Discord 'Spidey Bot' Malware Is Stealing Usernames, Passwords

News
By published

Antivirus software is your best bet at beating the malware

(Image credit: Sharaf Maksumov/Shutterstock)

Hey, gamers and alt-right trolls -- a new Discord piece of malware is coming to get ya!

Called "Spidey Bot" by its discoverers, the Windows malware injects itself into Discord's code and steals your username, email address, IP address, phone number and Discord user token. 

The malware also copies the first 50 characters of your Windows clipboard, which might contain your password if you've copied and pasted it recently, and creates a "backdoor" so that more malware can be installed. Macs don't seem to be affected.

If you're not familiar with Discord, it's chat software often used by PC gamers that has also been picked up lately by people who've been kicked off Reddit and Twitter for particularly unsavory comments. 

Unfortunately, you won't be able to tell if your Discord application is infected. [UPDATE: It turns out you can -- see the end of this story.] Even if you do, you'll have to delete the Discord software and reinstall it to make sure you're clean. All you can do is make sure you're running the best antivirus software, which should block the malware.

Discord itself doesn't seem to be too helpful in responding to user concerns.

But sadly, Discord is right. There's not that much the software maker can do from its end at the moment, except maybe to tell people to access Discord on their phone or gaming console instead of on a PC or Mac. 

Discord's Windows and Mac client is built on Electron, a open-source framework that creates applications out of the Chromium web-browser engine and JavaScript. 

Like the desktop clients of other Electron-built apps such as Slack, Signal and Skype, the Discord desktop application is really just a big web browser, and it's going to run whatever JavaScript you feed it.

A couple of the Twitter complainers with whom Discord corresponded pointed out that Discord might want to encrypt certain parts of its JavaScript library. That might be a long-term solution, but it's not going to help anyone right now.

UPDATE: Bleeping Computer updated its own article on Spidey Bot with a method by which Discord users can check to see if their Discord desktop installations have been infected.

Spidey Bot targets only two files in the Discord application folder:

 %AppData%\Discord\[version]\modules\discord_modules\index.js 

and 

%AppData%\Discord\[version]\modules\discord_desktop_core\index.js

Open each of these files in Notepad. Each should have only a single line of code. If either has more than one line, your Discord build is compromised and should be uninstalled.

Bleeping Computer also proposed that Discord perform a file-integrity check every time the application is launched to prevent against further compromise. That feature doesn't seem to exist in the application right now, but it wouldn't be hard to add in a future software update.

TOPICS
Paul Wagenseil
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.