Microsoft System Certificate Roots Modified by FireHack.exe

Last night I noticed that Microsoft System Certificates Roots (which I highlight on the screenshot attached below) were modified by a program called “Firehack” (a premium multi-hack for retail World of Warcraft). Firehack.exe is only supposed to access and modify WoW-64.exe in memory; it makes no sense for Firehack.exe to be modifying Microsoft System Certificates like \SmartCardRoot – \AuthRoot – \Root or HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\Schannel.

Do programs usually access Microsoft System Certificates like \SmartCardRoot – \AuthRoot – \Root or is this unusual behavior? I have sensitive information on my system, and I’m worried that this could compromise the integrity of my system’s decryption certificates since its certificate directories have been modified.

I thought this program was safe to run because my friend uses it and made me install it to play with him, so I “Allowed” all of the Host Intrusion Prevention warnings without reading them (I know, bad move), but after looking at my entry logs for Defense+ the modification to the certificate directory scared me.

As of now FireHack.exe has no internet access, all its permissions have been revoked, and there were no significant data transfers (6 kb in, 1 kb out) over the duration of its existence on my system.

[attachment deleted by admin]

Cracks are hacks, what can I say.
You take your chances.

:frowning: what?

You used a hacked (cracked) program (you stated that yourself). You the user must accept responsibility for knowingly running something that could potentially damage your system.

It depends on the general activity whether it is potentially unwanted / malicious. This is usually stated in the VirusTotal report – you will get some hints from the detection name (e.g. Riskware:Gamehack).
You could submit it for manual analysis with Valkyrie. :-La

—Reply for John— No, it’s an API (it’s meant to be modified) so the program is modified by my friend. He just writes the scripts and uses “firehack” to channel them into the game. It turns out the modifications to the Certificate directory were used for authentication purposes. --Instead of blaming me for using an untrusted program, Moderators on the Malwarebytes forum were kind enough to answer my question.

“Certificates are stored in what is called the Certificate Store. There are “Personal”, “Other People”, “Trusted” and “Intermediate” as well as “Untrusted”. They are not stored in the Registry. Certificates are stored in the User Profiles. They are accessible by using Internet Explorer… Tools → Internet Options → Content → Certificates
There is what is called a Certificate Chain. That is, there will be a Trusted Root Certificate, an Intermediate Certificate and the Certificate assigned to a Person, Program or web site.
Programs do in fact access the store quite regularly. It may be because you are using HTTPS and SSL to access a web site. It may be because a Program issued by Adobe or some other legitimate source will have a Publishers Certificate. The OS has to check the validity of a Certificate by Accessing a Certificate Revocation List ( CRL ) and make sure the Certificate trust chain is intact. This is done via the Online Certificate Status Protocol (OCSP) and Windows Vista and above rely heavily upon it.”

Thanks qmarius, I’ll give it a shot, though I think it’s fine now.

As stated is where your problem is with using a hack, no problem if the hack is safe.

Big problem if it is not.

Sorry but using hacks in any way or form, is a problem for the user themselves as only their computer will be affected good or bad in allowing these actions.
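
Added example, not part of any post in this thread: a PowerShell script that records the thumbprints in the machine certificate stores named in the first post (Root, AuthRoot, SmartCardRoot) and reports certificates added or removed since a saved baseline. The baseline path and the function name Get-RootStoreSnapshot are assumptions made for this example.

```powershell
# Added example: baseline and diff the machine root certificate stores.
# The baseline path is a hypothetical location chosen for this example.
param(
    [string]$BaselinePath = "$env:ProgramData\root-store-baseline.csv",
    [switch]$SaveBaseline
)

# Stores named in the thread (\Root, \AuthRoot, \SmartCardRoot)
$stores = 'Root', 'AuthRoot', 'SmartCardRoot'

function Get-RootStoreSnapshot {
    foreach ($store in $stores) {
        $path = "Cert:\LocalMachine\$store"
        if (-not (Test-Path $path)) { continue }   # store absent on this Windows version
        Get-ChildItem -Path $path | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter.ToString('u')
            }
        }
    }
}

$current = @(Get-RootStoreSnapshot)

if ($SaveBaseline) {
    # Run this on a system state you trust; later runs compare against it.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Saved $($current.Count) entries to $BaselinePath"
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run once with -SaveBaseline on a known-good system."
}

$baseline = @(Import-Csv -Path $BaselinePath)

# '=>' marks entries present now but not in the baseline; '<=' marks removed entries.
Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
        -Property Store, Thumbprint -PassThru |
    Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
                  Store, Thumbprint, Subject, Issuer, NotAfter |
    Sort-Object Change, Store, Subject
```

Windows itself adds roots to these stores through automatic root updates, so an "Added" entry is a prompt to check the subject and issuer, not proof of tampering.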