Authenticator Keylogger Update

Here are some updates on the authenticator keylogger situation. As a reminder, this doesn't make authenticators useless. It just shows that not everything is 100% fail-safe. Hopefully Blizzard can get a patch out soon to help with this.

First of all, Blizzard has confirmed this:

After looking into this, it has been escalated, but it is a Man in the Middle attack.
http://en.wikipedia....

This is still perpetrated by key loggers, and no method is always 100% secure.

Additionally, Cameron has done some digging into the file and discovered the following information to potentially help you if you've been infected.

Firewall IP Block
You may be able to block the IP 205.209.181.111 to help prevent your information from reaching the hackers. This is of course something that may change after they find out they've been discovered, but it should offer some temporary help while you get rid of all the files.

This info is preliminary. If you use it, you should also take the steps you do normally.

The keylogger will send the data to:
Host: 205.209.181.111
Port: 1068

The keylogger data file can be found in /users/username/appdata/Temp along with the DLL.

Update 1:

The keylogger sends the "current tick" to the server. Presumably so it can tell how long it has to use the code.

Brought to you by bored geek.

Keylogger Server Details
This information was also discovered by Cameron, and is essentially the "known" location of the server collecting data sent by the keylogger.

The keylogger is a standard Windows-based keylogger which uses SetWindowsHookEx hooking as a debug hook (WH_DEBUG) so it gets first dibs on typed data (although for some reason it does pass on the data to other hooks and does not block them...).

The data is sent to:
Host: 205.209.181.111
Port: 1068

OrgName: Managed Solutions Group, Inc. (Known spamming server)
OrgID: MSG-48
Address: 45535 Northport Loop East
City: Fremont
StateProv: CA
PostalCode: 94538
Country: US
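
As an added example (not part of the original post or Cameron's analysis), the Python sketch below scans `netstat -ano` output for connections to the host and port reported above and returns the owning process IDs. The sample output is constructed, and the function name and the weaker "port-only" match (included because the post notes the IP may change) are assumptions of this example.

```python
# Indicators taken from the post above.
C2_HOST = "205.209.181.111"
C2_PORT = 1068

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.20:49712     205.209.181.111:1068   ESTABLISHED     4312
  TCP    192.168.1.20:49730     203.0.113.7:443        ESTABLISHED     2080
  TCP    192.168.1.20:49755     205.209.181.111:1068   SYN_SENT        4312
  TCP    192.168.1.20:49760     198.51.100.9:1068      ESTABLISHED     5120
  TCP    [::1]:49800            [::1]:1068             ESTABLISHED     77
  UDP    0.0.0.0:5353           *:*                                    1404
"""

def find_c2_connections(netstat_text, host=C2_HOST, port=C2_PORT):
    """Return one dict per connection row that points at the reported server.

    match="host" means the foreign IP is the reported one; match="port-only"
    is a weaker lead (same port, different IP) that still needs manual review.
    """
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        remote_host, _, remote_port = fields[2].rpartition(":")
        if not remote_port.isdigit():
            continue  # unconnected UDP rows show "*:*"
        remote_host = remote_host.strip("[]")  # IPv6 is printed as [addr]:port
        if remote_host in ("127.0.0.1", "::1"):
            continue  # loopback traffic never leaves the machine
        if remote_host == host:
            match = "host"
        elif int(remote_port) == port:
            match = "port-only"
        else:
            continue
        state = fields[3] if len(fields) >= 5 else ""  # UDP rows have no state
        hits.append({"pid": int(fields[-1]), "remote": fields[2],
                     "state": state, "match": match})
    return hits

if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_NETSTAT):
        print(hit)
```

On a real machine, pass the text printed by `netstat -ano` instead of the sample and look up each returned PID in Task Manager to find the process that loaded the DLL.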

Comments

  • #1
    If the location of the server and the company is known, why can Blizzard not sue the company or get a court order for that server to be shut down?
  • #2
    Because I don't think they can 100% pin it on them.

    Though I'd laugh oh so very hard if they did.
  • #3
    Hi peeps, this is unfortunate, but for now is it possible to use the on-screen keyboard? Because I'm thinking if this thing logs keystrokes, maybe it doesn't log mouse clicks. Please comment back when you can with any info on using the on-screen keyboard until Blizzard fixes this issue.

    Thanks
  • #4
    @Phil_McCaffrey
    Firstly, there could be some difficulties with typing (and overlaying windows), but it should be possible, BUT
    having an on-screen keyboard isn't secure either; it is just harder to make such a keylogger with snapshotting your screen on mouse clicks (again, hookable) because of the amount of data it has to send to get the key, and it is also more time-consuming to derive the key from the data.
    Just keep that in mind.
  • #5
    @dartilus http://en.wikipedia.org/wiki/Bulletproof_hosting ;) But it will get taken down eventually, by Blizzard or others, and countermeasures will be/have been taken.
  • #6
    dartilus, I wish Blizzard could do something, but unfortunately keylogging was poorly defined under the wiretap laws. Cases that have come up have been thrown out by federal judges. We need stronger laws on this.

    http://livebolt.com/blog/2008/04/25/is-keylogging-legal/
  • #7
    Well, we have the physical address of the host; maybe a bunch of us who live in the area should go knock on their door and protest in front of their company?