Malware Hidden in Call of Duty Cheating Software

News article:

Most troublingly, Activision says that the “cheat” tool has been advertised multiple times on a popular cheating forum under the title “new COD hack.” (Gamers looking to flout the rules will typically go to such forums to find new ways to do so.) While the report doesn’t mention which forum they were posted on (that certainly would’ve been helpful), it does say that these offerings have popped up a number of times. They have also been seen advertised in YouTube videos, where instructions were provided on how gamers can run the “cheats” on their devices, and the report says that “comments [on the videos] seemingly indicate people had downloaded and attempted to use the tool.”

Part of the reason this attack could work so well is that game cheats typically require a user to disable key security features that would otherwise keep a malicious program out of their system. The hacker is basically getting the victim to do their own work for them.

“It is common practice when configuring a cheat program to run it with the highest system privileges,” the report notes. “Guides for cheats will typically ask users to disable or uninstall antivirus software and host firewalls, disable kernel code signing, etc.”

Detailed report.
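As an added illustration (not from the Activision report or this post): each item on that “run the cheat” checklist is visible from the Windows command line, so a host check can parse for it. The three sample outputs below are constructed in the format of bcdedit /enum {current}, netsh advfirewall show allprofiles and Get-MpComputerStatus | Format-List; on a live host you would feed in the real command output instead.

```python
"""
Added example: flag a Windows host whose configuration matches what cheat
guides ask users to do (test signing on, firewall off, Defender real-time
protection off). SAMPLE_* strings are CONSTRUCTED in the output format of the
named commands; they are not captured from a real machine.
"""
import re

SAMPLE_BCDEDIT = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.efi
description             Windows 10
testsigning             Yes
nointegritychecks       Yes
"""

SAMPLE_NETSH = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
"""

SAMPLE_DEFENDER = """\
AMServiceEnabled                : True
AntivirusEnabled                : True
RealTimeProtectionEnabled       : False
BehaviorMonitorEnabled          : False
"""


def bcd_flags(text):
    """Return {option: value} for the two boot options that relax driver signing."""
    out = {}
    for m in re.finditer(r"^(testsigning|nointegritychecks)\s+(\S+)", text, re.M | re.I):
        out[m.group(1).lower()] = m.group(2).lower()
    return out


def firewall_state(text):
    """Return {profile: 'on'|'off'} from 'netsh advfirewall show allprofiles' output."""
    states, profile = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\w+) Profile Settings:", line)
        if m:
            profile = m.group(1).lower()
            continue
        m = re.match(r"^State\s+(\w+)", line)
        if m and profile:
            states[profile] = m.group(1).lower()
    return states


def defender_flags(text):
    """Return {property: bool} from 'Get-MpComputerStatus | Format-List' output."""
    return {m.group(1): m.group(2) == "True"
            for m in re.finditer(r"^(\w+)\s*:\s*(True|False)\s*$", text, re.M)}


def weakened_findings(bcd_text, netsh_text, defender_text):
    """List every setting that matches the 'disable protections' checklist."""
    findings = []
    bcd = bcd_flags(bcd_text)
    if bcd.get("testsigning") == "yes":
        findings.append("boot: testsigning enabled (unsigned kernel drivers will load)")
    if bcd.get("nointegritychecks") == "yes":
        findings.append("boot: nointegritychecks enabled (driver signature checks off)")
    for profile, state in sorted(firewall_state(netsh_text).items()):
        if state == "off":
            findings.append(f"firewall: {profile} profile OFF")
    d = defender_flags(defender_text)
    for key in ("AntivirusEnabled", "RealTimeProtectionEnabled", "BehaviorMonitorEnabled"):
        if d.get(key) is False:
            findings.append(f"defender: {key} is False")
    return findings


if __name__ == "__main__":
    for f in weakened_findings(SAMPLE_BCDEDIT, SAMPLE_NETSH, SAMPLE_DEFENDER):
        print("[!]", f)
```

On a live host, replace the SAMPLE_* strings with subprocess output from the three commands (bcdedit needs an elevated prompt). A machine that trips several of these at once, with no administrator change record behind them, is the profile the report describes: the user has done the malware's privilege-escalation work for it.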

Posted on April 2, 2021 at 6:00 AM

Comments

Clive Robinson April 2, 2021 7:17 AM

@ Bruce, ALL,

You might want to look at some South Korean legislation, that recognises in game intangible virtual property as though it is tangible physical property.

Thus subject it to both “Public Duty”(criminal) and “Private Duty”(civil/tort) legislation and regulation.

Thus arguably running any game cheat to gain advantage would be covered by theft / fraud legislation…

me April 2, 2021 7:24 AM

I don’t get why people use cheats. I used to make them in the past for fun and for every game I had (mostly offline games like Super Mario), but also online games before anticheats were a thing. Then I hosted “cheaters only” servers and saw what cheats other people were building.
I did not cheat to win because I literally had “press a key to kill all” or “jump to win”, where if you press jump you see “victory” and the match finishes, lol.

But when anticheats started to be a thing I just stopped because there is no point.

In virus vs antivirus, the virus always wins because there is a delay between release and detection, so yeah, the antivirus might detect the keylogger that you installed 3 days ago, but it has already stolen everything from you. It took a while for people to realize that, but they are understanding it now that ransomware is a thing: it blocks your PC immediately instead of hiding, so people understand that antivirus is not really good.

With cheats it is different: you detect everything and you can ban people later, so yeah, you might use the cheat for three days, but then you lose your game forever (and you paid a lot for it). It doesn’t matter if a cheat is detected after one month, because after it is detected they can retroactively ban everyone that used it.

Chelloveck April 2, 2021 10:27 AM

@me: Lots of reasons, ranging from “There’s no way they’ll ever catch me!” to “I can make a lot of short-term gains and move on to the next game when they ban me here.” Some people think it’s funny to have impossibly high scores on the leader boards. Some people think it’s funny to insta-kill n00bs. Some people are actually grifting money off the games. Cheat to obtain the Sword of Ultimate Coolness, then sell it. Who cares if you get banned after that? Cheat to move up the ladder, then sell the high-ranked account. Yes, people buy high-level accounts, don’t ask me why. So what if it’s banned the next day?

As long as games have had copy protection there have been programs to circumvent it, and some of those programs have always contained malware. I remember game cracks for the Apple II that came complete with malware. Cracks, keygens, cheats… Whenever you have people who break the rules to get ahead, you have other people willing to exploit those people by feeding them malware. It’s not a new phenomenon.

trsm.mckay April 2, 2021 1:26 PM

This is news? Guess not everyone is as paranoid as this community. But I personally have operated on the assumption that cheating software includes malware since the Apple2 and Commodore Pet era.

JonKnowsNothing April 2, 2021 2:58 PM

There is also the incentive to tilt the table because of professional eSports competitions.

These events have become very popular with $1,000,000 purse to each member of the team. If a competition is set for 6 members teams, that’s $6,000,000 to the winning team, plus the hunk that goes to managers, team sponsors in the same way physical sports distribute the wealth of top athletes.

You have to do something to get noticed, and you have to tweak your gear as much as possible to do that.

Professional sports has all manner of cheats or enhancements that can give advantage. Better running shoes with spring loaded return is currently the hot topic for track and field runners. If you got a set from your shoe sponsor and the other runners didn’t and your sponsor can throw a ton of money at the game standards folks to make sure that shoe meets “current standards” well, pocket a few gold medals for your country.

If you can double stack keyboard responses to the server, you get 2 hits for 1 cycle. The opposing team is guaranteed to fail, unless they can stack 3 responses per cycle.

A good number of PVP players will do some sort of quick response. Some of it will be within the normal operating environment of the game but even then, other players may not take kindly to using the channel/animation/execution shortcuts to get clobbered. (1)

  1. One version works as follows:

Skills are assigned a duration for setup and a duration for execution and a cool down before reuse.

The effects on the other player have a duration of application.

A skill might take n-period to ramp up, the animation may take 2n-period. The effect on the other player might be 3-20 seconds.

Some skills execute immediately on key press(down or up) and others have the ramp up period. Some skills are channeled meaning the effect on the other player only continues while the animation is playing.

There are skills where the full effect is executed on key press regardless of the period of animation.

a) queue skill A with full effect on key press
b) queue a skill B that is immediate to interrupt the animation
c) queue several immediate skills B C D during the first skill A cool down period
d) re-queue the first skill A

By using the game system timing you can get 2-4 hits per action event, by using the game’s combat mechanisms.

Do people do that for fun? You Betcha.

Mr. Peed Off April 2, 2021 5:38 PM

I got cheated once on a video game. Activision shut down the game server shortly after I had purchased a game. I have never bought any more, if it’s not in a debian repository, I don’t need it.

JonKnowsNothing April 2, 2021 6:25 PM

@Mr. Peed Off

re: server shut down or item blocked after purchase

It’s a bigger problem than $35 for the purchase of the game software.

It affects nearly everything electronically delivered now: books, music, movies, TV reruns, boxed set director’s cuts etc.

Unless it’s delivered on physical media, at any time, those items you bought can be removed from access. Amazon books have done it more than once. You buy the latest best seller from your fav author and it’s delivered to the book reader in your smartphone, phablet, book reader, etc. As easy as it is to download, it’s easier for the site to block and remove the item. You won’t be getting a refund either.

Even with physical media, if it’s a game that requires access to a server environment your purchase can be null-and-void should the game publisher decide to stop making that game. Happens A LOT.

Then there are the game consoles, most now come with internet access. You buy a connection and play on a “platform” that provides N-number of games. Some games come with the base subscription and others have add-on costs for new updates/enhancements/game changes. If the console makers bring out a new one, your existing one, subscription and paid options may not work with the new setups.

Lots of gamers play on multiple platforms and multiple games, they game-hop frequently. When a new feature is added to a game, they reactivate their subs, play a few weeks/months then bail out for the next carrot on the stick. Those that are left become a decreasing income stream for the company.

Added to the physical obsolescence is corporate initiated obsolescence. If a game doesn’t hit the right part of the profit graph it can be decommissioned or sold to another company that hopes to make some profit from the wholesale transfer of the customer base to the new company.

Games are big business. Huge. They are like movie studios and run on a similar basis. They have stories, scripts, music, voice acting, along with world-building (landscape), city building and costume design. They have detailed animations and synchronized real time player actions. Some have access to music systems (player content concerts) and a full range of dress-up and play-house aspects.

But what is it you actually own?

Nothing.

You pay for electronic dots on the screen and for the privilege of clicking the mouse a million times an hour.

A physical book is still yours, until someone takes it away from you.

ht tps://en.wikipedia.org/wiki/Fahrenheit_451
(url fractured to prevent autorun)

Dave April 3, 2021 7:30 AM

Don’t forget that it’s in Activision’s commercial interests to scare people off cheat software, in this case by publicising the presence of malware in one app. So I wouldn’t rush to generalise from this one case…

Mr. Peed Off April 3, 2021 1:18 PM

@JonKnowsNothing
Unless it’s delivered on physical media, at any time, those items you bought can be removed from access.

Physical media does not always guarantee long access. Just walk into your local electronics store and ask about floppy disk drives, 8-track players, video disk players, or a new VCR. Yes, they can still be found, but for how much longer? The new, old stock will eventually all disappear.

Clive Robinson April 3, 2021 3:40 PM

@ JonKnowsNothing, Mr. Peed Off, ALL,

Unless it’s delivered on physical media, at any time, those items you bought can be removed from access.

Whilst that used to be true when the Internet bandwidth was low and most things were still done in an “off-line mode”.

In part because “off-line mode” allowed people to “bypass DRM”, and more importantly these days, now many holders of IP no longer want one-off payments; they want to use more profitable continuous “rent seeking” models.

That is, they will use any which way they can for increased long term income, so with connectivity more available and at much greater bandwidth things have been moved. That is away from “off-line” DRM to “on-line” DRM that gives the IP holders all the control they want, in the same way or worse than Amazon and various other of the big Corp media, entertainment, and Silicon valley software and hardware entities are starting to do.

So even though you might have possession of physical objects, they are “incomplete” or in some other way locked in a dynamic, not static, way.

In short if you don’t continue to pay, you can not play. Worse the version you buy will be very short lived and you will be required to pay over and over.

Have a look at the business models of the likes of “King Games” whilst it is possible for you to progress at almost glacial speed, you can buy in game upgrades for a nominal sum of say $5. Whilst you might only have paid the equivalent of $10-15 for a stand alone game of that type, those little upgrades soon mount up to a big heap of money say $40 or more that you would never have paid for the game as an out right purchase.

Similar tricks are “direct debit” subscriptions for a new game a week. Often the games are the same except for scenery and theme and are churned out by “sausage machine” coding/development, thus are quickly the same old same old. Thus after maybe a month or two you want out; it’s then you find the easiest way out of a direct debit is to close your bank account rather than get the “mandate” cancelled by those taking the money.

Clive Robinson April 3, 2021 4:52 PM

@ Dave, ALL,

I wouldn’t rush to generalise from this one case…

Cheat codes have a long, long history as,

1, Code numbers.
2, Code patches.
3, Code generators.

With CAD and similar software back in the 1980’s costing the equivalent of 25-50 thousand dollars, “cracking” such software was very popular. Thus people would steal installation codes from work, to use at home or pass on to others.

The developers caught onto this, so “Dongles” on the Parallel or Serial port became popular. For various reasons (basically the developers’ management were cheapskates), people used I2C and similar EEPROMs in 8-Pin DIP etc. format; as most of these chips had an odd pin-out (power pins not on the diametrically opposed corners) they were not just easy to recognize, the code to drive them was easy to spot when a little reverse engineering was applied. Thus “Code Patches” became available, and a little war between the CAD software developers and Patch developers started. In essence the EEPROM became part of a cipher system etc., but the reverse engineers almost always caught up real fast (looking at the history of the Sky Satellite service “set top box” is an object lesson in how this sort of battle played out when real money became involved).

Whilst “Code Patches” were almost always for high-price software, even lowish-by-comparison Office software initially got lists of “code numbers”. Later “code generators” started to surface as the installation software or the main software itself looked for “code numbers on the network” to ensure that they were all not just valid but different.

Unsurprisingly, the “Code Patches” and “Code Generators”, both being executable code, became subject to various attacks including “malvertising” and old-fashioned “malware” but also a new generation of Root-Kits, RATs and similar to allow bot nets to be built.

For some reason, as almost always happens in ICTsec, we’ve not remembered our history… So these days we get the equivalent of Code patches/generators containing bitcoin and similar mining code…

Why we forget or don’t bother to learn from ICTsec history I’ve no idea, but you can see the “same old same old” type attacks but with more timely payload/exploit code…

JonKnowsNothing April 3, 2021 7:06 PM

@Clive @All

re: Cheat codes vs Legal codes

In addition to all the previous comments, another aspect is that some game makers themselves put out cheat codes. Sometimes these are not direct game related but reveal something “interesting” in the game (called Easter Eggs).

A good number of game makers publish a data dictionary/database call list to use with Lua Programming. Mostly used to manipulate player inventory items but a good number of combat options can be created leading to Plug Ins.

Some Plug Ins are vendor created but a good number are not, and these are hosted on 3rd party sites. Some plug ins claim to be vetted “clean”.

Along with Lua programming are OCR/Screen Readers, and a fair few games run on player created/hosted interfaces.

In one game the vendor version interface works, it is just too tedious and leads to carpal tunnel injuries. So, the players over the many years of that game (and evolution of ability) pooled their programming resources into a full Game UI Kit, available to any player. As the theory of game interactions has evolved and player expectations changed, so did the designers of that game change how they viewed 3rd Party Coding. When 3rd Party coding started a decade ago, there was big resistance from hard-core players and developers. Once the players saw the benefits they embraced the 3rd Party add-ons. Later the developers realized they needed to alter their “grinding time sink” algorithms too.

  • 400 clicks = 400 items over 60 minutes
    vs
  • 4 clicks = 400 items with 45 min cool down

But then there are some questionable alterations, and the interpretation varies from developer to developer. When group voice options became available, most games did not have integrated voice UI overlays. 3rd Party programmers created UI Overlays so that players did not have to tab-out to see who was in the channel. Many game developers accepted this “hook” and some did not. It was a roulette spin for each game whether the “hook” violated TOS/EULA or not. Most often the player using the overlay found out if their account got Hammered.

And then… there is the DMCA problem.

When is it OK to make a “backup” and when is it not OK to make a “backup”

I no longer know… I knew yesterday, but I don’t know today …

ht tps://en.wikipedia.org/wiki/Lua_(programming_language)

ht tps://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act
(url fractured to prevent autorun)

Nik April 6, 2021 8:56 PM

Apologies, been offline for a while returning from Europe. Jet break, not jet lag.

@ Dave, ALL, Clive

I was working for a forensic company that made software that was expensive. Every version was cracked. We used to get anonymous emails with the cracks. Then I implemented a USB/parallel port dongle protection scheme that used their homebrewed crypto (on the dongle). This was Sentinel. No more cracks for a while. Then they broke the algorithm and made another crack. We switched to HASP – another USB dongle.

I used the Chinese remainder theorem to encode the serial # to the dongle and used an iterative AES encryption. The idea is that you can capture the traffic, but new data was sent to it and every power of 4 would be checked, so replay attacks would work for a while. The responses from the dongle were used in computations in many places. Also encrypted the executable. Plus anti-debugging and anti-encryption / anti-VM stuff.

We never got another crack emailed. I liked fighting the battle that can’t be won.

What a blast from the past. Thanks.
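The scheme in the comment above, as an added illustration that is my reading of it and not Nik’s code: the host reads the serial off the dongle as CRT residues, derives the dongle key from the reconstructed serial, sends a fresh challenge every step but only verifies the answer at steps that are powers of 4, and a replay emulator that answers from a recorded transcript gets through the unverified steps and is caught at the first verified one. HMAC-SHA256 stands in for the dongle’s AES (the standard library has no AES); the moduli, key derivation and step count are invented for the demo.

```python
"""
Added example (not Nik's code): CRT-encoded serial, challenge/response dongle,
sampled verification at powers of 4, and a replay emulator that is caught at
the first verified step. Everything here is a demo stand-in, not a real
Sentinel/HASP protocol.
"""
import hashlib
import hmac
import os
from functools import reduce

# Pairwise coprime moduli (demo choice). Product is about 4.1e9, above 2**31,
# so any 31-bit serial is recovered uniquely from its residues.
MODULI = (251, 253, 255, 256)


def crt_encode(serial):
    """Serial -> tuple of residues, one per modulus (what the dongle stores)."""
    return tuple(serial % m for m in MODULI)


def crt_decode(residues):
    """Residues -> serial, by the standard Chinese remainder reconstruction."""
    total = reduce(lambda a, b: a * b, MODULI)
    x = 0
    for r, m in zip(residues, MODULI):
        n = total // m
        x += r * n * pow(n, -1, m)   # n * n^-1 == 1 (mod m), 0 (mod others)
    return x % total


def derive_key(serial):
    """Demo key derivation: the host and the dongle agree on this (assumption)."""
    return hashlib.sha256(b"dongle-key|" + serial.to_bytes(4, "big")).digest()


class Dongle:
    """Genuine dongle: exposes its residues and answers challenges with its key."""
    def __init__(self, serial):
        self.residues = crt_encode(serial)
        self._key = derive_key(serial)

    def respond(self, challenge):
        # HMAC-SHA256 stands in for the dongle's iterative AES.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class ReplayEmulator:
    """Crack attempt: replays the response recorded at the same step of a real run."""
    def __init__(self, residues, transcript):
        self.residues = residues        # residues are static, trivially copied
        self._transcript = transcript   # list of (challenge, response)
        self._i = 0

    def respond(self, challenge):
        _, recorded = self._transcript[self._i]
        self._i += 1
        return recorded                 # ignores the fresh challenge


def is_power_of_4(i):
    return i >= 4 and (i & (i - 1)) == 0 and (i.bit_length() - 1) % 2 == 0


def run_protected(device, steps, transcript=None):
    """Host side. Returns the step of the first failed check, or None if all pass."""
    key = derive_key(crt_decode(device.residues))  # weak spot: key lives in the binary
    for i in range(1, steps + 1):
        challenge = os.urandom(16)                   # new data every step
        response = device.respond(challenge)
        if transcript is not None:
            transcript.append((challenge, response))
        if is_power_of_4(i):                         # verify only at 4, 16, 64, ...
            expected = hmac.new(key, challenge, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, response):
                return i
    return None


if __name__ == "__main__":
    real = Dongle(0x1234ABCD)
    log = []
    print("genuine dongle failed at:", run_protected(real, 64, transcript=log))
    fake = ReplayEmulator(real.residues, log)
    print("replay emulator caught at step:", run_protected(fake, 64))
```

The replay passes steps 1 to 3 because nobody checks them, and fails at step 4 because the challenge there is fresh. The remaining weakness is the one the comment itself addresses with executable encryption and anti-debugging: the host must hold enough to compute the expected response, so whoever can read the host binary can emulate the dongle outright.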

RealFakeNews April 7, 2021 5:48 AM

Hardly new.

What I do question, is the business model of the malware operator. Surely they know their stuff will be short-lived and soon exposed?

The motives of the crack dev are easier to discern: bundle malware for cash.
