MyOpinion, to games in Block Blasters: Theft of $32k in crypto from a stage 4 cancer patient due to valve’s incompetence in allowing malware on their platform

Crapto is a total scam. Stop putting your money into this damn Ponzi scheme.

ms_lane,

I would have agreed a year ago.

But the only clearing houses for online transactions turned out to be a bunch of right wing stooges that hate LGBT and Adult Games.

ryathal, to games in Block Blasters: Theft of $32k in crypto from a stage 4 cancer patient due to valve’s incompetence in allowing malware on their platform

This seems way too hostile to valve for what this really was.

lazynooblet,

If it’s true that the malicious game has been available for a month then steam has some blame.

AwesomeLowlander,

Why so? Assuming this is the 1st complaint against the game, what was steam supposed to do in the past month?

kbobabob,

Obviously, Steam is supposed to vet the source code of every game thoroughly before it ever gets put up for sale.

AwesomeLowlander,

I wonder how many people are taking your statement at face value without recognising the sarcasm…

KuroiKaze,

It’s not sarcastic. That’s exactly how most of these platforms work behind the scenes. They run automated, dynamic and static analysis against all the app code looking for potentially harmful signatures.

AwesomeLowlander,

Pretty sure Steam already does that. And no automated (or even manual) analysis is going to be 100% foolproof, or we wouldn’t be worrying about supply chain attacks in Linux. So that puts us back at square one.

KuroiKaze,

Yeah that’s literally what I said. Seems like the previous guy didn’t understand that. I don’t know why anyone would downvote me for just explaining how it works.

AwesomeLowlander,

I think because in the context of the discussion, you’re (probably unintentionally?) making it sound like Steam is at fault for not catching the malware.

KuroiKaze,

I mean that’s explicitly what the document above says. They call it a colossal failure of valve to allow such incredibly brazen malware to exist on their store. If you read the forensic analysis, the writers definitely are very much blaming valve for the breach.

AwesomeLowlander, (edited )

Yes, and a lot of people disagree with them, because the authors are dumb.

KuroiKaze,

I mean it’s a pretty technical deep dive and they actually managed to uncover the bad guys and are willing to work with law enforcement to help see Justice done. Not exactly sure how you think they are dumb.

AwesomeLowlander,

You can be smart on some stuff and dumb in others. Their dumb take was on somehow deciding valve was responsible without providing any sort of logical reasoning.

Nibodhika,

That’s not analyzing the code. Also almost assuredly steam does that. Finally that wouldn’t catch this since it was a back door, as long as the attacker didn’t use it it would not be detected by any automated means.

KuroiKaze,

That’s called cloaking and you are right that it’s not easy to find which is why you have to trip the payload with varied approaches. Reverse engineers generally are tipped off by suspicious code artifacts then start diving in. I guess the lesson here is that people really overestimated steam’s capabilities at keeping out bad stuff and you should definitely never install any game that you’re not familiar with.

pulsewidth,

Dumb take. There are many ways to scan software without needing access to the source code.

Do you think retail antivirus providers approach every developer of every program version to request a copy of their source code for review before they can verify it’s safe?

Modern_medicine_isnt,

Steam could easily have automation that installs and runs games in a sandbox. Then watches what they do. The things it needed to do to steal the crypto should be vastly different than what a game should be allowed to do.

dafta,

This isn’t foolproof. A lot of malware these days is resistant to analysis because they can detect that they’re running in a sandbox and refuse to run the malicious code.

Modern_medicine_isnt,

I chose not to spell out the full test. The fact is, valve could do it. It is just somewhat expensive. Make a law that game distributors are liable for losses if they distribute malware and you would see how well they could do it.

dogs0n,

It isn’t easy as you say.

If they could let us run games in a sandbox/virtualised area that would be amazing though. That’s a very big ask though.

I do know that xbox consoles run games in their own hyper-v vm which gives extra protections to us from most malicious code.

Obviously this would be hard for Steam to implement, but it would be a very nice measure.

Modern_medicine_isnt,

I didn’t say it was easy. The fact is, valve could do it. It is just somewhat expensive. Make a law that game distributors are liable for losses if they distribute malware and you would see how well they could do it.

dogs0n,

I believe you said it was easy in the first sentence of the comment I replied to, though maybe I am reading it wrong and you are speaking on something else.

Nevertheless, they surely have the money to make some type of sandboxed environment for us to run games in, but I can also see why they haven’t since they have so many other things in the works right now and I believe they famously don’t have that many employees (they could hire more, but that could ruin their workflow, etc, not sure). Still, I would like to see this somewhere in the future so I can be a bit more carefree when running less known games.

Maybe this is something that operating systems need to do for us though, I don’t know. Xbox can do it because Windows/HyperV allow it to, but they are created by the same company so the lines are blurred a bit. Not to mention use cases for PC gaming are much wider in scope, so the sandbox environment would have a lot more things to consider (probably).

Anyways I still think this would be sorta far fetched, but I can dream it will soon exist.

Not sure how I feel about making software distributors liable for the malware (it would make any smaller stores go out of business straight away for sure).

Modern_medicine_isnt,

You are right I did say easy. In my head I meant that valve pay for it and such, not that it was technically easy. But what I typed didn’t line up.

And as far as sandboxing, I wasn’t really thinking vm sandboxing, I was thinking they could literally take a whole pc, run the game and see what it does. I assume they could probably do that in a less labor intensive way like run it in the cloud and watch for the process to try to detect that as well. All in all I was thinking more testing env, and not end user changes. Cause yeah, end user support for isolating processes should be on the OS.

But in general, they should do a better job vetting publishers and ensuring those publishers can be held accountable. That is hard to do without blocking out the smaller publishers, but I have faith that if they put a few minds to it, they could figure it out. Probably could contract out the planning part to some experts so they wouldn’t have to perm hire a lot. Might even be able to contract out the vetting so they could pass the liability on.

A crazy thought just hit me. Something like fdic insurance. Won’t happen with this admin in the US, but if the gov setup the vetting guidelines, they could insure the vetters for damages if they followed the guidelines. That would spur vetters into existence that valve and others could then contract. Pipe dream I am sure.

Die4Ever,

There are so many ways malware could get through that. What if it waits for a specific date or a certain amount of progress in the game? This automated sandbox probably wouldn’t be smart enough to beat the game, certainly not with as many games as they have.

Modern_medicine_isnt,

I chose not to spell out the full test. The fact is, valve could do it. It is just somewhat expensive. Make a law that game distributors are liable for losses if they distribute malware and you would see how well they could do it.

Nibodhika,

Have you seen the malware? It would have passed that test.

pulsewidth, (edited )

It had a password protected zip file in an update that hid the payload. That is pretty damn basic and would not have gotten past any retail antivirus program’s heuristic detection.

Chances are that Valve is treated as a ‘trusted publisher’ by Microsoft Defender and thus it bypassed the scan. The malware payload even explicitly checks that no retail antivirus was installed, and that Microsoft Defender was active, prior to attempting to extract and run its payload.

(See comments above from other users for explicit details regarding the malware)

Nibodhika,

Password protected zip file is also a way to deliver content an indie dev might use to lock content, so that on its own is not enough, but also the “payload” was connecting to a remote server, which is not indication of bad behavior, lots of games connect to remote servers and receive commands from there, e.g. event X starts now, or something. Except in this case it allowed a reverse shell.

pulsewidth,

Citation please for any indie dev using passworded zip files to lock game content. That would be a pretty dumb approach given all retail security suites / antiviruses will flag a password-protected archive as suspect by default (because they’re so commonly used in the past to distribute malware).

Nibodhika,

Here’s a steam forum of someone asking why some devs do that from a year ago: steamcommunity.com/…/4423184558852867037/ so it is done by other devs.

pulsewidth,

Thanks for the effort digging. This does not actually point out any game doing it in particular though, and it’s actually a perfect example of a working antivirus picking up a suspect file (a password protected archive) in a game’s install tree.

This is from Aug 2024 and could even be from one of the games that distributed malware. It’s absolutely something that Steam should be blocking/flagging for manual review, and a huge red flag that any developer would use this as a tool for distributing their game content.

Nibodhika,

How is a password protected zip file different from an encrypted blob? And a quick Google will show you dozens of devs asking how to do this in different engines, because it’s a very simple way to delay access to something, it won’t be permanent, but it can allow you to do stuff like pre-loading that game/DLC and activate them remotely.

pulsewidth,

The difference is that passworded zip files are used to distribute malware regularly. For a few reasons such as they’re very simple to use (malware creators are often lazy) and they can generally be unpacked with preinstalled libraries or programs on the OS. A random encrypted file will require a DLL or runtime that can unpack the blob, and antivirus engines find that kind of stuff packaged together very sus.
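
The check argued over in the comments above, flagging password-protected ZIP archives inside a game's install tree, written out as an added example (not part of any comment in this thread, and not Valve's or any antivirus vendor's code). The directory layout, file names and archives are constructed samples, and the "encrypted" archive only has its header flag set by hand.

```python
import io
import os
import tempfile
import zipfile

ENCRYPTED_FLAG = 0x1  # ZIP general-purpose flag bit 0: member is encrypted


def encrypted_members(path):
    """Names of members whose central-directory entry is marked encrypted."""
    try:
        with zipfile.ZipFile(path) as zf:
            return [m.filename for m in zf.infolist()
                    if m.flag_bits & ENCRYPTED_FLAG]
    except (zipfile.BadZipFile, OSError):
        return []  # unreadable or truncated archive: nothing to report here


def scan_tree(root):
    """Walk an install tree and map each archive that holds encrypted
    members to the names of those members."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Decide by content, not extension: archives are often renamed.
            if not zipfile.is_zipfile(full):
                continue
            hits = encrypted_members(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def make_zip(member, payload, mark_encrypted=False):
    """Constructed sample archive. Python's zipfile cannot write encrypted
    members, so the flag is patched into the headers; the data stays plain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        # The flags field sits 6 bytes into the local file header and
        # 8 bytes into the central-directory header.
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            raw[raw.find(signature) + flag_offset] |= ENCRYPTED_FLAG
    return bytes(raw)


def run_demo():
    """Build a constructed install tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "update"))
        samples = {
            "levels.zip": make_zip("level1.txt", b"plain game data"),
            # Renamed archive with the encrypted flag set (constructed).
            os.path.join("update", "assets.dat"):
                make_zip("payload.bin", b"x" * 32, mark_encrypted=True),
            "readme.txt": b"not an archive",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return scan_tree(root)


if __name__ == "__main__":
    for archive, members in run_demo().items():
        print(f"{archive}: encrypted members {members}")
```

A hit from a scan like this is a reason to queue the build for manual review, not a verdict on its own.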

Modern_medicine_isnt,

Clearly it passed their test. But it was not undetectable.

ryathal,

Malware creation and detection are billion dollar industries playing an eternal cat and mouse game with each other. These programs don’t just instantly try to steal every file the second they run.

Modern_medicine_isnt,

I am decently versed in the game of cat and mouse. The fact is, valve could do it. It is just somewhat expensive. Make a law that game distributors are liable for losses if they distribute malware and you would see how well they could do it.

pulsewidth,

It really isn’t. Scanning code for vulnerabilities should be at a very high standard for the dominant and most wealthy game platform on Earth.

Very standard practice for malicious software scanning is to install the program in a virtual environment and then monitor its processes to see if it’s performing malicious activities: eg keylogging while a background process (eg alt-tabbed), or if it interacts with browser data (trying to get saved auth cookies or saved account info), running searches for strings that are common for crypto wallets, etc.

It’s entirely possible that Steam has dropped the ball in a big way here.

I can only imagine the animosity in the comments if it was from a game on the Epic store or Ubisoft UPlay…

Wispy2891,

It’s trivial to detect running in a vm and behave differently

It’s more like “why the industry standard to allow games installers to run as admin is widely accepted?”

Or “why a crypto wallet needs to have unencrypted files in the user home, ready for exfiltration?”

pulsewidth,

It’s also trivial for apps detecting any trivial attempts at scanning if they’re running in a VM to be detected, and masked.

Those are also valid concerns, but in an environment where admin rights are granted to games installers the vendor of the games (Steam) needs to adopt a highly curated and protective stance. To this date they provide zero details of their protection - their entire FAQ on malware on their store boils down to ‘if you find malware, please flag it on the store page for us to investigate’.

If anyone is gonna claim the steam store is highly curated… I’d point out to them that a very large amount of their store is shovelware asset flips with very few purchases and installs. There are over 150,000 games on Steam, and tens of thousands of them would fall into that category.

Nibodhika,

And it is very easy to detect you’re in a virtual environment and not do those things, or have a date to trigger the changes or something. The game had been out for a while when this happened without any issues. I just dug a little bit and it was opening a back door apparently, so as long as the attacker did nothing at that time it would have been impossible to detect. You had to know that it was malicious to look for it, then it was quite obvious, but with Valve needing to vet millions of games it’s not feasible to do a full scan of every update of every game.

pulsewidth,

It’s “not feasible to do a full scan of every update of every game”?

My friend the scans are automated. Is Steam strapped for cash this month?

Honestly the apologia here for Steam is pretty rank.

Nibodhika,

No automated scan would have captured this, only a paid professional dedicating some time would (and only because this was an obvious attempt, a more subtle one would go unnoticed even by an expert) and that is not feasible.

pulsewidth,

It literally contained a known version of StealC malware in its payload, and had basic python scripting with the Telegram bot code and access tokens left visible to researchers (very bad OSINT). This was not sophisticated scripting, nor novel malware, just some script kid that sourced the whole setup on Telegram. The malware would easily have been captured by a competent security company’s automated scanner.

bleepingcomputer.com/…/verified-steam-game-steals…

DreamlandLividity, (edited )

There are so many ways to bypass what you describe, in addition to it not working for games with kernel anti-cheat etc.

The real issue is all desktop OSes deciding everything should be allowed to access everything. Why is a game able to access your crypto wallet by default, without any permission required? Why can a fake pdf access browser cookies? This has been solved on phones for years.

pulsewidth,

And there are so many ways to detect the bypasses. It’s an arms race, and the most profitable games store of all time should really have a cutting edge system to deal with it is all I said.

Windows should have better security too, but the two thoughts can be held in the mind at the same time.

DreamlandLividity, (edited )

Well, I just disagree with you. IMO, they are a game distribution company, not a security company. I don’t see this as their job and I am not willing to pay more for games to have some far from perfect behavior scanning.

PS: That is not to say Steam should do nothing, just not behavior analysis, which is an unnecessarily difficult and expensive measure to implement and operate.

pulsewidth,

Who said you need to pay more for games? Steam already takes thirty percent of sales (for the vast majority of sales), they are a $10b+ game distribution company… They’re worth more than several leading security/antivirus companies combined.

I just don’t understand the mindset people get around Steam. They are a business that makes a fortune distributing games, run by a billionaire - they are not a little indie company struggling under the weight of their success.

DreamlandLividity, (edited )

And I don’t get the mindset of large company should do things for free. Valve is using the 30% to distribute games, provide backups for saves, run steam workshop, make games playable on Linux, creating the steam framework for games, and more. And of course keeps some of it as profit. Being a large company does not give you infinite resources. If they invest massive effort into some behavior analysis stuff, either they increase prices or cut something else they are doing.

pulsewidth,

All they’re expected to do is pay for upstream providers to scan their submissions (eg third party security providers), no need to hire new staff. This is the fourth instance publicized this year! They should communicate regarding issues like OPs - but like usual, it’s crickets.

DreamlandLividity, (edited )

If this is really just 4th instance this year, then it would be significantly cheaper to just reimburse the ~120k than to do what you are suggesting. Besides, a third party provider will hardly deliver a cutting edge scan for games.

Most importantly, whether they pay their own employees or a third party provider, the result is the same. Either prices go up or cost cutting happens elsewhere.

Randomgal,

Don’t forget to brush your teeth. Corporate ass and boots are pretty dirty.

ryathal,

Steam does scan for malware, which is why this is news. It’s notable that a game got through that was malware. You haven’t heard about other stores because it’s not worth the effort in targeting them. I wouldn’t be surprised to learn that most stores use the same vendor for malware scanning.

pulsewidth,

I didn’t say they don’t scan for malware, I said it “should be to a very high standard”, fully understanding they already do.

ryathal,

It is to a very high standard. There’s been 14k games released this year alone which would be a .01% miss rate for malware games. If you compare against all games to account for updates that add malware after submission it’s basically 0 at .000001%

pulsewidth,

They’ve already missed four instances of malware this year that have been publicly reported. How many have other storefronts missed?

I don’t see why asking them to improve is an unbalanced response or unfair, given the enormous budget they have and the market dominance.

t3rmit3, (edited ) to gaming in Block Blasters: Theft of $32k in crypto from a stage 4 cancer patient due to valve’s incompetence in allowing malware on their platform

They were contacted by an unknown person who requested they play their video game demo (downloadable from Steam). In exchange for RastaLand playing their video game demo on stream, they would financially compensate them.

Unfortunately, it’s extraordinarily easy to hide malware in any application that is expected to have online components, because you can add the malicious, “staged” malware after install. Also, depending on what the code is doing, it may not even appear malicious to malware scanners.

Crypto-stealers often don’t even need to elevate privileges or access system components or create backdoors in order to operate, they’re just sending info out, so from a behavioral perspective they often don’t really “act” maliciously.

Sadly, this is less about Valve not preventing something, and more about someone falling for targeted phishing.

Edit: Looking through the tweets, the only references to it being malicious all appeared within the past day, and the claims of the dev being compromised within the last week, so I’d guess the game was updated with malicious components in the last couple days.

theangriestbird,

The thing is, Valve could go back to their old model where they review and approve 100% of new games on Steam. It would be significantly more expensive than it used to be for them, but they have more than enough money to staff a team for this process. They could do this, and they would still be plenty profitable. They just choose not to because they have no financial reason to do so, and they would rather keep that extra money as profit. Unfortunately, their choice to leave Steam as an unmoderated hell scape has had real consequences in the real world on real people.

TehPers,

While this would be nice, it’s not that hard to design malware that hides itself in certain environments. It’s actually extremely common for more advanced malware to disable itself in sandboxes, for example.

For other reasons, that might be nice though. It at least enforces some level of quality and playability.

bless,

For the curious, stuxnet is a prime example of software altering behaviour under different environments en.m.wikipedia.org/wiki/Stuxnet

t3rmit3,

What people overlook is how Valve removing those barriers to listing directly brought about the indie revolution that’s happened.

Blisterexe,

Exactly, greenlight was good for the time but sucks compared to what we have now

Blisterexe,

Except that wouldn’t prevent a lot of scams like that, what if the game’s cryptodrainer only activates like 2h in

t3rmit3,

They already scan all submitted games with malware scanners. Manual approval wouldn’t be any different, they weren’t doing binary analysis or source code review before. Their AV scanners back then would have given them the same result as their AV scanners now.

theangriestbird,

that’s fair! maybe I am overestimating, IDK. I just think that if such a process still existed, the approval process would be lengthy enough that people wouldn’t even bother with trying to sneak by malware submissions.

KairuByte,

This would be expensive, time consuming, and utterly useless.

Automated scans are going to be just as useful, if not more useful, than manual auditing. Not to mention, manual auditing is useless in 99% of cases unless you’re also submitting source code. And even then, if you offer any sort of streaming of assets, you can simply not turn on the exploit download until after the review process. That isn’t even mentioning the issues with uploading source code.

This simply isn’t an issue you can throw money or manpower at. Really, users need to be more educated, which is something valve can do.

over_clox, to games in Block Blasters: Theft of $32k in crypto from a stage 4 cancer patient due to valve’s incompetence in allowing malware on their platform

Jerboa developers, may I kindly ask for an option to disable automatic video preview?

Don’t get me wrong, it’s a nice feature and all, but fuck it eats at my limited cellular data usage and eats my battery…

nocturne,

Might try putting the comment in a jerboa community, or opening an issue on their codeberg or git, in the event none of them come to this thread.

over_clox,

I already did, right after the feature dropped.

otp,

I don’t know what Jerboa is or why you commented about it under this post…lol

HeyJoe, to games in Block Blasters: Theft of $32k in crypto from a stage 4 cancer patient due to valve’s incompetence in allowing malware on their platform

With how much money valve makes, just fix it. It’s nothing to them and makes them look good.

MyDarkestTimeline01,

Honest to God, this is a PR slam dunk if they do that. They get to write off the payout as a donation to charity for tax purposes, get the limelight of them doing something generous for a cancer patient, and can show that they take the few breaches of their malware wall seriously. Hell they could probably double the payout and they wouldn’t even notice the loss.

AwesomeLowlander,

See other comment for why this would be a horrible, horrible idea

AwesomeLowlander, (edited )

Incentives. If valve did this, the expectation would be for them to cover any and all future breaches. They don’t have the capability of detecting and preventing all attempts, and this would incentivise a wave of new malicious programs. Because hey, if you get one into the store, you can now steal a million bucks from your own sockpuppet account, and valve will cover it.

Die4Ever,

People would do this on purpose to steal their own money and then beg Valve to pay them lol

AwesomeLowlander,

Exactly

ampersandrew, to games in Block Blasters: Theft of $32k in crypto from a stage 4 cancer patient due to valve’s incompetence in allowing malware on their platform

This headline feels like a trap. Yes, Valve is the arbiter of what passes through the Steam store. Part of that involves checking for malware which, while their record isn’t flawless, they’ve let very little of it through given the sheer volume of games published to Steam every year. The consequences were terrible here, and I hope that can be rectified somehow. But the implication of this is that Valve makes this sort of error all the time through their “incompetence”, which they don’t, and the point of phrasing it this way seems to be to call anyone stating otherwise some kind of defender of a multibillion dollar company. It seems like a far better use of everyone’s time to be mad at the scammer here. Supporting and profiting from child gambling via Counter-Strike is a much better reason to be mad at Valve than the mistakes or other gaps in their vetting process that will be slightly tighter as a result of this mishap.

over_clox,

Jerboa developers, may I kindly ask for an option to disable automatic video preview?

Don’t get me wrong, it’s a nice feature and all, but fuck it eats at my limited cellular data usage and eats my battery…

Zombiepirate,

Looks like they just added it in the new release. We should get you to ask for world peace next time, but this is pretty good too.

over_clox,

Oh, new update?!

Awesome, thanks for letting me know, hope the option is there… 👍

pulsewidth,

Well since Steam provide absolutely zero details about their scanning process (or even if it exists), seems like conversely people are making a lot of really complimentary assumptions about Steam, no?

This is certainly not the first malware distributed by Steam - this is in fact the fourth publicly-known instance just this year.
Seems like they need to step up their game if you ask me.

ampersandrew,

Reporting from outside sources has covered what Steam’s vetting process is. They check to see if the game runs, if it has the features that the publishers/developers claim it has on the side bar, and they check for malware. Often times this is outsourced, but the buck does stop with Valve. The thing with any security measure though is that anything can be circumvented, and preventing the same vector of attack in the future is an arms race. And another way to read what you said about how many instances of malware there are is that it affects 0.02% of games released this year so far, and they’re not the games that customers are most likely to buy in the first place like your Borderlands or Battlefields.

YellaLeber, (edited )

Almost 14 thousand games released this year on steam. You could say malware is 100x more likely than the 4 publicly known instances you mention and that’s still not even 3% of games released. Steam is responsible but I don’t know how you expect them to get that down to 0% besides manually reviewing game code line by line, which would probably destroy the platform. Don’t let perfection be the enemy of good

pulsewidth,

Good it is not when the recommendation from security experts and reporters is to avoid any Steam games with low numbers of installs / reviews and betas from small companies. That’s where we’re at now.

bleepingcomputer.com/…/verified-steam-game-steals…

Nobody reviews game code, as game code is not supplied, only binaries with their relevant resources. There are many security providers that would be able to provide better service than whatever Valve is doing - but who knows, because they keep tight-lipped about it every time there’s an issue, and just patiently await their defenders to hand-wave any concerns.

YellaLeber,

Lmao well I don’t know what you want. If you want your PC to be secure, don’t use the Internet. You can’t expect every piece of software you come across to be perfectly vetted. In an ideal world sure everything would be foss and peer reviewed but that sure as hell ain’t the world we live in.

echodot,

Providing details about their screening process wouldn’t change anything; in fact, it would make it less secure.

It’s not like this sort of thing doesn’t happen on other platforms including the Apple app store.
