
Is this .exe up to something?



#1 67789


Posted 18 November 2015 - 12:49 AM

Hello. I'm sorry if this is the wrong forum or, not to mind that, the wrong forums for this kind of query, but I have a file here that I have cause to be suspicious about. It's from an emulated world of warcraft server (which is to say you modify one file in your client that designates what server it should connect to and make it connect to a small private machine containing a third party program called a server core which then emulates the software found on Blizzard Entertainment's actual company servers, sending similar messages back and forth between clients and storing information blah blah,) I play on, found here. This server recently updated from one expansion pack (Mists of Pandaria) to another (Warlords of Draenor, specifically patch 6.2.2a, if it helps) and now everyone's game clients need to be updated to continue connecting. In order to facilitate this, the staff have provided an incredibly stripped down and minuscule 12 MB client (full scale WoW clients are typically more than 10 GB and can be over 20 gigs) which has all the essential data and streams the rest during play. That tiny client is what I am suspicious about, and comes in the form of a compressed folder and can be found in this link hosted on their site for your perusal. This is not new or alien to world of warcraft in general. Blizzard themselves have had the functionality to stream most of the data during play since at least Cataclysm, which was the expansion before Mists of Pandaria, but that's somewhat unimportant. What's important is that I know the people who devised this modified client and I don't trust them as far as I could throw them, and can absolutely see them trying to slip some rootkit or trojan in on the back of the data stream in the hope some idiot has financially sensitive information lying around unencrypted or whatever.

 

Now, this is mildly irrelevant to me. I don't have any financially valuable accounts on other games to be stolen, I don't keep any important personal details like PIN numbers to be uncovered, I don't write soggy embarrassing poetry or have any compromising pictures of myself suffering through coitus with Miley Cyrus to spread all over tumblr, so in theory I could just encrypt the absolute bleep out of everything and keep it on an external and nuke all cookies and leftover trash files and the rest of that security jazz and do my thing, but it's against basic principle to just let people go through my hard drive at their whim. It's mine.

 

So the first instruction in the connection guide for the new Warlords of Draenor server after you've converted your existing account and then downloaded the compressed folder above is to run an .exe in that folder called RPHConnect.exe. So I did what any paranoid internet denizen does when told to run an executable and chucked it straight into VirusTotal, yielding a negative result on everything (AVG, Avast, McAfee, BitDefender, the works) except for an obscure antivirus I've never heard of before called Qihoo-360, which coughed up the result "HEUR/QVM06.1.Malware.Gen."

 

Full analysis page here. While I know that 1/54 is very good and this is probably just a false positive, I'm very hesitant (read: paranoid paranoid paranoid) to discount the idea that this developer who is capable of doing the job of Blizzard's whole maintenance team and keeping things running smoothly is not also capable of meticulously testing his own special little malware baby against all the major antiviruses one by one and making sure it doesn't make their alarm bells ring and that he just didn't pay attention to Qihoo-360 because it's too small and underused. They're quite clever and I don't trust them even a little bit.

 

But I don't know where to go with that. I don't have any of the expertise I would need to peel the .exe apart and see exactly what it does or where it streams from or what it is streaming (well actually the wow-64.exe or wow.exe also found in the compressed folder I linked should theoretically do the streaming, so I really don't know what RPHConnect.exe does at all and I suppose that's just one more reason to be suspicious about it,) and I don't trust my own antivirus to pick up on anything devious it does because it already registers the file as clean on VirusTotal. So I'm hoping that someone around here has the programming skills to do some reverse compiling magic stuff on the .exe and see if it does anything outside downloading world of warcraft files to a world of warcraft folder. I've heard things about running RPHConnect.exe making people's Windows Explorer go unresponsive, which makes me very suspicious for reasons I'm sure I don't need to explain in a place like this.

 

I'm not even sure what I'm asking for. I'll recognise files that are a necessary part of WoW, so if anyone here knows how to run suspect files like this in a controlled environment while logging everything they do and what traffic they send and receive that might shed some light on it? What do you even do first to tell if an .exe makes it possible for a hacker to view the contents of your computer? If it does allow for browsing in folders where it has no business, I would certainly settle for some method to lock it down and prevent it from accessing anything but what it needs to access to function as a WoW client. If you need to know anything about World of Warcraft emulation before you can say what is and isn't safe, this site contains a significant wealth of information about the practice and will probably tell you everything important, but don't quote me on that, I'm not in the business, as it were. I don't know how much work this kind of investigation calls for so if I'm unwittingly begging for days of your time here then I apologise profusely for presuming to ask for that much effort.

 

I'm sorry if I'm barking up the wrong tree and if someone has some other community more specifically dedicated to tearing out the guts of potentially dangerous programs and figuring out what they're doing to send me on to, that would be very helpful, especially if the place is full of antisocial geniuses who unwind puzzles like this in twenty minutes for the fun of it.

 

Lastly, please don't give me advice like "if you don't trust them don't play on their server." I recognise this is indeed wisdom, but if I hadn't already decided I was going to cautiously risk it anyway I wouldn't be here looking to make sure. Thank you in advance.





#2 Didier Stevens


Posted 19 November 2015 - 03:53 PM

Reverse engineering 12MB of binary code is a gigantic amount of work. This is not realistic.

 

If you have nothing that they can steal from you, then why not just run it in VM?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Aura


Posted 19 November 2015 - 03:55 PM

You could also submit that executable to the Hybrid-Analysis website and post the report URL here. There might be some useful information in it.

https://www.hybrid-analysis.com/

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 67789


Posted 19 November 2015 - 05:03 PM

Reverse engineering 12MB of binary code is a gigantic amount of work. This is not realistic.

 

If you have nothing that they can steal from you, then why not just run it in VM?

 

Understandable. What's a VM, and is there an instruction manual suitable for braindead narks that you can give me?

 

 

You could also submit that executable to Hybrid-Analysis website and post the report URL here. There might be some useful information in it.

https://www.hybrid-analysis.com/

 

Oh, that's actually awesome, thanks. Here are the results it spat out.

 

https://www.hybrid-analysis.com/sample/541821279e2d91fff664bd19238fd20fe7aeeb957efe1596d2d7300082e59d6b?environmentId=2

 

It's in Elvish, I can't read it.
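Added example (Python, written for this page, not posted by anyone in the thread): a sandbox report only tells you about the exact file that was uploaded, so before relying on its verdict, confirm that the SHA-256 embedded in the Hybrid-Analysis report URL equals the hash of the file you actually have on disk. The bytes hashed below are a constructed placeholder, not the real RPHConnect.exe.

```python
import hashlib
import os
import re
import tempfile
from typing import Optional

# Constructed placeholder standing in for a downloaded file so the example runs
# offline. It is NOT the real RPHConnect.exe from the thread.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real executable"

# Report URL posted in the thread; the path segment after /sample/ is the SHA-256
# of the file that was actually analysed.
REPORT_URL = ("https://www.hybrid-analysis.com/sample/"
              "541821279e2d91fff664bd19238fd20fe7aeeb957efe1596d2d7300082e59d6b?environmentId=2")

_SAMPLE_HASH_RE = re.compile(r"/sample/([0-9a-fA-F]{64})")


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so a large archive need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_from_report_url(url: str) -> Optional[str]:
    """Pull the 64-hex-char SHA-256 out of a Hybrid-Analysis sample URL, or None."""
    match = _SAMPLE_HASH_RE.search(url)
    return match.group(1).lower() if match else None


def report_matches_file(url: str, local_sha256: str) -> bool:
    """True only if the report URL names exactly the hash computed locally."""
    expected = hash_from_report_url(url)
    return expected is not None and expected == local_sha256.lower()


def check_constructed_sample() -> dict:
    """Write the placeholder to disk, hash it from disk, compare with the thread's report."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE_BYTES)
        path = tmp.name
    try:
        file_hash = sha256_of_file(path)
    finally:
        os.remove(path)
    return {"disk_hash_equals_memory_hash": file_hash == sha256_of_bytes(SAMPLE_BYTES),
            "matches_thread_report": report_matches_file(REPORT_URL, file_hash)}
```

Replace the placeholder with `sha256_of_file("path/to/downloaded/file")` to check a real download; a mismatch means the report is about a different file and its verdict does not apply to yours.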



#5 Didier Stevens


Posted 19 November 2015 - 05:04 PM

A VM is a virtual machine. VMware has software that allows you to create and run virtual machines.

But if you've never done that, it's not easy to get started.




#6 67789


Posted 23 November 2015 - 04:09 AM

Thank you all for your assistance.





