Authenticator Keylogger Update
Some updates to the authenticator keylogger situation. Also to remind everyone, this doesn't make authenticators useless. It just shows that not everything is 100% fail-safe. Hopefully Blizzard can get a patch out soon to help with this.
First of all, Blizzard has confirmed this:
After looking into this, it has been escalated, but it is a Man in the Middle attack.
This is still perpetrated by key loggers, and no method is always 100% secure.
Additionally, Cameron has done some digging into the file and discovered the following information to potentially help you if you've been infected.
Firewall IP Block
You may be able to block the IP 18.104.22.168 to help prevent your information from reaching the hackers. This is of course something that may change after they find out they've been discovered, but it should offer some temporary help while you get rid of all the files.
This info is preliminary. If you use it you should also take the steps you do normally
The keylogger will send the data to:
The keylogger data file can be found in /users/username/appdata/Temp along with the DLL
The keylogger sends the "current tick" to the server. Presumably so it can tell how long it has to use the code.
Brought to you by bored geek.
Keylogger Server Details
This information was also discovered by Cameron, and is essentially the "known" location of the server collecting data sent by the keylogger.
The keylogger is a standard windows based keylogger which uses SetWindowsHookEx hooking as a debug hook (WH_DEBUG) so it gets first dibbs on typed data (Although for some reason it does pass on the data to other hooks and not block them...)
The data is set to:
OrgName: Managed Solutions Group, Inc. (Known spamming server)
Address: 45535 Northport Loop East