Authenticator Keylogger Update
Some updates to the authenticator keylogger situation.
Also to remind everyone, this doesn't make authenticators useless. It
just shows that not everything is 100% fail-safe. Hopefully Blizzard
can get a patch out soon to help with this.
First of all, Blizzard has confirmed this:
After looking into this, it has been escalated, but it is a Man in the Middle attack.
http://en.wikipedia....
This is still perpetrated by key loggers, and no method is always 100% secure.
Additionally, Cameron has done some digging into the file and discovered the following information to potentially help you if you've been infected.
Firewall IP Block
You may be able to block the IP 205.209.181.111
to help prevent your information from reaching the hackers. This is of
course something that may change after they find out they've been
discovered, but it should offer some temporary help while you get rid
of all the files.
This info is preliminary. If you use it you should also take the steps you do normally
The keylogger will send the data to:
Host: 205.209.181.111
Port: 1068
The keylogger data file can be found in /users/username/appdata/Temp along with the DLL
Update 1:
The keylogger sends the "current tick" to the server. Presumably so it can tell how long it has to use the code.
Brought to you by bored geek.
Keylogger Server Details
This information was also discovered by Cameron, and is essentially the "known" location of the server collecting data sent by the keylogger.
The keylogger is a standard windows based keylogger which uses SetWindowsHookEx hooking as a debug hook (WH_DEBUG) so it gets first dibbs on typed data (Although for some reason it does pass on the data to other hooks and not block them...)
The data is set to:
Host: 205.209.181.111
Port: 1068
OrgName: Managed Solutions Group, Inc. (Known spamming server)
OrgID: MSG-48
Address: 45535 Northport Loop East
City: Fremont
StateProv: CA
PostalCode: 94538
Country: US
Comments
Though I'd laugh oh so very hard if they did.
Thanks
firstly there could be some difficulties with typing (and overlaying windows) but it should be possible, BUT
having on-screen keyboard isnt secure either, just harder to make such keylogger with snapshotting your screen on mouse clicks (again, hookable) becouse of amount of data it has to send to get the key - and it is also more time consuming to derive the key from data.
Just keep that in mind.
http://livebolt.com/blog/2008/04/25/is-keylogging-legal/