
WARNING: WWW.ISTARIA.COM INFECTED WITH TROJAN!

The main Horizons site, along with the forums and other community site pages, has been infected with a TROJAN / MALWARE virus. The website will open a standard IFrame redirect to a standard malware and exploit site. The IFrame will download the virus from the site and run it using several methods (in case one or more should possibly fail). The trojan is a basic password stealer and keylogger. The virus is referred to as Win32/MS07-017!exploit, and McAfee recognizes it as Exploit-ANIfile.c

People who use Internet Explorer, with javascript enabled are extremely susceptible to infection. People have reported that they have avoided infection using other browsers such as Firefox. Others have indicated that systems that are kept up to date with the latest patches from Microsoft are not as susceptible to infection.



Below is a post quoted from Steeleclaw, from the official forums:

Goldkin has spent most of the evening playing with the trojan downloaded from the compromised sites and has provided information about how it works and what it does.

Did You Get Infected?

The bad html tries to download and run an installer at least 3 different ways. Just because your scanner caught one does not mean you didn't get it. Don't assume. Go check.

First, the installer: It gets saved as winlogi.exe somewhere in your system temp folder (search for winlogi.exe). It then downloads another program and puts a copy in %WINDIR%\system32\svchqs.exe -- this is the payload. (search for svchqs.exe) You may also see svchqs.exe show up in the process list.

If either of those two files show up, you probably got it.



Impact

What does this do? Steal WoW passwords. That much is known. I don't know if it cares about any other passwords, but always err on the side of caution.



Now What?

Cleaning the system is an exercise left for the student.

Once you've cleaned up or reinstalled and patched (you DO run Windows Update, right?), go and change every password that you've typed in on that system. It's a pain in the tail, but it's better than having your accounts compromised.

A Bit About Compromised Passwords (read this anyway)

Don't re-use passwords or rotate them (don't reuse the password for one account for another). Make up new ones -- very different ones. If I knew your password was 'zxcvbnm8' and it didn't work anymore, I'd try simple changes, like 'zxcvbnm9'. Don't think a malicious person won't do the same.

Also, if your compromised password is similar to or the same as the one for your email accounts linked to things like banking, game or forum accounts, change it, even if you didn't log into the email service after getting infected. Think about how easy it is to use the "I forgot my password" features once you have control of the email account associated with them.

While I'm on my soapbox about passwords, try to make them at least 8 characters long, and include an upper case character as well as a punctuation character requiring the use of the shift key. Avoid dictionary words, sequences of adjacent keys, either of the two with numbers appended, and "l337 sp33k" substitutions. Those are quite common, few in variations, and are the first things a malicious person would try as guesses.


Please be aware of this if you play Horizons and visit the Istaria.com community site, or the forums!

-Menkure
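The "Did You Get Infected?" steps in the quoted post (search the temp folder for winlogi.exe, check %WINDIR%\system32 for svchqs.exe, look for svchqs.exe in the process list) can be run as a single read-only check. The script below is an added example for this thread, not code from Steeleclaw or the Horizons team. The post only says "somewhere in your system temp folder", so which temp directories it searches (the user's TEMP/TMP and the Windows Temp directory) is an assumption; it reports what it finds and deletes nothing.

```powershell
# Added example: read-only hunt for the two dropped files and the process named
# in Steeleclaw's post. Run from an elevated PowerShell prompt so system32 and
# other users' temp folders are readable.

# File names given in the quoted post
$droppedNames = @('winlogi.exe', 'svchqs.exe')

# Assumption: "system temp folder" is covered by the user's temp dirs plus Windows\Temp
$tempDirs = @($env:TEMP, $env:TMP, (Join-Path $env:WINDIR 'Temp')) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Select-Object -Unique

$hits = New-Object System.Collections.Generic.List[object]

# 1. winlogi.exe / svchqs.exe anywhere under the temp directories
foreach ($dir in $tempDirs) {
    foreach ($name in $droppedNames) {
        Get-ChildItem -LiteralPath $dir -Filter $name -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hits.Add([pscustomobject]@{ Kind = 'File'; Where = $_.FullName; When = $_.LastWriteTime })
            }
    }
}

# 2. The payload location named in the post: %WINDIR%\system32\svchqs.exe
$payload = Join-Path $env:WINDIR 'system32\svchqs.exe'
if (Test-Path -LiteralPath $payload) {
    $f = Get-Item -LiteralPath $payload -Force
    $hits.Add([pscustomobject]@{ Kind = 'File'; Where = $f.FullName; When = $f.LastWriteTime })
}

# 3. A running svchqs process (Get-Process takes the name without the .exe suffix)
Get-Process -Name 'svchqs' -ErrorAction SilentlyContinue | ForEach-Object {
    $exe = if ($_.Path) { $_.Path } else { '<path not readable>' }
    $hits.Add([pscustomobject]@{ Kind = 'Process'; Where = "PID $($_.Id) $exe"; When = Get-Date })
}

if ($hits.Count -eq 0) {
    Write-Output 'No winlogi.exe / svchqs.exe indicators found on this system.'
} else {
    Write-Output 'POSSIBLE INFECTION: indicators found. Do not just delete them; follow the clean-up and password-change steps in the post.'
    $hits | Format-Table -AutoSize
}
```

A clean result from this script only means these two file names were not found; as the post says, the dropper tries several methods, so a missing winlogi.exe does not prove the payload never ran.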

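The password advice in the quoted post (length, an upper-case and a shifted punctuation character, no dictionary words, no adjacent-key runs, no appended digits, no "l337 sp33k") is easy to turn into a checker that explains why a candidate is weak. This function is an added example, not part of the original post; its word list is a small constructed stand-in for a real dictionary, and the keyboard rows and leet mapping it uses are my assumptions.

```powershell
# Added example: flag the weaknesses Steeleclaw's post warns about.
function Test-WeakPassword {
    param([Parameter(Mandatory = $true)][string]$Password)

    $reasons = New-Object System.Collections.Generic.List[string]

    # Length, upper case, and shifted punctuation, as the post recommends
    if ($Password.Length -lt 8)       { $reasons.Add('shorter than 8 characters') }
    if ($Password -cnotmatch '[A-Z]') { $reasons.Add('no upper-case character') }
    if ($Password -notmatch '[!@#$%^&*()_+{}|:"<>?~]') { $reasons.Add('no shifted punctuation character') }

    # "either of the two with numbers appended": judge the core without trailing digits
    $core = ($Password -replace '\d+$', '').ToLower()

    # Undo common "l337 sp33k" substitutions before the dictionary check (assumed mapping)
    $plain = $core -replace '[@4]', 'a' -replace '3', 'e' -replace '[1!|]', 'i' -replace '0', 'o' -replace '[$5]', 's' -replace '7', 't'

    # Constructed stand-in for a real dictionary / common-password list
    $smallDictionary = @('password', 'dragon', 'horizons', 'istaria', 'letmein', 'welcome')
    if ($smallDictionary -contains $plain) {
        $reasons.Add("dictionary word '$plain' (after removing trailing digits and leet)")
    }

    # Sequences of adjacent keys: the core is a run along a keyboard row, in either direction
    $rows = @('qwertyuiop', 'asdfghjkl', 'zxcvbnm', '1234567890')
    foreach ($row in $rows) {
        $chars = $row.ToCharArray()
        [array]::Reverse($chars)
        $reversed = -join $chars
        if ($core.Length -ge 4 -and ($row.Contains($core) -or $reversed.Contains($core))) {
            $reasons.Add("run of adjacent keys '$core'")
            break
        }
    }

    [pscustomobject]@{
        Password = $Password
        Weak     = ($reasons.Count -gt 0)
        Reasons  = ($reasons -join '; ')
    }
}

# The post's own example, its obvious variant, two leet/dictionary cases, and a stronger one
'zxcvbnm8', 'zxcvbnm9', 'Dr4g0n5', 'P@ssw0rd123', 'Tall-Green9Fence!' |
    ForEach-Object { Test-WeakPassword $_ } |
    Format-Table -AutoSize
```

Note that 'zxcvbnm8' and 'zxcvbnm9' are flagged for the same reason (a run along the bottom keyboard row), which is exactly the point the post makes: a one-character change to a compromised password is not a new password.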
Comments

  • Admin (Administrator) Posts: 5,623
    Yikes, this is the same trojan that got on our servers months back. Nasty bugger, we had to nuke all the servers and move them behind a firewall appliance...best of luck to the Horizons team in cleaning this up and keeping it out

    - MMORPG.COM Staff -

    The dead know only one thing: it is better to be alive.

  • HadesPvP Member Posts: 33
    So it's a trojan on the Istaria Horizons site that looks for World of Warcraft passwords? That's a bit unusual....

    Don't count on the Horizons staff to do anything about it though, I don't even know if they have a staff anymore....


  • Kaelaan21 Member (Uncommon) Posts: 349

    Hrm.. unless this was fixed within 1 day (which I doubt) - I'm wondering the credibility behind this claim. (Not saying that the OP made it up, it could be that he was informed of incorrect information)

    After taking a look at the source ... there are no iframes or javascript .. at all on the main website.

    After taking a look at the forum source, there are no iframes or javascript that dynamically create iframes. There are javascript ajax functions that create on the fly div tags for the menu systems, but those aren't malicious. Same goes for the login page.

    Did anyone (i.e. forum users) mention that the website was infected? The post quoted in the OP just mentions about the trojan. It doesn't claim that it was on Horizon's website.

  • SWGLover Member, Newbie (Common) Posts: 539

    They got it fixed now.......I'm surprised, their style would have been to leave it alone for a month or two.

    Not much going on at the site anyhow, everyone is mainly waiting for the "sorry, this site is closed" sign to be hung.


    Thanks be to David Bowman for killing another game..........  


  • Menkure Member Posts: 30

    Kaelaan,

    It seems that EI did go in and remove the iframe links. They also did some 'tidying up', which included the deletion of the stickied threads in the general board (one of which had the contact info to PayByTouch, in order to cancel your subs). The two main threads about the virus/trojan were also deleted. The post from Steeleclaw, which I posted, was from the second thread, which he started. Steele's thread was the one in which he described in detail how to find out if a person had been infected, and also how they could safely remove it.

    A new thread was started regarding the trojan (LINK: here!), and Steele quoted the user EIHORIZONS as saying the following:


    Originally Posted by EIHorizons
    Sorry for not getting a post up quicker, as the situation was worse than it appeared from the outside and have just finished clearing the security issues and had to secure log files for law enforcement.

    The problem code has been removed from all affected sites/code...

    ForumMaster


    Steele does not say where this quote came from, but no post can be found on the forums. It is likely that it was sent to him in a private message.

    Steele did have this to post, in response to the above note:


    Originally Posted by Steeleclaw
    Excellent. Now, how about restoring the more useful posts, such as the one describing how to tell if you got infected? The two dropped .exe files do not get picked up by all virus scanners.

    If you're not going to take any initiative in helping users with the aftermath, at least stop covering up the ones trying to help.

    I'm rather disappointed with the way this has been handled -- from leaving the sites serving the malicious html up all weekend, to an apparent cover-up. I have yet to see an apology, an informative description of what led to the breach, or a description of the steps taken to prevent it from happening again.

    What troubles me the most is that you state that "The situation was worse than it appeared from the outside", with no further elaboration. Hint: If you have any reason to suspect that user data has been compromised, be it password hashes, personal information, or financial information, you have an ethical (and possibly legal) obligation to notify your users of the breach and what information may have been compromised.



    I can assure you, I am not making any of this up. If you also check the Horizons General Forums on IGN (LINK: HorizonsVault - VN Boards), you will find a similar post started by someone else, corroborating the same information.

    Cheers!

    -Menkure

  • Menkure Member Posts: 30

    Update: The virus is back, and has reinfected the main webpage ( http://www . istaria . com ).

    A post on the community forums, ( http://community.istaria.com/forum/showthread.php?t=16166&page=2 ) by Draygon has this to say:


    posted by Draygon:
    So it's true, one of those exploit links is back, though the forums appear to be untouched for the time being. Actually this isn't just similar to the last episode, it's identical; the link and its placement in the post are exactly as they were previously.

    To me, this suggests not someone who inadvertently discovered an administrator password, as they would be likely to modify other pages and/or leave a 'calling card', but a script that may be methodically attempting known exploits and inserting code where it can. Last time it nailed the forum, community site, and the istaria home page. The affected posts were deleted (along with other forum posts while it was down for 'maintenance') and the forum apparently secured from that particular threat, though perhaps the point of entry on the home page was not closed if they assumed that all were from the same source.

    In the meantime, should one have to visit the home page, it is strongly encouraged to not use Internet Explorer, as it is most vulnerable due to being specifically targeted, and that JavaScript be disabled or enabled on a per-site basis.



    Please keep this in mind if you choose to visit the main community site for Horizons.


    -Menkure
