they found another backdoor...

This is why I don't download game mods. Another backdoor has been found, this time in a popular mod for Cities: Skylines 2, published by Paradox. Check out what happened in this video.

Comments

I remember downloading Minecraft hacked clients from the web as a kid with no care about security on my mom's computer.

vincentbrumfield

In Factorio, all mods are Lua scripts which are executed by a custom patch of the Lua engine with all I/O removed.

PeterZaitcev

I thought it was ridiculous that a game mod would be distributed as a DLL binary, then I realised all of Skyrim's most versatile mods are DLLs for SKSE.

muizzsiddique

8:50 Interesting thing about the second stage is that because it's done dynamically, it doesn't get caught as packed by most tools (e.g. DIE).

EricParker

As someone who has dedicated half a lifetime to modding (about 25 years now), I think the key problem is modding environments that allow direct computer access. Games that provide a sandbox as their moddable environment are generally safer. I still lament this perception against this hobby, since I think the benefits to the community outweigh its potential harms. I do agree more scrutiny should be held for mods that go alter stuff like DLLs (even if part of the modding I did when younger involved such, alongside direct memory injection), but to outright dismiss the ecosystem that has allowed games to flourish for several decades and not be subject to the Live Service model feels harmful in the long term.

Alevice

While the overall intro has good points, I want to push back a little bit on it. A large portion of mods are not, in fact, code. And a bigger portion of them do have code, but not code with free rein.

What do I mean? A ton of mods fall under (aka: assets only):
- Textures
- Models
- Data files that feed into the game's engine to do quests, etc.
- Some combination of the above.

These are nearly completely safe. Of course there's always the possibility of a vulnerability in one of the game's libraries used to parse/load those assets, then a mod shipping a maliciously malformed asset to exploit that vulnerability.

The next level of mostly safe mods do include code, but:
- It's either a custom language or
- Some interpreted language run within a sandboxed interpreter, so it only has access to the game data itself

These are still usually safe, but again could exploit a vulnerability in the game's script running engine to break out and access your system.

The ones that you absolutely need to be careful about are ones that *do* ship outside code: EXEs, DLLs, etc. Common ones here are some generic (as in they are not game-specific) injectors that are meant to provide better graphics: ReShade, FXAA injectors, GShade, etc.

Users of mods should be aware of what kind of data they're downloading, and know when they have to be more careful with them.

jacoblojewski

It's worth noting that not all game engines are the same and that mod support doesn't have to mean arbitrary execution of code. Some game engines offer a modding API that only lets you interact with the game and not the machine; take note of 7 Days to Die's XML config based "modlet" approach (people have made injection mods into the Unity DLLs), or Factorio's prototype mod system. Other game engines allow arbitrary code execution but run all mods under a sandboxed environment / VM.

KieranDevvs

This is such a prime example of why game developers should encourage actual support for modding inside of their games; when you say "when you install modifications to games, depending on how the game's written, most of the time you just install a DLL" this right here is the core issue. Games with proper mod support provide you with tools to create mods via a tailor made set of API functions you can call. In the case of Skyrim, they have a limited scripting language called Papyrus. In the case of many other games, it's usually stripped down Lua with a game specific API.

The second you need a DLL to mod a game, you're already entering "unofficial" territory. GTA's modding scene, for instance, is absolutely full of DLLs, DLLs which provide an API to write mods in C# and load .NET DLLs even, none of which is officially supported and had to be reverse engineered. Skyrim is completely safe except for one attack vector: SKSE, Skyrim Script Extender, which as the name suggests extends Papyrus because its limited functionality makes it a pain to work with. The extensions themselves are perfectly safe, but now we're entering unofficial territory where you need a DLL in order for 90% of the mods on Nexusmods to work, because they all depend on SKSE. Attack that and you've screwed everyone over.

If the developers simply provided the means, there'd be no need for ScriptHook, SKSE, and other such nonsense. By discouraging mods (which was GTA's stance up until a while ago, yet they've yet to provide any tools), you're not changing the fact that people are going to mod your game; you're just making it more dangerous to do so by forcing users to inject third-party executable instructions into your game's memory with the same privilege as the game itself and not providing a sandboxed environment that meets the requirements of the modders (which Papyrus doesn't; it's almost *too* sandboxed, hence SKSE.dll).

kyouko
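One way to apply the tiering the comments above describe (assets only, scripts run inside the game's interpreter, native code loaded into the process) to a downloaded mod package. This is an added example, not code from the video, the affected mod, or any real mod manager; the extension lists, the executable-magic checks, and the zip contents are assumptions made for this example.

```python
"""Sort the files inside a game mod package by the access they could gain.

Added example for the comments above, not code from the video or from any
real mod manager. The tiers follow the comments: asset-only files, scripts
that run inside the game's interpreter, and native code that runs with the
game's own privileges. The extension lists and the sample archive are
assumptions made for this example.
"""
from __future__ import annotations

import io
import posixpath
import zipfile
from collections import Counter

# Assumed extension sets; a real checker would use the target game's formats.
ASSET_EXTS = {".png", ".dds", ".tga", ".obj", ".fbx", ".json", ".xml", ".txt", ".esp"}
SCRIPT_EXTS = {".lua", ".psc", ".pex"}           # interpreted inside the game
NATIVE_EXTS = {".dll", ".exe", ".so", ".dylib"}  # loaded into the game process

# Tiers ordered from most to least access; a package gets its worst tier.
TIER_ORDER = ("native", "script", "unknown", "asset")

PE_MAGIC = b"MZ"        # Windows PE image (DLL or EXE)
ELF_MAGIC = b"\x7fELF"  # Linux shared object or executable


def looks_native(head: bytes) -> bool:
    """True if the first bytes carry an executable-image magic, whatever the name says."""
    return head.startswith(PE_MAGIC) or head.startswith(ELF_MAGIC)


def classify(name: str, head: bytes) -> str:
    """Tier a single file: content magic wins over the file extension."""
    if looks_native(head):
        return "native"
    ext = posixpath.splitext(name.lower())[1]
    if ext in NATIVE_EXTS:
        return "native"
    if ext in SCRIPT_EXTS:
        return "script"
    if ext in ASSET_EXTS:
        return "asset"
    return "unknown"


def inspect_mod(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (path, tier) for every file in a zip-packaged mod."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # enough for the magic checks above
            findings.append((info.filename, classify(info.filename, head)))
    return findings


def package_tier(findings: list[tuple[str, str]]) -> str:
    """The package is as dangerous as its most capable file."""
    present = {tier for _, tier in findings}
    for tier in TIER_ORDER:
        if tier in present:
            return tier
    return "empty"


def build_sample_mod(with_native: bool) -> bytes:
    """Constructed sample archive; the contents are placeholders, not real mod files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("textures/road.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("scripts/traffic.lua", b"-- game-API script\n")
        zf.writestr("README.md", b"# sample\n")
        if with_native:
            zf.writestr("plugins/Helper.dll", b"MZ\x90\x00\x03\x00")
            # A PE image behind a data extension: caught by the magic, not by the name.
            zf.writestr("data/config.json", b"MZ\x90\x00\x03\x00")
    return buf.getvalue()


if __name__ == "__main__":
    findings = inspect_mod(build_sample_mod(with_native=True))
    for path, tier in findings:
        print(f"{tier:8} {path}")
    print("package tier:", package_tier(findings), dict(Counter(t for _, t in findings)))
```

Content magic is checked before the extension because a helper DLL that is already in the process can load any file it likes, so a payload does not need a telling extension. The "script" tier only holds if the game's interpreter is actually sandboxed in the way the Factorio and Lua comments describe; a script engine with file or network access belongs in the native tier.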

Why in 2024 desktop operating systems still let most applications run with no sandboxing is beyond me.

Decateron

I just had a little panic attack because I was playing Cities: Skylines 1 with a Traffic Manager mod earlier.

ItsErikCubed

This is the one point where Lua is a good thing: it's sandboxable. That makes it ideal for game mods because it's easy-ish to read/write and can be run untrusted with virtually no security risk.

awesomecronk

The problem with something like this is that people will see the "support" number (the number of downloads, reviews, subscriptions, likes, etc), and they'll equate a high number (such as 300k in this example) with a high level of trust, especially if they have no other way to measure trust.

nomore

My intuition is that while this can happen, getting infected by an npm or pip package is still far more likely.

seeibe

Please don't fearmonger. Most mods are not distributed as DLLs but in various scripting languages like Lua or other custom solutions. Any DLL in the modern modding scene is usually a single helper DLL that provides a framework for other mods to take advantage of by expanding the modding API.

otso

Supply chain attack injecting payload into a game mod. Surprised it took this long. Pretty obvious target rich environment to capture a whole lot of gamer machines on a zombie net.

matthewstott

I run a separate machine for games, but modding is kinda half the joy of most of my favorite games. Far too many games lock all their stuff down so that you can only have fun The Correct Way.

TheLexikitty

2:11, you only install a DLL some of the time. Most games use scripts that access the game's API, and that's a much safer way of doing it.

bryanx

Hey Low Level, I'm just wondering: did you really quit League after Vanguard? I quit and my friends still think I'm being extreme, but I came to the same conclusion as you: I'm not installing a rootkit on my PC, that's just asking for trouble.

dudaseifert

I feel like the smarter takeaway would've been just don't bank or handle sensitive data on the same machine you consume media on. Some game devs take cyber-security seriously, but they're the exception. Serious media decoding bugs are also a dime a dozen.

FireStormOOO_

FYI, DLLs have entry points. DllMain is called when the DLL is loaded, the intention being to initialize whatever state it might need.

inzanozulu