Trojan successfully hacks Authenticator Protected Accounts
Fat Tire
02-28-2010, 10:20 AM
A new virus spawned on the internet a few days ago and seems to be the first trojan capable of hacking a WoW account protected by an Authenticator. It was confirmed by Blizzard a few hours ago.
Quote from: Kropacius (Source (http://forums.wow-europe.com/thread.html?topicId=12730404058&sid=1&pageNo=1#15))
After looking into this, it has been escalated, but it is a Man in the Middle attack.
http://en.wikipedia.org/wiki/man-in-the-middle%20attack
This is still perpetrated by key loggers, and no method is always 100% secure.
Basically, what the virus does is fairly simple after you're infected:
The next time you log in World of Warcraft, the game asks for your Authenticator code.
The virus intercepts it, sends it to another server, and sends a wrong one to Blizzard = You get an error.
The people behind the virus now have a few seconds/minutes to use the "real" code while it's valid to change your password / empty your account / guild bank.
How to check if you're infected
Just search for a file named "emcor.dll" on your computer, it is most likely located in "C:\Users\(Your user name)\AppData\Temp" but I suggest that you check everything just to be sure. If you do find the file, delete it and make sure you update your anti-virus to prevent any further problem.
To be honest, if you found this file your account is probably already compromised.
What does it mean exactly?
Yes, you can get hacked even if you have an authenticator, the chances are MUCH lower but you're not invulnerable.
It definitely isn't an excuse to not have an authenticator. We're talking about a single virus here and the authenticator will save your ass 99% of the time.
Get a decent anti-virus, buy an authenticator, you'll be safe.
http://www.mmo-champion.com/news-2/authenticator-accounts-hacked-icc-quests-crimson-deathcharger/
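The relay described in the first post leaves a recognizable server-side pattern: a failed code entry from the player's address, followed shortly by a successful login to the same account from a different address. A detection sketch over constructed log lines, added here as an example and not part of the original thread; the log format, field names and the 120-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format): timestamp, account, IP, event, result.
SAMPLE_LOG = """\
2010-02-28T10:00:05 acct=alice ip=198.51.100.7 event=login_otp result=fail
2010-02-28T10:00:11 acct=alice ip=203.0.113.50 event=login_otp result=ok
2010-02-28T10:00:40 acct=alice ip=203.0.113.50 event=password_change result=ok
2010-02-28T10:01:02 acct=alice ip=198.51.100.7 event=login_otp result=fail
2010-02-28T10:05:00 acct=bob ip=192.0.2.10 event=login_otp result=fail
2010-02-28T10:05:20 acct=bob ip=192.0.2.10 event=login_otp result=ok
"""

WINDOW = timedelta(seconds=120)  # assumed period in which a captured code stays usable


def parse(line):
    """Split one log line into a dict with a parsed timestamp under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_relayed_codes(log_text, window=WINDOW):
    """Flag a failed code entry followed, within `window`, by a successful
    code login to the same account from a different IP."""
    last_fail = {}  # account -> (timestamp, ip) of the most recent failed code entry
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        if r["event"] != "login_otp":
            continue
        acct = r["acct"]
        if r["result"] == "fail":
            last_fail[acct] = (r["ts"], r["ip"])
        elif acct in last_fail:
            fail_ts, fail_ip = last_fail.pop(acct)
            if r["ip"] != fail_ip and r["ts"] - fail_ts <= window:
                gap = int((r["ts"] - fail_ts).total_seconds())
                alerts.append({"acct": acct, "victim_ip": fail_ip,
                               "suspect_ip": r["ip"], "gap_s": gap})
    return alerts


if __name__ == "__main__":
    for alert in find_relayed_codes(SAMPLE_LOG):
        print(alert)
```

A match is a signal to hold sensitive actions such as a password change for that session, not proof of compromise, since a mistyped code followed by a retry from another network looks the same.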
HPAVC
02-28-2010, 11:00 AM
With the little SecurID cards this is a problem, the keypad ones avoid this but amp the cost and replacement time significantly.
Velassra
02-28-2010, 12:31 PM
Me no understands...
zenga
02-28-2010, 01:18 PM
I kinda lol'd reading this after all those claims that an authenticator makes you 100% safe. The weakness of any security measure is the end user, nothing will change that.
ImaHealer
02-28-2010, 06:36 PM
I kinda lol'd reading this after all those claims that an authenticator makes you 100% safe. The weakness of any security measure is the end user, nothing will change that.
Actually I personally never thought it made you 100% safe, it has always, in my opinion, been an ADDED security to complement other security measures I use on my system, like anti-virus and anti-malware...
Gormand
02-28-2010, 07:07 PM
The main advantage that having an auth gives you is that in order for them to hack your account they still need the code. Each code is only good for 1 login so when they get the first code (You have 1 sorry that was wrong message) they can either
1. Change your password
2. Login to your WoW account
If you then try and login again and have a new authenticator code you will again get an error message, now that's 2 in a row and if that doesn't set off alarm bells then you need to have your head checked. But with that 2nd code they can take the authenticator off your account AND change your password.
But you are still sitting at your computer and they (Hopefully) don't have access to your E-mail address. If your E-Mail logs in automatically or if you use a program like Outlook/Thunderbird for E-mail then you can simply run through the password recovery option with Blizzard then reset your password and put the authenticator back on your account.
Then it's a simple case of logging into WoW on another computer (If you don't have one in your house call someone you trust and have them do it over the phone) doing this will mean that you disconnect anyone still logged into your account (IE the hackers) and they can't get back in due to the authenticator being back on your account.
So in effect if you have a small idea of what you are doing they will get at most 5 minutes on your account. They can do a fair bit in that time but nowhere near as much as they used to be able to when they login when you're in bed and they have hours to strip you and the guild bank :P
HTeam
02-28-2010, 07:46 PM
The first thing you should do is switch computers and log in.
Ughmahedhurtz
02-28-2010, 11:46 PM
Me no understands...
Short version: keyloggers are smart enough now to catch authenticator codes and send them back to criminals immediately, where they can use them for a few seconds to a few minutes to login to your account and do Bad Things(tm).
Sam DeathWalker
03-01-2010, 12:15 AM
LoL I would think if someone keylogged your computer they would prefer your bank account or paypal login ....
I run without norton or any virus scanner and never get anything. I just shut off all remote services, never open email attachments, and if I see any program running from a web site I don't hit "no" I do a ctrl alt del and shut down IE immediately. And I have a full disk copy a week or so old in case I do get a virus, just pop out the old drive and slap in the new ....
daviddoran
03-01-2010, 08:26 AM
There's less legal heat for stealing wow accounts than bank accounts...
Daeri
03-01-2010, 08:45 AM
Is there any information on how this virus has started to spread? Malicious banner? Infected "addon"?
crowdx
03-01-2010, 11:31 AM
So basically if the people that wrote the trojan made it to hack a wow account (not sure if that is what it was designed for) then they also would have a script which would automatically log onto your battlenet account and disable the authenticator all in a few seconds of getting the code.
As for trying to log in and getting an error and immediately on the second try calling blizzard or believing your account has been hacked, personally I have entered wrong passwords more than once on my WoW accounts and so getting it wrong twice would not be a red flag.
I do know that I just added an authenticator just last week due to my virus scanner finding a trojan on my machine which I instantly deleted and then waited until the authenticator was in place before logging onto WoW (I had the authenticator from Christmas but had not used it).
This was the first time in many years that I have gotten infected, I never open attachments etc and not 100% sure where it came from, only possibility is that one of the other family members used my machine (they are banned from it but for some reason my machine does not always prompt for its password when it comes out of screen saver mode).
Overall, security is always only one step away from the hackers, sometimes the hacker is ahead and sometimes the security, just a game of cat and mouse.
Aenar
03-01-2010, 12:07 PM
which would automatically log onto your battlenet account and disable the authenticator all in a few seconds of getting the code.
If someone wishes to remove an Authenticator from the account, don't they need to enter the Serial Number of the device before it's cleared? I haven't tried, so I may be wrong.
Daeri
03-01-2010, 01:25 PM
If someone wishes to remove an Authenticator from the account, don't they need to enter the Serial Number of the device before it's cleared? I haven't tried, so I may be wrong.
Indeed, the faq (http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24660) says so.
crowdx
03-01-2010, 01:34 PM
Then what is the point of getting the code? There is no way for a hacker to get the serial and with only a minute or so of opportunity to log onto the hacked account it would mean that the hacker would have to have a bot or some like to auto log into the account and automatically go through the toons, disenchanting the gear and mailing gold and mats to their own toons?
Having said that, i think I read it here somewhere that it is a bot that is used to clear out hacked accounts?
Pycno
03-01-2010, 01:45 PM
crowdx, Obviously if you are infected and try to log in again your login attempt will fail again.. Not everyone has a secondary (clean) computer they can use to login with after 30 seconds (when they get a new code on authenticator).
Using retrieve password after every logout should make your account as safe as your mailbox is, which would help a bit.
crowdx
03-01-2010, 02:12 PM
I lost you somewhere Pycno, I am not understanding your point :)
The point is they have a lot more than a minute or two. As long as you keep logging in on the affected computer your login will fail. So they have until you get fed up and call Blizzard, maybe an hour maybe a day.
And each time you try to log in you give them another authenticator code to do more damage to your account with.
Likely they use the first one to change your password so you can't log in via the Internet.
Then the next time you try to log onto your account they use that auth code to log into the game and start clearing your account out.
Gomotron
03-01-2010, 05:47 PM
If someone wishes to remove an Authenticator from the account, don't they need to enter the Serial Number of the device before it's cleared? I haven't tried, so I may be wrong.
To manually remove the authenticator from an account from the Battle.net site, you do not need to have the serial number to the authenticator.
However, you do need to input 2 consecutive authenticator keys. That protection makes this type of attack nearly impossible to carry out. Not impossible, just nearly so.
In order to remove the authenticator from a Battle.net account when you no longer have access to the authenticator is a bit more problematic. I have had 2 iPhones crap out taking the authenticator program with it, and since the authenticator program uses the serial number of the phone itself as a portion of the key generation algorithm, this means that a restore to a new iPhone does not result in the correct key being produced. I have had to fax in a form to Blizzard with specific account information and also a photocopy of my government issued ID card (for me a driver's license) and they then removed the authenticator from the account.
Just FYI.
daviddoran
03-01-2010, 05:54 PM
To manually remove the authenticator from an account from the Battle.net site, you do not need to have the serial number to the authenticator.
However, you do need to input 2 consecutive authenticator keys. That protection makes this type of attack nearly impossible to carry out. Not impossible, just nearly so.
In order to remove the authenticator from a Battle.net account when you no longer have access to the authenticator is a bit more problematic. I have had 2 iPhones crap out taking the authenticator program with it, and since the authenticator program uses the serial number of the phone itself as a portion of the key generation algorithm, this means that a restore to a new iPhone does not result in the correct key being produced. I have had to fax in a form to Blizzard with specific account information and also a photocopy of my government issued ID card (for me a driver's license) and they then removed the authenticator from the account.
Just FYI.
This is why I use a hardware authenticator instead of an iPhone app.
Toned
03-01-2010, 10:45 PM
This is why I use a hardware authenticator instead of an iPhone app.
Uh, with it intercepting the authenticator # from the wow.exe application the physical authenticator or iPhone app will not make a difference.
Someone also asked why would someone steal wow accounts and not paypal/bank info. They are very strict about identity theft / stealing real life money, you are looking at big fines and jail time if convicted. Virtual currency has very little policing in the U.S., the enforcers are the game makers and they just ban the account. I believe China was the first and Korea is following in prosecuting people for virtual crimes. Why risk the jail time of stealing your bank info, when one could steal many WoW accounts and make several hundred dollars per account with no risk if they are caught.
daviddoran
03-01-2010, 10:48 PM
Uh, with it intercepting the authenticator # from the wow.exe application the physical authenticator or iPhone app will not make a difference.
Someone also asked why would someone steal wow accounts and not paypal/bank info. They are very strict about identity theft / stealing real life money, you are looking at big fines and jail time if convicted. Virtual currency has very little policing in the U.S., the enforcers are the game makers and they just ban the account. I believe China was the first and Korea is following in prosecuting people for virtual crimes. Why risk the jail time of stealing your bank info, when one could steal many WoW accounts and make several hundred dollars per account with no risk if they are caught.
I was speaking more of the problem people had with iphones dying, taking the auth app with it, where my authenticator is more reliable in that sense.