World of Raids Forums: Keylogger Warning: Authenticators Now Vulnerable - World of Raids Forums

Keylogger Warning: Authenticators Now Vulnerable

#1 Kody

  • Goodbye, cruel world. Goodbye, cruel lamp. Goodbye, cruel velvet drapes...
  • Group: Administrators
  • Posts: 3228
  • Joined: 15-January 07
  • Character Name: Kodylan
  • Class: Death Knight
  • Realm: US-Kilrogg

Posted 27 February 2010 - 05:06 PM

Anyone who has an authenticator attached to their account should run a search (and probably an antivirus scan in case it's on the threat list already) immediately and ensure the file emcor.dll does not exist on your computer. This file is one reported to be allowing hackers to access World of Warcraft accounts that have authenticators attached to them. It's also possible there are other variations of these suspicious files, so if anyone has additional information please respond in the comments.

Based on this thread, the file may be found in /users/username/appdata/Temp. Since the file is fairly new (first mentions of it are only a few days ago), and the common source is unknown, I urge everyone to not log in to World of Warcraft or the account management site until you've run a scan. Confirm your computer is secure before using your authenticator, because this DLL file is allowing hackers to crack through it and access your account.

A warning sign that you're currently infected with this keylogger is that WoW will say your authentication code is incorrect, even if you know for sure you typed in the correct code. Thanks to Cameron for posting about this in our forums, too.
0
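The check the post above asks for, as an added example that is not part of the original post: a sweep over every user profile (not just the one you are logged in as) for a list of indicator filenames, matched case-insensitively so EMCOR.DLL and emcor.dll both hit, with the SHA-256 and timestamp of each hit so it can be reported or compared later. The profile layout under `demo()` and the sample files it plants are constructed for the run; the page gives no hash for the real file, so none is assumed here.

```python
"""Sweep user-profile directories for named indicator files (e.g. emcor.dll)."""
import hashlib
import os
import tempfile
import time


def sweep_for_files(roots, names):
    """Walk every directory under `roots` and report files whose name matches
    one of `names` (case-insensitive). Returns a list of dicts with path, size,
    mtime and sha256; the hash is what you would hand to an AV vendor or use to
    recognise the same sample on another machine."""
    wanted = {n.lower() for n in names}
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
            for fname in filenames:
                if fname.lower() not in wanted:
                    continue
                path = os.path.join(dirpath, fname)
                try:
                    digest = hashlib.sha256()
                    with open(path, "rb") as fh:
                        for chunk in iter(lambda: fh.read(1 << 20), b""):
                            digest.update(chunk)
                    st = os.stat(path)
                except OSError as exc:  # locked by a running process, or removed under us
                    findings.append({"path": path, "error": str(exc)})
                    continue
                findings.append({
                    "path": path,
                    "size": st.st_size,
                    "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
                    "sha256": digest.hexdigest(),
                })
    return findings


def default_roots():
    """All user profiles, not only the current one: C:\\Users on Windows, /home and
    /root elsewhere. On a shared machine the file may sit under another account."""
    if os.name == "nt":
        return [os.environ.get("SystemDrive", "C:") + "\\Users"]
    return ["/home", "/root"]


IOC_NAMES = ["emcor.dll"]  # the name from the post; extend as variants are reported


def demo():
    """Constructed sample tree: two case-variants of the IOC plus a decoy that must not match."""
    with tempfile.TemporaryDirectory() as tmp:
        alice_tmp = os.path.join(tmp, "Users", "alice", "AppData", "Local", "Temp")
        bob_roaming = os.path.join(tmp, "Users", "bob", "AppData", "Roaming")
        os.makedirs(alice_tmp)
        os.makedirs(bob_roaming)
        fake_pe = b"MZ" + b"\x00" * 62  # placeholder bytes, not a real binary
        with open(os.path.join(alice_tmp, "emcor.dll"), "wb") as fh:
            fh.write(fake_pe)
        with open(os.path.join(bob_roaming, "EMCOR.DLL"), "wb") as fh:
            fh.write(fake_pe)
        with open(os.path.join(alice_tmp, "encore.dll"), "wb") as fh:  # decoy
            fh.write(b"MZ")
        hits = sweep_for_files([os.path.join(tmp, "Users")], IOC_NAMES)
        return sorted(os.path.basename(h["path"]) for h in hits)


if __name__ == "__main__":
    for hit in sweep_for_files(default_roots(), IOC_NAMES):
        print(hit)
```

A hit on the name is only a lead: a legitimate file could share it, so hash and submit the file rather than deleting it on sight, and run the sweep as an administrator so other users' profiles are readable.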

#2 lora

  • Run away little girl!
  • Group: Members
  • Posts: 595
  • Joined: 06-January 08
  • Character Name: Akuyim
  • Class: Druid
  • Realm: US-Drak'Tharon

Posted 27 February 2010 - 05:25 PM

Not good :x
0

#3 Chrono

  • Majty Paladan
  • Group: Moderators
  • Posts: 708
  • Joined: 20-October 06
  • Location: Sweden
  • Character Name: Andú
  • Class: Paladin
  • Realm: EU-Frostmane

Posted 27 February 2010 - 05:25 PM

It could very well be some malware similar to the one mentioned in this article: http://securology.bl...nk-malware.html
0

#4 Cameron

  • Magic-Seeker
  • Group: Moderators
  • Posts: 1018
  • Joined: 18-December 09
  • Character Name: Lumatar
  • Class: Priest
  • Realm: EU-Ravenholdt

Posted 27 February 2010 - 05:25 PM

Country Of Origin
The filename EMCOR.DLL was first seen on Feb 25 2010 in the following geographical regions of the Prevx community:

  • Tunisia on Feb 25 2010
  • The United Kingdom on Feb 25 2010
  • Egypt on Feb 26 2010

0

#5 Zaythi

  • Arcanist Doan
  • Group: Moderators
  • Posts: 60
  • Joined: 12-February 10
  • Location: Ohio
  • Character Name: Zaythi
  • Class: Shaman
  • Realm: US-Cenarion Circle

Posted 27 February 2010 - 05:48 PM

Yeah, I've been thinking this would happen for a while. I have no coding experience, and have no clue what you are thinking Cam, but I was tossing out the idea of faking a wrong-code message and getting people to disable the authenticator, which would then allow it.

I hope they get it fixed soon, before it gets too widespread. Glad to know at least that it is targeted and live, and requires someone to be active, so it's not running 24/7 all over the world.

Thanks for the heads up!
0

#6 Cameron

  • Magic-Seeker
  • Group: Moderators
  • Posts: 1018
  • Joined: 18-December 09
  • Character Name: Lumatar
  • Class: Priest
  • Realm: EU-Ravenholdt

Posted 27 February 2010 - 05:50 PM

Ghli, on 27 February 2010 - 11:48 PM, said:

Yeah, I've been thinking this would happen for a while. I have no coding experience, and have no clue what you are thinking Cam, but I was tossing out the idea of faking a wrong-code message and getting people to disable the authenticator, which would then allow it.

I hope they get it fixed soon, before it gets too widespread. Glad to know at least that it is targeted and live, and requires someone to be active, so it's not running 24/7 all over the world.

Thanks for the heads up!


The good news is that it can't disable the authenticator, as two codes are required to do that, and the person at "the other end" can't carry on logging in once you have removed the keylogger.

That said, you should still change your password ASAP, as the authenticator is not required for the forums.
0

#7 Qnyx

  • Where is Mankrik's wife?
  • Group: Members
  • Posts: 3
  • Joined: 04-February 10
  • Character Name: Qnyx
  • Class: Death Knight
  • Realm: EU-Executus

Posted 27 February 2010 - 06:18 PM

I'm a bit wary of this report, as something just doesn't add up.

1) Code being wrong - unless there is a way to send a wrong code to the WoW servers instead of the code that was actually input, this won't be possible. This means not only the .dll is the infection, but the whole WoW.exe and/or another vulnerability.

2) You need 2 codes to disable the authenticator itself as previously mentioned. You can log back in from a clean machine within a minute, and the hacker will be left at point 0 again - with no code, and no way to hack your account again.

3) You have a window of 40 seconds after someone inputs a code to enter into the account. After these seconds, the code is no longer valid.

4) Authenticator itself uses Vasco technology. If the so-called "hacker" managed to hack into a Vasco security token, and using that he used it to hack into a WoW account, he has some serious issues. Using this technology, and if the report is true, which again I highly doubt, you can get into much worthier targets, such as banks or other business organizations, which would not only be more beneficial for you, but it will make you a fortune. People need to accept that a WoW account, no matter the personal sentimental value is worth pretty much nothing. People with the ability to crack Vasco security tokens can make millions by pulling something like this off. It's as if you are using a nuclear submarine to open a tin can.

I'm pretty sure that this is a false alarm, and you are just spreading a panic, without checking all the info and/or sources first.

This post has been edited by Qnyx: 27 February 2010 - 06:23 PM

-1

#8 Cameron

  • Magic-Seeker
  • Group: Moderators
  • Posts: 1018
  • Joined: 18-December 09
  • Character Name: Lumatar
  • Class: Priest
  • Realm: EU-Ravenholdt

Posted 27 February 2010 - 06:22 PM

Qnyx, on 28 February 2010 - 12:18 AM, said:

I'm a bit wary of this report, as something just doesn't add up.

1) Code being wrong - unless there is a way to send a wrong code to the WoW servers instead of the code that was actually input, this won't be possible. This means not only the .dll is the infection, but the whole WoW.exe and/or another vulnerability.


The keylogger causes your client to tell you the code is wrong when it's not.


Quote:

2) You need 2 codes to disable the authenticator itself as previously mentioned. You can log back in from a clean machine within a minute, and the hacker will be left at point 0 again - with no code, and no way to hack your account again.


Your authenticator is never disabled.

Quote:

I'm pretty sure that this is a false alarm, and you are just spreading a panic, without checking all the info and/or sources first.


This isn't a false alarm; myself and several others were waiting for this workaround. Hell, if I was so inclined I could have written it myself ages ago.
-1

#9 Qnyx

  • Where is Mankrik's wife?
  • Group: Members
  • Posts: 3
  • Joined: 04-February 10
  • Character Name: Qnyx
  • Class: Death Knight
  • Realm: EU-Executus

Posted 27 February 2010 - 06:29 PM

And again - you have a window of roughly 40 seconds to login with that code.

I don't want to pick a fight, but "I could have written it myself ages ago" is a bit of a ... too much ego statement ;) Yes, you might be the smartest guy in the universe, but cracking Vasco tokens is not that easy ;)
-1

#10 Cameron

  • Magic-Seeker
  • Group: Moderators
  • Posts: 1018
  • Joined: 18-December 09
  • Character Name: Lumatar
  • Class: Priest
  • Realm: EU-Ravenholdt

Posted 27 February 2010 - 06:31 PM

Qnyx, on 28 February 2010 - 12:29 AM, said:

And again - you have a window of roughly 40 seconds to login with that code.

I don't want to pick a fight, but "I could have written it myself ages ago" is a bit of a ... too much ego statement ;) Yes, you might be the smartest guy in the universe, but cracking Vasco tokens is not that easy ;)


Uhhhh, it's not ego at all, it's common sense of how this workaround would be coded. Vasco tokens have nothing to do with it. The code isn't broken; as soon as the keylogger is removed they can't get into your account again.

A 40-second window is nothing; you are assuming Johnny Keylogger is using a normal, unmodified WoW client with no 3rd-party software interacting with it.
0

#11 Chrono

  • Majty Paladan
  • Group: Moderators
  • Posts: 708
  • Joined: 20-October 06
  • Location: Sweden
  • Character Name: Andú
  • Class: Paladin
  • Realm: EU-Frostmane

Posted 27 February 2010 - 06:33 PM

In theory, grabbing username, password and key and using that to log in to battle.net shouldn't be awfully hard, nor should it be too hard to intercept the auth key sent and change it to something else, making it appear like you entered the wrong one.
0

#12 Cameron

  • Magic-Seeker
  • Group: Moderators
  • Posts: 1018
  • Joined: 18-December 09
  • Character Name: Lumatar
  • Class: Priest
  • Realm: EU-Ravenholdt

Posted 27 February 2010 - 06:34 PM

Chrono, on 28 February 2010 - 12:33 AM, said:

In theory, grabbing username, password and key and using that to log in to battle.net shouldn't be awfully hard, nor should it be too hard to intercept the auth key sent and change it to something else, making it appear like you entered the wrong one.


This is what I'm saying. It's a keylogger with a few bits bolted on. It's not exactly rocket science.
0

#13 vevix

  • Where is Mankrik's wife?
  • Group: Members
  • Posts: 5
  • Joined: 27-February 10
  • Location: ntdll.dll
  • Character Name: Xdta
  • Class: Warlock
  • Realm: US-Blackrock

Posted 27 February 2010 - 06:39 PM

The key lasts longer than 40 seconds -- it actually lasts longer than 2 minutes, and most likely even longer.

Your key will still work even after the generator has generated 2 or 3 new keys, but after you have used your key once it will not work again.
0

#14 GLStephen

  • Where is Mankrik's wife?
  • Group: Members
  • Posts: 1
  • Joined: 27-February 10

Posted 27 February 2010 - 06:41 PM

I would imagine the preferred goal of whoever wrote this keylogger is getting the person to disable the authenticator. The window of opportunity to exploit the info is too small for this to be used on a very large scale, but if you can get people to disable their authenticators then the window gets much larger.
0

#15 Cameron

  • Magic-Seeker
  • Group: Moderators
  • Posts: 1018
  • Joined: 18-December 09
  • Character Name: Lumatar
  • Class: Priest
  • Realm: EU-Ravenholdt

Posted 27 February 2010 - 06:43 PM

GLStephen, on 28 February 2010 - 12:41 AM, said:

I would imagine the preferred goal of whoever wrote this keylogger is getting the person to disable the authenticator. The window of opportunity to exploit the info is too small for this to be used on a very large scale, but if you can get people to disable their authenticators then the window gets much larger.


That can't really be the goal, given that another feature of the keylogger is that it prevents you from logging in to your account management page.

If you imagine the keylogger has some extra software running that auto-logs in to a WoW account every time a key is received, then it becomes a lot more feasible.
0
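The attack the last few posts describe (Chrono's intercept-and-relay, vevix's observation that a code stays valid for a couple of minutes but only once, and Cameron's auto-login on each captured key), carried through as an added example. This is not code from the thread or from the malware: the actual authenticator algorithm is not described on this page, so the server side is modelled as RFC 6238 TOTP with an assumed acceptance window of four 30-second steps either side and a single-use rule per counter; the secret, the timestamp and the "Johnny Keylogger" relay are constructed for the run.

```python
"""Real-time relay against a one-time code: why the window is not 40 seconds,
and why the victim's own client is then told the code is wrong.
Simulation with assumed parameters; see the lead-in for what is and is not from the thread."""
import hashlib
import hmac
import struct

STEP = 30        # seconds per code (assumption)
TOLERANCE = 4    # server accepts codes up to 4 steps either side (assumption); this is
                 # what lets a "30 second" code work for over two minutes
SECRET = b"constructed-shared-secret-for-demo"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=STEP):
    """RFC 6238: the counter is the number of whole steps since the epoch."""
    return hotp(secret, int(now // step))


class AuthServer:
    """Accepts a code for any counter within TOLERANCE steps of the current one,
    but each counter may be consumed only once (the single-use rule vevix observed)."""

    def __init__(self, secret, tolerance=TOLERANCE):
        self.secret = secret
        self.tolerance = tolerance
        self.consumed = set()

    def login(self, code, now):
        base = int(now // STEP)
        for delta in range(-self.tolerance, self.tolerance + 1):
            counter = base + delta
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter in self.consumed:
                    return "REJECT_REPLAY"   # already used: this is what the victim's client sees
                self.consumed.add(counter)
                return "OK"
        return "REJECT_BAD_CODE"


class RelayKeylogger:
    """The malware behaviour described in the thread: forward username, password and the
    freshly typed code to the attacker, whose automated client logs in first. The victim's
    real login then fails the single-use check and is shown "incorrect code"."""

    def __init__(self, server):
        self.server = server
        self.captured = []

    def victim_types(self, username, password, code, now):
        self.captured.append((username, password, code))
        attacker = self.server.login(code, now + 2)  # attacker's auto-login, two seconds later
        victim = self.server.login(code, now + 3)    # victim's own client, right behind it
        return attacker, victim


def run_relay_demo():
    server = AuthServer(SECRET)
    t0 = 1_267_300_000                                # constructed timestamp
    return RelayKeylogger(server).victim_types("victim", "hunter2", totp(SECRET, t0), t0)


def run_window_demo():
    """A code generated at t0 still logs in 90 s later (three steps on), so a 40-second
    figure is not a hard limit and the attacker does not need to be especially quick."""
    server = AuthServer(SECRET)
    t0 = 1_267_300_000
    return server.login(totp(SECRET, t0), t0 + 90)


if __name__ == "__main__":
    print("relay:", run_relay_demo())      # ('OK', 'REJECT_REPLAY')
    print("window:", run_window_demo())    # 'OK'
```

Nothing in the token is broken here, which is Cameron's point: the code is used exactly once, just by the wrong party. The defences that actually bite are ones the OTP cannot provide on its own, such as binding the login to the session that requested it or alerting on a second login attempt with an already-consumed counter (the `REJECT_REPLAY` branch above is precisely the event worth logging server-side).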

#16 chao

  • Arugal
  • Group: Content Team
  • Posts: 189
  • Joined: 08-August 08
  • Character Name: Chao
  • Class: Warlock
  • Realm: EU-Aegwynn

Posted 27 February 2010 - 07:22 PM

Cameron, on 27 February 2010 - 07:31 PM, said:

Uhhhh, it's not ego at all, it's common sense of how this workaround would be coded. Vasco tokens have nothing to do with it. The code isn't broken; as soon as the keylogger is removed they can't get into your account again.


Yup. If this uses the man-in-the-middle attack I suspect it does, it's a fairly obvious attack to anyone who has even a basic knowledge of computer security.

The silver lining is that this event will likely help shatter the false perception that authenticators make your account unhackable. If they were still planning to make authenticators mandatory, hopefully they will abandon that plan.
0

#17 Leviathonlx

  • Do a Bearell Roll!
  • Group: Moderators
  • Posts: 1866
  • Joined: 29-June 07
  • Character Name: Daciana
  • Class: Druid
  • Realm: US-Kil'Jaeden

Posted 27 February 2010 - 08:12 PM

This post is a bit misleading. Authenticators aren't necessarily vulnerable, and the problem has to do with a program in the background of your computer 'tricking' you into taking your authenticator off. I don't think it's very bright of someone to take their auth off before asking Blizzard what's wrong or looking around in the first place, and I don't see this problem becoming widespread at all. So in the end authenticators are fine and are not the least bit vulnerable. Now, sure, you've got the whole "someone can put in the authenticator number" thing, but that requires the hacker watching the data in real time and then doing everything they can during THAT login, which means that there's no feasible way ever for that to become widespread.
0

#18 Cameron

  • Magic-Seeker
  • Group: Moderators
  • Posts: 1018
  • Joined: 18-December 09
  • Character Name: Lumatar
  • Class: Priest
  • Realm: EU-Ravenholdt

Posted 27 February 2010 - 08:42 PM

The program won't let you take your authenticator off... it stops you logging in to account management...
0

#19 Chimina

  • Skin the core hounds!
  • Group: Content Team
  • Posts: 370
  • Joined: 21-June 08
  • Location: Zöstere
  • Character Name: Chimina
  • Class: Shaman
  • Realm: EU-Bladefist

Posted 27 February 2010 - 08:53 PM

My issue with this whole thing is, what's the source of this .dll file? Eliminating the possibilities of getting it onto your computer would make it a lot safer and more secure to start with.
0

#20 Cameron

  • Magic-Seeker
  • Group: Moderators
  • Posts: 1018
  • Joined: 18-December 09
  • Character Name: Lumatar
  • Class: Priest
  • Realm: EU-Ravenholdt

Posted 27 February 2010 - 08:54 PM

Chimina, on 28 February 2010 - 02:53 AM, said:

My issue with this whole thing is, what's the source of this .dll file? Eliminating the possibilities of getting it onto your computer would make it a lot safer and more secure to start with.


Too early to say, and the problem with tracking down these things is that people are often not willing to admit that they have been to the kind of sites that install malware ;)
0