Unity is merging with ironSource, a known malware provider

Will you still trust new unity installs going forward?


Total voters: 104

OsamiWorks

Member
May 24, 2020
196
204
You expect to test potentially malicious code, and at no time do you chroot before starting it?
Hmmm, not really interested in Linux; do they finally have jails, or is chroot still their best solution? Not that it's a bad one.
:ROFLMAO:
I didn't know, so I googled it: there is a chroot jail command. It isolates the process and its children, but it still looks like it's kind of vulnerable to privesc, since it only hides the rest of the filesystem and is really dependent on what you're giving access to :whistle:

I liked this guy's approach where he just says and then limits perms; I still think it's vulnerable in the same ways, but the idea is better. Linux is like a weird area where people like me picked it up because it seemed like there was more info on how it worked, and it felt like it was easier to get help than with Windows; now I wish I understood more about the Windows userland.
 

Meaning Less

Engaged Member
Sep 13, 2016
3,540
7,112
Amazing how people bite into fearmongering so easily; this sale means almost nothing.

As if any company would spend 4.4b to instantly tank the product they just bought. Save your complaints for when/if anything actually happens instead of reading too deep into another conspiracy...
 

anne O'nymous

I'm not grumpy, I'm just coded that way.
Modder
Donor
Respected User
Jun 10, 2017
10,376
15,289
I didn't know, so I googled it: there is a chroot jail command, [...]
I did some searching myself after writing this, and there's Linux Containers (LXC). Not something new, but as I said I'm not really interested in Linux. They don't seem to have the same efficiency (I include the ease of use) as , but I haven't looked deeply into them, while I have years of experience with jails, so I can be wrong.
This said, my question was more curiosity, to update my knowledge a bit, because even jails aren't enough for an effectively secured analysis of malicious code.


[...] now I wish I understood more about the Windows userland.
Oh, it's really easy: click to launch, and for everything else rely on Google.
I started with DOS, and have used pretty much all Windows versions from 3.1 to 10. It's what? Near to 30 years of use, and I still don't really understand its userland; partly because it doesn't just evolve, like Linux does, it also changes, sometimes radically.
Not that it's impossible to understand, but there are too many abstractions for this to be worth it if your job isn't to administer it on a large scale. So, yeah, you use Google to find the tools that will change this or that behavior (for example I use Windows 10, but mostly still have the XP user interface), and to tweak, or secure, the parts that you really need to change or secure. For the rest you learn not to care; it's now strong enough for that.
But I admit that I cheat. My main computer is behind a gateway and firewall powered by *BSD; it partly helps to not care.
 

OsamiWorks

Member
May 24, 2020
196
204
I did some searching myself after writing this, and there's Linux Containers (LXC). Not something new, but as I said I'm not really interested in Linux. They don't seem to have the same efficiency (I include the ease of use) as , but I haven't looked deeply into them, while I have years of experience with jails, so I can be wrong.
This said, my question was more curiosity, to update my knowledge a bit, because even jails aren't enough for an effectively secured analysis of malicious code.




Oh, it's really easy: click to launch, and for everything else rely on Google.
I started with DOS, and have used pretty much all Windows versions from 3.1 to 10. It's what? Near to 30 years of use, and I still don't really understand its userland; partly because it doesn't just evolve, like Linux does, it also changes, sometimes radically.
Not that it's impossible to understand, but there are too many abstractions for this to be worth it if your job isn't to administer it on a large scale. So, yeah, you use Google to find the tools that will change this or that behavior (for example I use Windows 10, but mostly still have the XP user interface), and to tweak, or secure, the parts that you really need to change or secure. For the rest you learn not to care; it's now strong enough for that.
But I admit that I cheat. My main computer is behind a gateway and firewall powered by *BSD; it partly helps to not care.
Your knowledge probably isn't as dated as you think. Things do change, but generally it's the same stuff with a new name, made more efficient. Real changes either get split up to allow for something more complex that still functions on all the old tech, or get split into different things, giving new terms to things you do a lot and making them easier. Really, if you understand the concept, you understand it down the line; like when I googled jails I realized that it's just the predecessor to Docker and containerization. I never got deep into the area of digital forensics, but I was interested in reverse engineering so I had a little bit of crossover. This is a pic taken from the Malware Analyst's Cookbook of what a lab looks like.


There is a bit of backend setup for routing your network traffic, not only with how they communicate but the IDS, firewalls, simulating interaction with the internet, and other systems. Then more tools for damage control and reverting things back to a previous state.

It seems a little bit dated, but not too far off from what I'd expect. I might be speculating a bit because I'm not sure how aware the security community as a whole is, but I imagine that updating this to a modern lab would mean having a mix of different commercial virtualization solutions, with the main change being that you can place everything into a virtual network, then start executing malware on a machine and watch both how it interacts with each system and its behaviour traversing across a network, how it enumerates and attacks new targets; hopefully we'd be seeing newer, cooler things like a jump to different subnets through something like misconfigured routing equipment.


It's a little more familiar after you execute the malware: you're looking at logs from the IDS generated by inetsim, tcpdump/wireshark to analyze traffic, volatility to analyze the memdumps. That gets followed by a bunch of stuff I don't know about but you might :BootyTime: Chapter 9 onwards mentions a lot of tools that are relevant to people here imo, but it's also a ton of gibberish that I'm not knowledgeable enough in.
 

gingisep

Newbie
Aug 6, 2020
57
110
You expect to test potentially malicious code, and at no time do you chroot before starting it?
Hmmm, not really interested in Linux; do they finally have jails, or is chroot still their best solution? Not that it's a bad one.
Well, you answered that yourself: the containerization technology can be used to test some part of security, but opens up more security holes than ever.
The most popular implementation nowadays is ... basically holds the cloud services alive.

My selection in this case is AppArmor.
I've seen it protect from the supply chain attack I mentioned before;
the code was supposed to steal ssh keys from the user's home.

Without at least tcpdump it will be totally useless. You'll never know if the game is checking whether an update is available, or if it's doing something malicious. And also, do not expect DNS queries from malicious code. A connection that wasn't preceded by one is the first thing you should look for.
I think we need to set the bar a bit lower:
I do not expect an offline game to make any connection, unless its own author tells me "yes, I added telemetry, self-updating content" or similar.

But yes, tcpdump helps if we want to dig into the connection content... even if a simple netcat can drop the raw data to a local file.
I'd need to work a little bit more if they use a secure connection, with a man-in-the-middle that performs a local negotiation; no big trouble nowadays.


Dissection that would lead nowhere. There's a reason why security labs analyze live code and not raw binary, or even raw disassembled code.
If you want to dissect the game, use the tool adapted to it, dnSpy. What you'll get wouldn't necessarily be more trustworthy. But at least it would be readable enough to see if something is odd, and surely not the code that will effectively be processed. And, of course, if the code is not mutated, you'll find it relatively easily if you're familiar with C# and dotNet.
I don't think dealing with the C# part of the game could lead anywhere:
if there is anything telemetry related, it is in the engine part of the game (libraries, the compiled part coming from C++ proprietary code).

Given that, you're absolutely right about having limited possibility to catch this kind of bytecode.
To do what I want to do with the analysis you are proposing, I should have access to the Unity source code itself, not the game source;
and I believe that's impossible :) unless you know somebody at the company willing to take the risk and give us a copy.


Amazing how people bite into fearmongering so easily; this sale means almost nothing.
The impact of this decision can be seen everywhere gamedev is treated as a topic.

This poll alone has received 31 votes from concerned players;
the impact is there regardless of our little exchange about it.



But I admit that I cheat. My main computer is behind a gateway and firewall powered by *BSD; it partly helps to not care.
;-)
 

Laikhent

Member
May 16, 2018
128
126
Just to clarify, Ironsource never created any malware. It created an installer (8 years ago) that some people (not affiliated with Ironsource) used to create malware.

The risk of you getting malware from Unity games as a result of the Ironsource acquisition is basically zero.
 

Winterfire

Forum Fanatic
Respected User
Game Developer
Sep 27, 2018
5,046
7,393
Just to clarify, Ironsource never created any malware. It created an installer (8 years ago) that some people (not affiliated with Ironsource) used to create malware.

The risk of you getting malware from Unity as a result of the Ironsource acquisition is basically zero.
Fear Mongering and clickbait titles go hand in hand.
 

gingisep

Newbie
Aug 6, 2020
57
110
Winterfire, as you expected, your game does not appear to have any malware in it (at least to my capability and willingness to test it),
and shows no strange behavior during a short usage (5~10 minutes).
I needed no network analysis tool, as your Linux build never asked for connections.

The apparmor configuration tested is pretty default:

Code:
#include <tunables/global>

# vim:syntax=apparmor
# AppArmor policy for Legacy of Hestia.x86_64
# ###AUTHOR###
# gingisep
# ###COPYRIGHT###
# ###COMMENT###
# No template variables specified


## Substitute ##HOME## with your own installation place

"##HOME##/hestia_debug/Legacy of Hestia.x86_64" flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/lxc/container-base>

}
From the strace log I found the program mostly accesses just its own files, and some `pulse` files for audio.

Code:
stat("{the_home}/.config/unity3d/Winterfire/Legacy of Hestia/Player.log", {st_mode=S_IFREG|0664, st_size=10586, ...}) = 0
stat("{the_home}/.config/unity3d/Winterfire/Legacy of Hestia/Player.log", {st_mode=S_IFREG|0664, st_size=10586, ...}) = 0
stat("{the_home}/.config/unity3d/Winterfire/Legacy of Hestia/Player.log", {st_mode=S_IFREG|0664, st_size=10586, ...}) = 0
stat("{the_home}/.config/unity3d/Winterfire", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
openat(AT_FDCWD, "{the_home}/.config/pulse/client.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("{the_home}/.config/unity3d/Winterfire/Legacy of Hestia", F_OK) = 0
access("{the_home}/.config/unity3d/Winterfire/Legacy of Hestia", F_OK) = 0
access("{the_home}/.config/unity3d/Winterfire/Legacy of Hestia", F_OK) = 0
access("{the_home}/.config/unity3d/Winterfire/Legacy of Hestia", F_OK) = 0
access("{the_home}/.config/unity3d/Winterfire/Legacy of Hestia", F_OK) = 0
access("{the_home}/.config/unity3d/Winterfire/Legacy of Hestia", F_OK) = 0
access("{the_home}/.config/unity3d/Winterfire/Legacy of Hestia", F_OK) = 0
access("{the_home}/.config/unity3d/Winterfire/Legacy of Hestia", F_OK) = 0
access("{the_home}/.config/unity3d/Winterfire/Legacy of Hestia", F_OK) = 0
access("{the_home}/.config/unity3d/Winterfire/Legacy of Hestia", F_OK) = 0
access("{the_home}/.config/unity3d/Winterfire/Legacy of Hestia", F_OK) = 0
access("{the_home}/.config/unity3d/Winterfire/Legacy of Hestia", F_OK) = 0
(this is narrowed down to the `.config` directory; the actual run accessed files ~3800 times)

This proves very little, except the fact that your game runs with minimal permissions, purely offline, and it seems to mind its own business without poking around in my stuff :)

The game is shipped with debug symbols active: this could affect the inspection, as the game framework is aware of being inspected and debugged.


The resolver was loaded, but that doesn't mean anything in itself:

Code:
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 32
There is plenty of space for more sophisticated malware to hide in peripheral systems (audio device, graphical drivers and such), so this isn't an exhaustive and detailed drill down.

Hope this clarifies: my intention was to raise awareness on the topic, invite people to do their own inspections and share tooling; not to undermine existing games.
 
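A small parser in the spirit of the strace review above, added here as an example (not part of gingisep's post or of any project on this page): it reads strace lines, reports path accesses outside the directories the game is expected to use, flags reads under sensitive locations such as ~/.ssh (the target of the supply-chain incident mentioned earlier in the thread), and lists IPv4 connects that were not preceded by a DNS lookup, the heuristic quoted above. The home directory /home/user, the install path ~/hestia_debug and the two suspicious sample lines are constructed assumptions.

```python
"""Summarise an strace log of a sandboxed game run (paths, sensitive reads, connects)."""
import re
from collections import Counter
# Assumptions for this example: home is /home/user and the game is installed
# under ~/hestia_debug, as in the AppArmor profile posted above.
HOME = "/home/user"
EXPECTED_PREFIXES = (
    f"{HOME}/hestia_debug/",
    f"{HOME}/.config/unity3d/Winterfire/",
    f"{HOME}/.config/pulse/",
    "/lib/", "/usr/lib/", "/usr/share/", "/etc/", "/proc/", "/sys/", "/dev/",
)
# Locations an offline game has no reason to read (ssh keys were the target of
# the supply-chain incident mentioned earlier in the thread).
SENSITIVE_MARKERS = ("/.ssh/", "/.gnupg/", "/.mozilla/", "/.config/google-chrome/")

# strace prints path-taking calls as name("path", ...) or openat(AT_FDCWD, "path", ...), with [pid N] when run with -f.
PATH_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(openat|open|stat|access|readlink|execve)'
    r'\((?:AT_FDCWD,\s*)?"([^"]*)"')
# IPv4 connect() only; UDP DNS sent via sendto/sendmmsg is not parsed here.
CONNECT_RE = re.compile(
    r'connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
    r'sin_addr=inet_addr\("([\d.]+)"\)')

def audit_strace(lines):
    """Return unexpected path access counts, sensitive paths touched, all IPv4
    connects, and the connects made before any DNS (port 53) connect."""
    unexpected, sensitive = Counter(), set()
    connections, no_dns, dns_seen = [], [], False
    for line in lines:
        m = PATH_RE.match(line)
        if m:
            path = m.group(2)
            if any(marker in path for marker in SENSITIVE_MARKERS):
                sensitive.add(path)
            if not path.startswith(EXPECTED_PREFIXES):
                unexpected[path] += 1
            continue
        m = CONNECT_RE.search(line)
        if m:
            ip, port = m.group(2), int(m.group(1))
            connections.append((ip, port))
            if port == 53:
                dns_seen = True
            elif not dns_seen:
                no_dns.append((ip, port))
    return {"unexpected": dict(unexpected), "sensitive": sorted(sensitive),
            "connections": connections, "connections_without_dns": no_dns}

# Constructed sample: the first four lines mirror the posted log with the home
# path filled in; the last two are made-up lines a reviewer would want flagged.
SAMPLE_LOG = [
    'stat("/home/user/.config/unity3d/Winterfire/Legacy of Hestia/Player.log", {st_mode=S_IFREG|0664, st_size=10586, ...}) = 0',
    'openat(AT_FDCWD, "/home/user/.config/pulse/client.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)',
    'access("/home/user/.config/unity3d/Winterfire/Legacy of Hestia", F_OK) = 0',
    'openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 32',
    'openat(AT_FDCWD, "/home/user/.ssh/id_rsa", O_RDONLY) = 33',
    'connect(34, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0',
]

if __name__ == "__main__":  # usage: python audit.py game.strace (log from: strace -f -o game.strace ./game)
    import sys
    print(audit_strace(open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG))
```

On the sample above only the `~/.ssh/id_rsa` read and the connect to 203.0.113.10:443 are reported; everything under the game's own config, pulse and system library paths is considered expected.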

Winterfire

Forum Fanatic
Respected User
Game Developer
Sep 27, 2018
5,046
7,393
I needed no network analysis tool, as your Linux build never asked for connections.
It would if I imported the analytics (Completely safe and private) or ads packages, the latter completely useless for desktop games/nsfw scene.
Professional devs and/or big brain ones use analytics to know if a player stopped playing at level 1, if they couldn't progress past a certain point or so on... All "Useful" data which I am sure all AAA games do have.
As for me, being only a game dev for hobby, I couldn't care less reading through that data... I do it the old fashioned way: Wait for someone to tell me "hey i found a bug here, pls fix."


From the strace log I found the program mostly accesses just its own files, and some `pulse` files for audio.
Yeah, for performance reasons, audio has different settings (decompress on load, streaming, and so on...); long tracks used in the background (such as the title music) are streamed from disc.


This proves very little, except the fact that your game runs with minimal permissions, purely offline, and it seems to mind its own business without poking around in my stuff :)
As all single player games should.
Aside from analytics, which can easily be opted out of, I find the recent culture of requiring internet access to play single player games really stupid, especially with what Ubisoft has done recently.


Hope this clarifies: my intention was to raise awareness on the topic, invite people to do their own inspections and share tooling; not to undermine existing games.
I mean... It does not really change my stance, even with the recent news that Ironsource was not even directly involved with the malware thing, and it was just misinformation spread because clickbait generates revenue, and people hate reading.

Just as before: I still think that their recent choices are stupid, their acquisitions are useless to most game devs, and if I were to give a suggestion to new devs, it would be to not pick Unity (and not even because of their recent choices).

However, just like mine, I am pretty confident that all Unity Games are just as likely to not have (or have, depending if you are optimistic or not :p) malware as with any other game engine used.
Unity is good, and it has been used for many AAA games, it has just been in the wrong hands for a very long time and better alternatives have already started to show up.
 

Incontinent Cell

Member
Game Developer
Oct 12, 2020
333
2,028
Amazing how people bite into fearmongering so easily; this sale means almost nothing.

As if any company would spend 4.4b to instantly tank the product they just bought. Save your complaints for when/if anything actually happens instead of reading too deep into another conspiracy...
This. People who know nothing about the subject are really overreacting. Unity most likely will just add some OPTIONAL monetization tools. If you are so upset about that and you are using windows/google/discord/any modern social media I have some bad news for you.
 

Winterfire

Forum Fanatic
Respected User
Game Developer
Sep 27, 2018
5,046
7,393
This. People who know nothing about the subject are really overreacting. Unity most likely will just add some OPTIONAL monetization tools. If you are so upset about that and you are using windows/google/discord/any modern social media I have some bad news for you.
Not even that, if they play literally any modern game... Some of which do actually use Unity (Genshin, Cuphead, Hearthstone...). Those require constant internet access. Not to mention the mobile games, which is what you'd be using monetization in anyways, and they'd have to be SFW.
 

Arrchman

Newbie
May 16, 2020
28
14
For anyone who dislikes the recent decisions made by Unity and desires an alternative, there's Godot, which is open-source and therefore unlikely to ever do anything like that (if a seriously controversial decision was ever to take place, it would probably result in a new fork). Note however that Godot is not a clone of Unity and therefore has its own advantages and disadvantages and you should not expect all things that Unity offers to be also offered by Godot.
 

jkj54

Member
Jan 15, 2020
125
75
For anyone who dislikes the recent decisions made by Unity and desires an alternative, there's Godot, which is open-source and therefore unlikely to ever do anything like that (if a seriously controversial decision was ever to take place, it would probably result in a new fork). Note however that Godot is not a clone of Unity and therefore has its own advantages and disadvantages and you should not expect all things that Unity offers to be also offered by Godot.
Good tip. I have yet to play a game on that engine; is it using the latest tech, like RTX/DLSS support or AI upscale tech, like the Crytek/Unreal engine?
 

Winterfire

Forum Fanatic
Respected User
Game Developer
Sep 27, 2018
5,046
7,393
Good tip. I have yet to play a game on that engine; is it using the latest tech, like RTX/DLSS support or AI upscale tech, like the Crytek/Unreal engine?
There are quite a few Unreal games, but using Crytek is a bad idea.
The license is bad, the documentation is bad, the tools are bad, and so on... If you need to use a bulky and powerful engine, go for Unreal instead.

Godot is a good alternative and suggestion, but nowadays there are tons of game engines you can use which are lesser known than Godot but equally (if not more) powerful.
 

anne O'nymous

I'm not grumpy, I'm just coded that way.
Modder
Donor
Respected User
Jun 10, 2017
10,376
15,289
Professional devs and/or big brain ones use analytics to know if a player stopped playing at level 1, if they couldn't progress past a certain point or so on... All "Useful" data which I am sure all AAA games do have.
Of course they have them. It's just that they were creative and gave a name to those analytics, calling them "achievements". Some don't even try to hide it, having "congratulations, you completed the tutorial" as the first achievement, followed by a bunch of "congratulations, you completed level/chapter X" ones.



However, just like mine, I am pretty confident that all Unity Games are just as likely to not have (or have, depending if you are optimistic or not :p) malware as with any other game engine used.
This falls back on what I said previously. Whether it's the trust we have in the dev, or the lack of trust in their ability to code something like that, we are globally safe.
And this will not change now, even if future versions of Unity come with a bunch of analytics malware-like tools. The majority of devs will not know how to use them efficiently, and if Unity decides to hijack the data, they'll just have a bunch of raw numbers that will not tell them much.
 

♍VoidTraveler

Forum Fanatic
Apr 14, 2021
5,434
14,058

Only reinforced my belief that it's time to say bye-bye to Unity.
Fuck John and his shit-eating monetization scheming, wouldn't support anything that guy is part of even if they paid me. :cool::coffee:
Didn't know he went and insulted honest people like that, what an asshole.
 

Laikhent

Member
May 16, 2018
128
126
That poll is looking like Unity made the wrong call
People are probably voting thinking the title of the topic is true, but again, Ironsource is not a malware provider and there is absolutely no reason to fear future Unity installs because of this merge. (The whole malware thing is just a clickbait tactic.)

I will leave below a video explaining the whole story from the point of view of one unity developer



This merge is good for developers that want to monetize their mobile game, but for most of us this merge simply changes nothing.
 