Friday, 10 January 2014

Troj/WowSpy-A

Recently a piece of malware targeting World of Warcraft was identified.
This threat is known as Disker, Mal/DllHook-A or Trojan.Siggen5.64266, and it can steal player accounts even if they use a Battle.net Authenticator.
Yes, this is another post about password-stealer malware...

There is no option to retain the password in the WoW client.

This malware is spread through fake websites that lead to a malicious download.
The Trojan is bundled with legitimate programs such as WowMatrix or Curse Client, which players use to manage their AddOns.



Malicious Wowmatrix installer. (DCDD6986941B2B4E78A558CAB3ACF337)

Fake sites (and the IP address each resolved to):
• WWW.CURSE.PW → 142.4.105.98
• WWW.WOWMATRIX.PW → 142.4.105.98
• WWW.WOWMATRIX.PW.PW → 142.4.105.99
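Since the distribution relies on lookalike domains, a defender's first check is whether any client resolved them. The following is an added example, not code from the original post: it scans constructed DNS log lines for the indicators listed above and, going one step further, flags any other host that uses the impersonated brand name as a label but is not under the legitimate domain (the legitimate domains curse.com and wowmatrix.com are assumed here, as is the log format).

```python
import re
from typing import List, Optional

# Indicators taken from the post: fake distribution sites and their IPs.
FAKE_HOSTS = {"www.curse.pw", "www.wowmatrix.pw", "www.wowmatrix.pw.pw"}
FAKE_IPS = {"142.4.105.98", "142.4.105.99"}
# Brands the fake sites impersonate; legitimate domains are an assumption.
BRANDS = {"curse": "curse.com", "wowmatrix": "wowmatrix.com"}

# Constructed log format: "<timestamp> <client> query <hostname> -> <ip>"
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+) -> (\S+)$")


def classify(line: str) -> Optional[str]:
    """Return a verdict for one DNS log line, or None if it is benign."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, host, ip = m.groups()
    host = host.lower().rstrip(".")
    if host in FAKE_HOSTS or ip in FAKE_IPS:
        return f"{client}: known fake site {host} ({ip})"
    # Lookalike check: a whole label equals the brand name, but the host is
    # not the legitimate domain or one of its subdomains. Matching whole
    # labels (not substrings) keeps this conservative.
    labels = host.split(".")
    for brand, legit in BRANDS.items():
        if brand in labels and host != legit and not host.endswith("." + legit):
            return f"{client}: lookalike of {legit}: {host} ({ip})"
    return None


def scan(lines: List[str]) -> List[str]:
    """Run classify() over a list of log lines and keep only the hits."""
    return [v for v in (classify(line) for line in lines) if v]


# Constructed sample log; 198.51.100.x / 203.0.113.x are documentation ranges.
SAMPLE_LOG = [
    "2014-01-10T10:00:01 10.0.0.5 query www.curse.com -> 198.51.100.7",
    "2014-01-10T10:00:02 10.0.0.5 query www.curse.pw -> 142.4.105.98",
    "2014-01-10T10:00:03 10.0.0.9 query wowmatrix.pw.pw -> 142.4.105.99",
    "2014-01-10T10:00:04 10.0.0.9 query cdn.wowmatrix.com -> 198.51.100.8",
    "2014-01-10T10:00:05 10.0.0.12 query download.wowmatrix.net -> 203.0.113.4",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```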


Blizzard released a statement about this new threat:

For the moment I don't know how the DLL works (at least not in any detail).
My debugger had some stability issues when handling wow.exe, but I will get back to this; the mechanism seems interesting (and they even use OutputDebugString!).

Network traffic after logging in:

C&C (in Chinese):

Compromised accounts:



That's all for the moment :)

5 comments:

  1. Really really really interested in seeing your follow-up on this one. I'd be willing to bet it was put out by gold farmers such as the ones at brosale.com, they even spam people in games like final fantasy xi.

  2. LOL! OllyDbg solitaire!

    http://o.aolcdn.com/dims-global/dims3/GLOB/resize/1825x1019/quality/80/http://tctechcrunch2011.files.wordpress.com/2013/02/solitaire.jpg

  3. Very interesting (I'm the one who sent you the email about the trojan). Roughly how many stolen accounts did the site in question receive?

  4. Does it steal the password by injecting into wow.exe and hooking the API WoW uses to communicate with the login server, and then just parse the requests for the password?

  5. Any update to this analysis, xyli? Curious to know which method the author is using to intercept the login and password. Via a network API like wspsend(), or perhaps something else?
