Using mods in World of Tanks is a security risk

Santeri
Posts: 324
Joined: 2017-7-5 09:58

Unread post by Santeri » 2019-6-18 12:29

World of Tanks is manually reviewing mods (modifications) they add to their Mod Hub. Before downloading they warn you about not taking any responsibility, but the Mod Hub itself - including the review process - creates the impression that their mods are safe.
Please note that Wargaming does not bear any responsibility regarding the use of modifications.
Mod developers are complaining that the review process is slow and because of that many mods are not up-to-date. This would not be a problem if there was not a design flaw in the mod interface. In the current architecture, just like in all the past versions, mods need to be placed in a directory that contains the version number of the current game release. This means that after every update (this does not apply to micropatches) all mods become nonfunctional, they must be updated, and uploaded to the Mod Hub for a new review.

Why do mods pose a huge security risk?

Mods themselves consist of Python program code, images, and flashes. Python code is human readable and even Python Byte Code can be easily decompiled back to the source code. This makes checking mods easier and should provide tools for Wargaming Mod Hub reviewers to verify that there is no malicious code included in the Mod Hub. Unfortunately this works only in theory. Many mod makers appear to be obfuscating their Python Byte Code using PjOrion. The program breaks the byte code so that it cannot be decompiled and checked. This means that the Wargaming Mod Hub actually has no real means to check the mods and make sure they are not malicious. There are several tools available for deobfuscating, for example Bytecode simplifier, but they do not work with the Byte Code that is embedded in the currently available mods.

I could, for example, write a mod that appears to be legitimate and useful, but hide malicious code in the mod that activates later so that Mod Hub reviewers will not see it at the time of the review. Or, I could trigger the malware of the mod remotely after the mod has been included in the Mod Hub because there are no restrictions (and cannot be) for what mods can do. Firewalls do not help because the game must have internet and browser access in order to work, and mods are running with the same permissions. Antiviruses cannot deobfuscate code either to detect malware. Such malware could contain anything: a keylogger to steal passwords, encrypting the user's files to demand ransom, installing a backdoor, etc.

How to fix this mess?

Wargaming should demand that the Byte Code in mods must not be obfuscated. This way malicious mod makers could be detected and rooted out. To fix the issue with updates, the mod architecture should be revamped. Mods should not be in a version specific directory and there should be a way to enable or disable them in case of problems. There could also be a warning telling that you have not updated your mods since the last game update, and an option to disable mods if the user is uncertain.

I quit using mods a few years ago thanks to the issue with updates. As long as mods are unsafe, I am going to trust only those mods that are not obfuscated or which I have created by myself.



Anonymous coward

Unread post by Anonymous coward » 2019-6-18 22:47


H4x0r

Unread post by H4x0r » 2019-6-19 08:14

How you think we get money if every people copy our codes and remove adware/mines? It must be protected codes from modifications and stealing. You are not smart person.

Santeri

Unread post by Santeri » 2019-6-19 09:59

It is easy to check if a World of Tanks modification is potentially dangerous.

If you are running Windows, download and install the free open source text editor Notepad++ unless you already have it.

Unpack packed modifications. Open files with .pyc, .wotmod and .exe extensions in Notepad++ and search for the text

    pjorion_protected

In GNU/Linux you can simply do

    unzip -p MOD_ZIP_PACKAGE_NAME | grep pjorion_protected

When the string is present, the source code of this mod is obfuscated and it is impossible to review it properly even for Wargaming Mod Hub. The modification may well contain hidden malware. Using such mods will compromise your security and may open your computer to hackers.
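
Added example, not part of the original post: the same marker search in Python, extended to look inside compressed and nested archives, where a text search over the packed file itself sees nothing. MAX_DEPTH, MAX_SIZE, the label format and the sample archive are assumptions constructed for illustration; an empty result only means the marker was not found.

```python
import io
import sys
import zipfile
from pathlib import Path

MARKER = b"pjorion_protected"   # the string named in the post above
MAX_DEPTH = 3                   # assumption: how deep nested archives are followed
MAX_SIZE = 64 * 1024 * 1024     # assumption: skip anything declaring more than 64 MiB

def scan_bytes(data, label, depth=0):
    """Return a label for every blob that contains MARKER, descending into zip archives."""
    hits = []
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_SIZE:
                        continue
                    hits += scan_bytes(zf.read(info), f"{label}!{info.filename}", depth + 1)
            return hits
        except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
            pass  # damaged or encrypted archive: fall back to a raw search
    if MARKER in data:
        hits.append(label)
    return hits

def scan_tree(root):
    """Scan every regular file under root (.pyc, .wotmod, .exe and anything else)."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.stat().st_size <= MAX_SIZE:
            hits += scan_bytes(path.read_bytes(), str(path))
    return hits

def build_sample():
    """Constructed sample: a clean member plus a marked member inside a nested zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mod_hidden.pyc", b"\x03\xf3\r\n" + b"x" * 64 + MARKER)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mod_clean.pyc", b"\x03\xf3\r\n" + b"constructed clean bytes")
        zf.writestr("bundle.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_bytes(build_sample(), "sample.wotmod")
    print("\n".join(found) or "marker not found")
```

Run it with the mods directory as the only argument; each output line names the archive path and the member that carries the marker.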

Kub3n

Unread post by Kub3n » 2019-6-19 10:55

H4x0r wrote (2019-6-19 08:14):
> How you think we get money if every people copy our codes and remove adware/mines? It must be protected codes from modifications and stealing. You are not smart person.

Why are you selling mods?

H4x0r

Unread post by H4x0r » 2019-6-19 11:06

Kub3n wrote (2019-6-19 10:55):
> Why are you selling mods?

I sell no mods give free. Money pay adware+crypto mine.