I Clicked a Keylogger. :|

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
1) what antivirus product do you use, if any? Was its real-time protection enabled?

2) what operating system do you use?

3) what symptoms did you see?


Don't log onto WoW or anything else important if you suspect a keylogger is on your system. Use Internet Explorer to run F-Secure's online scanner and post the exact infections it discovers, if any.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
The page has an IFRAME that calls a script which sends you an ANI Exploit file (screenshot). The payload of the exploit is unknown, since I can't get a copy of it past my ISP's Fortigate.

Questions:

1) is your computer patched against the ANI Exploit vulnerability? If you're on WinXP, you can tell by looking in Control Panel > Add/Remove Programs, marking the "Show updates" checkbox, and making sure the 925902 update is in the list.
 

RyanW2050

Senior member
Sep 2, 2005
311
0
0
I updated the code to the actual source; I wasn't familiar with the code function, and the forum had butchered it.


Anyway, I didn't run any antivirus at the time of clicking, but I have installed and scanned with Kaspersky / Norton Internet Security; they found nothing.

I ran Windows Update after the click too, so I do have the exploit protection NOW, but I do not know if I had it before I updated. It had been a few months.

I use Windows XP Home, Firefox 2.0.0.3 with Adblock.


I have logged into WoW again now. I used the on-screen keyboard to enter the password, not sure if that makes any difference. Didn't notice anything strange happening.

I'm downloading the F-Secure scanner now.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: RyanW2050
I updated the code to the actual source; I wasn't familiar with the code function, and the forum had butchered it.


Anyway, I didn't run any antivirus at the time of clicking, but I have installed and scanned with Kaspersky / Norton Internet Security; they found nothing.

I ran Windows Update after the click too, so I do have the exploit protection NOW, but I do not know if I had it before I updated. It had been a few months.

I use Windows XP Home, Firefox 2.0.0.3 with Adblock.


I have logged into WoW again now. I used the on-screen keyboard to enter the password, not sure if that makes any difference. Didn't notice anything strange happening.

I'm downloading the F-Secure scanner now.
Some keyloggers take screenshots of where you click, specifically to defeat on-screen keyboards. I think I'd take barfo's suggestion and change the password from a clean system, then... well, if it were me, I'd bust out the DBAN CD, burn my Windows installation to the ground, and start over securely.

If you need a good free antivirus for WinXP in the future, try out the AOL Kaspersky. how to configure it and stuff
 

RyanW2050

Senior member
Sep 2, 2005
311
0
0
F-Secure scan found 7 tracking cookies.

Result: 7 malware found
Tracking Cookie (spyware)

* System (Disinfected)
* System
* System
* System
* System
* System
* System

Statistics
Scanned:

* Files: 24128
* System: 3963
* Not scanned: 2

Actions:

* Disinfected: 1
* Renamed: 0
* Deleted: 0
* None: 6
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
 

RyanW2050

Senior member
Sep 2, 2005
311
0
0
One last thing. What is the possibility of this keylogger traveling to other (unprotected) computers on my network?

I use a patch cable to transfer files onto my laptop before I reformat; could the keylogger jump over there and then back onto the clean install?
 

kainlongshot

Member
May 18, 2007
55
0
0
I did something similar too . . .

The darn loggers are all over the place in the official WoW forums. I consider myself a somewhat computer-savvy person and I'm really kicking myself for clicking that darn thing.

I guess I got a similar question to OP. I did the whole virus check, adware check, etc. and it's not turning up anything. Yet I'm pretty darn sure where I went had a logger on it. I'm currently running Vista x64; Defender was on, Avast! was on, Firefox with Adblock, and automatic update was on when this occurred. I'm super paranoid right now and have yet to log back into WoW or any other sensitive websites for fear alone.

I threw caution to the wind and did a number of things: I killed both my XP and my Vista installs. I formatted and killed both partitions using the Gnome (Ubuntu 6.10 disc) partition manager. I then went back to my Acronis backups (I keep a clean XP and a clean Vista install and all the apps minus the drivers). Both drives and operating systems are now restored and running. Both operating systems were fully updated as soon as they came online. I even killed my WoW folder and all its addons. I have even formatted my temp drive (where I keep my swap space drive).

Before I continue, my operating system(s) and my personal folders (My Documents) are on 2 different drives. I've performed an antivirus, adware, etc. scan on these separate drives with no issues. Is it safe to say that they are also clean? The reason I'm asking is that I don't have any place to store that much info offline. I have approximately 750mb worth of music, pictures, recorded shows, movies, misc stuff, games, and documents of a personal nature. I just don't have a spare hard drive of that size to meticulously sort through. Am I safe or am I still in trouble?
 

RyanW2050

Senior member
Sep 2, 2005
311
0
0
Well, we know how this particular logger gets in: it's the cursor exploit that autoupdate fixed in April. If you did click THAT type of attack, and you were updated, you're safe. However, I can imagine that there are plenty of other ways to transmit a logger.

Without knowing what link you clicked, it's probably tough to figure out if you were protected or not.


What I'd like to figure out is what this keylogger does if it succeeds; I've heard it autoruns something on the next reboot.
 

kainlongshot

Member
May 18, 2007
55
0
0
Ryan, I don't think these keyloggers are capable of jumping to other computers. I just don't think they are that advanced. I'm not saying it can't happen, but aren't firewalls, real-time protection against viruses, etc. supposed to keep crap like that out anyway? Getting the malicious data on your system through an exploit is one thing, but getting it through a patch cable from a direct file transfer should be a whole different story. Someone correct me if I'm wrong.

Great, now I'm more worried than ever . . . even if my original operating systems are dead and I didn't DBAN like one person mentioned (current operating systems XP and Vista are mere husks of what they once were), I'm still at risk of reinfection?

I'm about this close to ripping my hair out . . . there wasn't much there to begin with.

P.S. Oh, and I'm not going back to that website just to find out what kind of attack it is . . . with the possibility of becoming re-re-re-infected.
 

RyanW2050

Senior member
Sep 2, 2005
311
0
0
Is there a way to track all outgoing transmissions, so you could watch at certain times? (Like logging into WoW)
 

kainlongshot

Member
May 18, 2007
55
0
0
Well, there's a free program called PeerGuardian that logs just about every single IP you connect to. No doubt you should catch that culprit, but that's a lot of IPs to sift through. It's free, just Google it. The program was made primarily to log, track, and filter when one uses peer-to-peer programs. It can log your connections in a history file.
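As an added example (not code from the thread or from PeerGuardian), here is the sifting kainlongshot describes done for you: take a connection log, diff the endpoints contacted during a sensitive window such as a game login against a baseline captured while idle, and subtract an allow-list of endpoints the login is known to need. The log format and all addresses are constructed; 192.0.2.20:3724 stands in for the game's realm server.

```python
import re

# Constructed sample log in the shape 'HH:MM:SS proto local remote [state]',
# which a periodic 'netstat -n' capture or a connection-history file reduces to.
SAMPLE_LOG = """\
20:57:10 TCP 192.168.1.5:1044 192.168.1.1:53 ESTABLISHED
20:58:12 TCP 192.168.1.5:1051 198.51.100.7:80 ESTABLISHED
21:00:03 TCP 192.168.1.5:1060 192.0.2.20:3724 ESTABLISHED
21:00:05 TCP 192.168.1.5:1061 192.0.2.20:3724 ESTABLISHED
21:00:07 TCP 192.168.1.5:1062 203.0.113.45:8080 SYN_SENT
21:00:09 UDP 192.168.1.5:1063 203.0.113.45:8080
21:03:00 TCP 192.168.1.5:1070 198.51.100.7:80 ESTABLISHED
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(TCP|UDP)\s+\S+\s+(\S+):(\d+)(?:\s+\S+)?$")


def parse_line(line):
    """Return (timestamp, proto, remote_ip, remote_port), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, ip, port = m.groups()
    return ts, proto, ip, int(port)


def endpoints_between(log_text, start, end):
    """Set of (proto, remote_ip, remote_port) seen within [start, end] (HH:MM:SS strings)."""
    found = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and start <= rec[0] <= end:  # zero-padded HH:MM:SS compares correctly as text
            found.add(rec[1:])
    return found


def unexpected_endpoints(log_text, baseline, window, expected=frozenset()):
    """Endpoints contacted in the sensitive window that were neither seen while idle
    nor on the allow-list of endpoints the activity legitimately needs."""
    seen_idle = endpoints_between(log_text, *baseline)
    seen_window = endpoints_between(log_text, *window)
    return sorted(seen_window - seen_idle - set(expected))


if __name__ == "__main__":
    hits = unexpected_endpoints(SAMPLE_LOG, ("20:55:00", "20:59:59"),
                                ("21:00:00", "21:01:00"), {("TCP", "192.0.2.20", 3724)})
    for proto, ip, port in hits:
        print(f"investigate: {proto} {ip}:{port}")
```

Anything left in the list is a destination the login should not have needed; on the sample it is the 203.0.113.45:8080 pair that appeared right after the login started.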
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: RyanW2050
Well, we know how this particular logger gets in: it's the cursor exploit that autoupdate fixed in April. If you did click THAT type of attack, and you were updated, you're safe.
Also, if you use IE7 on Vista, you would've been immune to web attacks by the ANI Exploit even if you weren't patched (as long as you didn't shut off UAC!). Firefox would've been vulnerable since it doesn't have Protected Mode.

Being that you're on Vista, kainlongshot, it's not likely malware would get far (as long as you left UAC enabled). But it's nice to be sure, and a full take-no-prisoners reformat accomplishes that. If you want to send me a Private Message (PM) with the suspected website, I could look at it for you and maybe get some intel on what's going on there. The PM dealiebob is the padlock icon at the upper-right on any of my posts.

Interesting report: According to Kaspersky Lab, there were over 1000 new flavors of password stealers last month. Kaspersky's malware miscellany for April. That's more than 30 variants a day. This is lucrative for the malware writers. Use antivirus software and also strongly consider using a non-Administrator user account if it works out for you. If you try it and it doesn't work, you can always go back. Limited accounts are lethal to many types of exploits, because even if the payload gets delivered by a working exploit, it's only stolen an unloaded weapon.

 
sale-70-410-exam    | Exam-200-125-pdf    | we-sale-70-410-exam    | hot-sale-70-410-exam    | Latest-exam-700-603-Dumps    | Dumps-98-363-exams-date    | Certs-200-125-date    | Dumps-300-075-exams-date    | hot-sale-book-C8010-726-book    | Hot-Sale-200-310-Exam    | Exam-Description-200-310-dumps?    | hot-sale-book-200-125-book    | Latest-Updated-300-209-Exam    | Dumps-210-260-exams-date    | Download-200-125-Exam-PDF    | Exam-Description-300-101-dumps    | Certs-300-101-date    | Hot-Sale-300-075-Exam    | Latest-exam-200-125-Dumps    | Exam-Description-200-125-dumps    | Latest-Updated-300-075-Exam    | hot-sale-book-210-260-book    | Dumps-200-901-exams-date    | Certs-200-901-date    | Latest-exam-1Z0-062-Dumps    | Hot-Sale-1Z0-062-Exam    | Certs-CSSLP-date    | 100%-Pass-70-383-Exams    | Latest-JN0-360-real-exam-questions    | 100%-Pass-4A0-100-Real-Exam-Questions    | Dumps-300-135-exams-date    | Passed-200-105-Tech-Exams    | Latest-Updated-200-310-Exam    | Download-300-070-Exam-PDF    | Hot-Sale-JN0-360-Exam    | 100%-Pass-JN0-360-Exams    | 100%-Pass-JN0-360-Real-Exam-Questions    | Dumps-JN0-360-exams-date    | Exam-Description-1Z0-876-dumps    | Latest-exam-1Z0-876-Dumps    | Dumps-HPE0-Y53-exams-date    | 2017-Latest-HPE0-Y53-Exam    | 100%-Pass-HPE0-Y53-Real-Exam-Questions    | Pass-4A0-100-Exam    | Latest-4A0-100-Questions    | Dumps-98-365-exams-date    | 2017-Latest-98-365-Exam    | 100%-Pass-VCS-254-Exams    | 2017-Latest-VCS-273-Exam    | Dumps-200-355-exams-date    | 2017-Latest-300-320-Exam    | Pass-300-101-Exam    | 100%-Pass-300-115-Exams    |
http://www.portvapes.co.uk/    | http://www.portvapes.co.uk/    |