Saturday, April 26, 2008

Suspect: Healbot

So I was reading a post over at Big Red Kitty called "You Know We Are At War". Buried in the comments was this little jewel:

"When you download your addon (and these are almost entirely from addons) take a moment before installing them to examine them.

What, you use an autoinstaller? No, or at least not any more unless you’re willing and able to do the checks in the addons folders before running. (Yes, I love Ace's autoinstaller. I do manual checking.)

Anyway, examine them before you load WoW if not before you install. Safe files are those that end in nothing, toc, lua, and txt. Unfortunately all the addons have to have an xml as well so regretfully we have to allow that too. Now anything else is to be treated with caution - but not automatic rejection. For example Auctioneer has an mp3 file, and cycircled (along with most other addons that do visual changes) uses tga files.

If it’s an exe, com, bat, jpg, scr, html, or any other ‘executable’ file extension, stop. Delete."

So I ran a check on my system and sure enough the Healbot addon has both a jpg and an html: FreeMoney.html and myshop_WoW.jpg.

I opened the html and looked at the code. I didn't see anything suspicious. There is no JavaScript in the file at all. I don't have the skills to check the jpg for exploits. I've run Healbot since my reformat, so the thought that this Addon could be the culprit scares and sickens me at the same time.

I'm searching for a tool or something/someone who can give a thumbs up or thumbs down to myshop_WoW.jpg.

If you use Healbot, I recommend you check your Addon folder for the html and jpg and delete them just to be safe.
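A small script that applies the extension rules from the quoted comment to an addon folder and, for any file named .jpg, checks whether the bytes inside actually look like a JPEG (header and end-of-image marker, nothing trailing). This is an added example, not code from the post or from Healbot; the sample folder it builds is constructed to mimic the file names mentioned above and contains no real addon files.

```python
import tempfile
from pathlib import Path

# Extension rules from the quoted comment: text/config files an addon needs,
# media files to inspect but not reject, and file types to delete on sight.
SAFE_EXTS = {"", ".toc", ".lua", ".txt", ".xml"}
CAUTION_EXTS = {".mp3", ".tga"}
DELETE_EXTS = {".exe", ".com", ".bat", ".scr", ".html", ".htm", ".jpg", ".jpeg"}
JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker every JPEG begins with
JPEG_EOI = b"\xff\xd9"      # end-of-image marker a well-formed JPEG ends with

def verdict(path: Path) -> tuple[str, str]:
    """Return (verdict, reason) for one file found in an addon folder."""
    ext = path.suffix.lower()
    if ext in SAFE_EXTS:
        return "ok", "text or config file an addon legitimately needs"
    if ext in CAUTION_EXTS:
        return "caution", "media file; plausible for an addon, inspect it"
    if ext in (".jpg", ".jpeg"):
        # Check the content against the extension: a .jpg that is not a JPEG,
        # or that carries bytes past its end marker, is not just a picture.
        data = path.read_bytes()
        if not data.startswith(JPEG_SOI):
            return "delete", "named .jpg but does not start with a JPEG header"
        end = data.rfind(JPEG_EOI)
        if end < 0:
            return "delete", "JPEG header but no end-of-image marker"
        if trailing := len(data) - end - len(JPEG_EOI):
            return "delete", f"{trailing} bytes after the end-of-image marker"
        return "delete", "looks like a real JPEG, but an addon has no use for one"
    if ext in DELETE_EXTS:
        return "delete", "executable or browser-rendered file type"
    return "caution", "unexpected extension; inspect before loading WoW"

def triage(addon_dir) -> dict[str, tuple[str, str]]:
    """Map every file under addon_dir (relative path) to its verdict."""
    root = Path(addon_dir)
    return {p.relative_to(root).as_posix(): verdict(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def build_sample_addon() -> str:
    """Constructed folder mimicking the file names in the post (not real Healbot)."""
    root = Path(tempfile.mkdtemp(prefix="HealBot_"))
    (root / "HealBot.toc").write_text("## Title: Sample\n")
    (root / "HealBot.lua").write_text("-- addon code\n")
    (root / "FreeMoney.html").write_text("<html><body>shop</body></html>\n")
    (root / "myshop_WoW.jpg").write_bytes(b"<html>not an image</html>")
    (root / "logo.jpg").write_bytes(JPEG_SOI + b"\xfe\x00\x04ok" + JPEG_EOI)
    return str(root)
```

Run `triage("path/to/Interface/AddOns/HealBot")` against a real folder; the header check only tells you whether a .jpg is what it claims to be, not whether a genuine JPEG is safe to decode.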


Gothyelk said...

Thanks - both of those have been deleted. Love your site btw.

Shalkis said...

Jpegs are pictures, so any executable code should just be rendered as an image, not run.

That is, if the decoding routine is working like it's supposed to. There have been cases where the jpeg decoding routine couldn't handle malformed jpegs properly, and ended up overwriting itself with code embedded in the picture. That's called a buffer overrun error. If that's enough to classify jpg as a "dangerous" file type, then toc, lua, xml (or pretty much anything) are as dangerous.

Fortunately, operating system and application vendors have been getting smarter and now it's common practice to check your code for potential buffer overrun errors. And even if they fail to find those, modern processors and operating systems (read: anything made within the last 4 years) contain a feature called the NX (No eXecution) bit. Microsoft calls it DEP.

Basically, what NX does is to mark which parts of the memory contain data and which contain code. If your program tries to execute anything in memory reserved for data (like that jpeg image), your operating system will shut down the malfunctioning program, preventing any potentially malicious code from being run in this way.

Oh.. and even if the addon did contain a malicious exe file, WoW wouldn't touch it, let alone run it. Addons run from within WoW are very limited in what they can and cannot do. They can only execute LUA code, and Blizzard designed LUA. It's impossible for an addon run from within WoW to do anything Blizzard doesn't want, since the addon literally doesn't have the "words" for it.

However.. if the addon's instructions tell you to execute that exe file.. beware. Humans are by far the weakest link when it comes to security. Why break a lock when you can get in by asking someone to open the door for you?

Nilum said...

Just got back to a computer after my flight from Tokyo and delays. So sorry to hear that you got hacked, but it's good to hear that you got almost everything back at least.

Anonymous said...

Hey, over the weekend I was doing a web search for WoWWiki and saw a post up that WoWWiki, Thottbot, Wowhead and Allakhazam (spelling?) all had a trojan keystroke logger in their pop-up ads. Could be your problem there.