway, lesson learned, never click the Sponsored Links, since Google doesn't appear to screen them at all.
Drakkenfyre Mar 1st 2010 11:29AM
Yes, they did. After many people complained about it, they took it down.
They don't screen these damn things. You purchase advertising space, you get in.