Videogames: February 2009 Archives

Let's take a look at

Mygamesfile.com

....a website that promises much, and delivers little.

You may have seen these adverts in circulation on ad networks recently:

hl2.jpg


fall3.jpg

Snap5.jpg

In each case, the advert promotes a popular videogame - most notably Half Life 2 and Fallout 3 in the above examples. The adverts are pretty clear - a picture of said game, and "Free, Legal". It seems reasonable to expect a deal has been made to allow you to obtain the advertised titles for free, legally.

Of course, it's all about to go horribly wrong.

Visit the site, and you quickly notice a few things - many 404 errors, pages that loop back on themselves and a lot of this:

lorem.jpg
Click to Enlarge

...hmmm. Moving swiftly on, we can see elements of the site are starting to slip from "reasonable" to "slimy". Namely, this:

Snap1.jpg
Click to Enlarge

"Download Half Life 2" sits proudly at the top of the page - at this point, you'd expect the full game, wouldn't you? Especially as beneath the Download button sits a number of green bars with "Server Load" written on them - each showing a different percentage. You would think this is further evidence of the site pushing out large sized downloads of the full game - imagine your dismay, then, when you shortly discover the "Server Load" graphics are entirely fake and don't represent anything at all.

Hit the Download button, and you'll see this:

Snap22.jpg
Click to Enlarge

An install prompt for Zango, pre-ticked (of course) and also giving you the option to have "free ShopperReports", whatever that is. Without installing this, you have no way to access the wonderful free game download waiting for you on the other side.

So you accept the prompt, and install Zango & company on your PC in return for the promise of a "free game".

What do you get?

Snap4.jpg
Click to Enlarge

A CNET download page offering up the Half Life 2 demo of ONE LEVEL, is what you get.You can't even play it unless you install Steam and create an account.

Yes, you've just been taken for a ride.

Even better than that, the site owner (who registered the URL anonymously, of course) can't even be bothered to offer up the correct downloads. The second advert in this article clearly shows Fallout 3, and the Fallout 3 "download page" says this:

Fallout 3 is the third game in the great Fallout Series. It is a single player RPG action game that takes place in Washington DC, following a nuclear war. 200 years after the war, survivors live safely in a fallout shelter named Vault 101. When you find that your father has inexplicably left Vault 101, you follow him to the outside world. A world filled with Super Mutants, Giant Insects, Raiders, and Slavers.

Fallout 3 allows you to explore the entire former city of Washington with near limitless freedom. The game can be played from either 1st person, or 3rd person perspective, and the course you take throughout is entirely up to you.

On top of all this, Fallout 3 renders its environment in eye popping graphics. Every explosion, every character, and every piece of scenery is displayed in full HD, creating a really powerfull experience. This is definitely a game that must be played.

Download Fallout 3 now! Just click start on the next page.


Sounds awesome, doesn't it? Imagine the look on your face, then, when you've installed Zango, been taken to the download page and....

fall4.jpg

...you're offered a PROTOTYPE from 2003 that doesn't even resemble the game eventually released last year. It's so far removed from the promised game it's not even funny:

"While playable, Van Buren is a pre-alpha tech demo, never intended for public consumption. Many features, including combat, aren't fully implemented, the graphics are very basic, and it is extremely buggy. It is also has no connection whatsoever to the Fallout 3 project currently being developed by Bethesda."

What's particularly humorous here is that their adverts say "MyGamesFile does not host or link to illegal software". However, if you read how this "not for public consumption" demo was made available in the first place....

"Oddly enough, one day after putting a tooth I lost during a biking accident under my pillow, I woke up and found a CD under my pillow. Putting it in my computer, I found out it contained something called "demo.rar". Unzipping it, guess what I found. So thank you, tooth fairy"

Whoops. The demo seems to be "on general release" nowadays, but its origins seem somewhat "under the counter", to say the least. In case you were in any doubt just how different these two are, this is Van Buren:

vb1.jpg
Click to Enlarge

...and this is Fallout 3:

fo3.jpg
Click to Enlarge

The prosecution rests, your Honour.

Just when you think it can't get any stinkier, you scroll right down to the bottom of the page.

Do my eyes see something there? Why yes, they do.....sort of.

fakeout.jpg

Oh my, dark grey text on a slightly lighter grey background. I wonder why they did that? Well, probably because it says this:

"MyGamesFile does not host or link to illegal software. All links are to legal, demonstration versions."

After all, nobody would install Zango (making the site owner money) if they were fully aware going into this "deal" that they could get these same demos elsewhere with no need to install anything, am I right? And if they furtively admit to doing nothing more than linking to demos elsewhere, what's with all the fake "server load" graphics all over the place?

This site fails.

It reminds me a little of the fake Batman MMORPG website from a few months ago - more importantly, it highlights how Zango continue to let bottom of the pile, cookie cutter sites like this through their Q&A process.

I'm willing to bet there's more of these out there. For now, the easiest way to ensure you don't get fooled by "offers" such as this is to switch off Javascript, then hit the "Download" button. If you're taken to something like Fileplanet or a Download.com Demo page, you know to back out slowly, not making any sudden movements...

Playfire Controversy

| | Comments (4)
This is pretty bizarre. Here, we have a social networking site asking for pretty much every type of login you can imagine and getting a fair amount of criticism for it in the process. The way they go about it is somewhat peculiar, and though I don't think it was malicious on their part, it illustrates how what somebody thinks is a good idea can go horribly wrong very quickly.

The site in question is Playfire.com, a social networking site for people interested in videogames.

What were they doing? Well,it seemed messages were being sent to people on your XBox Live friends list, "reserving" a page for that username then presenting that individual with the below page:

pfire4.jpg
Click to Enlarge

Note that it asks for your XBox Live login. At that point, according to numerous complaints on forums, those friends would then receive a message on XBox Live that appeared to have come from you, recommending Playfire.

A Playfire employee has been busy posting to this blog post, and also this forum thread on the subject. From the last link:

"It looks like Microsoft's legal team has triumphed. According to Large Jaguar, Xbox.com Development Manager, "PlayFire is no longer collecting WLID credentials for people's Xbox LIVE accounts."

Again, I don't think there's anything malicious going on here - but it's a good example of how a few poorly chosen "features" can seriously damage your reputation.

When you're a new site, that's really the last thing you need...
It's been brought to my attention that over the last couple of days, people have been posting malicious links to entice gamers into running keyloggers - all of which seem to revolve around one particular game. These keyloggers will hijack your Steam account, which as you might have guessed, isn't a good thing to have happen.

One such poster (now banned from the official Steam forums) has been promoting lots of links to videogame modding tools, all focused around the game Left 4 Dead. As an example:

lfd0.jpg
Click to Enlarge

As you can see, "Xpro132" claims the mod does all sorts of cool things, but anyone downloading this file is in for a surprise. As one person put it,

"I downloaded the rar file,extracted the downloader exe,clicked exe and BOOM nothing... did I do something wrong?"

Unfortunately, you did :(

The file claims to be a "Web Downloader" for Left 4 Dead, giving you access to interesting features that the regular game doesn't have. The person responsible for the file has uploaded it to numerous free file hosting services:

hllfd4.gif

....which makes the "Downloaded: 3 times" message far too reassuring. From the looks of it, quite a few more people than that have been affected by this so far. This is what it looks like on the desktop:

hllfd5.gif

...and this is what ends up in your System32 Folder should you run the file:

hllfd6.gif

The second Win32 EXE is particularly difficult to shut down. From this point onwards, your Steam login (and potentially other logins) are vulnerable.

Interestingly, this same person is linking to many other files, some of which are hosted on reputable game modding websites. Here's another one:

hllfd1.gif
Click to Enlarge

This is yet another Left 4 Dead related program - this one is a "especial edition" (as the creator calls it) that allows you to play custom .WAV files ingame.

hllfd3.gif
Click to Enlarge

There are people complaining about it here, and the file itself is flagged by two security products on Virustotal.

Seeing as the other files this person has uploaded don't seem to be very good for your PCs health, it's advisable to give the Half-Life Sound L4d Especial Edition a wide berth too. We'll try and collect as many files related to this in the meantime, but for now, steer clear of anything posted to forums and game mod websites by the person above.

We detect the files as (amazingly enough) L4D Logger and L4D Keylogger.

Additional Research:

Chris Mannon, Senior Threat Researcher
Peter Jayaraj, Senior Threat Researcher
xboxlv5.gif
Click to Enlarge

In the past few weeks, we've noticed a steady increase in posts like this and this. Everywhere you look, people are suddenly curious as to how you "boot" someone from online videogames. They're not entering this rather famous joypad combination to do it - rather, they're dabbling in somewhat more sinister methods of tampering with gamers playing on XBox Live.

Namely - Botnets. In a big way too, from the looks of things.

What is XBox Live?


Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft Corporation. Pay for a Live account, and you can shoot other gamers online all day long on Halo 3, or maybe download some premium content such as movies, trailers etc.

Live has long been the subject of social engineers and hackers - fooling people into handing over their logins and making fake Points generators stuffed with Trojans and keyloggers to steal login info has been going on seemingly forever. There is another area of Live exploiting that's not been looked into much - that of "booting" other players from games via external means.

How is this done?

Well, typically someone will connect their XBox to their PC via a crossover cable (or via their wireless connection), join a multiplayer game then sniff the traffic (you can see a tiny example of that from the first screenshot at the top of the article). They might use this method to grab ip addresses (though it can be a little over complicated for the wannabe hacker), or they might resort to social engineering tactics away from the gaming environment. However they go about it, they need an ip address if they intend to boom, headshot their victim.

In this case, we have something rather interesting that's quickly becoming mainstream after spending a long time in the underground - combining custom made tools to create Botnet drones, specifically created to knock XBox Live gamers out of whatever game they happen to be playing at the time.

The bundle currently doing the rounds is pretty slick, and combines two tools distributed in a single AIO - it actually sits in the system tray (first icon on the left) until you feel like exploring it further.

xboxlv7.gif

Here's the two applications that work the "Magic" in this particular package, when you get tired of looking at the nice icon in your system tray:

xboxlv6.gif
Click to Enlarge

xboxlv8.gif
Click to Enlarge

Both of these programs pretty much do the same thing - facilitate the ability to DDoS people from the XBox Live network (note the default port for both programs is 3074, which is required to be open for XBox Live to function).

How do they do it?

Well, the bundle comes with two "vanilla" Bots:

xboxb2.png

...although really, the Bots can be anything you like. You don't have to use the supplied files, though of course this is designed to be a DIY-in-minutes kit (humorously, both files point to a pre-existing Botnet so anyone foolish enough to run these EXEs while trying to create their Botnet empire is going to find themselves a drone for the original creator).

After creating a host with a service such as no-ip.info that points to your own ip address, you insert that host into the ready-to-roll code in the Bot file. At that point, all you need to do is send your victims the EXE, convince them to run it on their PC and they'll start reporting back to your Booter program as willing DDoS drones. Here's a (somewhat blurry) screenshot lifted from a popular Youtube video currently in circulation of an attack in progress on an XBox gamer:

xbotrunning.jpg

As you can see, the attacker "only" has four bots, but the instructions that come with the programs tend to advise "between forty and sixty". This is now, as you might imagine, all the rage.

The big incentive here, of course, is money. There seems to be quite a lucrative market for angry gamers looking to get revenge on whoever happened to headshot them the day before - we have some screenshots of sites where these "XBox DDoS Botnets" can be created from scratch for paying customers, along with a nifty price list to get things moving.

As I said earlier, some of these tactics and techniques have been around for some time - but you only need to take a quick look around hacking forums and sites such as Youtube & Yahoo Answers to see this is rapidly becoming more and more interesting to angry 14 year olds with too much time on their hands.

What can you do about it?Well, sadly for now the answer is "not a lot". You can never be sure when playing online just who has their finger on the trigger ready to nuke you from orbit with a Botnet DDoS. The problem will only get worse as money keeps changing hands and suddenly every rage fuelled gamer who had a dream of really getting even suddenly has the power to do so even after the "Game Over" screen has flashed up.

Perhaps the best solution is just to let that annoying fourteen year old claim his headshot and go back to playing chess...

Writeup: Chris Boyd, Director of Malware Research
Additional Research: Chris Mannon, Sr. Threat Engineer

Pages

About this Archive

This page is a archive of entries in the Videogames category from February 2009.

Videogames: January 2009 is the previous archive.

Videogames: March 2009 is the next archive.

Find recent content on the main index or look in the archives to find all content.