PSA: Blizzard Authenticators now Vulnerable to Keylogging


Blizzard account owners beware: Even if you have a Blizzard Authenticator guarding your account, you’re no longer completely immune to keyloggers.

As one of the biggest games in the world today, World of Warcraft has as many people trying to crack it open as it does trying to keep it secure. This is usually accomplished through a keylogger, a little piece of malicious software that people unwittingly download to their computers which captures your WoW login account and password. Enter the magical Blizzard Authenticator. This little device is attached to your account, and generates a new number every time you log in to use in addition to your password – since the number changes every time, it’s virtually keylogger-proof. (And don’t ask me how it does this – I have one and I can’t figure out how it works).

But Authenticated accounts are no longer completely secure, reports World of Raids. According to the WoW Forums, we don’t know how the new keylogger works or how it reverse-generates the code in question, but it’s something that everybody should be aware of, whether you just play WoW or are looking forward to StarCraft II and Diablo III as well.

At the moment, it looks like the suspicious file in question is called emcor.dll, a file that appears to have only surfaced within the past week. If you play WoW (or are in the SC2 beta), it is recommended that you search your hard drive for this file (and delete it) immediately before logging into any games with your account and Blizzard Authenticator. Reports say that the file is most commonly located in “/users/username/appdata/Temp,” but it could theoretically be located anywhere.

A potential warning sign that you’ve been infected is that you will be unable to log in when inputting your password/authenticator, even if you’re sure it’s correct. But even if this hasn’t happened to you, search for emcor.dll immediately – better safe than sorry.

Update: MMO Champion has some fairly accurate-sounding theorycrafting on just how the keylogger works.

Basically, what the virus does is fairly simple after you’re infected :

* The next time you log in World of Warcraft, the game asks for your Authenticator code.
* The virus intercepts it, send it to another server, and sends a wrong one to Blizzard = You get an error.
* The people behind the virus now have a few seconds/minutes to use the “real” code while it’s valid to change your password / empty your account / guild bank.

How to check if you’re infected
Just search for a file named “emcor.dll” on your computer, it is most likely located in “C:Users(Your user name)AppDataTemp” but I suggest that you check everything just to be sure. If you do find the file, delete it and make sure you update your anti-virus to prevent any further problem.

To be honest, if you found this file your account is probably already compromised.

What does it mean exactly?
* Yes, you can get hacked even if you have an authenticator, the chances are MUCH lower but you’re not invulnerable.
* It definitely isn’t an excuse to not have an authenticator. We’re talking about a single virus here and the authenticator will save your ass 99% of the time.
* Get a decent anti-virus, buy an authenticator, you’ll be safe.

(Thanks, Proteus214!)

About the author