PSA: Blizzard Authenticators now Vulnerable to Keylogging

 Pages 1 2 NEXT
 

PSA: Blizzard Authenticators now Vulnerable to Keylogging

image

Blizzard account owners beware: Even if you have a Blizzard Authenticator guarding your account, you're no longer completely immune to keyloggers.

As one of the biggest games in the world today, World of Warcraft has as many people trying to crack it open as it does trying to keep it secure. This is usually accomplished through a keylogger, a little piece of malicious software that people unwittingly download to their computers which captures your WoW login account and password. Enter the magical Blizzard Authenticator. This little device is attached to your Battle.net account, and generates a new number every time you log in to use in addition to your password - since the number changes every time, it's virtually keylogger-proof. (And don't ask me how it does this - I have one and I can't figure out how it works).

But Authenticated accounts are no longer completely secure, reports World of Raids. According to the WoW Forums, we don't know how the new keylogger works or how it reverse-generates the code in question, but it's something that everybody should be aware of, whether you just play WoW or are looking forward to StarCraft II and Diablo III as well.

At the moment, it looks like the suspicious file in question is called emcor.dll, a file that appears to have only surfaced within the past week. If you play WoW (or are in the SC2 beta), it is recommended that you search your hard drive for this file (and delete it) immediately before logging into any games with your Battle.net account and Blizzard Authenticator. Reports say that the file is most commonly located in "/users/username/appdata/Temp," but it could theoretically be located anywhere.

A potential warning sign that you've been infected is that you will be unable to log in when inputting your password/authenticator, even if you're sure it's correct. But even if this hasn't happened to you, search for emcor.dll immediately - better safe than sorry.

Update: MMO Champion has some fairly accurate-sounding theorycrafting on just how the keylogger works.

Basically, what the virus does is fairly simple after you're infected :

* The next time you log in World of Warcraft, the game asks for your Authenticator code.
* The virus intercepts it, send it to another server, and sends a wrong one to Blizzard = You get an error.
* The people behind the virus now have a few seconds/minutes to use the "real" code while it's valid to change your password / empty your account / guild bank.

How to check if you're infected
Just search for a file named "emcor.dll" on your computer, it is most likely located in "C:Users(Your user name)AppDataTemp" but I suggest that you check everything just to be sure. If you do find the file, delete it and make sure you update your anti-virus to prevent any further problem.

To be honest, if you found this file your account is probably already compromised.

What does it mean exactly?
* Yes, you can get hacked even if you have an authenticator, the chances are MUCH lower but you're not invulnerable.
* It definitely isn't an excuse to not have an authenticator. We're talking about a single virus here and the authenticator will save your ass 99% of the time.
* Get a decent anti-virus, buy an authenticator, you'll be safe.

(Thanks, Proteus214!)

Permalink

Not worried, my authenticator is safely retired along with my copy of wow.

I haven't played World of Warcraft in months. q.q

It's a middle man virus according to all the reports. It grabs your auth code when you input it, sends a random code to the Blizzard servers while sending your active code to another server, which gives the hackers about 30ish seconds to get into your account.

Man in the middle attacks! One of the two theories as to what they'd try next!

Does this affect PC only, or are macs also affected?

Hmm, maybe it's a good thing that I transferred my WoW to my Mac today... Go me! :)

So let me get this straight...

Blizzard comes out with this stupid fucking device that you use to access your games, which the player has to pay for, but it promises that your account will be secured against account theft... Then, their ten-dollar cash-grab doesn't even fucking work?

Between this, the splitting of Starcraft II, the huge delays on Starcraft II, the lack of LAN in Starcraft II, The whole "it's too colorful" fiasco of the still decades-away Diablo 3, and the new (and horrible) Battle.net system that is being forced on us for even single-player use AND webstore purchases... I have literally ZERO faith in this company these days, and my WoW plushie order that I am waiting on will probably be the last Blizzard product I ever buy.

So the boycott list to date is UbiSoft for their excessive DRM plan, 2K/Take2 for their DRM offenses which were most notable in the Bioshock series, the vast majority of EA titles for their criminal use of SecuROM and that travesty called EA Downloader, Valve for mandatory Steam, and Bungie for their refusal to make XP compatible PC games. Fuck, if it weren't for Squenix and GPG working on SuCom2, I'd say I've pretty much written off gaming entirely. All that's left is a smattering of indie developers and Nintendo.

Khell_Sennet:
Fuck, if it weren't for Squenix and GPG working on SuCom2, I'd say I've pretty much written off gaming entirely. All that's left is a smattering of indie developers and Nintendo.

Tried the demo for that? It's... well, without all the hate, I describe it as a pretty generic RTS.

Khell_Sennet:
So let me get this straight...

Blizzard comes out with this stupid fucking device that you use to access your games, which the player has to pay for, but it promises that your account will be secured against account theft... Then, their ten-dollar cash-grab doesn't even fucking work?

Between this, the splitting of Starcraft II, the huge delays on Starcraft II, the lack of LAN in Starcraft II, The whole "it's too colorful" fiasco of the still decades-away Diablo 3, and the new (and horrible) Battle.net system that is being forced on us for even single-player use AND webstore purchases... I have literally ZERO faith in this company these days, and my WoW plushie order that I am waiting on will probably be the last Blizzard product I ever buy.

So the boycott list to date is UbiSoft for their excessive DRM plan, 2K/Take2 for their DRM offenses which were most notable in the Bioshock series, the vast majority of EA titles for their criminal use of SecuROM and that travesty called EA Downloader, Valve for mandatory Steam, and Bungie for their refusal to make XP compatible PC games. Fuck, if it weren't for Squenix and GPG working on SuCom2, I'd say I've pretty much written off gaming entirely. All that's left is a smattering of indie developers and Nintendo.

Do you ever not whine? The Authenticator is one of the best things that Blizzard ever did; The fact that it took two years to crack this thing - and even then, as people have illustrated above it's a haphazard in-between solution that gives the hackers 30 seconds to get in to your account - is tantamount to the fact that it's actually really, really secure.

But there is a security flaw, and people need to be aware of it.

Khell_Sennet:
All that's left is a smattering of indie developers and Nintendo.

You talk about Blizzard making a cash grab, what about Nintendo making you buy mountains of plastic crap every month for some new game that just ends up gathering dust.

I don't think there are many publishers with Blizzard's track record of extremely polished and enjoyable games.
May take a longer time but it is worth it

Well, just gotta be careful!

chippa6:

Khell_Sennet:
All that's left is a smattering of indie developers and Nintendo.

You talk about Blizzard making a cash grab, what about Nintendo making you buy mountains of plastic crap every month for some new game that just ends up gathering dust.

I don't think there are many publishers with Blizzard's track record of extremely polished and enjoyable games.
May take a longer time but it is worth it

All they made was a wheel,motion plus,wii mote and a nun-chuck. You're talking about the 3rd party stuff.

...and I would have gotten away with it too if it hadn't been for you meddling kids!

Aura Guardian:

chippa6:

Khell_Sennet:
All that's left is a smattering of indie developers and Nintendo.

You talk about Blizzard making a cash grab, what about Nintendo making you buy mountains of plastic crap every month for some new game that just ends up gathering dust.

I don't think there are many publishers with Blizzard's track record of extremely polished and enjoyable games.
May take a longer time but it is worth it

All they made was a wheel,motion plus,wii mote and a nun-chuck. You're talking about the 3rd party stuff.

ah ok, I take back the comment then, I just see a pile of stuff when I go to friends houses

was the Wii Fit 3rd party?

chippa6:

Aura Guardian:

chippa6:

Khell_Sennet:
All that's left is a smattering of indie developers and Nintendo.

You talk about Blizzard making a cash grab, what about Nintendo making you buy mountains of plastic crap every month for some new game that just ends up gathering dust.

I don't think there are many publishers with Blizzard's track record of extremely polished and enjoyable games.
May take a longer time but it is worth it

All they made was a wheel,motion plus,wii mote and a nun-chuck. You're talking about the 3rd party stuff.

ah ok, I take back the comment then, I just see a pile of stuff when I go to friends houses

was the Wii Fit 3rd party?

Wii fit is 1st party. Forgot about that one. I use it for Skate It and Shaun White. Fun times.

Aura Guardian:

chippa6:

Khell_Sennet:
All that's left is a smattering of indie developers and Nintendo.

You talk about Blizzard making a cash grab, what about Nintendo making you buy mountains of plastic crap every month for some new game that just ends up gathering dust.

I don't think there are many publishers with Blizzard's track record of extremely polished and enjoyable games.
May take a longer time but it is worth it

All they made was a wheel,motion plus,wii mote and a nun-chuck. You're talking about the 3rd party stuff.

What about the mandatory Motion Plus for certain titles? What about the Wii Fit? Or the weird health sensor thing coming up? Hell the Wii "controller" is a wiimote + peripheral nunchuk.

Goddammit
Just...goddammit.

FBPH:

Aura Guardian:

chippa6:

Khell_Sennet:
All that's left is a smattering of indie developers and Nintendo.

You talk about Blizzard making a cash grab, what about Nintendo making you buy mountains of plastic crap every month for some new game that just ends up gathering dust.

I don't think there are many publishers with Blizzard's track record of extremely polished and enjoyable games.
May take a longer time but it is worth it

All they made was a wheel,motion plus,wii mote and a nun-chuck. You're talking about the 3rd party stuff.

What about the mandatory Motion Plus for certain titles? What about the Wii Fit? Or the weird health sensor thing coming up? Hell the Wii "controller" is a wiimote + peripheral nunchuk.

A lot of new title will be needed it. So it's not a waste. What about the Wii fit? Play Skate it or Shaun White. They are a blast. Not out yet so I have no comment. And...you need those to play the games. What about them?

Yeah for the art of theft is not dead! Seriously create a barrier and someone just to be first will find a way to break it down or sneak past it.

actually MMO-Champions has a pretty good idea about how it works.

Basically, what the virus does is fairly simple after you're infected :

* The next time you log in World of Warcraft, the game asks for your Authenticator code.
* The virus intercepts it, send it to another server, and sends a wrong one to Blizzard = You get an error.
* The people behind the virus now have a few seconds/minutes to use the "real" code while it's valid to change your password / empty your account / guild bank.

How to check if you're infected
Just search for a file named "emcor.dll" on your computer, it is most likely located in "C:\Users\(Your user name)\AppData\Temp" but I suggest that you check everything just to be sure. If you do find the file, delete it and make sure you update your anti-virus to prevent any further problem.

To be honest, if you found this file your account is probably already compromised.

What does it mean exactly?

* Yes, you can get hacked even if you have an authenticator, the chances are MUCH lower but you're not invulnerable.
* It definitely isn't an excuse to not have an authenticator. We're talking about a single virus here and the authenticator will save your ass 99% of the time.
* Get a decent anti-virus, buy an authenticator, you'll be safe.

So feel free to use any of that info in an update.

Does anyone know where the actual virus is coming from? Searched my hard drive, and couldn't find anything, but I haven't been to any WoW related websites for a few weeks now. Is it attached to addons or something like that?

Authenticators aren't perfect? This isn't anything new. In an interview with wow.com, a hacker reported that, after phishing and getting someone's authenticator code, he could still login to their account, as long as he did it quickly. It's just now it's a virus instead of social engineering.

It seems 2010 is the year for malicious software. There is also a botnet going around infecting all sorts of trusted websites making no one safe. Apparently it has infected Youtube along with several other sites like my local newspaper's, so watch yourselves out there in internetland.

John Funk:
And don't ask me how it does this - I have one and I can't figure out how it works).

The Blizzard authenticator uses a technology called SecurID, which is what many banks and other financial institutions provide to their customers. The technology itself is VERY secure. However, most security systems are still vulnerable to a man-in-the-middle attack.
Doing a MitM attack with a keylogger is absolutely trivial and I'm shocked that it took this long for it to manifest. It's not that it "took them four years to crack", I'd say it's more like it was more effort than it was worth. Now that there is an increasing number of protected accounts, hackers have decided it's worth doing.
The problem is that the SecurID token is being used at an insecure location, ie. your PC. If you run an operating system that is a greater target for keyloggers and you don't have the latest antivirus software installed (assuming the latest AV updates can catch it), you have no guarantee that your system is secure. If you are using your SecurID token at a relatively secure location (such as an ATM or actually AT the bank), you're not going to have any problems.

Khell_Sennet:
Blizzard comes out with this stupid fucking device that you use to access your games, which the player has to pay for, but it promises that your account will be secured against account theft... Then, their ten-dollar cash-grab doesn't even fucking work?

From Wikipedia:

While RSA SecurID tokens offer a level of protection against password replay attacks, they might fail to provide adequate protection against man in the middle type attacks. In the attack model where an attacker is able to manipulate the authentication data flow between a user and the server, the attacker will be able to then forward this authentication information on to the server themselves, effectively masquerading as the given user. If the attacker manages to block the authorised user from authenticating to the server until the next token code will be valid, he will be able to log in to the server.

This is not Blizzard's fault, it is an inherent flaw in SecurID. SecurID is still in my opinion the best choice for account security. If you're running any version of Windows (given that it's the largest target for viruses), you would be rather silly to not be running some form of antivirus software anyway. If you still get hit with a keylogger, either you're not paying attention to your AV updates or you were unlucky enough to pick it up within the day or two before AV companies release a fix.

Sebenko:

Khell_Sennet:
Fuck, if it weren't for Squenix and GPG working on SuCom2, I'd say I've pretty much written off gaming entirely. All that's left is a smattering of indie developers and Nintendo.

Tried the demo for that? It's... well, without all the hate, I describe it as a pretty generic RTS.

Quasi-generic, but with some nice improvements. Ultimately though, more of the same-old is what the doctor ordered. Not looking for some ground-breaking changes like how Dawn of War 2 abandoned base creation, or Company of Heroes abandoned any pretense of the AI playing honestly... There is a demographic which I fall under, I don't know how large a group we are, but it's people who want more of the same. Some new guns or new units are nice, and a new collection of maps or levels to play in, but the same thing we enjoyed previously, we just want more of it. Give me a new campaign for Far Cry, maybe a new kind of rifle or pistol, and I'd be happier with that than I was with Far Cry 2 or Crysis. Release ten new maps and/or a working bug-free map maker for Sid Meyer's Railroads and you'd have a hard time pulling me away from the PC. And I can't even fathom how much time I'd blow playing Freelancer if the campaign was longer or there were 50% more systems to explore.

John Funk:

Do you ever not whine?

Thursdays. Apocalypse Lane mellows me out, it's hard to be bitchy when Obama starts singing "Respect".

The Authenticator is one of the best things that Blizzard ever did; The fact that it took four years to crack this thing - and even then, as people have illustrated above it's a haphazard in-between solution that gives the hackers 30 seconds to get in to your account - is tantamount to the fact that it's actually really, really secure.

My bank account is really, really secure. And just recently, my bank gave out new cards with these handy-dandy chips embedded in them to make it even MORE secure. Didn't have to pay ten bucks for the card, and if anything goes wrong with my account for reasons beyond my control, THEY have to make it right again.

Maybe Blizzard's authenticator wouldn't piss me off so much if it didn't cost the end-user, since we already have to pay monthly fees for the game. If you're charging for the software itself, then charging for monthly access, I'd damn well expect better security as part of the deal. But then, if you charge a further amount for that better security, it had better be 100% foolproof. 99% doesn't cut it, 75% doesn't cut it, 100%! Otherwise, if someone has the authenticator, and it fails, Blizzard had better be willing to refund the cost of the damn thing, plus refund the full amount paid for the services and software, because 3 years of gameplay can be wiped out faster than you can say "Mumorpeger".

Khell_Sennet:

Sebenko:

Khell_Sennet:
Fuck, if it weren't for Squenix and GPG working on SuCom2, I'd say I've pretty much written off gaming entirely. All that's left is a smattering of indie developers and Nintendo.

Tried the demo for that? It's... well, without all the hate, I describe it as a pretty generic RTS.

Quasi-generic, but with some nice improvements. Ultimately though, more of the same-old is what the doctor ordered. Not looking for some ground-breaking changes like how Dawn of War 2 abandoned base creation, or Company of Heroes abandoned any pretense of the AI playing honestly... There is a demographic which I fall under, I don't know how large a group we are, but it's people who want more of the same. Some new guns or new units are nice, and a new collection of maps or levels to play in, but the same thing we enjoyed previously, we just want more of it. Give me a new campaign for Far Cry, maybe a new kind of rifle or pistol, and I'd be happier with that than I was with Far Cry 2 or Crysis. Release ten new maps and/or a working bug-free map maker for Sid Meyer's Railroads and you'd have a hard time pulling me away from the PC. And I can't even fathom how much time I'd blow playing Freelancer if the campaign was longer or there were 50% more systems to explore.

John Funk:

Do you ever not whine?

Thursdays. Apocalypse Lane mellows me out, it's hard to be bitchy when Obama starts singing "Respect".

The Authenticator is one of the best things that Blizzard ever did; The fact that it took four years to crack this thing - and even then, as people have illustrated above it's a haphazard in-between solution that gives the hackers 30 seconds to get in to your account - is tantamount to the fact that it's actually really, really secure.

My bank account is really, really secure. And just recently, my bank gave out new cards with these handy-dandy chips embedded in them to make it even MORE secure. Didn't have to pay ten bucks for the card, and if anything goes wrong with my account for reasons beyond my control, THEY have to make it right again.

Maybe Blizzard's authenticator wouldn't piss me off so much if it didn't cost the end-user, since we already have to pay monthly fees for the game. If you're charging for the software itself, then charging for monthly access, I'd damn well expect better security as part of the deal. But then, if you charge a further amount for that better security, it had better be 100% foolproof. 99% doesn't cut it, 75% doesn't cut it, 100%! Otherwise, if someone has the authenticator, and it fails, Blizzard had better be willing to refund the cost of the damn thing, plus refund the full amount paid for the services and software, because 3 years of gameplay can be wiped out faster than you can say "Mumorpeger".

Name any other computer developer that has put your account security as high as Blizzard.

Oh, and don't whine about SC2's release in 3 installments. It was either that or the game would've taken another 2-3 years to release, and if that was the case you'd be whining about THAT instead. So take your pick. Blizzard isn't going to rush a game out the door and I will stand by that kind of dedication any day. Of course you seem to be happy with half-finished games like Star Wars: The Force Unleashed or any other incomplete/buggy game you can think of.

Also, if someone wanted to hack your bank, they would. But fortunately to most would-be hackers out there, hacking a bank carries a lot more goddamn risk than hacking some dude's WoW account.

Oh yeah, speaking of Freelancer, you do know that it was one of those games that was released far too early, right? Oh sure Microsoft didn't help their case at all by putting pressure onto the developer, but hey at least it wasn't all that buggy. Had it been Blizzard who was developing Freelancer, you'd have a much larger game to explore.

Khell_Sennet:
*snip*

You are making a mountain out of a mole hill, the authenticator was 100% unhackable until this keylogger showed up, and the appearance of it was an inevitability when you consider how many hackers around the world devote their sad pathetic lives to fucking up someone's account for this game.

John Funk:
The Authenticator is one of the best things that Blizzard ever did; The fact that it took four years to crack this thing - and even then, as people have illustrated above it's a haphazard in-between solution that gives the hackers 30 seconds to get in to your account - is tantamount to the fact that it's actually really, really secure.

The authenticator has not been out for 4 years John, to my knowledge it was put into the blizzard store just last year. I'm more shocked that its been cracked so fast, but when you think about the supposed method being employed I'm shocked it wasn't thought of sooner. It ingeniously simple.

KeyMaster45:

Khell_Sennet:
*snip*

You are making a mountain out of a mole hill, the authenticator was 100% unhackable until this keylogger showed up, and the appearance of it was an inevitability when you consider how many hackers around the world devote their sad pathetic lives to fucking up someone's account for this game.

John Funk:
The Authenticator is one of the best things that Blizzard ever did; The fact that it took four years to crack this thing - and even then, as people have illustrated above it's a haphazard in-between solution that gives the hackers 30 seconds to get in to your account - is tantamount to the fact that it's actually really, really secure.

The authenticator has not been out for 4 years John, to my knowledge it was put into the blizzard store just last year. I'm more shocked that its been cracked so fast, but when you think about the supposed method being employed I'm shocked it wasn't thought of sooner. It ingeniously simple.

It's certainly been out for longer than that. But you're correct, it hasn't been 4, only 2.

I don't know why I was thinking 2006 instead of 2008.

John Funk:
But there is a security flaw, and people need to be aware of it.

PEBKAC, nothing is wrong with the device.

John Funk:

KeyMaster45:

Khell_Sennet:
*snip*

*snip*

It's certainly been out for longer than that. But you're correct, it hasn't been 4, only 2.

I don't know why I was thinking 2006 instead of 2008.

I think you were thinking that because deep down we'd all like 4 years of guaranteed hack protection for our various gaming accounts. :D

Oh yes and one question I had. A trick I've been using for years is copy and pasting my password into wow so that if I did have a keylogger all the hacker would get is ctrl+v. Would that same method work with my authenticator code?

KeyMaster45:

John Funk:

KeyMaster45:

Khell_Sennet:
*snip*

*snip*

It's certainly been out for longer than that. But you're correct, it hasn't been 4, only 2.

I don't know why I was thinking 2006 instead of 2008.

I think you were thinking that because deep down we'd all like 4 years of guaranteed hack protection for our various gaming accounts. :D

Oh yes and one question I had. A trick I've been using for years is copy and pasting my password into wow so that if I did have a keylogger all the hacker would get is ctrl+v. Would that same method work with my authenticator code?

Good point... Except the authenticator code is unique so you'd still be typing it down somewhere.

Doc Theta Sigma:

KeyMaster45:

John Funk:

KeyMaster45:

Khell_Sennet:
*snip*

*snip*

It's certainly been out for longer than that. But you're correct, it hasn't been 4, only 2.

I don't know why I was thinking 2006 instead of 2008.

I think you were thinking that because deep down we'd all like 4 years of guaranteed hack protection for our various gaming accounts. :D

Oh yes and one question I had. A trick I've been using for years is copy and pasting my password into wow so that if I did have a keylogger all the hacker would get is ctrl+v. Would that same method work with my authenticator code?

Good point... Except the authenticator code is unique so you'd still be typing it down somewhere.

With that method, you don't need an authenticator, just a text file hidden away somewhere.

Now if the tracked that down, then those are some damn dedicated hackers.

Hey Funk, was that Thanks to Proteus214 for the Update? If it was.. wtf?

ehh, whatever, my life will go on I suppose.

Well, that's no good.

Better yet, delete WOW from your hard drive and never speak of it again.

 Pages 1 2 NEXT

Reply to Thread

Log in or Register to Comment
Have an account? Login below:
With Facebook:Login With Facebook
or
Username:  
Password:  
  
Not registered? To sign up for an account with The Escapist:
Register With Facebook
Register With Facebook
or
Register for a free account here