Concerned about last night's attack on customs and MALWARE

I am not a programmer by any means, so I don't know how these things work exactly. What I do know is that I found out that some of the lobby names that were responsible for last night's attack suggested that our computers are now infected with malware.

Is this a bluff, or should we be concerned?

The attack, from my understanding, only caused issues while your Starcraft II client was running, and quitting out of the game entirely solved the problem.

I have also been told that the problem has gone away from multiple people I trust who are more invested in the problem than I am, but I haven’t seen a proper resource about this so I would maintain concerns about opening the custom games tab while connected to the internet.


My biggest concern is the attackers claiming that they had malware involved. Somebody had managed to see all the lobby names. The claims are what concern me. Unfortunately I cannot post the link to the image, but there are a few posts on the SC subreddit with the imgur link.

Sounds like they found a way to overflow the lobby name buffer. Maybe they overflowed the map name. It sounds like an injection exploit. The first places I'd check would be the map / lobby name validation algorithms. You look for user inputs that have complex algorithms. Complex algorithms tend to have bugs. With user input it can provoke a bug that allows code to be injected. Probably puts the lobby info in an SQL database and it's an SQL injection.

Imagine being so stupid as to hack a video game service. Now the FBI is gonna throw your butt in prison for 10 years. If you are going to take on that kind of risk, at least do it on something worthwhile.

Always, always, always, strip user inputs of non-abcd characters before passing them off to the rest of the code.


I do not have that kind of technical prowess, but I did run a virus scan and it came back negative. I'm both hoping that it didn't fail and that these lowlifes get locked up like the bastards they are.

Also, I would like to point out that I submitted a support ticket about it three days ago. I have heard nothing but crickets.

It is not malware but probably an HTML script that can crash the game into an error. However, you can import literally any file in a custom map. You can even import a virus.exe.

So it sounds like our computers are fine provided we didn't actually download the map(s) that crashed the game. Thank Christ.

Still, I'm leaving SC2 uninstalled until my support ticket is answered, though it has taken a few days already.

Even if you downloaded the bad maps it’s highly doubtful that your computer would be at risk. If all that happened is that someone uploaded maps that make the client crash, it’s basically a non issue.

Doubtful. There is a 0.0% chance that the map files are anything but configuration files. The game reads settings out of these files. To get executable code to be run you'd have to find a bug in the code that reads the config files and inject executable code via the config. AKA extremely difficult to do, and probably not possible.

It's a shame that after several days there is still no response from technical support. They may have removed the malicious maps from the arcade, but the problem still exists because the vulnerability has not been removed. The game is not patched. Another guy can do the very same attack any time. Not sure if there is any point in playing the game until it is patched.


This is kind of true. Maps are more like a ZIP or RAR archive; they have folders with Galaxy scripts, often triggers that are in-game actions, terrain data, placed units, imported files. You can import a trojan, but executing it may not be something the map can do. Still, if the bnet system has no way to detect such imports, then that's poor.

Yep, they are called MPQ archives. I always found it curious that they used zlib for their compression. Lempel-Ziv variants are guaranteed to at least match zlib in size but are drastically faster to decompress. It's basically a no-brainer. LZMA has drastically better compression but is about as fast to decompress. Either way, it's just better.

They do have some embedded scripting, but it would be colossally stupid if they allowed binary data to be embedded and/or file downloading or imports from inside the scripts. The only data that should be embeddable is ASCII characters. Any data that the scripts reference would be loaded separately via config files and have their own validation process. It would be very hard to do any kind of injection exploit with those measures, which is why I think it's highly unlikely to download a virus via the SC2 arcade. More likely than not, someone made a map that provoked a UI bug in the SC2 client, which wouldn't show up until they published the map, at which point in time it was too late.

What's more curious is that SC2 maps use some kind of custom scripting language. I personally never use anything but Lua. Lua is mature, robust, has the ability to generate C++ bindings, and it has "JIT" compilation which makes it lightning fast. It can also be compiled with nedmalloc which makes it parallel. Each Lua sandbox can be run on a separate thread. That's one of the big challenges of building a parallel game engine. You have to get the scripting libraries to run in parallel too, and good luck with that.

Regardless, the script binding functions should always validate parameters and throw exceptions if the parameters fail a sanity check. Basically all user inputs should be validated at all times. You can even catch lagging mechanics and/or infinite loops if the binding function starts a sub-thread and waits for the task to complete while checking on a timer. If it takes too long it can kill the thread and throw an exception. It's not rocket science; modern C++ makes these things very easy to implement.

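The validating binding with a watchdog timer that the post above describes (and the allow-list input check an earlier reply recommends), as an added example that is not from this thread or from the game's own code. `bindSpawnUnits`, `spawnUnits` and the 32-character name policy are hypothetical; note that a C++ thread cannot be killed outright, so the watchdog cancels cooperatively via a flag and then joins the worker.

```cpp
#include <atomic>
#include <cctype>
#include <chrono>
#include <cstdint>
#include <future>
#include <stdexcept>
#include <string>
#include <thread>

// Threads can't be killed safely: the watchdog sets this, the worker polls it, the binding joins.
struct CancelToken { std::atomic<bool> stop{false}; };
// Allow-list check for a script-supplied name (constructed policy: 1..32 ASCII alnum/space/_).
static bool validName(const std::string& s) {
    if (s.empty() || s.size() > 32) return false;
    for (unsigned char c : s)
        if (!std::isalnum(c) && c != ' ' && c != '_') return false;
    return true;
}
// Hypothetical engine work, paced so that a time budget can expire.
static std::uint64_t spawnUnits(std::uint64_t count, const CancelToken& tok) {
    std::uint64_t spawned = 0;
    for (; spawned < count && !tok.stop.load(); ++spawned)
        if (spawned % 100 == 0) std::this_thread::sleep_for(std::chrono::milliseconds(1));
    return spawned;
}
// The binding: reject bad parameters first, then run the task under a
// time budget and throw if it overruns.
std::uint64_t bindSpawnUnits(const std::string& name, long long count,
                             std::chrono::milliseconds budget) {
    if (!validName(name)) throw std::invalid_argument("bad lobby name");
    if (count < 0 || count > 10000) throw std::out_of_range("count out of range");
    CancelToken tok;
    auto fut = std::async(std::launch::async, spawnUnits,
                          static_cast<std::uint64_t>(count), std::cref(tok));
    if (fut.wait_for(budget) == std::future_status::timeout) {
        tok.stop = true;   // cooperative cancel, then wait for the worker
        fut.get();
        throw std::runtime_error("script call exceeded its time budget");
    }
    return fut.get();
}
// 0 = ok, 1 = parameter rejected, 2 = watchdog fired.
int callStatus(const std::string& name, long long count, int budgetMs) {
    try { bindSpawnUnits(name, count, std::chrono::milliseconds(budgetMs)); return 0; }
    catch (const std::logic_error&) { return 1; }
    catch (const std::runtime_error&) { return 2; }
}
```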

From what I understand, it is the Lobby Titles/map Titles that have been exploited for an injection, not the maps themselves. It occurs from loading the Lobby List.


This. My friend said this could be quite easy if it just checks the link for whether there's actual map content, and if not, then doesn't load it.


An injection exploit is where you inject code into an application and trick the application into running it. I still haven’t seen any reliable sources on what’s actually happening, but it’s probably just a bug that causes the client to crash and not an injection exploit. Anyone who has the technical skills to do an injection exploit is also smart enough to know it is a colossally stupid idea. I would be extremely surprised if it’s anything but a bug that causes the game client to crash (probably related to the UI).

Hey all,

Here's a breakdown of the exploit written by a community member on GitHub's forums. It explains quite a bit about the threats that people have been speculating about.


I hate how High Voltage is using his expertise to ruin our experience instead of using it to make something cool