I was downloading the D3 beta today. While downloading it I decided to turn the bot on and farm some honor for the start of the new season. When I turned HB on, my Malwarebytes blocked an attempt to reach a potentially malicious site by the process agent.exe. I decided to google agent.exe; nothing off the start. Then I googled "warcraft agent.exe" and found that this is a process for D3 that monitors for 3rd-party applications. Considering it just happened, I doubt anything would happen to my account for at least a few hours or days; regardless, should we hold off on botting while D3 is installed?
Call me stupid, but what is D3? If you're using an unofficial version of Honorbuddy, the application might have been bound with a malicious file; otherwise I don't see there being a 3rd-party program monitoring your data, as that would be a retarded method by Blizzard: botters wouldn't bot when they saw that process, and a simple if statement could be made upon opening Honorbuddy to protect against that.
I use official HB. D3 is Diablo 3, and yes, the process is there now in beta; however, I'm sure it will be hidden at a later date.
IP-BLOCK 218.10.254.67 (Type: outgoing, Port: 6881, Process: agent.exe)
IP-BLOCK 218.10.254.67 (Type: outgoing, Port: 6881, Process: agent.exe)
IP-BLOCK 218.10.254.67 (Type: outgoing, Port: 63210, Process: agent.exe)
IP-BLOCK 98.142.251.68 (Type: outgoing, Port: 6881, Process: agent.exe)
IP-BLOCK 98.142.251.68 (Type: outgoing, Port: 6881, Process: agent.exe)
Just a random posting from the logs.
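An added triage helper, not part of the thread, that parses Malwarebytes IP-BLOCK lines like the ones quoted above and groups them by process, destination and port so repeated blocks collapse into one row per peer. The field layout is assumed from the quoted lines, and the sample input is constructed from them; the comment on port 6881 reflects the conventional BitTorrent default, which is why one low port reused across several peers suggests a protocol default rather than random ephemeral traffic.

```python
import re
from collections import Counter

# Constructed sample: the five IP-BLOCK lines quoted in the post above.
SAMPLE_LOG = """\
IP-BLOCK 218.10.254.67 (Type: outgoing, Port: 6881, Process: agent.exe)
IP-BLOCK 218.10.254.67 (Type: outgoing, Port: 6881, Process: agent.exe)
IP-BLOCK 218.10.254.67 (Type: outgoing, Port: 63210, Process: agent.exe)
IP-BLOCK 98.142.251.68 (Type: outgoing, Port: 6881, Process: agent.exe)
IP-BLOCK 98.142.251.68 (Type: outgoing, Port: 6881, Process: agent.exe)
"""

# One IP-BLOCK line; the field order (Type, Port, Process) is assumed from the quoted lines.
LINE_RE = re.compile(
    r"^IP-BLOCK\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\(Type:\s*(?P<direction>\w+),\s*Port:\s*(?P<port>\d+),\s*Process:\s*(?P<proc>[^)]+)\)$"
)

# Well-known port annotations used for triage; 6881 is the conventional BitTorrent default.
KNOWN_PORTS = {6881: "bittorrent (conventional default)"}


def parse_ip_blocks(text):
    """Return (process, direction, ip, port) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["proc"].strip(), m["direction"], m["ip"], int(m["port"])))
    return events


def summarize(events):
    """Count blocked connections per (process, ip, port) so duplicates become one row with a count."""
    return Counter((proc, ip, port) for proc, _direction, ip, port in events)


def ports_for_process(events, proc):
    """Sorted distinct remote ports a given process was blocked on."""
    return sorted({port for p, _d, _ip, port in events if p == proc})


def annotate_ports(ports):
    """Map each port to a label: a known-port note, or 'ephemeral/unknown' for high or unlisted ports."""
    return {port: KNOWN_PORTS.get(port, "ephemeral/unknown") for port in ports}


if __name__ == "__main__":
    evs = parse_ip_blocks(SAMPLE_LOG)
    for (proc, ip, port), n in sorted(summarize(evs).items()):
        print(f"{proc:12} {ip:16} port {port:<6} blocked {n}x")
    print(annotate_ports(ports_for_process(evs, "agent.exe")))
```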
Do you think it would be possible to reverse engineer agent.exe to possibly get an understanding of Warden?