By Andrew Brandt, Curtis Fechner, and Grayson Milbourne
Yesterday, at the opening of our BlizzCon coverage, we showed you just how commonly phishers target WoW players by posting innocuous-looking links in message boards or forums frequented by players. Today, we’ve produced a really short video that shows exactly how someone infects their computer with a phishing Trojan.
As you can see in the video (even through the “censorship”), the page the victim eventually ends up on emulates the appearance of a Flash-video-based porn site. Every single link on the page links to the malware installer, which means that no matter where on the page the victim clicks, he or she is presented with a download dialog box. Check it out.
This simple social engineering trick, so commonly used of late by Koobface to fool social network users, still manages to convince people to execute the malware installer in order to view the video.
We’d all like to take a moment to give one simple piece of advice: If you follow a link and end up on a site you clearly weren’t intending to go to, stop. Don’t download any executable files—and absolutely don’t run any executable files if you happen to download them. If you have to, hit the Alt-F4 keyboard combination to kill the browser right there, but just don’t run anything else.
Misled gamers who download and run the Flash “installer” won’t see any obvious difference on their computers to indicate that they are infected. At this point, the Trojan is ready to start stealing login credentials. These infections are often fairly simple in their configuration, though as with all malware there are much more complex versions that can steal the passwords for multiple games.
The installer executable simply drops a DLL file onto the victim’s hard drive, typically to the System32 or another Windows subdirectory. That file performs the keystroke logging, then sends that data to the phisher behind the scam. The installer also modifies the Registry so the DLL loads with every startup.
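A defender can audit for the persistence pattern described above by listing autostart Registry values that load a DLL from the Windows directory. The Python sketch below is an added example, not code from the original post: the post does not name the Registry value the installer writes, so the Run key and AppInit_DLLs locations, the file names, and the `baseline` parameter are assumptions, and the `reg query` output is constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed `reg query` output; the keys and file names are assumptions.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    FlashUpd    REG_SZ    rundll32.exe C:\WINDOWS\system32\flupd32.dll,Start
    Audio    REG_SZ    rundll32.exe "C:\Program Files\Vendor\audio.dll",Init

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\WINDOWS\msgame.dll
    LoadAppInit_DLLs    REG_DWORD    0x1
"""

# A drive- or variable-rooted path ending in .dll, stopping at a comma or quote.
DLL_PATH = re.compile(r'((?:[a-z]:|%\w+%)\\[^,"]*?\.dll)', re.IGNORECASE)
WINDOWS_ROOTS = ("c:\\windows\\", "%windir%\\", "%systemroot%\\")

def parse_reg_query(text):
    """Yield (key, value_name, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif line.startswith("    ") and key:
            # Value lines are "name    TYPE    data", separated by four spaces.
            parts = re.split(r"\s{4}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                yield key, parts[0], parts[2]

def suspicious_dll_autostarts(text, baseline=frozenset()):
    """Return autostart values that load a DLL from the Windows directory
    whose file name is not in the caller's known-good baseline."""
    hits = []
    for key, name, data in parse_reg_query(text):
        for path in DLL_PATH.findall(data):
            in_windows = path.lower().startswith(WINDOWS_ROOTS)
            if in_windows and PureWindowsPath(path).name.lower() not in baseline:
                hits.append((key, name, path))
    return hits

if __name__ == "__main__":
    for hit in suspicious_dll_autostarts(SAMPLE):
        print(hit)
```

A hit is a lead for review rather than proof of infection; the baseline should be built from a known-clean machine of the same build.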
Keyloggers aren’t the only threats targeting online games. Others include spam phishing-type posts on the public forums for individual guilds, malicious URLs communicated through the in-game chat channels, and even exploits against security weaknesses in Web sites and message boards frequented by members of the WoW playing community.
For example, the Warcraft III version 1.24 update, released by Blizzard a few weeks ago, fixes a very nasty, underhanded malware game exploit not commonly seen in MMORPG games. The patch fixed a vulnerability within the custom maps function where, simply by joining a custom game hosted with a specially-crafted, malicious map, players’ computers could become infected with malware. Because custom maps are so popular with Warcraft III players, the existence of this vulnerability created a lot of fuss among the Battle.net community.
In this case, hackers created fake maps that used the same file extension and directory as normal custom maps. These malicious maps (malmaps?) targeted the most popular custom game, Defense of the Ancients (or just DotA). What makes this exploit particularly nasty is the fact that your PC gets infected the moment you join a game where the infected DotA map is in use. And because Battle.net automatically downloads new maps, and the infected maps are very small, the user doesn’t have enough time to exit the custom game before the download completes. Once downloaded, the game automatically unpacks the infected map and executes the malicious code.
What kind of malicious code? Based on previous targeted attacks against Blizzard games, it would be safe to assume the infection is looking to steal your license key and/or account information, though we would not be surprised if it also installs a backdoor, which lets someone remotely control your PC.
But what can you do? You’re just one guy among the cybercriminals, right? Well, there are multiple ways to protect yourself. An excellent anti-malware solution is a step in the right direction, and should form the cornerstone of any gamer’s defense of their PC. You can also sign up for Blizzard’s Authenticator, which is great to have if you want to add an extra layer of security to your account. Nobody can access your WoW or Battle.net account without physical access to this device.
And even if you only occasionally browse the forums related to the games you play, be mindful that not everyone is there to be helpful or considerate. First reports of new infections or malicious links often come from the forum’s members.
The gamers – er, rather, Threat Research experts – here at Webroot will keep watch for malware on WoW and other online gaming sites to keep you (and ourselves) safer while we rampage through Middle-earth.