Compromised Python libraries

FallenLondon

Active Member
Aug 5, 2016
716
503
Hi there,

I don't know anything about programming, so could someone who does shed some light on the possible impact for developers and/or users of Ren'py games? And of course warn if necessary.



My thought process doesn't go further than Python compromised - Ren'py uses Python - trouble?! I searched a bit on the forum, but couldn't find anything regarding this. Probably good news :).

Kind regards, FL.
 

Rich

Old Fart
Modder
Donor
Respected User
Game Developer
Jun 25, 2017
2,490
7,035
My thought process doesn't go further than Python compromised - Ren'py uses Python - trouble?! I searched a bit on the forum, but couldn't find anything regarding this. Probably good news :).

Python itself wasn't compromised - PyPI is a repository for Python add-on packages. By analogy, there could be (and are) malicious apps on the Android App Store, which, if downloaded, will do Bad Things to you, but that doesn't mean that Android itself was compromised. To be affected by this, you'd have to have a Python application that brought in and used one of the malicious libraries by mistake, instead of the "proper" libraries that they were impersonating.

Ren'py is, indeed, based on Python, but the vast majority of it is written by PyTom. It only uses a couple of Python modules, and those modules come packaged with Ren'py. And none of those were affected.
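As an added illustration of the "brought in by mistake" case described above (not part of the original post), this sketch flags requirement names that are near-misses of the packages a project actually intends to use. The `INTENDED` set and the sample requirement lines are assumptions constructed for the example.

```python
import re

# Assumption: the packages this project really intends to depend on.
INTENDED = {"requests", "python-dateutil", "pillow", "six"}

def normalize(name):
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Optimal string alignment distance (adjacent swap counts as one edit)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def suspicious(requirements, intended=INTENDED, max_dist=2):
    """Return (name, lookalike_of, distance) for near-miss requirement names."""
    known = sorted(normalize(n) for n in intended)
    findings = []
    for req in requirements:
        # Keep only the project name, dropping version specifiers and extras.
        raw = re.split(r"[<>=!~;\[ ]", req.strip(), maxsplit=1)[0]
        name = normalize(raw)
        if not name or name in known:
            continue
        for good in known:
            # Compare with and without separators ("pythondateutil").
            d = min(edit_distance(name, good),
                    edit_distance(name.replace("-", ""), good.replace("-", "")))
            if d <= max_dist:
                findings.append((name, good, d))
                break
    return findings

# Constructed sample input, in requirements.txt style.
SAMPLE = ["requests==2.31.0", "reqeusts", "python_dateutil>=2.8",
          "pythondateutil", "numpy", "pilow"]
```

Very short intended names such as `six` will match many unrelated three-letter names at distance 2, so a lower `max_dist` is sensible for them.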
 

anne O'nymous

I'm not grumpy, I'm just coded that way.
Modder
Donor
Respected User
Jun 10, 2017
10,369
15,285
Python itself wasn't compromised - PyPI is a repository for Python add-on packages.
I would add that the two compromised packages were for Python 3.x, while Ren'py still relies on Python 2.7, therefore Ren'py was never at risk... at least not because of this.

But it must stay as a reminder that, like you implied with the App Store analogy, it can happen everywhere. This time the concern was for Ren'py, tomorrow it can be for a Unity template/add-on, for example. A dev who wants to use RPG Maker without paying may have downloaded a compromised "free version". Assets for Daz3D aren't just models, morphs and all, some are pure compiled add-ons, and I'm pretty sure that unlike a project like Python, there's no real security team behind Daz3D.
And finally, on top of that, the code of the game itself (including the code of a Ren'py game) can be, voluntarily or not, compromised to act as a malicious one.

You have to always stay on guard, but "reasonably on guard". Weigh the pros and cons, use trustworthy sources, double check what you download (which would have been enough in this particular case) and keep in mind that even the best can make errors from time to time. Back in the early 00's, even a project like OpenBSD (a 100% security-oriented OS) was compromised; it lasted less than a day if my memory is correct, but it happened.
 

Rich

And finally, on top of that, the code of the game itself (including the code of a Ren'py game) can be, voluntarily or not, compromised to act as a malicious one.
This is definitely something to be remembered - any time you download an executable onto your computer, you have the potential of bringing along Bad Stuff.

Weigh the pros and cons, use trustworthy sources, double check what you download.
Truer words were never spoken...
 

anne O'nymous

This is definitely something to be remembered - any time you download an executable onto your computer, you have the potential of bringing along Bad Stuff.
I would have said it as "something that will be executed", more than "executable".
Strictly speaking, a Ren'py game is an executable (the engine) and something that will be executed (the game). Therefore some may think that they are safe as long as they use the official version of the engine, and not the one provided by the game. But look at what "Doki Doki Literature Club!" does, for example when it calls Windows users by their login.
People must not forget that even a Ren'py game can do whatever it wants on their computer, and access whatever information is stored. This is on Windows, but also on Linux and Mac OS X; privilege escalation is a reality, and not being root is just a security measure, not a full guarantee.

To be noted that I used Ren'py as an example, because it's the most seen engine in the community, but it applies to everything; including tools like unrpyc, a snippet for your e-mail reader, and so on. As long as it's code, compiled or interpreted, there's a risk.
Hell, there was a time when even JPG images had been used to spread a virus, and there's the breach in WinRAR that makes an ACE archive a vector of infection.


All this said, I'll also repeat the other thing you quoted, because being careful doesn't mean that you have to be paranoid: "Weigh the pros and cons, use trustworthy sources, double check what you download."

99% of us are safe with just an anti-virus, because we are average Joes with no real interest as targets, nor real enemies. We will never be targeted because of who we are, therefore we will rarely be exposed to something totally unknown to the experts. At worst, we will be one of the first infected, and the next update of the anti-virus will warn us about this.
 

Rich

99% of us are safe with just an anti-virus, because we are average Joes with no real interest as targets, nor real enemies. We will never be targeted because of who we are, therefore we will rarely be exposed to something totally unknown to the experts. At worst, we will be one of the first infected, and the next update of the anti-virus will warn us about this.
I'm going to disagree with this just slightly on a couple of counts. (Primarily on mechanisms, not on overall effect.)

First, many of The Black Hats that delight in inflicting Bad Things on us aren't targeting any of us specifically, so being an "average Joe" doesn't necessarily protect us. Many of the attacks that have been launched were done with the specific intent of "acquiring" machines that could be remote-controlled ("bot nets") for later use such as DDoS attacks. For those, "they" mostly don't care who they manage to acquire. Granted, using something like Ren'py as a vector may not have occurred to many of the Black Hats, but if it did, and they decided to infect something popular like, say, Summertime Saga or DMD, they'd probably be able to get to quite a few people.

Second, if you take the Ren'py case, in general antivirus scanners are most likely to look at the .exe file (to use the Windows example) that comes with a game. (A number of users have experienced this, as once in a while you get a false positive.) However, in the case of Ren'py, there is executable code (Python) buried inside the .rpyc files (which may be directly visible, or may be packaged inside a .rpa file). The odds that antivirus scanners will go poking around inside these files looking for malicious signatures are much lower. Not saying that they couldn't, but the Ren'py community represents a small enough percentage of the overall world that it's not nearly as likely to get on the AV companies' radars, particularly the additional work that would be required. Put another way, a typical AV scan is going to look at the .exe and decide it's safe, and never notice the malicious code that the "safe" program may turn around and execute. (Caveat: I don't know that AV companies have not done this - this is just a SWAG. Or maybe just a WAG.)

I will agree with you, however, that if something like this was done, the AV programs are still reasonably likely to pick up anything that a rogue game might install in order to "capture" a machine, even if they missed the "pull it down and install it" code. And, in addition, modern operating systems (W10, the newer MacOS, etc.) make it much harder (though not impossible) for code to do privilege escalation than used to be the case. So a properly configured computer (security features not disabled, AV software installed, etc.) does have layers of defenses that make this kind of thing more difficult.

In any event, my own judgment is that the risk of this kind of thing is not high, but obviously it's not zero. So (personally) I take a few extra levels of defense.

anne O'nymous

First, many of The Black Hats that delight in inflicting Bad Things on us aren't targeting any of us specifically, so being an "average Joe" doesn't necessarily protect us. Many of the attacks that have been launched were done with the specific intent of "acquiring" machines that could be remote-controlled ("bot nets") for later use such as DDoS attacks. For those, "they" mostly don't care who they manage to acquire.
Granted, using something like Ren'py as a vector may not have occurred to many of the Black Hats, but if it did, and they decided to infect something popular like, say, Summertime Saga or DMD, they'd probably be able to get to quite a few people.
True, but don't over-worry about them. Botnet owners seek discretion; they will more likely come from the outside than from the inside. What they want is a totally lax user; the kind that assumes that "it's normal" if something odd happens, whatever that thing is.
For them, using a virus is counter-productive, especially if it's one widely spread. It will be intercepted sooner or later, which will cost them part of their botnet; a botnet that they will not be able to grow again for some time. Not because the virus would be intercepted, but because the lab(s) that have it will put it in a sandbox, then let the computer be corrupted, to later be able to study the tools themselves.
They are also more likely to corrupt a game that is way less successful. If Summertime Saga or DmD were corrupted, I'm pretty sure that it wouldn't take more than a week before all anti-virus labs were aware of this. Writing a virus is relatively easy, but writing the structure for a botnet is something totally different, and they would have to change it radically enough if their tools were part of the database of an anti-virus. Plus, they generally use zero-day exploits, which they want to keep for themselves. Shining a light on their infection vector would cost them a lot of time and money.

What is to fear is more the ones that steal credit card numbers. Those would target big games, because they're fishing with explosives. It's more or less like a Nigerian scam, they spread thousands of fishing hooks in the hope of having two or three fish at the end of the day.
There are also those who will use your computer as a light SMTP host for their spam, or a light HTTP server for their phishing campaign. But, having left the field too long ago, and seeing how lax admins can be nowadays, I'm not sure if it's still a thing.


Second, if you take the Ren'py case, in general antivirus scanners are most likely to look at the .exe file (to use the Windows example) that comes with a game.
They do more than this, and I'm not talking about their behavior scanner.
When I changed my computer, I used my LAN to transfer part of my files. And my anti-virus reminded me of my collection of Perl and Vscript exploits; most of them being in txt or msg files, since they were directly coming from old mailing lists and/or specialized sites.
It doesn't mean that you're totally protected, but generally if it's in an archive, you're safe even if it's not explicitly an executable.
We should probably thank the many exploits in the archive tools that, from time to time, have made it possible to change the extension during decompression and/or to execute whatever was stored inside. As well as the JPEG virus I was talking about, which clearly revealed that it's not just executables and documents embedding macros that are at risk.


[...] to get on the AV companies' radars, particularly the additional work that would be required.
How many Ren'py games are there now on Steam? They surely never deeply studied the engine, but they probably know that it exists, where to find it if needed, and that it relies on a text-like format and two pickle variations.
Anyway, while they run many sandboxes to catch the viruses, they also rely on the help of the community. They all have a way for us to submit suspect files to them (just ask Google how to "submit suspected virus"), and they study them all. So, if they don't catch the virus by themselves, it would be you, me, or someone else that will point it out to them.


In any event, my own judgment is that the risk of this kind of thing is not high, but obviously it's not zero. So (personally) I take a few extra levels of defense.
It's always a good thing to do. I mean, my network-related programs run inside Sandboxie, I have an IP filter on my computers and one in front of the LAN, plus all HTTP traffic passes through a filtering proxy, so I'll not be the one to blame someone because he has too many safeties.

But what I was saying is more that by being an average Joe, your risk of being targeted by totally unknown malicious code is near to 0. There's stealth code, there are exploits used for a long time that are still unknown to the community. But their value is way too high for them to be used on small targets and/or spread widely. What we can encounter are basic attacks, and 99,9% of the time basic counter measures are enough for this.
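Two points in this thread, that code can sit inside game data files a scanner may not open and that Ren'py relies on pickle, suggest a concrete check, shown here as an added example that is not part of any post: list what a pickle stream would import without ever unpickling it. It works on a raw pickle stream (extracting one from a game file is not shown); the allowlist and the sample pickles are assumptions constructed for the example.

```python
import pickle
import pickletools
import platform
from collections import OrderedDict

# Assumption: modules a data pickle may legitimately reference.
ALLOWED_MODULES = {"collections", "builtins", "copyreg"}

def referenced_globals(data):
    """List (module, name) pairs a pickle would import, without loading it."""
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            # Older protocols carry "module name" as one text argument.
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are the two latest string pushes.
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
            else:
                found.append(("<unknown>", "<unknown>"))
        elif isinstance(arg, str):
            strings.append(arg)
    return found

def disallowed(data, allowed=ALLOWED_MODULES):
    """Return the references whose top-level module is not on the allowlist."""
    return [(m, n) for m, n in referenced_globals(data)
            if m.split(".")[0] not in allowed]

# Constructed samples. Pickling a function stores only a reference to it;
# nothing is executed here, and platform.node is harmless in any case.
SAMPLE_OK = pickle.dumps(OrderedDict(a=1), protocol=4)
SAMPLE_ODD_P2 = pickle.dumps([OrderedDict(a=1), platform.node],
                             protocol=2, fix_imports=False)
SAMPLE_ODD_P4 = pickle.dumps(platform.node, protocol=4)

if __name__ == "__main__":
    for label, blob in [("ok", SAMPLE_OK), ("odd-p2", SAMPLE_ODD_P2),
                        ("odd-p4", SAMPLE_ODD_P4)]:
        print(label, disallowed(blob))
```

The `STACK_GLOBAL` handling is a heuristic based on the most recent string pushes, so an `<unknown>` result should be treated as a finding rather than ignored.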
 