A little corner of the Empire on the web.

19 August, 2008

EVE Central Market Upload Utility Trojan Keylogger Warning

Please see the update at the bottom of this article. I no longer suspect EVE Central or it's Market Uploader utility of any wrongdoing here.

So a friend of mine found that around a £1000 of money had been siphoned from his bank account recently (all in bank transfers of under £150). After talking to the bank about he found that the attacker had got into his bank account using the web login.

The question then became, how did they get his password? Like me, he works in IT so is pretty savvy about security generally, so had no idea how anyone could have got a keylogger onto either his home or work PC.

After much searching around he finally found this blog post a Mule in EvE: Learn and live to fight again that pointed to the fact that someone else had found a Trojan keylogger (a piece of malicious software similar to a virus that logs all of your typing and sends it to someone else on the internet) hidden inside the popular Market Upload utility from EVE Central. This is a popular tool that allows players of the game EVE Online to upload data about the ingame market place to a website where analysis can be run.

He rang me to let me know (as I also play EVE and have this tool installed), and sure enough a "deep scan" by Sunbelt Software's VIPRE Antivirus found the following trojan on my PC: Trojan-Spy.Win32.KeyLogger.acm, hidden in the "evec_upload.exe" file in the "EVE-Central MarketUploader".

Not good news, so one removal, uninstall and a few hours changing passwords later, here we are warning the rest of the public about this. As EVE-Central doesn't have any kind of public forum to post in, I'm putting this up here whilst I mail the developers for comment.

Please note that I am not blaming the EVE-Central developers here at all, I have no idea whether they are simply the victims of being unwittingly hacked themselves, or whether they are doing this deliberately. Also there is the possibility that this could be a false alarm and something in the way the Market Uploader was written is accidentally triggering a false warning in the anti virus software.

I am also most definitely not blaming CCP or EVE Online. CCP have made a great game that many, many people enjoy every day, and neither myself or EVE-Central are affiliated with them.

Update 20/8/08: Having carried out further investigation and emailed back and forth with Yann of Eve-Central it seems that we were too hasty assigning blame here. I no longer suspect EVE Central or it's Market Uploader utility of any wrongdoing here. I'm sorry for any misunderstanding or distress that could have been caused by this.

An up to date version of the VIPRE Antivirus doesn't pick up the "EVE-Central.com MarketUploader" as any kind of malware (or 'bad' software) at all.

From Yann:

I've been distributing the same package file since mid 2007. Its been at some time been listed as a Trojan all these major AV products, but detection had improved so the false positives were eliminated within a few update cycles.

It seems that some fairly old virus was written by someone using the same software that Yanne used to create the Market Uploader. This means that it has ended up looking slightly similar to an old virus, and has been at one time flagged up by many of the major anti-virus products, and then cleared again a few updates later as they fine-tune their virus detection.

This is a bit like if I used the same powerdrill to put up my shelves, as some serial killer used to do nasty stuff to people. Just because we both used the same tool, and both used it to drill holes, doesn't mean that I had anything like the same intention or outcome as the murderer.

Hmm tortuous analogy!


  1. Do you know if this has been fixed?

  2. Sorry only just realised that I never published my update here.

    After further investigation, I now don't believe that EVE-Central did anything wrong here, there is nothing wrong with it at all.


  3. TrendMicro OfficeScan version 7 (engine 8.950.1094 pattern 6.501) also reports a trojan within "evec_upload.exe"
    Previous pattern files did not report any virus