Imagine the following situation: a character in the game who appears to be a member of a popular guild approaches your character and promises some attractive items, such as rare mounts (animals you can ride), weapons, etc.
It is very likely that the attacker has neither these items nor a valid code for them.
Consequently, the victim never receives a valid code or item. The trap: the attacker can get players to enter a single command line in the chat window:
/run RemoveExtraSpaces=RunScript
The WoW interface (for example, the action bar, chat, and other graphics … everything in 2D) and add-ons (for example, interface improvements) are written in the Lua scripting language.
Both sides of this assignment, RemoveExtraSpaces as well as RunScript, are valid functions and part of the WoW Lua API, but entering this single line of code in the chat window changes the behavior of the WoW user interface.
What Does This Code Actually Do?
/run is a command that interprets the text that follows it as a Lua script.
RemoveExtraSpaces is an internal function that removes unwanted spaces in the text.
RunScript is a function that executes text as Lua code (similar to the /run command).
Why Is This a Threat?
The RemoveExtraSpaces function is called for each new chat message that a player receives. The above command overrides the RemoveExtraSpaces function with the RunScript function, which in software development is called interception, or hooking.
Once the original function has been replaced, each new chat message is interpreted as Lua code and executed immediately. The scenario plays out as follows.
An unsuspecting player enters the command line in his own chat window because the stranger’s character in the game sounded very convincing when he said something like “enter this code and magical things will happen.” Instead of winning magic items, the player has become a victim.
What we have shown above is a relatively harmless example of such abuse, a proof of concept (PoC). In reality, however, this means that the attacker can now remotely control the victim’s interface.
This is very similar to the behavior that Trojans usually display on computers: they present themselves as useful and then unfold their malicious behavior. In a real attack, the attackers do not pop up a message box with the text “Test” but run a different script, which we explain in the next section.
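The replacement described above, reproduced outside the game as an added example (not code from the original article): plain Lua in which the stand-in RunScript only records its input, followed by a check that detects the swapped global and restores it. The stand-in functions, the chat handler and all helper names are assumptions and not the real WoW API.

```lua
-- Constructed stand-ins that mimic the roles described in the text; they are
-- NOT the real WoW API. This RunScript only records what it was handed.
local executed = {}
function RunScript(text) executed[#executed + 1] = text end
function RemoveExtraSpaces(text) return (text:gsub("%s+", " ")) end

-- Hypothetical chat pipeline: it looks the cleanup function up by its
-- global name for every incoming message.
local function on_chat_message(text)
  return RemoveExtraSpaces(text)
end

-- Defender side: remember the original function values of sensitive globals.
local watched = { "RemoveExtraSpaces", "RunScript" }
local baseline = {}
for _, name in ipairs(watched) do baseline[name] = _G[name] end

-- Return the names whose global no longer points at the original function.
local function find_replaced_globals()
  local changed = {}
  for _, name in ipairs(watched) do
    if _G[name] ~= baseline[name] then changed[#changed + 1] = name end
  end
  return changed
end

-- Put the original functions back.
local function restore_globals()
  for _, name in ipairs(watched) do _G[name] = baseline[name] end
end

-- Before the assignment: messages are only tidied up.
assert(on_chat_message("hello   world") == "hello world")
assert(#find_replaced_globals() == 0)

-- The assignment from the article, applied to the stand-ins.
RemoveExtraSpaces = RunScript
on_chat_message('show_box("Test")')   -- constructed message, now handed to RunScript
assert(executed[1] == 'show_box("Test")')
assert(find_replaced_globals()[1] == "RemoveExtraSpaces")

-- After restoring, chat text is treated as data again.
restore_globals()
assert(on_chat_message("a  b") == "a b")
assert(#executed == 1)
print("replaced global detected and restored")
```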
Temporary Persistence and Hidden Commands
Once the command line has been executed, a message like the one shown above is no longer displayed to the victim but is executed immediately. The fact that the chat feature no longer works may make the victim suspicious and may even lead to a restart of the game.
We suspect that the attacker quickly responds by “solving this problem”: he sends the above command, which sets up a new communication channel and then, most likely, re-enables the chat function for the victim.
To understand the meaning of this code, you need to know that WoW add-ons can communicate over a hidden channel (locally and remotely). This channel is set up using the “CHAT_MSG_ADDON” event.
The script creates a frame (line 2; z) on which various properties can be set. The script registers for the CHAT_MSG_ADDON event with a specific prefix (lines 6 and 25). Only those who know the chosen prefix can now secretly monitor the victim’s hijacked interface. The prefix works like a secret password.
Each time the hijacked interface receives a CHAT_MSG_ADDON event with the specified secret prefix, the code runs in the background and is not visible to the victim.
In the end, as long as the attacker does not want you to see the actions he performs on the account, he will not show what is happening.
Although it is add-ons that can communicate via this hidden channel, the attacked player does not need to have any add-on installed for the attack to work. This is a new development in attacks on WoW.
What harm can be done?
Since the attacker has unrestricted access to the victim’s user interface, he can check where the victim’s character is on the virtual map in order to approach it in the game. Normally, an attacker would not be able to get detailed information about other players.
In WoW, players can trade items with each other. To do this, the two characters must be physically close to each other and then exchange the items.
If the attacker identifies the location of the victim’s character and is in the victim’s game zone, he can now remotely open a trade window, add items and/or gold on the victim’s side, and click the button that accepts the exchange. He can effectively rob the victim.
Our scenario describes a social engineering attack combined with a technical attack. For example, compromised clients can be used to send convincing chat messages to other players.
This simple but effective script can then be used on guild members, friends, etc. to manipulate even more characters in the game. As we all know, messages from colleagues and friends are regarded as trustworthy.
How can I protect myself?
No matter how simple it may sound: do not enter script code in the chat window! Question every request you receive in the chat window.
In the example above, we talked about the attacking character in the game, who belonged to a popular guild.
Well, he pretended to be a member of such a popular guild, but in reality he is not. He chose a famous guild and copied its name.
He replaced the lowercase letter “L” in the name with a capital “I”. You may already know this technique from typosquatting and phishing attacks.
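A check for the name trick described above, as an added example that is not part of the original article: plain Lua that folds look-alike characters and reports which known guild a name imitates. The guild names are constructed, and the confusable pairs other than I/l are an assumption that goes beyond the case in the text.

```lua
-- Characters that look alike in many fonts, folded to one representative.
-- The I/l pair is the one from the article; the others are assumed additions.
local confusable = { I = "l", ["1"] = "l", ["0"] = "o", O = "o" }

-- Reduce a name to its visual "skeleton": fold confusables, then lowercase.
local function skeleton(name)
  local folded = name:gsub(".", function(c) return confusable[c] or c end)
  return folded:lower()
end

-- Return the known guild that a name imitates, or nil if the name is an
-- exact match or resembles nothing on the list.
local function imitated_guild(name, known_guilds)
  for _, guild in ipairs(known_guilds) do
    if name == guild then return nil end          -- genuine, byte-identical
  end
  local sk = skeleton(name)
  for _, guild in ipairs(known_guilds) do
    if skeleton(guild) == sk then return guild end
  end
  return nil
end

-- Constructed guild names for illustration.
local known = { "Eternal Flame", "Silver Lions" }
assert(imitated_guild("Eternal Flame", known) == nil)
assert(imitated_guild("EternaI FIame", known) == "Eternal Flame")  -- capital I for l
assert(imitated_guild("SiIver Lions", known) == "Silver Lions")
assert(imitated_guild("Night Owls", known) == nil)
print("lookalike check passed")
```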
Be careful when downloading third-party add-ons: use reliable and popular sites and keep your add-ons up to date.
Someone could add the relevant line of code to their add-on, and the add-on as a whole could then be used as a vehicle for attack. A similar problem was observed in 2014, when the so-called “ElvUI backdoor” was identified in an add-on.
Only Blizzard can fix the problem itself. It must ensure that such a function cannot be overridden. While this article was being written, Blizzard yesterday released a preliminary version for the next expansion, Legion.
It responds to script attacks by implementing a warning message that appears after a script has been entered but before it is executed.
If you select Yes, the message is permanently disabled. A restart does not bring it back either; the question is no longer displayed. To re-enable it, you must manually delete the line of code in the configuration … in fact, only this line:
Line to delete: SET AllowDangerousScripts "1"
Path: World of Warcraft\WTF\Account\<ACCOUNT NAME>