Titan Shields up!

There are probably more variants of World of Warcraft (WoW) password-stealing malware than there are WoW players by now. The concept of nabbing unsuspecting WoW players via keyloggers, looting all their virtual gold, and then selling the contraband to other WoW players for hard non-virtual currency has been around for years, and is the kind of shadow economy that seems to be far more recession-proof than our real one.

When ISC reader Michael researched the "Titan Shield Wall" for his World of Warcraft character, a benign Google search brought him to a page (dontclick://www-svc7-com/1.html) which triggered a series of malicious Adobe Flash (SWF) files. Analyzing SWFs was pretty easy up to version 8, because free programs like swfdump did a good job of extracting the URL of the next stage. In more current (v9/10) SWF files, this is sometimes more complicated, but after a little back and forth, the SWFs from svc7 revealed their next-stage URL: an EXE coming from dontclick://vjd6-cn. The malware that Michael found on his quest for the WoW Titan Shield turned out to be, surprise surprise, a WoW password stealer (VirusTotal). Since Michael is just as savvy at wielding a virus shield, the insidious attack of the gold farming gnomes was thwarted.
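A first-pass static triage of an SWF sample, as an added example that is not part of the original diary or the handler's own tooling: it reads the 8-byte header, safely inflates a compressed (CWS) body, and scans for plaintext URLs, flagging v9+ files where that scan comes up empty. The function names, the size cap, and the sample bytes with the `example.invalid` host are assumptions constructed for the demo.

```python
import re
import struct
import zlib

MAX_BODY = 16 * 1024 * 1024  # cap on decompressed size (assumed limit)
URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]{4,200}")

def parse_swf(data: bytes):
    """Return (version, compressed, declared_len, body) from raw SWF bytes."""
    if len(data) < 8:
        raise ValueError("too short for an SWF header")
    sig, version, declared_len = struct.unpack("<3sBI", data[:8])
    if sig == b"FWS":                      # uncompressed movie
        return version, False, declared_len, data[8:]
    if sig == b"CWS":                      # zlib-compressed after byte 8
        d = zlib.decompressobj()
        body = d.decompress(data[8:], MAX_BODY)
        if d.unconsumed_tail:              # guard against decompression bombs
            raise ValueError("decompressed body exceeds MAX_BODY")
        return version, True, declared_len, body
    raise ValueError("not an FWS/CWS file: %r" % sig)

def triage(data: bytes) -> dict:
    """Summarise an SWF sample for a first look, without executing it."""
    version, compressed, declared_len, body = parse_swf(data)
    urls = sorted({m.decode("ascii") for m in URL_RE.findall(body)})
    return {
        "version": version,
        "compressed": compressed,
        # A header length that disagrees with the data hints at tampering
        # or appended content.
        "length_ok": declared_len == 8 + len(body),
        "urls": urls,
        # From v9 on, ActionScript 3 bytecode can build the URL at run time,
        # so an empty result here does not mean there is no next stage.
        "needs_deeper_look": version >= 9 and not urls,
    }

def build_sample(version: int, body: bytes, compress: bool) -> bytes:
    """Construct a synthetic SWF-like container for the demo (not a real movie)."""
    header = (b"CWS" if compress else b"FWS") + bytes([version])
    header += struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)

# Constructed sample data: placeholder host, no real indicators.
SAMPLE_V8 = build_sample(8, b"\x00" * 16 + b"http://stage2.example.invalid/a.exe\x00", True)
SAMPLE_V9 = build_sample(9, b"\x00" * 32, False)

if __name__ == "__main__":
    print(triage(SAMPLE_V8))
    print(triage(SAMPLE_V9))
```
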


ISC Handler
Feb 4th 2009
Bank of America has been offering 'SafePass' for a while now as SMS message out-of-band authentication. Now they have added a debit card with a push-button feature that provides a one-time code. Just push through the branding to get to the goods. http://www.bankofamerica.com/privacy/index.cfm?template=learn_about_safepass