
Here are some additional follow-up details about the authenticator situation.

First of all, Blizzard has confirmed this as a man-in-the-middle attack:

Official Blizzard Quote:

After looking into this, it has been escalated, but it is a Man in the Middle attack.
http://en.wikipedia....e-middle_attack

This is still perpetrated by key loggers, and no method is always 100% secure.

Additionally, Cameron, a World of Raids user, has done some digging into the file and discovered the following information to potentially help you if you've been infected. Here are the details from his digging:

Firewall IP Block
You may be able to block the IP 205.209.181.111 to help prevent your information from reaching the hackers. This is of course something that may change after they find out they've been discovered, but it should offer some temporary help while you get rid of all the files.

Quote

This info is preliminary. If you use it you should also take the steps you do normally

The keylogger will send the data to:
Host: 205.209.181.111
Port: 1068

The keylogger data file can be found in /users/username/appdata/Temp along with the DLL

Update 1:

The keylogger sends the "current tick" to the server. Presumably so it can tell how long it has to use the code.

Brought to you by bored geek.

Keylogger Server Details
This information was also discovered by Cameron, and is essentially the "known" location of the server collecting data sent by the keylogger.

Quote

The keylogger is a standard Windows-based keylogger which uses SetWindowsHookEx hooking as a debug hook (WH_DEBUG) so it gets first dibs on typed data (although for some reason it does pass on the data to other hooks and not block them...)

The data is sent to:
Host: 205.209.181.111
Port: 1068

OrgName: Managed Solutions Group, Inc. (Known spamming server)
OrgID: MSG-48
Address: 45535 Northport Loop East
City: Fremont
StateProv: CA
PostalCode: 94538
Country: US

The IEM World Championship kicks off tomorrow, March 2nd, in Hannover, Germany. All through IEM Season 4 we've been watching teams fight it out to make it here, to the World Championships. $50,000 will be awarded to the winning arena teams at this tournament!

Watch Here!

In addition to the main stream that you can watch here on AJ, ESLTV is going to have a secondary stream that will be available through their site: http://www.esl-world...ason4/hannover/

Teams:

Group A
  • Team Dignitas - Kalimist (Rogue) / Flyn (Mage) / Hydra (Priest)
  • x6tence - Souler (Paladin) / Siler (Hunter) / Falcon (Death Knight)
  • mousesports - Angelref (Death Knight) / Aria (Hunter) / Ootzzan (Paladin)
  • SK Gaming Korea - Scommando (Ret-Paladin) / Choiminso (Warrior) / Hwanggom (Druid)
  • SK Gaming USA - Realz (Rogue) / glickz (Warlock) / Kollektiv (Shaman)
  • H2k - Sanchez (Death Knight) / Instance (Warlock) / Selcuk (Paladin)


Group B

  • SK Gaming Sansibar - Noonia (Death Knight) / Moldran (Warrior) / Fraki (Paladin)
  • SK Gaming EU - Another (Death Knight) / Inflame (Warlock) / Enigmz (Druid)
  • Button Bashers - Hiren (Rogue) / Orangemarmalade (Mage) / Numberone (Priest)
  • iNNERFiRE - Desis (Rogue) / c00ld (Mage) / Xerio (Priest)
  • coL.Black - Twixz (Hunter) / Flexx (Shaman) / Toes (Paladin)
  • Evil Geniuses - Azael (Warlock) / Tenderloinqt (Shaman) / Woundman (Rogue)

The WoW coverage begins at 10:00 CET/4:00AM EST tomorrow morning. The WoW tournament will end on March 4th.

Check out Bodi's live blogging of the tournament at WoW Riot.

Enjoy.

Anyone who has an authenticator attached to their account should immediately run a search (and probably an antivirus scan, in case it's on the threat list already) and ensure the file emcor.dll does not exist on their computer. This file is reported to be allowing hackers to access World of Warcraft accounts that have authenticators attached to them. It's also possible there are other variations of these suspicious files, so if anyone has additional information please respond in the comments.

Based on this thread, the file may be found in /users/username/appdata/Temp. Since the file is fairly new (first mentions of it are only a few days ago), and the common source is unknown, I urge everyone to not log in to World of Warcraft or the account management site until you've run a scan. Confirm your computer is secure before using your authenticator, because this DLL file is allowing hackers to crack through it and access your account.

A warning sign that you're currently infected with this keylogger is that WoW will say your authentication code is incorrect, even if you know for sure you typed in the correct code.
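
The checks described in the two authenticator articles above (file search, connection to the reported server, firewall block), gathered into one PowerShell script as an added example; it is not code from Cameron's posts or from Blizzard. It assumes an elevated prompt on Windows 8 / Server 2012 or later (for the `Get-NetTCPConnection` and `New-NetFirewallRule` cmdlets), and the firewall rule name is made up for illustration.

```powershell
#Requires -RunAsAdministrator
# Indicators below come from the article; the rule name is made up for this example.
$DllName    = 'emcor.dll'
$RemoteHost = '205.209.181.111'
$RemotePort = 1068
$RuleName   = 'Block reported keylogger host (example)'

# 1. Search every profile's AppData tree for the DLL. The article gives the
#    location as /users/username/appdata/Temp; recursing from AppData also
#    covers AppData\Local\Temp, the usual per-user temp folder.
$files = @(Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData" -Filter $DllName `
               -Recurse -Force -File -ErrorAction SilentlyContinue |
           Select-Object FullName, CreationTime, LastWriteTime,
               @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName).Hash } })

# 2. A SetWindowsHookEx hook DLL is mapped into the processes it hooks, so list
#    every process that currently has it loaded (protected processes are skipped).
$procs = @(foreach ($p in Get-Process) {
    try { if ($p.Modules.ModuleName -contains $DllName) { $p } } catch { }
})

# 3. Show any TCP connection to the reported collection server and its owner.
$conns = @(Get-NetTCPConnection -RemoteAddress $RemoteHost -RemotePort $RemotePort `
               -ErrorAction SilentlyContinue |
           Select-Object State, LocalPort, OwningProcess,
               @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } })

# 4. Block all outbound traffic to the address (temporary help only: the article
#    notes the server may change). Skipped if the rule already exists.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
        -RemoteAddress $RemoteHost | Out-Null
}

# Report what was found.
"Files named ${DllName}: $($files.Count)"
$files | Format-List
"Processes with ${DllName} loaded: $($procs.Count)"
$procs | Format-Table Id, ProcessName
"Connections to ${RemoteHost}:${RemotePort}: $($conns.Count)"
$conns | Format-Table
```

A clean result only covers the file name and server reported here; as the article says, other variations of the file may exist.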