
SANS ISC: Titan Shields up! - Internet Security | DShield SANS ISC InfoSec Forums


Titan Shields up!

There are probably more variants of World of Warcraft (WoW) password-stealing malware than there are WoW players by now. The concept of nabbing unsuspecting WoW players via keyloggers, looting all their virtual gold, and then selling the contraband to other WoW players for hard non-virtual currency has been around for years, and is the kind of shadow economy that seems to be far more recession-proof than our real one.

When ISC reader Michael researched the "Titan Shield Wall" for his World of Warcraft character, a benign Google search brought him to a page (dontclick://www-svc7-com/1.html) which triggered a series of malicious Adobe Flash (SWF) files. Analyzing SWFs was pretty easy up to version 8, because free programs like swfdump did a good job of extracting the URL of the next phase. In more current (v9/10) SWF files, this is sometimes more complicated, but after a little back and forth, the SWFs from svc7 revealed their next-stage URL: an EXE coming from dontclick://vjd6-cn. The malware that Michael found on his quest for the WoW Titan Shield turned out to be, surprise surprise, a WoW password stealer (Virustotal). Since Michael is just as savvy at wielding a virus shield, the insidious attack of the gold-farming gnomes was thwarted.

Daniel

367 Posts
ISC Handler
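As an added illustration of the version split described in the post (not code from the diary or from swfdump): a small Python triage pass that reads the SWF header, walks the tag stream and lists plain URLs found in script tags. The two sample files, the placeholder URL and all function names are constructed for this example; the tag codes come from the SWF file format (12 and 59 carry ActionScript 1/2 bytecode, 82 carries the ActionScript 3 bytecode introduced with SWF 9).

```python
import re, struct, zlib
# Tag codes from the SWF file format: AS1/2 bytecode vs. AS3 (AVM2) bytecode.
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,200}")

def triage_swf(data):
    """Return SWF version, script-bearing tag kinds and plain URLs inside them."""
    sig, version, _length = struct.unpack("<3sBI", data[:8])
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS file")
    body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]
    nbits = body[0] >> 3                   # RECT: 5-bit width + 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 4     # then frame rate and frame count
    tags, urls = [], []
    while pos + 2 <= len(body):
        head, = struct.unpack_from("<H", body, pos)
        code, length, pos = head >> 6, head & 0x3F, pos + 2
        if length == 0x3F:                 # long form: 32-bit length follows
            if pos + 4 > len(body):
                break
            length, = struct.unpack_from("<I", body, pos)
            pos += 4
        payload, pos = body[pos:pos + length], pos + length
        if code in SCRIPT_TAGS:
            tags.append(SCRIPT_TAGS[code])
            urls += [u.decode("ascii") for u in URL_RE.findall(payload)]
        if code == 0:                      # End tag
            break
    return {"version": version, "script_tags": tags, "urls": urls}

def _tag(code, payload):                   # constructed-sample helper
    if len(payload) < 0x3F:
        return struct.pack("<H", code << 6 | len(payload)) + payload
    return struct.pack("<HI", code << 6 | 0x3F, len(payload)) + payload

def make_sample(sig, version, code, payload):
    """Build a minimal, constructed SWF (not a real sample) for the demo."""
    body = b"\x00\x00\x0c\x01\x00" + _tag(code, payload) + _tag(0, b"")
    head = struct.pack("<3sBI", sig, version, 8 + len(body))
    return head + (zlib.compress(body) if sig == b"CWS" else body)

URL = b"http://stage2.example.invalid/a.exe\x00"   # constructed placeholder
GET_URL = b"\x83" + struct.pack("<H", len(URL) + 6) + URL + b"_self\x00\x00"
V8 = make_sample(b"FWS", 8, 12, GET_URL)           # AS2 ActionGetURL
V9 = make_sample(b"CWS", 9, 82, b"\x01\x00\x00\x00\x00" + bytes(64))

if __name__ == "__main__":
    for swf in (V8, V9):
        print(triage_swf(swf))
```

A `DoABC` hit with an empty URL list means the script has to go through an AVM2 disassembler or be observed in a sandbox; a missing plain-text URL says nothing about whether the file is benign.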
Bank of America has been offering 'SafePass' for a while now as SMS message out-of-band authentication. Now they have added a debit card with a push-button feature that provides a one-time code. Just push through the branding to get to the goods. http://www.bankofamerica.com/privacy/index.cfm?template=learn_about_safepass
Anonymous
