

Possible security gap/bitcoin mining

bitcoin mining security gap ingame browser 42

114 replies to this topic

Easha #1 Posted 20 February 2018 - 12:17 PM

    Second Lieutenant

  • Clan Commander
  • 35045 battles
  • 1,118
  • [WMA] WMA
  • Member since:
    11-04-2012
DISCLAIMER: The following information is based on assumptions and was translated from the German thread about that topic. A support ticket has been sent - no answer yet. I am just a mediator between the German thread and this one to share the information we got so far, for I lack the detailed knowledge about this topic.

"[...]It seems like someone attempted a cyber attack on my PC via CEF_BROWSER_PROCESS.EXE.

 

Name of the IPS attack: Web Attack: JSCoinminer Download 6

Attacking PC: 82.118.20.2, 80

Attacker's URL: search.linkmyc.com/js/timeCounter.js?v=20171102

Attack caused by: DEVICE\HARDDISKVOLUME4\GAMES\WORLD_OF_TANKS\RES\CEF\CEF_BROWSER_PROCESS.EXE "

[...]

 

"linkmyc.com/" seems to be used for advertisement and starts a .js linked to a bitcoin miner, so DO NOT OPEN IT MANUALLY.

Spoiler

The triggered process should be the one described here.

 

A detailed virus scanner log states:

Spoiler

The World Of Tanks Chromium Embedded Browser seems to be the INGAME browser that displays advertisements like those special offers and is used in the menus of the stronghold mode, too. It is not clear whether World of Warships and -planes are affected - the CEF_BROWSER_PROCESS.EXE exists there as well.


Again: No need to ready torches and pitchforks (yet), this is just meant to be an initial warning.

 

Yours sincerely,

 

Easha


Edited by Easha, 20 February 2018 - 12:50 PM.
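
The alert quoted in the post above carries everything needed for a first triage: the signature name, the remote IP and port, the URL of the script and the local process that fetched it. The following is an added example (not Wargaming's code and not from the IPS vendor) that parses an alert in that format, recovers the indicators, and flags the case where the requesting process is not a stand-alone browser, which is exactly what makes this alert different from an ordinary drive-by miner. SAMPLE_ALERT is constructed to mirror the four lines in the post; the KNOWN_BROWSERS allowlist and the parent-domain guess are assumptions for the example.

```python
"""Triage an IPS 'JSCoinminer Download' alert.

Added example, not Wargaming's or any IPS vendor's code.  SAMPLE_ALERT is
constructed to mirror the four lines quoted in the forum post; KNOWN_BROWSERS
is an assumed allowlist for the example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

SAMPLE_ALERT = """\
Name of the IPS attack: Web Attack: JSCoinminer Download 6
Attacking PC: 82.118.20.2, 80
Attacker's URL: search.linkmyc.com/js/timeCounter.js?v=20171102
Attack caused by: DEVICE\\HARDDISKVOLUME4\\GAMES\\WORLD_OF_TANKS\\RES\\CEF\\CEF_BROWSER_PROCESS.EXE
"""

# Stand-alone browsers a user would expect to see making web requests.
# Anything else pulling a miner script is an embedded web view, so the
# application that owns it (here the game client) is the thing to look at.
KNOWN_BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe", "opera.exe"}

# "key: value" per line; the key stops at the first colon, so a signature
# name that itself contains a colon stays in the value.
FIELD_RE = re.compile(r"^(?P<key>[^:\n]+):\s*(?P<value>.+)$", re.MULTILINE)


@dataclass(frozen=True)
class Indicators:
    signature: str
    remote_ip: str
    remote_port: int
    host: str
    path: str
    process_path: str

    @property
    def process_name(self) -> str:
        # The alert reports an NT device path; only the basename matters here.
        return self.process_path.rsplit("\\", 1)[-1].lower()

    @property
    def embedded_browser(self) -> bool:
        """True when the requester is not a stand-alone browser."""
        return self.process_name not in KNOWN_BROWSERS

    def blocklist(self) -> set[str]:
        """Network indicators worth blocking at the firewall or DNS filter.
        The parent-domain guess takes the last two labels, which is wrong for
        public suffixes such as co.uk; a real tool would consult the PSL."""
        parent = ".".join(self.host.split(".")[-2:])
        return {self.remote_ip, self.host, parent}


def parse_alert(text: str) -> Indicators:
    fields = {m["key"].strip().lower(): m["value"].strip()
              for m in FIELD_RE.finditer(text)}
    ip, port = (part.strip() for part in fields["attacking pc"].split(",", 1))
    url = fields["attacker's url"]
    if "://" not in url:  # the IPS log omits the scheme
        url = "http://" + url
    parts = urlsplit(url)
    return Indicators(
        signature=fields["name of the ips attack"],
        remote_ip=ip,
        remote_port=int(port),
        host=parts.hostname or "",
        path=parts.path,
        process_path=fields["attack caused by"],
    )


def triage(text: str) -> dict:
    """Verdict plus indicators, the shape a detection pipeline would emit."""
    ind = parse_alert(text)
    if ind.embedded_browser:
        verdict = (f"{ind.process_name} is not a stand-alone browser: check the "
                   f"application that embeds it and what it loaded from {ind.host}")
    else:
        verdict = f"ordinary browser {ind.process_name} hit a coin-miner script"
    return {"verdict": verdict, "indicators": ind, "block": sorted(ind.blocklist())}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

Run as-is it triages the constructed sample; paste another alert of the same shape into parse_alert() to triage that instead. The point of the embedded_browser check is the one the thread circles around: a miner script reaching a CEF process says nothing yet about who is at fault, only that the content shown inside the game's web view, or the machine around it, needs to be examined before the game binary is blamed.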


Bora_BOOM #2 Posted 20 February 2018 - 12:25 PM

    Major

  • Player
  • 22695 battles
  • 2,940
  • [D0NG] D0NG
  • Member since:
    08-23-2014

Shouldn't you remove that link for "linkmyc"?

I don't know much about this kind of thing, but why would you post an external link (like that one) in the forum so people can click and go where they should not? :amazed:


Edited by Bora_BOOM, 20 February 2018 - 12:28 PM.


MrClark56 #3 Posted 20 February 2018 - 12:28 PM

    Captain

  • Player
  • 6097 battles
  • 2,362
  • [WJDE] WJDE
  • Member since:
    09-17-2013

Easha, on 20 February 2018 - 12:17 PM, said:

DISCLAIMER: The following information is based on assumptions and was translated from the German thread about that topic. A support ticket has been sent - no answer yet. I am just a mediator between the German thread and this one to share the information we got so far, for I lack the detailed knowledge about this topic.

"[...]It seems like someone attempted a cyber attack on my PC via CEF_BROWSER_PROCESS.EXE.

 

Name of the IPS attack: Web Attack: JSCoinminer Download 6

Attacking PC: 82.118.20.2, 80

Attacker's URL: search.linkmyc.com/js/timeCounter.js?v=20171102

Attack caused by: DEVICE\HARDDISKVOLUME4\GAMES\WORLD_OF_TANKS\RES\CEF\CEF_BROWSER_PROCESS.EXE "

[...]

 

...........................seems to be used for advertisement and starts a .js linked to a bitcoin miner:

Spoiler

A detailed virus scanner log states:

Spoiler

The World Of Tanks Chromium Embedded Browser seems to be the INGAME browser that displays advertisements like those special offers and is used in the menus of the stronghold mode as well.


Again: No need to ready torches and pitchforks (yet), this is just meant to be an initial warning.

 

Yours sincerely,

 

Easha

 

That's it... I needed just this to uninstall WOT... I mean... I can live with Type 5, 268, 257, 705... but I cannot accept getting hacked!!! No sir...

 

Sarcasm off!!

 

Thanks for letting us know, OP.


Edited by MrClark56, 20 February 2018 - 12:43 PM.


Strappster #4 Posted 20 February 2018 - 12:29 PM

    General

  • Player
  • 24116 battles
  • 9,019
  • [WJDE] WJDE
  • Member since:
    10-20-2015

BravelyRanAway, on 14 October 2017 - 10:07 PM, said:

I downloaded a mod pack last year from the mod section of this forum to the laptop I use while on holidays........I didn't connect the overheating of the laptop to the mod, I don't really surf that much on the laptop, just gaming, but I did notice one time that the table top where it sat was really hot after lifting and putting it away. I noticed that the laptop vents were a lot hotter than usual. I ran a virus scan and found a bitcoin miner in the WoT res folder.....apparently I was making bitcoin for someone every time I played WoT for about 2 months of that year.

 

There's no mention of mods in the OP but IMO that'd be the first thing to investigate.

OreH75 #5 Posted 20 February 2018 - 12:34 PM

    Captain

  • Player
  • 47897 battles
  • 2,137
  • [RANGR] RANGR
  • Member since:
    05-29-2013

Strappster, on 20 February 2018 - 12:29 PM, said:

 

There's no mention of mods in the OP but IMO that'd be the first thing to investigate.

 

Could also be a nice one to investigate when someone complains about lag while playing WoT. I used to run a lot of distributed computing programs like SETI and some of them were also network intensive.

Easha #6 Posted 20 February 2018 - 12:36 PM

    Second Lieutenant

  • Clan Commander
  • 35045 battles
  • 1,118
  • [WMA] WMA
  • Member since:
    11-04-2012

Bora_BOOM, on 20 February 2018 - 12:25 PM, said:

Shouldn't you remove that link for "linkmyc" ?

I don’t know much about this kind of things, but why would you post an external link (like that one) in Forum so ppl can click and go where they should not? :amazed:

My apologies, copypaste included it. I changed it and added an additional warning.

 

Strappster, on 20 February 2018 - 12:29 PM, said:

 

There's no mention of mods in the OP but IMO that'd be the first thing to investigate.

Mods were used but already checked. The installed mods do not manipulate the RES path (the problematic area) in any way. Even the Python files do not contain any reference to this .exe or its path. If anyone could test it vanilla, we could be sure. Even IF it was caused by mods: if mods can abuse the ingame explorer for such shady business, it is still up to Wargaming to deny that access.

 

Yours sincerely,


Easha


Edited by Easha, 20 February 2018 - 01:12 PM.
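
The check described in the post above (searching the installed mods for any reference to the CEF executable or its path) is easy to do systematically, and it is worth extending to the other indicators the thread has produced: the domain from the IPS alert and the strings typical of browser miners, matched against raw bytes so that compiled .pyc files are covered and not only .py sources. The following is an added example, not Wargaming's code and not from any modpack; it builds a small constructed mod tree in a temporary directory, plants two suspicious files in it, and sweeps it. Both the indicator list and the heuristic that a native executable inside a mod tree is itself worth reporting (the case in BravelyRanAway's post) are assumptions for the example.

```python
"""Sweep a mod tree for the indicators discussed in the thread.

Added example, not Wargaming's code.  The sample tree is constructed in a
temporary directory; the indicator list and the 'executable inside a mod
tree' heuristic are assumptions for the example.
"""
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Byte patterns, matched case-insensitively against raw file contents so that
# compiled .pyc files and other binaries are covered, not only .py sources.
INDICATORS = (
    b"cef_browser_process",  # the executable named in the alert
    b"\\res\\cef\\",          # its directory inside the client
    b"linkmyc",              # domain from the alert
    b"coinhive",             # widely abused browser-miner library
    b"cryptonight",          # hash algorithm used by browser miners
    b"stratum+tcp://",       # mining-pool protocol scheme
)

# Mods are Python bytecode plus assets; a native executable or script in the
# tree is unusual enough to report on its own (heuristic, expect false positives).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".scr"}


@dataclass(frozen=True)
class Finding:
    path: str    # relative to the scanned root, with forward slashes
    reason: str


def scan_file(path: Path, root: Path) -> list[Finding]:
    rel = path.relative_to(root).as_posix()
    findings = []
    if path.suffix.lower() in EXECUTABLE_SUFFIXES:
        findings.append(Finding(rel, f"executable or script type {path.suffix.lower()}"))
    try:
        data = path.read_bytes().lower()
    except OSError:
        return findings  # unreadable file: report what we already know
    for needle in INDICATORS:
        if needle in data:
            findings.append(Finding(rel, f"contains {needle.decode()!r}"))
    return findings


def scan_tree(root) -> list[Finding]:
    """Walk every regular file under root (e.g. the client's res_mods folder)."""
    root = Path(root)
    return [f for p in sorted(root.rglob("*")) if p.is_file()
            for f in scan_file(p, root)]


def build_sample_tree(root) -> None:
    """Constructed sample: two harmless mod files and two planted suspicious ones."""
    mods = Path(root) / "scripts" / "client" / "gui" / "mods"
    mods.mkdir(parents=True)
    (mods / "mod_crosshair.py").write_text("# harmless: draws a reticle\nCOLOR = (255, 0, 0)\n")
    (mods / "mod_stats.pyc").write_bytes(b"\x03\xf3\r\n" + b"stats-mod-bytes" * 4)
    # Planted: bytecode that carries the miner host from the alert.
    (mods / "mod_timer.pyc").write_bytes(
        b"\x03\xf3\r\n" + b"http://search.LinkMyC.com/js/timeCounter.js")
    # Planted: a PE file with a pool URL, where no executable belongs.
    flash = Path(root) / "gui" / "flash"
    flash.mkdir(parents=True)
    (flash / "updater.exe").write_bytes(b"MZ" + b"\x00" * 60 + b"stratum+tcp://pool.example:3333")


def run_sample_scan() -> list[Finding]:
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    import sys
    findings = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else run_sample_scan()
    for f in findings:
        print(f"{f.path}: {f.reason}")
```

With no argument it scans the constructed sample; with a directory argument it scans that tree instead. A clean sweep of res_mods is what lets the poster's statement ("the Python files do not contain any reference") be made about compiled files and assets too, and it is still only negative evidence: a miner delivered through an advertisement rendered by the in-game browser leaves nothing in the mod tree at all, which is why a vanilla-client test is the decisive check.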


Igor_BL #7 Posted 20 February 2018 - 12:51 PM

    Second Lieutenant

  • Player
  • 39624 battles
  • 1,348
  • [GX] GX
  • Member since:
    06-10-2015
I don't understand too much about this hackery thing... but I know I can't block [edited] WG Center.
I turn it off, delete it from msconfig startup, and after some time that f program activates itself again and works in the background, sometimes downloading updates etc.
Automatic updates are turned off, the program is blocked on startup, and somehow it still turns itself on.

Strappster #8 Posted 20 February 2018 - 12:57 PM

    General

  • Player
  • 24116 battles
  • 9,019
  • [WJDE] WJDE
  • Member since:
    10-20-2015

Easha, on 20 February 2018 - 11:36 AM, said:

Mods were used but already checked. The installed mods do not manipulate the RES path (the problematic area) in any way. Even the Python files do not contain any reference to this .exe or its path. If anyone could test it vanilla, we could be sure.

 

Don't you think the responsible thing to do would be to test it yourself on a vanilla client before posting about a security gap, given that you know mods have been used? Or is the security gap you're highlighting the fact that WoT doesn't perform sanity-checks on installed mods?



Search_Warrant #9 Posted 20 February 2018 - 01:04 PM

    Lieutenant General

  • Player
  • 27192 battles
  • 6,159
  • [LEWD] LEWD
  • Member since:
    02-08-2011
Hmm, hope it's just a dodgy mod and not some global infection going on. I'd hate to uninstall WoT over this.

pecopad #10 Posted 20 February 2018 - 01:07 PM

    Warrant Officer

  • Player
  • 23570 battles
  • 946
  • [UGN] UGN
  • Member since:
    09-04-2015

Strappster, on 20 February 2018 - 12:57 PM, said:

 

Don't you think the responsible thing to do would be to test it yourself on a vanilla client before posting about a security gap, given that you know mods have been used? Or is the security gap you're highlighting the fact that WoT doesn't perform sanity-checks on installed mods?

 

What is the difference, if the exploit/security gap that is being used is from WOT?

 

Don't think mods are relevant here, sure it's a direct way of installing the virus/trojan etc, but there are many easy ways to do it.



BravelyRanAway #11 Posted 20 February 2018 - 01:16 PM

    General

  • Beta Tester
  • 22595 battles
  • 9,354
  • [H_I_T] H_I_T
  • Member since:
    12-29-2010

Easha, on 20 February 2018 - 11:36 AM, said:

Mods were used but already checked. The installed mods do not manipulate the RES path (the problematic area) in any way. Even the Python files do not contain any reference to this .exe or its path. If anyone could test it vanilla, we could be sure.

Fair play to Strappster's memory.

At the time I was using a mod from this forum that I don't normally use as OMC's mod pack was always a few days behind with updating (no fault of theirs, as life comes before gaming)...I think it was JOVE's modpack I used as a 'stand in' at the time. The computer had been running hot without me realising until my wife pointed out how hot the vents were after she picked up an item left beside the vent. Did a full scan at the time and it pointed to a bitminer and linked the WoT res_mod folder as the culprit.....which the program asked me if I wanted to remove......which I did instantly. (It was her computer I was using as we were at our holiday home)

The computer ran faster and cooler immediately after that.



Balc0ra #12 Posted 20 February 2018 - 01:16 PM

    Field Marshal

  • Player
  • 66296 battles
  • 16,313
  • [WALL] WALL
  • Member since:
    07-10-2012
The whois on that IP is owned by RIPE NCC. The same company that Wargaming.net uses as a regional registry for their IPv6. I doubt they did hack anyone. Or did they get a JS:Miner-C Trojan from one of their .exe mod packs?

Flax78 #13 Posted 20 February 2018 - 01:17 PM

    Corporal

  • Player
  • 28757 battles
  • 158
  • [BLUTE] BLUTE
  • Member since:
    11-02-2012

Let's assume there is a security issue in MS Windows.

What will happen first?

Go after the hacker who abused this issue?

OR close it with a patch and be done?

Right.. fixing the issue.

So even IF there is a mod in QB's modpack which abuses the security issue, then it's still the fault of the ingame browser from WG.

 

So my advice in first step is to BLOCK all internet traffic related to CEF_BROWSER_PROCESS.EXE

 

 

 

BTW thanks Easha for the translation and link into the English community

 


Edited by Flax78, 20 February 2018 - 01:18 PM.


Strappster #14 Posted 20 February 2018 - 01:18 PM

    General

  • Player
  • 24116 battles
  • 9,019
  • [WJDE] WJDE
  • Member since:
    10-20-2015

pecopad, on 20 February 2018 - 12:07 PM, said:

What is the difference, if the exploit/security gap that is being used is from WOT?

 

Don't think mods are relevant here, sure it's a direct way of installing the virus/trojan etc, but there are many easy ways to do it.

 

Because if there's a built-in bitcoin miner on a vanilla client, WG are responsible. If it's there because of a dodgy mod-pack, WG aren't. My money's on the dodgy mod-pack because WG appear to be doing just fine without mining bitcoin on the side, which means that it's not so much a security gap, it's a user error that's being dressed up as something different.

 

I can see the argument of WG "allowing" the miner to be installed but that's like blaming Microsoft for a virus that over-writes part of the Windows code.



MaxxyNL #15 Posted 20 February 2018 - 01:23 PM

    Warrant Officer

  • Player
  • 11349 battles
  • 979
  • Member since:
    04-05-2013

:ohmy:


Edited by MaxxyNL, 20 February 2018 - 01:25 PM.


pecopad #16 Posted 20 February 2018 - 01:24 PM

    Warrant Officer

  • Player
  • 23570 battles
  • 946
  • [UGN] UGN
  • Member since:
    09-04-2015

Strappster, on 20 February 2018 - 01:18 PM, said:

 

Because if there's a built-in bitcoin miner on a vanilla client, WG are responsible. If it's there because of a dodgy mod-pack, WG aren't. My money's on the dodgy mod-pack because WG appear to be doing just fine without mining bitcoin on the side, which means that it's not so much a security gap, it's a user error that's being dressed up as something different.

 

I can see the argument of WG "allowing" the miner to be installed but that's like blaming Microsoft for a virus that over-writes part of the Windows code.

 

And who was here trying to determine the responsibility? The OP was/is warning us of a possible exploit in WoT...


And by the way, if the exploit is from WOT, the "responsibility" is from WG, and they have to patch it... Like Microsoft does...

 

At this time, I don't even consider the possibility of this exploit to have been created by WG, I don't think anyone is doing that.



Flax78 #17 Posted 20 February 2018 - 01:25 PM

    Corporal

  • Player
  • 28757 battles
  • 158
  • [BLUTE] BLUTE
  • Member since:
    11-02-2012

Strappster, on 20 February 2018 - 12:18 PM, said:

 

Because if there's a built-in bitcoin miner on a vanilla client, WG are responsible. If it's there because of a dodgy mod-pack, WG aren't. My money's on the dodgy mod-pack because WG appear to be doing just fine without mining bitcoin on the side, which means that it's not so much a security gap, it's a user error that's being dressed up as something different.

 

I can see the argument of WG "allowing" the miner to be installed but that's like blaming Microsoft for a virus that over-writes part of the Windows code.

 

I see this totally differently.

See my post above.

 

If there is a security hole then it needs to be fixed! Like Microsoft and everybody else do when they find issues and abuse.

 

If the browser gets abused by a MOD, then the browser needs to be secured and be untouchable for mods.

Mods should NEVER ever be allowed to do something outside of WOT.

 

But again... who said that it was a MOD?

No one... it's just the easiest excuse to say.



Pvt_Duffer #18 Posted 20 February 2018 - 01:28 PM

    Lieutenant Colonel

  • Player
  • 16658 battles
  • 3,145
  • [WJDE] WJDE
  • Member since:
    05-11-2011

Balc0ra, on 20 February 2018 - 12:16 PM, said:

The whois on that IP is owned by RIPE NCC. The same company that Wargaming.net uses as a regional registry for their IPv6. I doubt they did hack anyone. Or did they get a JS:Miner-C Trojan from one of their .exe mod packs?

 

Ermm, nope.

 

It's a Ukrainian VPN company xpressforward.net

RIPE NCC issues internet numbers, they like *are* the actual internet in a way, at least for Europe anyway.

 

 

My bet is the CEF_browser process has been hijacked alongside whatever other browser process the user uses.

 

CEF is just another tool for rendering HTML5, and will probably get returned in a list alongside Firefox/IE and Chrome when Windows is asked for a list of renderers.

And it's then hijacked in the same way your browsers are.

 

I would bet the computer is infected, and the fact that CEF is returning a scan hit is just a symptom of a much wider infestation.

 

 

There are many many websites currently experimenting with inserting currency mining code into a web page as a replacement for advertising


Edited by Pvt_Duffer, 20 February 2018 - 01:35 PM.


Strappster #19 Posted 20 February 2018 - 01:30 PM

    General

  • Player
  • 24116 battles
  • 9,019
  • [WJDE] WJDE
  • Member since:
    10-20-2015

pecopad, on 20 February 2018 - 12:24 PM, said:

And who was here trying to determine the responsibility? The Op was/is warning us to a possible exploit on Wot...


And by the way, if the exploit is from WOT, the "responsibility" is from WG, and they have to patch it... Like Microsoft does...

 

At this time, I don't even consider the possibility of this exploit to have been created by WG, I don't think anyone is doing that.

 

Flax78, on 20 February 2018 - 12:25 PM, said:

I see this totally differently.

See my post above.

 

If there is a security hole then it needs to be fixed! Like Microsoft and everybody else do when they find issues and abuse.

 

If the browser gets abused by a MOD, then the browser needs to be secured and be untouchable for mods.

Mods should NEVER ever be allowed to do something outside of WOT.

 

Yeah, fair points. I still see the user as being responsible for their own machine and whatever they choose to install on it but I can see what you mean about WG patching to prevent the possibility of a mod taking advantage. But then I don't know enough about mod writing to say how much freedom they need to be given to provide functionality to the client in the first place.

 

Flax78, on 20 February 2018 - 12:25 PM, said:

But again... who said that it was a MOD?

No one... it's just the easiest excuse to say.

 

Yes, I said to check mods and OP admitted that mods were used and a vanilla client hasn't been checked. Occam's Razor.



pecopad #20 Posted 20 February 2018 - 01:45 PM

    Warrant Officer

  • Player
  • 23570 battles
  • 946
  • [UGN] UGN
  • Member since:
    09-04-2015

Pvt_Duffer, on 20 February 2018 - 01:28 PM, said:

 

Ermm, nope.

 

It's a Ukrainian VPN company xpressforward.net

RIPE NCC issues internet numbers, they like *are* the actual internet in a way, at least for Europe anyway.

 

 

My bet is the CEF_browser process has been hijacked alongside whatever other browser process the user uses.

 

CEF is just another tool for rendering HTML5, and will probably get returned in a list alongside Firefox/IE and Chrome when Windows is asked for a list of renderers.

And it's then hijacked in the same way your browsers are.

 

I would bet the computer is infected, and the fact that CEF is returning a scan hit is just a symptom of a much wider infestation.

 

 

There are many many websites currently experimenting with inserting currency mining code into a web page as a replacement for advertising

 

When you put a web browser in your game, then you are creating problems...

 

So at least ask the user if he wants the WG browser, because I don't see the need for it...

 

Still, rather than excusing WG it actually makes me more concerned, because now we are open to all web exploits...





