World of Warcraft Accounts at Risk From Trojaned Wowmatrix

Virus Used to Bypass Authenticator

Security researchers at BitDefender identified a trojan that is used to steal the virtual goods in World of Warcraft player accounts which are protected using the previously-thought-unbreakable Blizzard Authenticator.

The authenticator is an electronic device that generates a one-time numerical token (a string of six digits, in fact) which is used in conjunction with a regular username and password to gain access to a user’s account. The six-digit strings are mathematically related to the (unique) serial number assigned to each authenticator device, in such a way that servers can verify that a certain six-digit token was issued from a certain generator.

The method was supposed to be safer than regular password-based authentication, as an attacker would need both the username/password combination and a valid token to log in, and, obviously, the token would only be accessible to the person actually holding the token generator.

It turns out, however, that there is a way to steal and use a token – and it’s quite simple, provided one can convince World of Warcraft users to install a trojaned copy of Wowmatrix (Wowmatrix is a popular auto-updater for World of Warcraft extensions).

Once installed, Trojan.PWS.WOW.NGT patches (modifies) the World of Warcraft client executable in-memory, when it is loaded, and thus retrieves a valid token, which gets sent to an attacker-controlled server along with some information about the victim’s system. The game executable is then crashed before it can attempt to log in using the token.

The attacker is now in possession of a valid, unused token, which is immediately used to log in and “clean out” all the virtual goods of the victim, by the simple method of selling them and sending the resulting virtual cash to an attacker-controlled account, as a “gift” from one player to another.
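Why a token that never reached the server is still accepted, as an added example that is not BitDefender's or Blizzard's code: the article does not name the authenticator's algorithm, so RFC 6238 TOTP with a 30-second step stands in for it, and `Verifier`, `demo`, the account name and the secret are constructed for illustration. The password check is left out to keep the focus on the token.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds per token window (assumption: RFC 6238 default)
DIGITS = 6    # six-digit token, as in the article


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, a stand-in for the real algorithm."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server side: checks a token against the per-device secret."""

    def __init__(self, secrets_by_account):
        self.secrets = secrets_by_account
        self.used = set()   # (account, window) pairs already accepted

    def login(self, account: str, token: str, now: int) -> bool:
        secret = self.secrets.get(account)
        window = now // STEP
        if secret is None or (account, window) in self.used:
            return False    # unknown account, or token already spent
        if not hmac.compare_digest(token, totp(secret, now)):
            return False    # wrong or expired token
        self.used.add((account, window))
        return True


def demo():
    secret = b"12345678901234567890"   # constructed sample (RFC 6238 test key)
    server = Verifier({"player1": secret})
    token = totp(secret, 59)           # produced on the victim's device
    # The victim's client crashes before login, so the server never sees
    # this token and has nothing to mark as spent.
    first = server.login("player1", token, 59)    # first presentation, by anyone
    second = server.login("player1", token, 59)   # same token again
    late = server.login("player1", token, 90)     # after the window has passed
    return token, first, second, late
```

The verifier can only tell whether a token is correct and unspent, not who is presenting it, which is why single-use enforcement does not help when the token is intercepted before its first use.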

“There is, obviously, significant overlap between the population of BitDefender researchers and that of World of Warcraft players, but our reaction to reports from the World of Warcraft community would have been swift in any case, as the token authentication method is used by organisations other than Blizzard. We may be seeing the tip of a rather large and menacing iceberg here,” declared Viorel Canja, Head of BitDefender Labs.

About the author


Razvan Stoica is a journalist turned teacher turned publicist and
technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking.

Razvan Stoica started off writing for a science monthly and was the chief
editor of a science fiction magazine for a short while before moving on to
the University of Medicine in Bucharest where he lectured on the English
language. Recruited by Bitdefender in 2004 to add zest to the company's
online presence, he has fulfilled a bevy of roles within the company since.

In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.