5 replies to this topic

[Arwen]

I have a long standing account in an online RPG. My character is fairly wealthy in game terms, is head of a wealthy 'clan' which has a wealthy bank account. Or 'had'. Recently while online and in the game chat room with another clan officer we received a message from another player which said 'have fun with Ophcrack and John the Ripper'. By the time we realised what these names meant, the bank account had been emptied out.

Now I am not particularly worried about losing imaginary stuff in an online game, however having researched a little into these programs, as far as I can see, they are password retrieving programs which can also be used to infiltrate a third party's computer via Windows or whatever system they may use. Only three people had the password to this account, myself and two friends. It was never given out to anyone else. I personally use Windows XP home, my one friend has a Mac and the other a laptop using Windows. I have run Spybot and my antivirus and found nothing untowards. Addressing the wider issue here, I am interested to know how these programs work and what threat they pose to our general security. Was one of our three computers gotten into? Can we avoid it happening again? I have, by the way, changed my Windows password to one over 14 digits long as I understand that this makes it unguessable by these programs.

[Budfred]

It is likely that what you are describing is a keylogger rather than a password cracker... Keyloggers record each keystroke and some of them will dig through old records for things that look like account numbers and passwords... This suggests that one of you has a keylogger and that everything you have done on the computer is at risk... It would be a good idea to read the FAQ and run scans, then post a log in Malware Removal to have it checked... This would apply to you and the other person using Windows...

[Arwen]

Hi
Thanks for your advice. I have run AVG and hijackthis. Before I post the logs in a thread in 'Malware', it would seem that my AVG log is very, very long Should I post it as is, or would it be better to link it in some way?

[Budfred]

If the AVG AS log is full of cookies (which is typical), you can delete the duplicate cookies and just post the most relevant sections, but be sure to note that in the post so that the helper knows what you did... If there isn't anything other than cookies, you can probably just say you ran AVG AS and that is all you got...

[racooper]

Ophtcrack and John the Ripper are password "auditing" programs that have legitimate uses in security administration. They are normally used by network admins to test the strength of passwords on their network/Active Directory/NT domains and *nix boxen.

It sounds like someone was able to get ahold of a couple of your local PC registry files (called SYSTEM and SAM, located in %windir%\system32\config) and run password cracking routines against them. Now, if your PC password and game password were the same, then that makes it easy to "guess" once your PC password(s) are known. So, good security tip: never use the same password for important services!

I would certainly follow Budfred's advice and post HijackThis logs from both Windows PCs in the Malware Removal forum. It's possible that you have a trojan of some sort installed that's designed to capture passwords, or even the registry files needed. I would also say, however, that this sounds like a targeted attack; the perpetrator sounds like he/she knows about your character's worth and holdings, and wanted a piece for him/herself. I wonder, if you still have access to the character(s) in question, are there logs of transactions available that might help track this down and get the culprit suspended from the game?

[Arwen]

Personally I have always used separate passwords for different types of account; I can't speak for my friend of course.
We are pretty certain that yes this was a targeted 'attack' by someone with a grudge. The admins of the game in question haven't been able to do much since the person in question was clever enough not to transfer all our stuff to him/herself. Anyway we have modified all our passwords but it remains incredible that someone should take a game so seriously that they would pull a stunt like this

I've posted my log in the Malware thread as suggested.
Thanks!