PSA: Blizzard Authenticators now Vulnerable to Keylogging

[John Funk]

PSA: Blizzard Authenticators now Vulnerable to Keylogging

Blizzard account owners beware: Even if you have a Blizzard Authenticator guarding your account, you're no longer completely immune to keyloggers.

As one of the biggest games in the world today, Blizzard Authenticator [http://www.amazon.com/World-Warcraft-Pc/dp/B000067FDW/ref=sr_1_3?ie=UTF8&s=videogames&qid=1278969746&sr=1-3]. This little device is attached to your Battle.net account, and generates a new number every time you log in to use in addition to your password - since the number changes every time, it's virtually keylogger-proof. (And don't ask me how it does this - I have one and I can't figure out how it works).

But Authenticated accounts are no longer completely secure, WoW Forums [http://www.worldofraids.com/topic/15628-keylogger-warning-authenticators-now-vulnerable/], we don't know how the new keylogger works or how it reverse-generates the code in question, but it's something that everybody should be aware of, whether you just play WoW or are looking forward to StarCraft II and Diablo III as well.

At the moment, it looks like the suspicious file in question is called emcor.dll, a file that appears to have only surfaced within the past week. If you play WoW (or are in the SC2 beta), it is recommended that you search your hard drive for this file (and delete it) immediately before logging into any games with your Battle.net account and Blizzard Authenticator. Reports say that the file is most commonly located in "/users/username/appdata/Temp," but it could theoretically be located anywhere.

A potential warning sign that you've been infected is that you will be unable to log in when inputting your password/authenticator, even if you're sure it's correct. But even if this hasn't happened to you, search for emcor.dll immediately - better safe than sorry.

Update: MMO Champion has some fairly accurate-sounding theorycrafting [http://www.mmo-champion.com/news-2/authenticator-accounts-hacked-icc-quests-crimson-deathcharger/msg2230072/#msg2230072] on just how the keylogger works.

[blockquote]Basically, what the virus does is fairly simple after you're infected :

* The next time you log in World of Warcraft, the game asks for your Authenticator code.
* The virus intercepts it, send it to another server, and sends a wrong one to Blizzard = You get an error.
* The people behind the virus now have a few seconds/minutes to use the "real" code while it's valid to change your password / empty your account / guild bank.


How to check if you're infected
Just search for a file named "emcor.dll" on your computer, it is most likely located in "C:Users(Your user name)AppDataTemp" but I suggest that you check everything just to be sure. If you do find the file, delete it and make sure you update your anti-virus to prevent any further problem.

To be honest, if you found this file your account is probably already compromised.

What does it mean exactly?
* Yes, you can get hacked even if you have an authenticator, the chances are MUCH lower but you're not invulnerable.
* It definitely isn't an excuse to not have an authenticator. We're talking about a single virus here and the authenticator will save your ass 99% of the time.
* Get a decent anti-virus, buy an authenticator, you'll be safe.[/blockquote]

(Thanks, Proteus214!)

Permalink

 

[Contun]

I haven't played World of Warcraft in months. q.q

 

[WNxSajuukCor]

It's a middle man virus according to all the reports. It grabs your auth code when you input it, sends a random code to the Blizzard servers while sending your active code to another server, which gives the hackers about 30ish seconds to get into your account.

 

[BlindChance]

Man in the middle attacks! One of the two theories as to what they'd try next!

Does this affect PC only, or are macs also affected?

 

[mikecoulter]

Hmm, maybe it's a good thing that I transferred my WoW to my Mac today... Go me!

 

[Sebenko]

Fuck, if it weren't for Squenix and GPG working on SuCom2, I'd say I've pretty much written off gaming entirely. All that's left is a smattering of indie developers and Nintendo.

Tried the demo for that? It's... well, without all the hate, I describe it as a pretty generic RTS.

 

[John Funk]

So let me get this straight...

Blizzard comes out with this stupid fucking device that you use to access your games, which the player has to pay for, but it promises that your account will be secured against account theft... Then, their ten-dollar cash-grab doesn't even fucking work?

Between this, the splitting of Starcraft II, the huge delays on Starcraft II, the lack of LAN in Starcraft II, The whole "it's too colorful" fiasco of the still decades-away Diablo 3, and the new (and horrible) Battle.net system that is being forced on us for even single-player use AND webstore purchases... I have literally ZERO faith in this company these days, and my WoW plushie order that I am waiting on will probably be the last Blizzard product I ever buy.

So the boycott list to date is UbiSoft for their excessive DRM plan, 2K/Take2 for their DRM offenses which were most notable in the Bioshock series, the vast majority of EA titles for their criminal use of SecuROM and that travesty called EA Downloader, Valve for mandatory Steam, and Bungie for their refusal to make XP compatible PC games. Fuck, if it weren't for Squenix and GPG working on SuCom2, I'd say I've pretty much written off gaming entirely. All that's left is a smattering of indie developers and Nintendo.

Do you ever not whine? The Authenticator is one of the best things that Blizzard ever did; The fact that it took two years to crack this thing - and even then, as people have illustrated above it's a haphazard in-between solution that gives the hackers 30 seconds to get in to your account - is tantamount to the fact that it's actually really, really secure.

But there is a security flaw, and people need to be aware of it.

 

[chippa6]

All that's left is a smattering of indie developers and Nintendo.

You talk about Blizzard making a cash grab, what about Nintendo making you buy mountains of plastic crap every month for some new game that just ends up gathering dust.

I don't think there are many publishers with Blizzard's track record of extremely polished and enjoyable games.
May take a longer time but it is worth it

 

[Jared]

Well, just gotta be careful!

 

[Aura Guardian]

All that's left is a smattering of indie developers and Nintendo.

You talk about Blizzard making a cash grab, what about Nintendo making you buy mountains of plastic crap every month for some new game that just ends up gathering dust.

I don't think there are many publishers with Blizzard's track record of extremely polished and enjoyable games.
May take a longer time but it is worth it

All they made was a wheel,motion plus,wii mote and a nun-chuck. You're talking about the 3rd party stuff.

 

[mokes310]

...and I would have gotten away with it too if it hadn't been for you meddling kids!

 

[chippa6]

All that's left is a smattering of indie developers and Nintendo.

You talk about Blizzard making a cash grab, what about Nintendo making you buy mountains of plastic crap every month for some new game that just ends up gathering dust.

I don't think there are many publishers with Blizzard's track record of extremely polished and enjoyable games.
May take a longer time but it is worth it

All they made was a wheel,motion plus,wii mote and a nun-chuck. You're talking about the 3rd party stuff.

ah ok, I take back the comment then, I just see a pile of stuff when I go to friends houses

was the Wii Fit 3rd party?

 

[Aura Guardian]

All that's left is a smattering of indie developers and Nintendo.

You talk about Blizzard making a cash grab, what about Nintendo making you buy mountains of plastic crap every month for some new game that just ends up gathering dust.

I don't think there are many publishers with Blizzard's track record of extremely polished and enjoyable games.
May take a longer time but it is worth it

All they made was a wheel,motion plus,wii mote and a nun-chuck. You're talking about the 3rd party stuff.

ah ok, I take back the comment then, I just see a pile of stuff when I go to friends houses

was the Wii Fit 3rd party?

Wii fit is 1st party. Forgot about that one. I use it for Skate It and Shaun White. Fun times.

 

[FBPH]

All that's left is a smattering of indie developers and Nintendo.

You talk about Blizzard making a cash grab, what about Nintendo making you buy mountains of plastic crap every month for some new game that just ends up gathering dust.

I don't think there are many publishers with Blizzard's track record of extremely polished and enjoyable games.
May take a longer time but it is worth it

All they made was a wheel,motion plus,wii mote and a nun-chuck. You're talking about the 3rd party stuff.

What about the mandatory Motion Plus for certain titles? What about the Wii Fit? Or the weird health sensor thing coming up? Hell the Wii "controller" is a wiimote + peripheral nunchuk.

 

[paragon1]

Goddammit
Just...goddammit.

 

[Aura Guardian]

All that's left is a smattering of indie developers and Nintendo.

You talk about Blizzard making a cash grab, what about Nintendo making you buy mountains of plastic crap every month for some new game that just ends up gathering dust.

I don't think there are many publishers with Blizzard's track record of extremely polished and enjoyable games.
May take a longer time but it is worth it

All they made was a wheel,motion plus,wii mote and a nun-chuck. You're talking about the 3rd party stuff.

What about the mandatory Motion Plus for certain titles? What about the Wii Fit? Or the weird health sensor thing coming up? Hell the Wii "controller" is a wiimote + peripheral nunchuk.

A lot of new title will be needed it. So it's not a waste. What about the Wii fit? Play Skate it or Shaun White. They are a blast. Not out yet so I have no comment. And...you need those to play the games. What about them?

 

[Altorin]

actually MMO-Champions has a pretty good idea about how it works.

Basically, what the virus does is fairly simple after you're infected :

* The next time you log in World of Warcraft, the game asks for your Authenticator code.
* The virus intercepts it, send it to another server, and sends a wrong one to Blizzard = You get an error.
* The people behind the virus now have a few seconds/minutes to use the "real" code while it's valid to change your password / empty your account / guild bank.


How to check if you're infected
Just search for a file named "emcor.dll" on your computer, it is most likely located in "C:\Users\(Your user name)\AppData\Temp" but I suggest that you check everything just to be sure. If you do find the file, delete it and make sure you update your anti-virus to prevent any further problem.

To be honest, if you found this file your account is probably already compromised.

What does it mean exactly?

* Yes, you can get hacked even if you have an authenticator, the chances are MUCH lower but you're not invulnerable.
* It definitely isn't an excuse to not have an authenticator. We're talking about a single virus here and the authenticator will save your ass 99% of the time.
* Get a decent anti-virus, buy an authenticator, you'll be safe.

So feel free to use any of that info in an update.