An MMORPG with cute anime-style characters and maybe a bit too much inspiration taken from another classic Nintento franchise, Genshin Impact is a relatively popular game across the PlayStation, iOS, Android, and PC platforms. That last one has already generated a bit of controversy, since the PC version game includes an anti-cheat kernel driver that runs in the Windows kernel context, and on initial release that module kept running even after the game was closed.
That anti-cheat driver is back in the news, with Trend Micro discovering a ransomware campaign that includes mhyprot2.sys
, the anti-cheat driver, as a component of the infection. The module is known to have vulnerabilities, and is still a signed kernel driver, so the malware campaign loads the driver and uses its functions to disable anti-malware protections.
The rest of the campaign is straightforward. Starting with access to a single domain-connected machine, an attacker uses that foothold to gain access to the domain controller. The malicious script is hosted on shared storage, and PsExec is used to run it on all the domain member machines. The real novelty here is the use of the vulnerable anti-cheat kernel driver as the anti-malware bypass. As far as we can tell, this driver is *still* signed and considered trustworthy by Windows. We join the call to Microsoft, to revoke this vulnerable driver, as it’s now actively being used in ongoing malware campaigns. For more on security, check out our weekly column on the topic,
How we reached the point that consumers thought that anti-cheat in the form of a root-kit is acceptable, I’ll never know.
There are many games that abuse this attack and it needs to be ended at the source.
Because most consumers of garbage like this have no idea whatsoever that it is happening, or even what a root-kit is. Many of them are just kids looking for the next big game to play, and don’t know anything about online security and probably wouldn’t care if they did as long as the graphics look good.
Companies that pull this sort of crap need to be fined out of existence.
i agree there should be a punishment for this behavior and the people involved.
“Starting with access to a single domain-connected machine, an attacker uses that foothold to gain access to the domain controller. The malicious script is hosted on shared storage, and PsExec is used to run it on all the domain member machines.”
Seems to me that part of the problem is people running the game on computers that are part of a domain. Who has an extensive domain in his house and uses it for gaming?
May be people are running this on corporate environments?
I’m not allowed to install programs in my job computer, let alone games.
No, it’s not about the game. It’s a malware kit that include the game’s anti-cheat kernel driver because it’s signed and Windows will allow its installation. You still need admin rights to install the malware, which might be disguised as an update or whatever. The malware is then using the kernel driver to bypass antivirus on the machine.
Microsoft should revoke the cert on that driver. Yes, it would break the game for everyone until a fix is created, but that’s fine. Maybe next time the publisher will think twice before shipping a nightmare like this.
Yep, I can’t understand why Microsoft do not revoke certificate of signed code that went wrong…
Because if there’s one thing you need to understand about Microsoft, it’s that they cant. break. anything. Not ever.
If you thought the kernel’s promise of never breaking userspace was severe, it has nothing on windows. Microsoft has a rule about never removing OR ADDING symbols to DLLs. The will ship multi-KB DLL files just for them to contain one symbol. Microsoft ships a database of every application they know about with every copy of windows, just so it can employ workarounds custom made for each and every version of every program.
Adobe 2013 asks what color the title bar text is? windows lies and says it’s white. Program makes a particular GDI call where specific compilers screwed up the ABI? Windows reaches into the program and repairs it’s heap.
If Microsoft killed this module and rendered millions of players around the world unable to run the game, it would literally be their nightmare PR scenario. They routinely and consistently choose to leave people open to infection rather than blacklist vulnerable drivers, DLLs, and applications.
Where is this “database”?
@Lily:
There’s no “fix”. It is a basic conflict you can see all over the place (DRM, I’m looking at you).
Does your computer belong to you? Or to the company whose software happens to be running on your computer?
If the latter: to which one?
Depending on how you answer those questions, the above will be constantly happening (software is like that; complex systems are like that) — or not.
BTW: this has tradition. Remember Sony BMG and those “audio” CDs which took over your audio drivers (if you happened to be running a Microsoft “powered” PC, that is)?
Ye gads. That was back in 2005 [1]. Sony is on my no-buy list since then.
[1] https://en.wikipedia.org/wiki/Sony_BMG#Rootkit_scandal
Urgh, F*#% Sony. Not only did they release a root kit that malware used to hide, they also killed off the whole industry of content protection on audio CDs, costing lots of responsible developers elsewhere their jobs.
The answer to rootkit anti-cheat stuff is to run the game on a platform which the user doesn’t have full control of – a console.
don’t think for a second hackers don’t find holes to exploit in consoles.
I think I’d argue a console is actually worse – as its a black box that is nearly impossible to audit, run your own code or inspect in general so you are very much trusting the corpo that built it to give a crap about your security and not be evil with the level of control you give them, which is nearly absolute – as you connected it to your home network, with your work computer and private data etc did you not?
Ultimately this is the argument that all games and trivial-entertainment use of a computer should be done on a separate network and device so nothing important is exposed or at least in a VM/container and on a VLAN. But both are such a hassle and most wouldn’t understand how to set it up correctly anyway..
of course there is a fix: Let the game run without the anti-cheat thingmabob in kernel mode.
That leads to a lot of cheaters which leads to gamers being forced to cheat as well just to keep up. A real fix would be redesigning the network interface in such a manner that cheating isn’t possible.
Obviously!
Or just let people host their own servers, at their own responsability… just a thought..
Not really, there are heaps of games out there that never had major cheating problems despite no specific safeguards. And anything PvE with a vote kick/ban system in place or so means the cheaters just get stuck playing with other cheaters as the genuine players don’t want ’em… Nobody is bothered by that, let those that don’t want to actually play the game waste their time together and those that enjoy the gameplay challenge do that…
All anti-cheat does most of the time is fail miserably to stop cheaters, while perhaps protecting the pay-to-win/play business model so many games have implemented…
A lot of commenters here don’t realize that this is the most expensive game ever made and it’s generating billions of dollars in revenue. Microsoft is not going to revoke the certificate and break the game
At some point it becomes a legal liability. Gross negligence and all that.
It’s also Free-to-play
Is the Android version affected?
the android version has sleep issues.
so i would guess, it’s also doing something.
It’s not the game that is affected, but a malware using a game file from the Windows version. So Android is not affected by this issue.
Yep, and to be fair, the problem is not that it’s a bugged kit, the major issue is that it’s bugged and that window gives it full trust and access to pretty much anything…
It’s probably worth mentioning that exploiting the kernel mode driver does not require the game to be installed, or to have ever been installed. Once you have a copy of that .sys, you can distribute it with your malware. This is why any ‘fix’ that tries to target the game (e.g. “just let the game run without the anti-hack protection!”) is missing the problem entirely.
*Never* load games on a production work system. Use another computer, a cloud game streaming service, a virtual machine, or a game system.
Just a bonus: the driver was reversed engniered and cheat developers for games that use EAC and BattEye are using the mhyproth to run cheats a Kernel level, bypassing the anti-cheat.