Trojan identified that steals World of Warcraft account credentials

An unknown number of World of Warcraft players were forced to halt their virtual sword swinging and spell casting in order to combat a trojan designed to compromise account credentials – even those with two-factor authentication enabled.

Miscreants covet accounts for popular online games because the virtual currency and accessories associated with those accounts are considered valuable to players and can even be passed along to turn a quick real-world profit. Financial information, such as card data, is protected and considered not at risk.

On Jan. 2, a support agent with World of Warcraft publisher Blizzard, known as Jurannok, posted a message that the team had become aware of a trojan that steals player account information and authenticator passwords as soon as the user enters their credentials.

“It can be identified by creating an MSInfo file and then looking in the Startup Program section of that file for either ‘Disker’ or ‘Disker64,’” Jurannok wrote in the post.
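The check Jurannok describes can be scripted against a saved MSInfo text report. The sketch below is an added example, not code from Blizzard or from the original article; it assumes the report uses "[Section]" headings with tab-separated rows, and the sample report, its paths and the function names are constructed for illustration.

```python
import re
import sys

# Startup entry names from the Blizzard support post quoted above.
# Word boundaries keep names such as "DiskErase" from matching.
SUSPECT = re.compile(r"\bdisker(64)?\b", re.IGNORECASE)

# Constructed sample in the assumed layout of an msinfo32 text report:
# "[Section]" headings followed by tab-separated rows with a header row.
SAMPLE_REPORT = (
    "[System Summary]\n\nItem\tValue\nOS Name\tMicrosoft Windows 7 Home Premium\n\n"
    "[Startup Programs]\n\nProgram\tStartup Command\tUser Name\tLocation\n"
    "Sidebar\tC:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun\tPC\\player\tStartup\n"
    "Disker64\tC:\\constructed\\path\\Disker64.exe\tPC\\player\tStartup\n"
    "DiskErase\tC:\\constructed\\tools\\diskerase.exe\tPC\\player\tStartup\n\n"
    "[Services]\n\nDisplay Name\tName\tState\nDisker\tdisker\tStopped\n"
)

def startup_rows(report_text):
    """Yield one dict per row of the [Startup Programs] section only."""
    in_section, header = False, None
    for raw in report_text.splitlines():
        line = raw.strip("\ufeff \r")
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "startup programs"
            header = None
        elif in_section and line.strip():
            cells = [c.strip() for c in line.split("\t")]
            if header is None:
                header = [c.lower() for c in cells]  # first row names the columns
            else:
                yield dict(zip(header, cells))

def find_disker(report_text):
    """Return startup rows whose program name or command mentions Disker/Disker64."""
    return [
        row for row in startup_rows(report_text)
        if SUSPECT.search(row.get("program", ""))
        or SUSPECT.search(row.get("startup command", ""))
    ]

if __name__ == "__main__":
    # Assumption: the report was saved as text (msinfo32 writes UTF-16).
    path_given = len(sys.argv) > 1
    text = open(sys.argv[1], encoding="utf-16").read() if path_given else SAMPLE_REPORT
    for hit in find_disker(text):
        print("Suspicious startup entry:", hit)
```

Only the Startup Programs section is inspected, so the constructed "Disker" service row in the sample is deliberately not reported.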

The next day, another support agent with Blizzard, known as Kaltonis, revealed that the trojan is built into a fake version of the Curse Client, an add-on manager for a number of popular online computer games, including World of Warcraft, Minecraft and Skyrim.

The malicious Curse Client program is being offered to people on a fake version of the Curse Client website, according to Kaltonis, who added that the phony website was being found in searches for “curse client,” which is why people were being compromised.

“At this point, it seems the easiest method to remove the trojan is to delete the fake Curse Client and run scans from an updated Malwarebytes,” Kaltonis wrote in a post. Malwarebytes is a free anti-malware application, but Kaltonis said that most security programs should be able to identify the threat by now.

In the event that a user is hacked, Battle.net, an online gaming service used to play several Blizzard games, suggests immediately changing your password, recovering your account access, checking the list of common thefts and taking appropriate steps to prevent further damage.

“For those of you interested in these [man-in-the-middle] style attacks, this is the only confirmed case we've seen in several years outside of the "Configuring/HIMYM" trojan in early 2012 that hit a handful of accounts,” Kaltonis wrote. “These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time.”

World of Warcraft was first released near the end of 2004. As of July 2013, the game has more than 7.5 million subscribers, according to a report, which indicates that the game peaked in 2010 with more than 12 million subscribers.