Channel: Security Boulevard

Day Z, Day Z, Give Me your Server, Do


Zombies. I admit, I’m pretty fed up with zombies on account of them being jammed into every form of media imaginable, whether required by the story or not. Videogames, TV shows, books, a recent movie that I’m not going to spoil – but oh look, a zombie – and everything else in between.

Zombies.

There’s a game on the Steam platform called Arma 2, and it’s a reasonably decent warfare simulator from a couple of years ago. It’s currently the hottest thing since sliced bread and ridiculously popular, all on account of a mod for the game featuring – yes, you guessed it! – zombies, called “Day Z”. From the website blurb:

A 225 km² open world post-soviet state and one of the areas hit by a new and presently unknown infection which has wiped out most of the world’s population. You are one of the few who have survived and now you must search this new wasteland in order to fight for your life against what is left of the indigenous population, now infected with the disease.

Go Solo, team up with friends or take on the world as you choose your path in this brutal and chilling landscape using whatever means you stumble upon to survive.

Something’s wrong, I’m throwing my money at the screen but nothing’s happening!

As you might imagine, it looks really good. Unfortunately, someone decided to get a little too meta and add zombies of the malware variety into the mix.

Gaming press recently reported a compromise of the “quick, run away and throw your PC into the nearest river” variety at the tail-end of last week:

Infection: DayZ Servers hit by Malicious Software

This “we’re all doomed” panic was the result of a forum post on the official mod forum giving details of the attack:

He managed to get a database backup from the 22nd (Hah, we don’t keep backups for admins). But, as everyone knows, the normal drill when such events happen is that you should change your forum account password.

Forum account compromise? Uh oh.

A person has gained access to our main email account, which has details listed for our FTPs, etc. He then uploaded a malicious application to the US file host, which has since been taken offline… If you are a user who has downloaded the .exe called dayz_auto_updater.exe from the US Mirror, scan your computer for viruses.

Main email account compromise? Uh oh.

Server hosts who provided us with RDP details are compromised and need to thoroughly scan their server for the same type of processes, change their server’s RDP details, and NOT ever give the RDP details out to anyone *including DayZ* from now on.

Game servers compromised? Uh…well, I think you get the idea.

DefCon One was reached shortly afterwards, when the same mod sent out a message to a Day Z Google group.

From: DayZ Staff <staff@dayzmod.com>
Date: 9 June 2012 14:04
Subject: Server Hosts – Security Issue
To: dayztech@googlegroups.com

Hello Everyone,

I sadly regret that, due to the actions of DayZ Management, someone has wrongfully brought someone onto the Server Admin team who has either used his access to spread a ‘Bot’ around the servers or has given someone else the access.

Due to this, access for all of DayZ Staff has been revoked till we can investigate further.

Now you’re probably thinking ‘what does this have to do with us?’ Well, sadly, hosts who have given us RDP access may be compromised and may very well be used as a botnet.

I want to apologize in advance, and I am truly sorry if your server has fallen victim to this security breach, and I will say with certainty that our management is going to change how we handle servers.

What I need is for all the server hosts who have given us RDP access, where those login details are still valid, to scan your server, checking for any suspicious processes (exes) running as the RDP account you gave to us.

Usually viruses and botnets can be located in the account’s AppData folder under Roaming. It’s recommended that you scan the AppData directory for any .exes floating in there with obvious names such as explorer.exe, etc., and change the RDP account’s password, revoking any access that we may have until we can sort everything out.

It’s recommended the hosts do this so that trust can be rebuilt, but if asked I will personally go through the server and look for any malware that may reside on the server.

Again, I deeply apologize for this, but we’re led to believe a new server admin who was brought on while most of the team was away has used his access to gain a strong botnet.

If you receive any emails from anyone saying that they are with the DayZ Dev Team and the names are not mine or Ander’s or Matt Lightfoot’s, then do not respond. We will not ask you for your server’s new RDP passwords when you change them.

/tonic

Did I say “uh oh” yet? I’m fairly certain I might have. At this point, the creator of Day Z stepped up and posted to the forum, moving things in a different direction. In a nutshell, the mod overreacted and didn’t get all of their facts right:

Fact: One of our Artists’ PCs was hacked by a person known to him.

Fact: The hacker used the Artist’s password to attack the forums.

Fact: This was detected almost immediately; initially it was thought that this person was in fact the artist themselves.

Fact: DayZ has RDP/Admin access to less than 15% of the servers hosting DayZ.

Fact: The forums were vandalized, and this was detected and rolled back immediately.

Fact: A staff member, in a rush to inform everyone, was misinformed and overreacted, resulting in the infamous Google Groups message.

“Less than 15% of the servers hosting Day Z” is definitely better than “all of them”, although I’d love to know exactly how many servers there are – I found a list, but I’m not sure how accurate it is, and a good slice of the servers are filled to bursting point (the player cap is generally 50 per server).

As for the malware itself, it claims to be the “BlackHawk Browser”, which is a pretty neat trick seeing as the executable shown in the screenshot is 299KB while the real browser is around 21.8MB.

Upon execution, files are dropped in the locations below, with VSCover.exe springing into life every time Windows starts.

C:\Documents and Settings\Administrator\Local Settings\Temp\D3D8THK.exe
C:\Documents and Settings\Administrator\Templates\VSCover.exe
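As an added example (not code from the original post or from the DayZ team), here is a PowerShell triage sweep a server host could run, combining the email’s advice above (look for stray .exes under AppData\Roaming and for processes running as the RDP account that was handed out) with the two drop locations just listed. The account name is a placeholder, and the Run keys are an assumed autostart location, since the post only says that VSCover.exe starts with Windows, not how.

```powershell
# Added example (not from the original post or the DayZ team): a triage sweep modelled
# on the email's advice and the drop paths listed above. Assumed: $RdpAccount is a
# placeholder, and the Run keys are an autostart location (the post does not say how
# VSCover.exe is started).
param([string]$RdpAccount = 'dayzadmin')
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Kind, $Path, $Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; Detail = $Detail })
}
# Names that belong in \Windows or \Windows\System32; a copy elsewhere (the email's
# "explorer.exe in AppData" case) deserves a look.
$systemNames = @('explorer.exe', 'svchost.exe', 'csrss.exe', 'lsass.exe', 'winlogon.exe')
# Drop locations: the two the post lists plus AppData\Roaming from the email, under every profile.
$profilesRoot = Split-Path $env:USERPROFILE -Parent
$dropDirs = foreach ($p in Get-ChildItem -Path $profilesRoot -Directory) {
    foreach ($sub in 'AppData\Roaming', 'AppData\Local\Temp', 'Templates', 'Local Settings\Temp') {
        $dir = Join-Path $p.FullName $sub
        if (Test-Path $dir) { $dir }
    }
}
# 1. Executables inside the drop directories, hashed for a VirusTotal lookup.
foreach ($dir in $dropDirs) {
    Get-ChildItem -Path $dir -Filter *.exe -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $kind = if ($systemNames -contains $_.Name) { 'system-name-outside-system-dir' } else { 'exe-in-drop-dir' }
        Add-Finding $kind $_.FullName (Get-FileHash $_.FullName -Algorithm SHA256).Hash
    }
}
# 2. Processes running as the RDP account whose image lives in a drop directory.
foreach ($proc in Get-CimInstance Win32_Process) {
    $owner = (Invoke-CimMethod -InputObject $proc -MethodName GetOwner).User
    if ($owner -ne $RdpAccount -or -not $proc.ExecutablePath) { continue }
    foreach ($dir in $dropDirs) {
        if ($proc.ExecutablePath -like "$dir*") {
            Add-Finding 'process-as-rdp-account' $proc.ExecutablePath "PID $($proc.ProcessId)"
        }
    }
}
# 3. Autostart entries (assumed location) pointing into a drop directory.
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $entries = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $entries) { continue }
    foreach ($name in $entries.PSObject.Properties.Name) {
        $value = [string]$entries.$name
        if ($dropDirs | Where-Object { $value -like "*$_*" }) {
            Add-Finding 'autostart-into-drop-dir' $value "value '$name' under $key"
        }
    }
}
$findings | Sort-Object Kind | Format-Table -AutoSize
```

Run it elevated so that other users’ profiles and the HKLM Run key are readable; a hit in any of the three categories is a lead to follow up, not a verdict.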

Our handy GFI SandBox tells us that the malware checks for debuggers (because avoiding detection / analysis is always a good thing when you’re not supposed to be on the PC in the first place), hooks the keyboard (a favourite of keyloggers everywhere) and makes DNS requests.

VirusTotal has the main “updater” executable file pegged at 20/42, and we detect it as Trojan.Win32.Generic!BT. There are certainly end-users out there feeling the burn from this one, and it might be a little while before we gain a rough idea of how many gamers had their brains munched.


If you’re in a similar position to the unfortunate individual above, it’d be a good idea to update your virus scanner and take the required clean-up steps as soon as possible. On a sort-of-but-not-quite related note: change your password for the Day Z forum. Hopefully the admins now have this one under control, though given how things are panning out right now you can bet there’ll be any number of fresh gaming-related attacks on the way soon.

Christopher Boyd
