Guild Wars Forums - GW Guru
Old May 13, 2008, 01:04 PM // 13:04   #81
Forge Runner
 
cataphract's Avatar
 
Join Date: Aug 2005
Location: Ashford Abbey
Guild: Hey Mallyx [icU]
Profession: Mo/Me
Default

Man-in-the-middle attack?

But that would mean the login process of GW isn't encrypted! OMG!
cataphract is offline   Reply With Quote
Old May 13, 2008, 01:13 PM // 13:13   #82
Ctb
Desert Nomad
 
Join Date: Apr 2006
Profession: W/
Default

Although all the talk about unknown keyloggers and whatnot is very interesting, I think that there's one important point in the conversation that's being ignored: why would anyone waste it on Guild Wars?

If you have the ability to install a currently unknown piece of malicious software, why would you attack a video game instead of bank information or something similarly valuable?

Furthermore, keyloggers are not really invisible, they just run undetected because most people don't continually monitor memory access or file writes. If the keylogger is there, it can be seen because it has to interact with your components - and that means any other program can do the same and catch it in the act.

FileMon would pick up disk writes that the logger makes and any decent firewall would detect and stop access for a keylogger attempting to write back to an attacker's machine. I think it's improbable that anybody would have gone to the trouble to write a special logger/trojan just for Guild Wars attacks and not sold it more widely, in which case it becomes more probable that a more heavily monitored machine gets hit and finds it running.

I think that if there's actually a vulnerability here that's being widely exploited that's not a standard keylogger or trojan, it's most likely in the client.

Here's an interesting thought: when this is finally sorted out, and if it turns out to be an actual attacker of some sort, could anybody who purchases the stolen loot or gold through RMTs be charged as an accomplice to the crime? It would be rather interesting if people buying gold in these sorts of games were exposing themselves to potential federal wire fraud charges or something similarly serious.

Last edited by Ctb; May 13, 2008 at 01:19 PM // 13:19..
Ctb is offline   Reply With Quote
Old May 13, 2008, 01:17 PM // 13:17   #83
Site Legend
 
Join Date: Oct 2005
Default

Name a GW player that's always going on about hacks ingame and on the PlayNC site etc. and you have your answer... got it yet?


bingo!
__________________
Old Skool '05
Malice Black is offline   Reply With Quote
Old May 13, 2008, 01:18 PM // 13:18   #84
Frost Gate Guardian
 
Join Date: Jun 2005
Location: Germany
Guild: [金金金金]
Profession: Me/W
Default

Quote:
Originally Posted by Hissy
Your post
"People like you"...love it hypo hypo happy hippo!

Anyways, for the rest I agree except the "head-in-the-sand attitude" since doing everything you can for your own security has nothing to do with head-in-the-sand.

I took a break off GW for almost a year and forgot my passwords since they are really hard to remember. Bad luck added my old email account got inactive and deleted. It took me almost a week of communication with Anet to get my accounts back and I had to give them loads of information and repeat them often. All I had was one of my keys and the possible email addresses (3 of them were possible for the accounts). They asked me for the store I purchased the copies at, telephone numbers I gave, addresses, 2 char names per account, email addresses etc etc. A lot of mails had to be written till I got it back so I am convinced that retrieving another person's accounts through the support is unlikely.


Actually Anet does a lot for our security, maybe just not enough for most users.

Things they could add:

- The "Lost password" page on the plaync site asks for your account name, date of birth and an image validation before you can proceed. Some additional info like other sites use it might be handy. Like ZIP Code etc.

- They could tell people to give wrong answers to the security questions but that would kill the purpose I guess. It is still advisable imo.

- They could insist on passwords with upper AND lowercase chars including letters and numbers and get rid of the "has to start with a number" restriction.

Maybe some other things as well but the mentioned points would only be helpful for people that don't see them as common sense.

Let's see what there is so far.

- No direct communication between clients without the servers interaction.
- Passwords are not stored on your harddrive or loaded into your RAM.
- Your GW account name can differ from the PlayNC account name so you would have to guess two names.
- Your GW pass can differ from your PlayNC pass.
- A constant note on the log-in screen to remind people that it is bad bad bad to give anyone their passwords or buy gold.
- No session-hash on the PlayNC site in the URL
- R4 128 bit encrypted web site.
- PlayNC: SSL certified to differentiate from phishing sites.
- Ingame packets encrypted with strong and likely random key. Enough people tried to find it to speed up the private server creation.
- Private servers are only accessible with valid accounts so far and there is not much to do on them yet.
- 3rd party program policy
- RMT policy which might have saved a lot of accounts by spreading PHEAR!!!11

So what else are they supposed to do? There is no way to hijack your passwords if your comp is clean. The PlayNC site is well protected or at least as safe as any professional site. The servers are well protected. All transactions and interactions between players are monitored. Packets are well encrypted. They just can't reinvent the internet. Imo they have done a lot to ensure that our accounts are safe. The rest is up to us.

The only option left would be to bind accounts to certain IPs. That would ban all Internet shops users and dial up users though. Not too many static IPs around.

So instead of just saying that "Anet could do more for our account's safety" give some good examples. They might read and consider them. As for me, I see enough done to feel safe.

EDIT:

Quote:
Originally Posted by Turbobusa
What's weird is that it didn't receive any answer. I wonder why.
FUD crypter/keylogger/trojans are available all over the web starting at $10-$XXX PayPal/Paysafecard/Webmoney etc...FUD=Fully UnDetected and tested against all common AVs.

All of them with the option to "destroy" themselves including traces. Just as an example.

More examples?

Even known trojans and keyloggers have undetected stubs that can hide them.

A crypter is harder to find and easier to code. Lots of UD/FUD ones out there if someone is really sick enough to use them. Same goes for downloaders.

And please don't google for them if you have any intentions to use such a tool. You will most likely end up infected. Play the game. It's fun

Last edited by Mystica; May 13, 2008 at 01:29 PM // 13:29..
Mystica is offline   Reply With Quote
Old May 13, 2008, 01:24 PM // 13:24   #85
Ctb
Desert Nomad
 
Join Date: Apr 2006
Profession: W/
Default

Quote:
Originally Posted by Malice Black
Name a GW player that's always going on about hacks ingame and on the PlayNC site etc. and you have your answer... got it yet?


bingo!
That's just insulting. I have encountered a number of apps, shopping carts, and online tools that have had vulnerabilities and I've always reported them. The ONLY time I released one to anybody other than the people responsible for fixing the problem was when I released a proof of concept to a U.S. Army engineer who was giving a presentation on computer security in the military and needed a working example to drive the point home.

To accuse the individual you're referring to like that is just ridiculous. That he finds the problems is not proof that he's behind any of the exploits. Just because there are people who know how to find these things - most of us because we work in fields where we have to be careful not to CREATE them - is a very sad statement on the general public's sorry state of computer literacy.
Ctb is offline   Reply With Quote
Old May 13, 2008, 01:27 PM // 13:27   #86
Grotto Attendant
 
zwei2stein's Avatar
 
Join Date: Jun 2006
Location: Europe
Guild: The German Order [GER]
Profession: N/
Default

Quote:
Originally Posted by Ctb
Although all the talk about unknown keyloggers and whatnot is very interesting, I think that there's one important point in the conversation that's being ignored: why would anyone waste it on Guild Wars?

If you have the ability to install a currently unknown piece of malicious software, why would you attack a video game instead of bank information or something similarly valuable?

Furthermore, keyloggers are not really invisible, they just run undetected because most people don't continually monitor memory access or file writes. If the keylogger is there, it can be seen because it has to interact with your components - and that means any other program can do the same and catch it in the act.

FileMon would pick up disk writes that the logger makes and any decent firewall would detect and stop access for a keylogger attempting to write back to an attacker's machine.

I think that if there's actually a vulnerability here that's being widely exploited that's not a standard keylogger or trojan, it's most likely in the client.
There are kids that are obscesive (spelling?) enough about GW to try it. HOW-TOs and tutorials are available on the net. You don't need to be a genius to put something working together.

They are far from invisible, true. But most people don't have a clue how to look for one as they trust antivirus to protect them. A process can be named confusingly and it can be just another "svchost". A logger does NOT have to write to disk (you need to send info, not store it) and it could call back on port 80, which a normal user machine would have enabled for their browser (launch web browser with url that contains found out password, shut it down when ok received. Clumsy, but just a stupid example).

Anyway, I suggest people also seek out the "HijackThis!" software, which will give them a list of applications which could possibly be some form of spyware/keylogger, as well as a crude (as in, not really working that well) ability to disable that software.
zwei2stein is offline   Reply With Quote
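
The point in the post above, that a logger can sit in the process list as "just another svchost", can be checked mechanically from a process snapshot. The following is an added example, not part of the original thread: it assumes the standard Windows layout in which svchost.exe lives in System32 or SysWOW64 and is started by services.exe, and the `Proc` record, the `audit` function and the sample snapshot are constructed for illustration.

```python
from dataclasses import dataclass
import ntpath  # Windows path rules, usable on any host OS

# Assumption: standard Windows layout for the genuine binary.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_PARENT = "services.exe"
TARGET = "svchost.exe"


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str  # full path of the executable


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss names like 'scvhost.exe'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(procs):
    """Return (pid, reason) for every process that imitates svchost.exe."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        path = ntpath.normpath(p.image).lower()
        name, folder = ntpath.basename(path), ntpath.dirname(path)
        if name == TARGET:
            # Right name, wrong place: the genuine file is only in a system dir.
            if folder not in SYSTEM_DIRS:
                findings.append((p.pid, "svchost.exe outside system directory"))
            # Right name, wrong launcher: the genuine one is a child of services.exe.
            parent = by_pid.get(p.ppid)
            pname = ntpath.basename(parent.image).lower() if parent else None
            if pname != EXPECTED_PARENT:
                findings.append((p.pid, f"unexpected parent: {pname}"))
        elif 0 < edit_distance(name, TARGET) <= 2:
            # Almost the right name, wherever it is stored.
            findings.append((p.pid, f"look-alike name: {name}"))
    return findings


# Constructed snapshot (not captured from a real machine).
SAMPLE = [
    Proc(600, 4, r"C:\Windows\System32\services.exe"),
    Proc(812, 600, r"C:\Windows\System32\svchost.exe"),
    Proc(1500, 1400, r"C:\Windows\explorer.exe"),
    Proc(2040, 1500, r"C:\Users\player\AppData\Roaming\svchost.exe"),
    Proc(2311, 1500, r"C:\Windows\System32\scvhost.exe"),
    Proc(2500, 1500, r"C:\Games\client.exe"),
]

if __name__ == "__main__":
    for pid, reason in audit(SAMPLE):
        print(pid, reason)
```

A clean result here only rules out name masquerading; it says nothing about code injected into a genuine process.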
Old May 13, 2008, 01:37 PM // 13:37   #87
Forge Runner
 
Join Date: Jan 2006
Location: By the Luxon Scavenger
Guild: The Mentalists [THPK]
Profession: N/
Default

But when people do not download any suspicious things and yet get hacked, where does it come from?
Turbobusa is offline   Reply With Quote
Old May 13, 2008, 01:41 PM // 13:41   #88
Lion's Arch Merchant
 
ReiNaruto's Avatar
 
Join Date: Jun 2007
Location: Valencia, Spain
Guild: Green Arse Team
Default

Quote:
Originally Posted by TideSwayer
Where are you getting the download link from? I say this because the link I used originally:

http://wiki.guildwars.com/wiki/Guide...-game_graphics

...links to Texmod hosted on a FileFront server that doesn't even have mirrors for it. Just one link. FWIW, I just downloaded Texmod from that FileFront link, did a virus scan on it (and the Texmod.exe file inside) with Avast and a-squared free malware scanner, and compared the MD5 values with the original Texmod.zip I downloaded late last year, which is still on my hard drive. Same exact MD5, so Texmod, at least from this location, hasn't been sabotaged in any way.
I erased from the wiki the other two links, only left the filefront one, that's the only one that doesn't have the "keylogger" thingie.
ReiNaruto is offline   Reply With Quote
Old May 13, 2008, 01:41 PM // 13:41   #89
Major-General Awesome
 
fenix's Avatar
 
Join Date: Aug 2005
Location: Aussie Trolling Crew HQ - Event Organiser and IRC Tiger
Guild: Ex Talionis [Law], Trinity of the Ascended [ToA]
Profession: W/
Default

Quote:
Originally Posted by Turbobusa
But when people do not download any suspicious things and yet get hacked, where does it come from?
Good old fashioned hacking. IP farming + some GW client exploit, or something in game exploitable, or even email address farming and brute forcing. Doesn't require downloading, could be any number of things. Could just be a simple website like a GW Auction site, with a corrupt admin who knows a few things, and changed coding to record passwords/emails, and got lucky with a few being the same.
fenix is offline   Reply With Quote
Old May 13, 2008, 01:46 PM // 13:46   #90
Wilds Pathfinder
 
TideSwayer's Avatar
 
Join Date: Jul 2005
Guild: We Farm Your [트두므s]
Default

Quote:
Originally Posted by ReiNaruto
I erased from the wiki the other two links, only left the filefront one, that's the only one that doesn't have the "keylogger" thingie.
Interesting...

Last edited by TideSwayer; May 13, 2008 at 01:57 PM // 13:57..
TideSwayer is offline   Reply With Quote
Old May 13, 2008, 01:52 PM // 13:52   #91
Grotto Attendant
 
zwei2stein's Avatar
 
Join Date: Jun 2006
Location: Europe
Guild: The German Order [GER]
Profession: N/
Default

Quote:
Originally Posted by fenix
Good old fashioned hacking. IP farming + some GW client exploit, or something in game exploitable, or even email address farming and brute forcing. Doesn't require downloading, could be any number of things. Could just be a simple website like a GW Auction site, with a corrupt admin who knows a few things, and changed coding to record passwords/emails, and got lucky with a few being the same.
Also, browser exploits. You could follow a "harmless" link to a site which would exploit a vulnerability in the browser and install a keylogger.

Someone can just post links to your attack-site and hope that people follow them.

You can never be too paranoid.
zwei2stein is offline   Reply With Quote
Old May 13, 2008, 01:52 PM // 13:52   #92
Major-General Awesome
 
fenix's Avatar
 
Join Date: Aug 2005
Location: Aussie Trolling Crew HQ - Event Organiser and IRC Tiger
Guild: Ex Talionis [Law], Trinity of the Ascended [ToA]
Profession: W/
Default

I downloaded TexMod from the Tomb Raider link, and it's fine, so no need to remove it as people wouldn't have gotten to that link. I'm guessing ReiNaruto has a bad Antivirus. And I'm gonna guess McAfee, because it likes to detect things in files that aren't there.
fenix is offline   Reply With Quote
Old May 13, 2008, 01:57 PM // 13:57   #93
Hell's Protector
 
Jetdoc's Avatar
 
Join Date: Jul 2005
Guild: The Eyes of Texas [BEVO]
Profession: D/A
Default

Quote:
Originally Posted by Mystica
You do not even need to download trojans actively. There are browser exploits to do that for you. Furthermore they can be hidden in pictures, email attachments and other media.
- Your info is available on several forums and a lot of people tend to give their email addresses away for whatever reason and use their [email protected] as game account. That combined with a weak password is another good way to get your account. There is still the option to exploit forums to get a database full of email addresses. While it is unlikely to crack a salted vBulletin password hash there are a) other forums that have your data with less security and b) email + weak pass is enough in some cases.

I do understand though that nobody would confess that he downloaded something from an unknown source or visited a suspicious website. After all it would destroy your self-given right to QQ.
As I've stated before, my computer is pretty darn clean (especially since it is less than a month old). Norton Antivirus/Internet Security actually ran a detailed sweep of my computer within 24 hours of the attack.

Regarding forums, I have accounts both here at guru and at gwincgamers (which are the only two guildwars related accounts). I don't even have a PlayNC account, and my Xunlai Tournament House account uses a different password. The passwords I use have no relation to my e-mail address or ingame names, so I'm not sure if the "weak" password you're referring to is applicable. The only preventative measure that I can think of that I did not take was changing my password on a regular basis (I had the same password from when I created my account about 3 years ago).

Regarding downloading something from an unknown source or visiting a suspicious website, again...I don't download anything from any odd sources. Heck, I don't even use iTunes or Limewire for that very reason...with my older computers, I had some problems many, many years ago and I learned my lesson. The only websites that I can think of where I could've downloaded an arcane keylogger or a trojan that would not be detected by Norton would be here at guru, gwincgamers, one of the two wikis, or one of the image hosting services (e.g. imageshack) since I visit the sell forum here quite often.

Again, it's easy to be suspicious of the person that got hacked (I know I've been guilty of doing the same when I've seen others' claims), but in this case, I'm not sure how much more I could have done as a reasonable player.

Last edited by Jetdoc; May 13, 2008 at 02:00 PM // 14:00..
Jetdoc is offline   Reply With Quote
Old May 13, 2008, 01:59 PM // 13:59   #94
Krytan Explorer
 
fusa's Avatar
 
Join Date: Mar 2007
Default

Quote:
Originally Posted by Ctb
That's just insulting. I have encountered a number of apps, shopping carts, and online tools that have had vulnerabilities and I've always reported them. The ONLY time I released one to anybody other than the people responsible for fixing the problem was when I released a proof of concept to a U.S. Army engineer who was giving a presentation on computer security in the military and needed a working example to drive the point home.

To accuse the individual you're referring to like that is just ridiculous. That he finds the problems is not proof that he's behind any of the exploits. Just because there are people who know how to find these things - most of us because we work in fields where we have to be careful not to CREATE them - is a very sad statement on the general public's sorry state of computer literacy.
Except that the person Malice Black is referring to has used the hacks he's created for his own personal gain in the past (pre exploit taking tomes, mini mallyx to pre). He has also been involved in several recent exploits in the game, only coming forward after it's publicly posted here on what is occurring.
fusa is offline   Reply With Quote
Old May 13, 2008, 02:16 PM // 14:16   #95
Frost Gate Guardian
 
naughteblonde's Avatar
 
Join Date: Aug 2007
Guild: The Rabid Hamsters [NUBY]
Profession: E/
Default

We already know there's been cases of players interacting with the client in a way that it wasn't intended and in one case it did allow a user to crash the clients of everyone in that area (I think that was back in October 07), i.e. using a program or exploit to interact with other players' clients.
Is it so impossible that something similar could be the case again?
naughteblonde is offline   Reply With Quote
Old May 13, 2008, 02:22 PM // 14:22   #96
Forge Runner
 
Join Date: Jan 2006
Default

Quote:
Originally Posted by Mesmer in Need
Lol as soon as I opened this thread, my Norton Antivirus scan started running. My computer is paranoid for itself lol. Grats for catching him before he did any major damage.
Norton Antivirus doesn't protect against GW "hacks".

You can have every single anti-virus application running, but it will do nothing at all to stop the means through which the hackers attack GW.
Antheus is offline   Reply With Quote
Old May 13, 2008, 02:30 PM // 14:30   #97
Frost Gate Guardian
 
Join Date: Jun 2005
Location: Germany
Guild: [金金金金]
Profession: Me/W
Default

Quote:
Originally Posted by naughteblonde
We already know there's been cases of players interacting with the client in a way that it wasn't intended and in one case it did allow a user to crash the clients of everyone in that area (I think that was back in October 07), i.e. using a program or exploit to interact with other players' clients.
Is it so impossible that something similar could be the case again?
No player interaction involved. It crashed the instance with an invalid packet. Nothing aimed at a specific player.
Example:
If Aliens destroy the world with a badass pew pew laser beam the planet would be lost and though they did not target you, you would be royally f***ed.
Mystica is offline   Reply With Quote
Old May 13, 2008, 02:31 PM // 14:31   #98
Guest
 
Join Date: Jan 2007
Default

doesn't matter anyhow. if the truth gets known it'll get deleted, right?
gone is offline   Reply With Quote
Old May 13, 2008, 02:38 PM // 14:38   #99
Frost Gate Guardian
 
Join Date: Jun 2005
Location: Germany
Guild: [金金金金]
Profession: Me/W
Default

Quote:
Originally Posted by flubber
doesn't matter anyhow. if the truth gets known it'll get deleted, right?
And who is going to play GW2 if you delete all the players?
Mystica is offline   Reply With Quote
Old May 13, 2008, 02:44 PM // 14:44   #100
Guest
 
Join Date: Jan 2007
Default

Quote:
Originally Posted by Mystica
And who is going to play GW2 if you delete all the players?
this isn't about the game per se, my previous post, is about posts, pertaining to what might very well be the reason certain 'hacks' are even floating around. only a few people have access to the info needed to create this sort of garbage. even fewer would waste the time.
gone is offline   Reply With Quote
All times are GMT. The time now is 06:21 PM // 18:21.