
SANS ISC InfoSec Handlers Diary Blog



Titan Shields up!

Published: 2009-02-04
Last Updated: 2009-02-04 14:55:58 UTC
by Daniel Wesemann (Version: 2)

There are probably more variants of World of Warcraft (WoW) password stealing malware than there are WoW players by now. The concept of nabbing unsuspecting WoW players via keyloggers, looting all their virtual gold, and then selling the contraband to other WoW players for hard non-virtual currency has been around for years, and is the kind of shadow economy that seems to be far more recession-proof than our real one.

When ISC reader Michael researched the "Titan Shield Wall" for his World of Warcraft character, a benign Google search brought him to a page (dontclick://www-svc7-com/1.html) which triggered a series of malicious Adobe Flash (SWF) files. Analyzing SWFs has been pretty easy up to version 8, because free programs like swfdump did a good job of extracting the URL of the next stage. In more current (v9/10) SWF files this is sometimes more complicated (version 9 introduced ActionScript 3 bytecode, and the next-stage URL is not always sitting in the file as one plain string), but after a little back and forth, the SWFs from svc7 revealed their next-stage URL: an EXE coming from dontclick://vjd6-cn. The malware that Michael found on his quest for the WoW Titan Shield turned out to be, surprise surprise, a WoW password stealer (VirusTotal). Since Michael is just as savvy at wielding a virus shield, the insidious attack of the gold farming gnomes was thwarted.
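To make that first triage step concrete, here is an added Python example (not from the diary, and not swfdump's own code) that does what swfdump does for the easy, pre-v9 cases: it reads the SWF header, inflates a compressed (CWS) file, walks the tag list and pulls any URL-looking string out of the tags that carry ActionScript. The tag codes and header layout come from the public SWF specification; the sample SWF the block builds is constructed test data with a made-up next-stage URL on example.invalid, not one of the svc7 files.

```python
import re
import struct
import sys
import zlib

# SWF tag codes (from the SWF specification) that carry script or embedded data
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC", 87: "DefineBinaryData"}

# Crude but effective for AS2 files: URLs are stored as plain NUL-terminated strings
URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+")


def parse_swf(data):
    """Return (version, declared_length, [(tag_code, tag_body), ...])."""
    sig, version = data[:3], data[3]
    length = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":                      # uncompressed
        body = data[8:]
    elif sig == b"CWS":                    # zlib-compressed after the 8-byte header (v6+)
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":                    # LZMA with a custom header (v13+); out of scope here
        raise ValueError("ZWS (LZMA) SWF not handled by this example")
    else:
        raise ValueError("not a SWF file")

    # Header continues with a RECT: 5 bits of nbits, then 4 * nbits bits, byte-padded,
    # followed by frame rate (UI16, 8.8 fixed) and frame count (UI16).
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8 + 2 + 2

    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, tlen = code_and_len >> 6, code_and_len & 0x3F
        if tlen == 0x3F:                   # long form: real length follows as UI32
            tlen = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, body[pos:pos + tlen]))
        pos += tlen
        if code == 0:                      # End tag
            break
    return version, length, tags


def extract_urls(data):
    """Return (version, [(tag_name, url), ...]) for URLs found in script-bearing tags."""
    version, _, tags = parse_swf(data)
    found = []
    for code, body in tags:
        if code not in SCRIPT_TAGS:
            continue
        for m in URL_RE.finditer(body):
            found.append((SCRIPT_TAGS[code], m.group().decode("ascii", "replace")))
    return version, found


def build_sample_swf(url, version=8, compress=True):
    """Construct a minimal SWF whose only content is an AS2 DoAction tag pushing
    `url` as a string constant. Constructed test data, not a real sample."""
    # ActionPush (0x96): UI16 payload length, type 0 = NUL-terminated string; then ActionEnd
    push = b"\x96" + struct.pack("<H", len(url) + 2) + b"\x00" + url + b"\x00"
    actions = push + b"\x00"
    # DoAction tag (code 12) written in the long-length form to exercise that path
    do_action = struct.pack("<H", (12 << 6) | 0x3F) + struct.pack("<I", len(actions)) + actions
    end_tag = b"\x00\x00"
    # RECT with nbits=0 (one zero byte), 12 fps in 8.8 fixed point, 1 frame
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + do_action + end_tag
    header = (b"CWS" if compress else b"FWS") + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


if __name__ == "__main__":
    # Usage: python swf_urls.py suspicious.swf   (no argument: run on the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_swf(b"http://stage2.example.invalid/1.exe")
    ver, urls = extract_urls(blob)
    print(f"SWF version {ver}")
    for tag, url in urls:
        print(f"  {tag}: {url}")
```

For a v9/v10 file the DoABC tag holds AVM2 bytecode whose strings live in a length-prefixed constant pool, so a scan like this only catches a URL that the author left intact as one constant; if it comes back empty, the string is being built at runtime and you are into dumping the bytecode (swfdump -D) or running the file in an instrumented player, which is the "back and forth" mentioned above.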

Update: ISC reader Doug pointed out that WoW users can get a one-time password token for $6.50 from the Blizzard store (search for "Authenticator"). Yes, it is a tiny bit ironic that an online game has better sign-on protection available than most online banks in the US ...

Keywords: malware