Friday, May 21, 2010

MMO-Champion hacked

The team at the popular WoW fan site MMO-champion have announced that their site was recently hacked. What happened here and how can you best protect yourself against malicious code on legitimate web pages?

The malicious code was Gumblar - a malicious piece of javascript that was placed on their pages.

How did the malicious code get there?

This is a question that has not been answered by the web site owners. However, it is likely to be one of the following causes:
  1. The site was hacked and the code was manually planted there by the attacker. There are multiple ways this could have happened, but one common way is via SQL-Injection.
  2. One of their admins was infected on their own PC and their FTP login details were used by the malware to log in to the web servers and automatically infect their files.
Hackers often target legitimate web sites, especially high traffic sites, so that they get the widest exposure to their malware.

What is the malicious code designed to do?

According to a Gumbar Q&A, the malicious code redirects a user to a malicious web site that contains specially crafted PDF or flash files that automatically infect your machine if you do not have your Adobe flash player patched. The malware that it installs can redirect your google searches and replace search results with links to malicious sites. It also harvests FTP information from your machine so that it can try to automatically inject code on other web servers. Finally, it can open a back door so that your machine can be controlled remotely.

Could I have been infected from MMO-champion?

The team at mmo-champion claim that the malicious code was only on their site for 30 mins before it was detected, shut down and subsequently cleaned.

If you browsed the site in that time, you probably would have noticed an attempt to redirect your browser to another web site. Many browsers have in-built blocking mechanisms so you may have seen a big red message on your browser advising you that you are about to visit a malicious web site. If you proceeded, and the malicious web site was online at the time, then you would have been exposed to malicious pdf or flash files. If, and only if, your Adobe flash player was not patched, then these malicious files may have automatically executed. If you were running up-to-date and mainstream antivirus products then it should have been detected and stopped at this stage.

The short answer is, you may have been infected but you would have needed to have no antivirus (or poor antivirus), no recent patching of your Adobe flash player and would have needed to visit the site in the 30 mins when the code was there.

If you think your machine is infected then try this free web-based scanner - Housecall

Does it steal my WoW account info?

No, but if you were infected then you still need to clean it off your machine since it may compromise any FTP sites that you might visit, install a backdoor and your search engine results may be replaced with malicious sites. This is not the type of malware that you want on your PC.

Would the firefox 'noscript' add-on help?

Probably, although if you are a regular mmo-champion visitor then you would have been likely to nominate their site as a trusted site in noscript - resulting in noscript having no effect. Noscript is a great security measure, but it breaks a lot of sites. It is the old security vs usability trade-off.

What can I do to protect myself against these attacks?
  1. Make sure your software is fully patched - this includes your operating system (OS), browser, flash player, javascript, etc. Most people just worry about patching their OS, but there are many other avenues for exploiting software vulnerabilities on your PC.
  2. Make sure you run reputable anti-virus on your system - and make sure it is always updated.
  3. Don't ignore your browser when it tells you that the site you are about to go to is potentially dangerous.
  4. Get yourself an authenticator. Even though this malware is not written to steal WoW information, the next one might be. An authenticator is a last line of defense, and may prove to be your savior should all else fail.
Finally, don't assume you can't get infected by malware without user interaction - you can! You can pick up malware simply by visiting a web page and you won't even know it is happening. This is why you need several defense mechanisms in your security arsenal.

No comments:

Post a Comment