WoT – Potential Security Breach

SOURCE

On the German section of the forum, player Flax78 posted something interesting.

I have received a cool message from my firewall today. Apparently someone tried to attack my PC through the CEF_BROWSER_PROCESS.EXE. The IP was from the Ukraine.

Summary of the above: the firewall logged an attack named "Web Attack: JSCoinminer Download 6" from the IP 82.118.20.2, which tried to open the URL search . linkmyc . com/ js/ timeCounter . js?v=20171102 (cut up so you don’t click it like a dingbat). The attack was done through \DEVICE\HARDDISKVOLUME4\GAMES\WORLD_OF_TANKS\RES\CEF\CEF_BROWSER_PROCESS.EXE

The link above points to a JavaScript file that runs a bitcoin miner through Coinhive. The process in question is the Chromium Embedded Framework, the thing that makes the ingame browser work (you can see all the announcements thanks to this). Is there perhaps some kind of mass attack going on, is the CEF in WoT vulnerable, and do Ukrainian h4x0rz want to mine bitcoins on your PCs? There is no conclusive evidence, but tread carefully, and install a firewall (or at least update Windows Defender definitions or something).
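An alert like the one above names a remote address and a process, but not what that process was doing or who started it. The following PowerShell snippet is an added example (it is not from the blog post, the forum thread, or Wargaming) that lists the established TCP connections owned by the CEF renderer process, with each remote endpoint, the process command line, and its parent, so a firewall alert can be tied back to the process and, indirectly, to whatever mod or page was loaded in the ingame browser. The process name `cef_browser_process` is taken from the alert; everything else is assumed.

```powershell
# Added example, not from the blog post: attribute established TCP connections
# to the game's embedded browser process (the CEF renderer named in the alert).
# Requires Windows 8 / Server 2012 or later (NetTCPIP module). Run while the game is open.

$processName = 'cef_browser_process'   # process name from the alert, without .exe

# Win32_Process gives us the command line and parent PID, which Get-Process does not
$procs = Get-CimInstance Win32_Process -Filter "Name = '$processName.exe'"
if (-not $procs) {
    Write-Host "No $processName.exe is running."
    return
}

# Index the processes by PID so each connection can be matched quickly
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

Get-NetTCPConnection -State Established |
    Where-Object { $byPid.ContainsKey([int]$_.OwningProcess) } |
    ForEach-Object {
        $p      = $byPid[[int]$_.OwningProcess]
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

        # Reverse lookup is best effort only; many ad and miner hosts have no PTR record
        $rdns = try { [System.Net.Dns]::GetHostEntry($_.RemoteAddress).HostName } catch { '(no PTR)' }

        [pscustomobject]@{
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            RemoteHost    = $rdns
            Pid           = $p.ProcessId
            Parent        = $parent.Name          # normally the game client that hosts the CEF browser
            CommandLine   = $p.CommandLine        # the renderer's arguments identify which browser instance it is
        }
    } | Format-Table -AutoSize -Wrap
```

The remote addresses the renderer is talking to can then be compared against the address in the firewall alert; a connection whose parent is not the game client, or a renderer with an unexpected command line, is worth a closer look.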


17 thoughts on “WoT – Potential Security Breach”

  1. Last week I found a precomp.exe in the WoT AppData folder that was mining cryptocurrency on my GPU. Fortunately I was monitoring the temperatures and noticed it within a few minutes. The same happened to one of my friends, same exe, same folder.
    This could explain a lot of things…

      1. It was in C:\Users\”YourUser”\AppData\Roaming\Wargaming.net\”suspicious folder that I can’t remember”\precomp.exe
        It’s quite evident in Task Manager (100% GPU), and you can right-click on it and do “Open file path”.
        In taskschd.msc you can find a weird alphanumerical folder with a task that launches precomp.exe after the user logs in to Windows.
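The reply above describes the persistence mechanism by hand: a scheduled task in an oddly named folder that starts an executable from the user's AppData directory at logon. The PowerShell script below is an added example (not written by the commenter, the blog, or Wargaming) that automates that check across every scheduled task on the machine, flagging any task whose action runs a program from a user-profile directory and recording its trigger type, file hash, and last run time. The path under Wargaming.net is the one the commenter gave; the list of suspicious roots and the output columns are assumptions.

```powershell
# Added example, not from the comment above: hunt for scheduled tasks whose action
# runs an executable from a user-profile directory (the pattern described for
# precomp.exe under %AppData%\Roaming\Wargaming.net\<random folder>\).
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.

# Assumption: locations a legitimately installed game or launcher rarely schedules from
$suspectRoots = @('\AppData\Roaming\', '\AppData\Local\', '\Temp\', '\Downloads\')

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only Exec actions carry an Execute property (the program path); skip the rest
        if (-not $action.Execute) { continue }

        # Expand %AppData%-style variables and strip surrounding quotes before matching
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        $hit = $suspectRoots | Where-Object { $exe -like "*$_*" }
        if (-not $hit) { continue }

        $info   = $task | Get-ScheduledTaskInfo
        $exists = Test-Path -LiteralPath $exe

        [pscustomobject]@{
            TaskPath  = $task.TaskPath     # an opaque alphanumeric folder name is itself a warning sign
            TaskName  = $task.TaskName
            State     = $task.State
            Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','  # e.g. MSFT_TaskLogonTrigger
            Execute   = $exe
            Arguments = $action.Arguments
            Exists    = $exists
            Sha256    = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }
            LastRun   = $info.LastRunTime
            Author    = $task.Author
        }
    }
} | Format-Table -AutoSize -Wrap
```

A task with a logon trigger, an executable under AppData, and a random-looking task folder matches the commenter's description; the SHA-256 lets you check the file against a reputation service before deciding whether to remove the task and the binary. Note that `Get-ScheduledTask` lists tasks for the whole machine, so it also catches a task planted under another user's profile.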

  2. 50% chance it’s due to a mod, 50% it’s due to a mod pack. Someone trying to make some extra money from his mods, plus users that click Next/OK to everything in a mod pack installer without even knowing what they are installing and agreeing to, is an awesome combination.

  3. Considering that IP is from a company in Ukraine that works with creating IPs for WG, I would find it hysterical if someone in that company used WoT for bitcoin trojans. But I doubt it.

    If you go to the Symantec support forum, you can find topics from people getting JSCoinminer attacks with different numbers on them. One even got it when he visited the Daily Mail site. So who knows what’s going on… if anything.

  4. I had the same alert on my computer but with the Sandbox client. Also an IP from Ukraine. But I didn’t bother with the details and just blocked it.

  5. http://forum.worldoftanks.eu/index.php?/topic/663251-spionage-software-virus-in-wot/page__st__80__pid__15438689#entry15438689

    UPDATE # 2

    Apparently mods really do use the ingame processes, because the first mod packs have been changed!!!

    When mods do that, in my opinion, the ingame process lacks a protection mechanism.

    Greatdisater will probably talk about it again, but I do not care anymore.

    Mods are officially part of WoT and should never be so free that they can fetch other processes and thus harm the user.

    If this is the case at the moment (and thus becomes really clear), WG must act and either:

    a) cap the mods permissions (whatever)

    b) Allow mods only via a WG own Mod section, which is tested and secure

    c) completely abolish mods.

    Ref. link to Aslain.com (a very popular mod pack)

    In the changelog it says:

    v9.22.0.1 # 10 (22-02-2018):

    – reverted PYmodsCore to an older version Polyacov_Yury mods: radial menu, ut announcer, tank lights, colored chat kill msgs, camo selector. Unfortunately the author of those mods has recently added to his website.

    Whether further mods are affected is questionable.

    To the people who say the OldSkool mods or Aslain etc. are safe and can be trusted….

    I agree with the principle, but as long as people do not program that themselves and only put mods together in a mod pack, imo nothing is really safe!

    In Pro Mod a lot is done by myself, which is very good. Whether that also applies to the UT Announcer and the Radial Menu, I am just clarifying in the thread.

    Aslain has already reacted and adapted his ModPack.

    The fact is, until there is clear clarification, I currently rate them as safe.

    I do not want to offend anyone, and you cannot blame the mod pack creators.

    I respect and appreciate their great work!

    Only the individual programmers who want to fool the users, you would have the head xxxxx

    So long …

  6. v9.22.0.1 #10 (22-02-2018):
    – reverted PYmodsCore to an older version [critical to all users of modpack #07-#09 who are installing one of following Polyacov_Yury mods: radial menu, ut announcer, tank lights, colored chat kill msgs, camo selector. Unfortunately the author of that mods has added recently an unwanted connection to his website that is loading ads and creating suspicious and unwanted traffic in background using the game process]