Keylogger

[Vince]

So I have good reason to believe that I've been the subject of a keylogger. I am typically pretty anal about what I do and don't download, and I have NoScript installed on my Firefox to make sure that only the things that I want to see are allowed on my computer. Is there any way you guys can think of to trace where I might have picked this thing up from, so I can avoid it happening in the future?

[wahoomac]

If you found the keylogger, see when it was created. Then try and find other things created around the same time. I had a keylogger once, and I traced it back to a downloaded file (based on timestamps), and I avoided that site from then on. That's about the only thing I can think.

[Deattribution]

Yeah, it can be difficult to trace those kind of things. You can look at the folder it was located in for clues, and as wahoomac suggested figure out the date on it. Also sometimes you can google the specific name of it and find out where other people picked it up if it's common.

You want to make sure it's not a false positive if you aren't already sure too. AVG had a false positive on a keylogger a couple weeks back and it was fixed the following day. There are a few sites you can upload the file and have it analyzed by several different scans if you're not sure. (virustotal.com and virusscan.jotti.org are two I can think of).

[CraigSca]

Just for my own edification, what leads you to believe you're the victim of a keylogger? Was it a virus check or something else?

[Vince]

My World of Warcraft account was hacked. I have no other evidence (I bank online and such, and none of that has been affected), so I think the whole thing was specifically targeted to get my Warcraft account, not anything else.

I have had very little time this week to be online, so I haven't been able to spend much time looking for the source (still haven't found the keylogging program). Thanks for the advice on ways to find out about it though - I'll be searching for programs/files created on or around the same time as this thing.

[LionsFan10]

Quote:

Originally Posted by Vince

My World of Warcraft account was hacked. I have no other evidence (I bank online and such, and none of that has been affected), so I think the whole thing was specifically targeted to get my Warcraft account, not anything else.

I have had very little time this week to be online, so I haven't been able to spend much time looking for the source (still haven't found the keylogging program). Thanks for the advice on ways to find out about it though - I'll be searching for programs/files created on or around the same time as this thing.

If it was World of Warcraft that was hacked, it's almost 99% positive that you picked up the keylogger from a downloaded mod. Unless of course, you don't use mods in WoW (though I've never seen a person who doesn't).

Check out which mods you've downloaded/installed recently, and you'll probably find your culprit.

[Alan T]

Quote:

Originally Posted by Vince

My World of Warcraft account was hacked. I have no other evidence (I bank online and such, and none of that has been affected), so I think the whole thing was specifically targeted to get my Warcraft account, not anything else.

I have had very little time this week to be online, so I haven't been able to spend much time looking for the source (still haven't found the keylogging program). Thanks for the advice on ways to find out about it though - I'll be searching for programs/files created on or around the same time as this thing.

Vince,

If your WoW account was hacked, you probably were the victim of an Iframe vulnerability that currently is out on over 200,000 websites as of the last count. I'm not a WoW player, but I work for a anti-virus software company that had had plenty of internal memos about this.

You should have been protected from this type of attack if you were using firefox with no-script. Go into your no-script options and click on the Plugins tab. About 5 lines down there should be one that says "Forbid IFRAME", see if that is checked or not. I think at one point no-script came default with that unchecked, where it really should be checked.

Most of the online games (WoW, EQ, etc) have been having horrible times with people hacking a popular website, inserting a rogue iframe into the page that shows up as invisible or not-noticable, but that iframe pulls information from another site that then can infect your system if you don't have the latest security patches installed.

Anyhows, I could go on more about this if you want me to, but for now based on what you have said, check that to see if that is what happened to you.

[Vince]

Thanks for the heads-up Alan, the Forbid IFrame was indeed unchecked. Now I just have to find the stupid thing that's on my machine. Anyone have any recommendations for anti-virus software, or even a free scan that would do the trick?

[Alan T]

Quote:

Originally Posted by Vince

Thanks for the heads-up Alan, the Forbid IFrame was indeed unchecked. Now I just have to find the stupid thing that's on my machine. Anyone have any recommendations for anti-virus software, or even a free scan that would do the trick?

If you aren't running anti-virus, you should at least go get one of the free ones that are pretty decent. Some people swear that they hate using anti-virus because it slows down their system, but they stop swearing that the first time they get hit. I think alot of people seem to be happy with free version of AVG (Not the anti-virus company I work for..)

HERE is the Cert warning regarding this issue.. as for fixing it after the fact, I'd have to look into more information on this virus.. I don't personally deal with viruses as part of my job, and I'm not really a computer guy. (I am a network engineer/network security architect) Generally speaking though, you'll want to identify what you were hit with, and follow published procedures to remove the said trojan. A more general approach is to do a full system scan with anti-virus software, as well as getting anti-spyware software to do a full system scan as well and start from there.

[Vince]

I actually have no problem purchasing an anti-virus software - I fall under those "stop swearing that the first time they get hit" heading. I just want to make sure it's gone, so I don't have to worry about opening new accounts or using other passwords and such anymore.