While the Incgamers malware problem is fixed, it looks like there's another malware flare-up in the world of addons. The WoW Ace Updater, according to many users, may be passing off a trojan from an ad in the guise of an antivirus program. The program, called WinFixer, pops up in a window and (in some cases automatically) installs malware while claiming your computer is compromised and that you need to buy the full retail version to fix it. It can be detected and removed by Spybot Search and Destroy and VundoFix, and Symantec includes instructions on how to manually remove it here. Wowace.com site owner Kaelten has disabled the ads on WoW Ace Updater completely for now, and is talking to his ad provider to find out what went wrong and which ads might be causing problems.
This isn't the first time a popular WoW site has had trouble with trojans in ads, and unfortunately, it is unlikely to be the last. Kaelten seems to be on top of it, though, so hopefully he'll get to the bottom of these claims. Since the ads are currently disabled, the program itself should already be safe to use. If you're feeling a bit skittish, though, you can check out some of Sean's recommendations for other upgrade programs here.
I should note that, being a religious user of WoW Ace Updater myself (I run it at least a good 5 times a week), I just made sure to scan my computer with the aforementioned Spybot Search and Destroy as well as AVG Free Edition. According to those programs, it has a clean bill of health.

Reader Comments (Page 1 of 3)
4-16-2008 @ 9:39AM
MightyIdle said...
I think I can confirm this. I'm an 'information security' professional so my gear is well locked down and I have measures in place to warn me when something sneaky is trying to install itself onto my machine. The other day, while updating my mods with WoW Ace Updater, I had a drive by install attempt on my machine.
There are quite a few vulnerabilities within Microsoft products that will allow this kind of thing to happen without the user doing anything but simply viewing the harmful content in a web browser. You have to be very careful where you surf.
The biggest step you can take to protect yourself is to make sure all of your patches are up to date. Not just your Microsoft patches, but things like Java, Flash, and any other apps you have installed. Running good anti-virus, anti-spyware, and anti-rootkit software is also important. AVG makes free versions of all three product types you can download.
4-16-2008 @ 9:43AM
MightyIdle said...
I should also add that surfing the web using Firefox with the NoScript plugin will make you a bit more secure. Internet Explorer is the biggest target for malware at the moment. It wouldn't help you in the case described above, but it'll give you some measure of protection when visiting regular websites.
4-16-2008 @ 1:11PM
Sakerin said...
I also use Firefox with NoScript (and Adblock), and am a religious user of the Ace Updater and I must say that the way this program is hard-coded to use the inferior and insecure Internet Explorer browser has always made me nervous that something like this would happen.
4-16-2008 @ 9:42AM
Smurrf said...
One good thing about Ace is that, if you're at all worried about the downloader or ad trojans, you can simply bypass them.
http://files.wowace.com/Omen , for instance, will always point you to the latest version of Omen.
You can do the same for Recount, PallyPower, and any other wowace addon. Make bookmarks for each page, make sure the right addon is at the end of the link (and it's case sensitive too; notice the O is capped), and you're good to go.
Does this take more time than using the downloader? Yes. Is it more secure? Oh hell yes. And I wished that other sites allowed the same method of pointing to latest updates.
4-16-2008 @ 9:44AM
Nogun said...
And suddenly WowAceUpdater is missing its ad banners.
4-16-2008 @ 9:45AM
Smurrf said...
Sorry, that should have pointed to http://files.wowace.com/Omen/Omen.zip . D'oh.
4-16-2008 @ 9:55AM
Juju said...
This is sickening. Sylvanaar was warned of this security vulnerability many months ago, and his only response was basically, "Why are you being mean to me? I do this for fun."
An open-source developer should know better. Sir, your irresponsible views on security will now cause people to log on to naked characters.
4-16-2008 @ 10:06AM
souvlaki said...
freeware opensource
4-16-2008 @ 10:08AM
souvlaki said...
Arrows were not displayed. I'll use words instead :)
freeware is not opensource
4-16-2008 @ 10:16AM
Juju said...
Thanks, souvlaki. I was going off the comments in the sourceforge comment thread linked from the other thread, but it appears they closed the source after people complained about the ads. Pure ignorance.
http://sourceforge.net/forum/forum.php?forum_id=757575
4-16-2008 @ 10:05AM
Naix said...
Here are some helpful security tips from a computer security professional.
1. Use Firefox - Get ad blocker - Get NoScript
2. Update your Windows, Flash, Java patches weekly
3. Change your password to 10 or more characters
4. Put your password into an encrypted file. At the WoW login screen, alt+tab out, copy your password, and paste it into the password box.
Do this and you should be malware free.
Companies hire me to tell them to update. I think it's kinda silly but I will still cash their checks.
4-16-2008 @ 10:10AM
Dyermaker said...
Having Firefox installed and using it is not enough. You must make it your default browser too. Nothing is worse than allowing IE to pop up when you are not thinking about it.
4-16-2008 @ 10:11AM
Doc3216 said...
Most keyloggers/trojans do a memory scan, making C&P passwords just as vulnerable as people who type them in.
4-16-2008 @ 10:13AM
Juju said...
None of those things would save you in this case.
And if you really think Copy-and-pasting is a viable way around keyloggers, I really think you should think that through. Because it's wrong.
4-16-2008 @ 10:20AM
Ryan said...
I prefer sandboxie (which confines malicious scripts) over noscript. With the latter I always end up having to temporarily allow script on nearly every site I visit, which gets really old really fast.
4-16-2008 @ 10:38AM
Naix said...
"None of those things would save you in this case."
Wait wait Wait wait Wait wait.....WHAT?!?
So using a browser with no support for activex, disabling all pop ups and banner ads, and taking it a step further by not allowing flash or scripts to run would not save you?
Having security updates to software (antivirus, windows, java...) that use network protocols does not save you?
Using a strong password that is changed frequently does not save you?
Based on the nature of how key loggers operate, a key logger by definition tracks keyboard input. Besides, if the key logger reads all of your memory, the person the key logger is sending the data to would have 1000's of lines of code to read through. Do a memory dump sometime and see just how much readable data you can pick out.
Please do a little research on computer security before you babble out a response.
4-16-2008 @ 10:44AM
Juju said...
Naix, according to the Sourceforge thread linked from the Wowace thread, the program embeds IE to display the ads. So yes, running firefox won't save you.
The trojans don't capture a snapshot of your entire memory. They specifically grab the password out of Wow's memory space. They also capture the clipboard, and download all of your saved passwords from your browser.
4-16-2008 @ 10:45AM
Naix said...
Juju
I guess we should call every corporate company in the world and tell them "Juju said that security patches, anti virus, and strong password can not keep your systems safe."
Next we should call Symantec and let them in on the good news they can close their operations based on Juju's findings.
Lastly Microsoft will be happy to hear they can eliminate the windows update group because they are no longer needed.
Way to go, Juju. Information security experts everywhere thank you for showing us the way.
BAHAAHHAHAHA!!!!!
4-16-2008 @ 10:51AM
Naix said...
Notice how I never said to USE wowace updater. If you use Firefox to begin with, you won't be able to get a key logger.
Use http://passwordsafe.sourceforge.net/ to encrypt your password even in memory.
4-16-2008 @ 11:00AM
Juju said...
Naix, I'm simply saying that those things won't save you in this specific instance. They are of course good practice, and I frequently recommend them. However, you're coming off sounding like you're safe from this specific case if you do all those things, and there isn't any evidence of that. The sane path is to not use WAU at all.