Keylogger Found at UI Mod Site



"Tsurani posted on 20 Dec 2006, 02:01 PM

If you visited in the last few days you might want to scan your hard drive with the latest antivirus definitions. We have been informed that at this time the key logger was removed from the homepage.

The key logger itself was in an iframe embedded from an ad that was running on their site

The key logger planted a file called ntldr.exe on your C: drive. There is, however, also ntldr.dll; please do not get them confused. You need the ntldr.dll to boot your PC to a desktop. A great free online scanner can be located at Trend Micro"

Well, it got me. At 11:45 a.m. CDT someone logged into my account.

The security/antivirus programs below will not detect ntldr.exe, which might be located in your c:\ root directory, as it was on mine.

Symantec Client Security 12/20/2006
AVG 268.15.26/594 12/20/2006
Kaspersky 6.0 (downloaded today from their site)

Just removing the ntldr.exe and trying to log in with a new password did not work. I had to reinstall a fresh copy of WoW before another new password was accepted.

Patching as of now, not sure how much was taken, if any at all.

Eep! I hope they didn't get anything sir :( I am glad I haven't visited worldofwar lately. Gads. This may explain the post I saw of someone who won a beta key from their site and got a keylogger along with it. That site has lotsa traffic too :( This is terrible.

I am sorry to anyone in our guild (and out) who got caught by this virus. What a shame, I hope it changes the way companies like UI validate where they get their revenue streams from. Please don't take this wrong but stop using IE. It is poorly constructed and its security model is flawed. I am not suggesting FireFox is void of bugs but this type of thing is protected by FF in its design. I would truly be interested in the follow up to see if this problem would have existed in IE 7 but I feel the answer would be yes. FireFox has an Ad blocker called Adblock Plus which is updated all the time. I don't ever see advertisements. In any case, Yestin, I hope you will be up and running soon.

Thanks for the information Allanon.

Yes, I run FireFox on my primary information lookup computer, my laptop. The laptop did not get infected as far as I know. The WoW machine, which is rarely used but for gaming, was only MS service patched, and regularly virus/spybot maintained. Obviously I alt-tabbed and downloaded something while in WoW via IE 6.

What is odd is that the popular UI authors, such as the author of Titan, persist in uploading updates and performing customer service at this very same site. :eek: I found out today that this isn't the only occurrence of key-loggers embedded within their insecure server application. Their server admin made one comment within their public shoutbox: "it's been removed"

Without the support of mod authors, UI will die. Sadly curse has been plagued with issues since the launch of their new site and wowinterface is simply not a popular mod repository. Thank-you for sharing this with us. I hope, by your honest disclosure, it will save one person from infection.

That site is going on my "never visit again" list. Thanks for letting us know Bob and I truly hope they didn't wipe you out!!

Curse had a similar keylogger in one of their media servers, which was apparently fixed today. These sites use advertisement services that need to do a better job at scrubbing their files, as people can make them do some nasty things like this. is safe since they operate off of Monocle's backbone and is ad-free.

Well out of curiosity I ran the Trendmicro Housecall last night and found nothing I didn't expect on my PC. I do use FF and Adblock on my machine. I believe in ads as a nice revenue source for websites but they do need to make sure what they get for ads are not hurting their business, ie keyloggers.

Account Security Warning: Addon Websites infected with keyloggers

Numerous threads have been popping up over the last couple of days about keyloggers embedded in Add-ons on and, and lots of players got their accounts stolen. They have been detected in Addons and other parts of those two websites, according to users' testimony on boards.

Edit 12AM: Curse-gaming just fixed their security issues and will now prevent .html files from being uploaded on their servers. (Source)

For players who don't know what a keylogger is and how dangerous it is for your WoW account, I will give a quick description:
- Keyloggers record what you fill in as your account name and password and then send that data to the maker of the script. Therefore you will lose your account, since somebody else knows your account and password information.

How to check if you are infected:

- If you have a file named ntldr.exe (EXE, not dll, the dll is used by your OS to boot your computer). That file is the keylogger and you should remove it asap.

How to protect yourself:

- Don't use Internet Explorer (it hasn't been confirmed yet that IE 7.0 is safe); instead download and start using Mozilla Firefox.
*For more security, since WoW-targeted keyloggers use JavaScript in their process to infect you, you can block or allow JavaScript with the NoScript add-on for Firefox. It disables it by default and lets you enable it by choice (for trusted websites).*

- At this time, there is a keylogger embedded into the homepage. The keylogger itself is in an iframe embedded from hxxp:// (do not visit!).

- The curse-gaming keylogger is on If you go to their beta patch notes page from their site, everything's clean, but if you go to the one listed above, it's got the keylogger on it. (Source)

Source, testimony and more detailed info:

- WorldofRaids:
- Blizzard forums:

WoR reporter
Hmm, I know I went to a few times over the last while but don't show anything when doing scans or looking manually. Using Vista/IE7, so no idea if there's much difference from XP when it comes to that.

As for Firefox being safer than IE, I dunno if I agree. As of right now it is, but that's only because 90% of regular computer users use IE; if you're going to spend days, maybe months, finding an exploit, you want to do it so you hit the biggest target possible, which is IE. If any browser gets to even 50% of the market they will have the same issue.

Yup, agreed, but try turning off JavaScript with IE :) FF has extensions (NoScript) for that type of thing. Having it on has never caused me problems on any of the three sites I go to (Curse, UI, and WoWInterface). I do agree with your statement about target market; that is completely true, and if the tables ever turned, FF would be targeted.

Sadly enough, they also know that a fair number of IE users don't update their Windows/IE, so they're still vulnerable to exploits that have been fixed for months.

On the other hand, FF (and opera, i think) automatically update in the background, as well as the people using it tend to be more aggressive about getting OS/browser updates, virus definitions, etc.

I know it's a slight overgeneralization, but I would guess that I'm not far off.

Everything was taken except my two BG award items. I guess those items can't be disenchanted?

Even after removing ntldr.exe, and reinstalling WoW, I still received validation errors when trying to login. And since none of the virus scanners, or spybot removers could detect ntldr.exe, I ended up fdisking.
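The thread's host-side indicator is a file named ntldr.exe sitting in the drive root, which the scanners of the day did not flag. The following is an added example, not code from the thread: it lists matching files case-insensitively, records their size and SHA-256 so a sample can be compared or submitted later, and deletes nothing. The make_sample_root helper builds a constructed directory (with a decoy carrying the legitimate, extensionless loader name ntldr) so the check can be exercised without a real infection.

```python
"""Report files matching the ntldr.exe indicator at a drive root.

Added example, not from the thread.  Only reports; nothing is removed.
"""
import hashlib
import os
import sys
import tempfile

# Filename the thread reports as the dropped keylogger (lower-case for comparison).
SUSPECT_NAMES = {"ntldr.exe"}


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_root(root):
    """Return (path, size, sha256) for each top-level file whose name is an indicator.

    Only the root directory itself is examined, since the thread places the file
    in C:\\, and the comparison is case-insensitive because Windows filenames are.
    """
    hits = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if name.lower() in SUSPECT_NAMES and os.path.isfile(path):
            hits.append((path, os.path.getsize(path), sha256_of(path)))
    return hits


def make_sample_root():
    """Build a constructed directory that mimics a drive root for a dry run:
    a decoy with the legitimate loader's name and one file matching the indicator."""
    root = tempfile.mkdtemp(prefix="iocdemo_")
    with open(os.path.join(root, "ntldr"), "wb") as f:  # legitimate NT loader name, no extension
        f.write(b"not a real loader, constructed for the demo")
    with open(os.path.join(root, "NTLDR.EXE"), "wb") as f:  # indicator, upper-cased to show case folding
        f.write(b"constructed sample, not malware")
    return root


if __name__ == "__main__":
    # Pass a drive root (e.g. C:\) to scan it; with no argument, run on the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_root()
    for path, size, digest in scan_root(target):
        print(f"{path}  {size} bytes  sha256={digest}")
```

Keeping the hash rather than just the filename matters here: the thread reports that signature scanners missed the file, so the digest is what lets you compare a sample found on one machine with one found on another, or check it against a scanner once definitions catch up.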
One of the reasons I use WoWinterface for my primary site for Trinity is because they are quite security aware (each and every upload is scanned and manually approved by an admin) and the admins have been very involved in the WoW UI modding community.

Curse has a name and recognition, so I upload there too, but I do not pay much attention to the site itself.

WoWInterface was also the only site that had a large library of in-the-works 2.0 addons during TBC beta and prior to the 2.0 live patch. If it was not for WoWi, the 2.0 UI situation would have been much worse, IMHO.