Steam could easily have automation that installs and runs games in a sandbox. Then watches what they do. The things it needed to do to steal the crypto should be vastly different than what a game should be allowed to do.
Why so? Assuming this is the 1st complaint against the game, what was steam supposed to do in the past month?
Modern_medicine_isnt@lemmy.world 2 weeks ago
dafta@lemmy.blahaj.zone 2 weeks ago
This isn’t foolproof. A lot of malware these days is resistant to analysis because they can detect that they’re running in a sandbox and refuse to run the malicious code.
Modern_medicine_isnt@lemmy.world 2 weeks ago
I chose not to spell out the full test. The fact is, valve could do it. It is just somewhat expensive. Make a law that game distributors are liable for losses if they distribute malware and you would see how well they could do it.
Die4Ever@retrolemmy.com 2 weeks ago
There are so many ways malware could get through that. What if it waits for a specific date or a certain amount of progress in the game? This automated sandbox probably wouldn’t be smart enough to beat the game, certainly not with as many games as they have.
Modern_medicine_isnt@lemmy.world 2 weeks ago
I chose not to spell out the full test. The fact is, valve could do it. It is just somewhat expensive. Make a law that game distributors are liable for losses if they distribute malware and you would see how well they could do it.
dogs0n@sh.itjust.works 2 weeks ago
It isn’t as easy as you say.
If they could let us run games in a sandbox/virtualised area that would be amazing though. That’s a very big ask though.
I do know that xbox consoles run games in their own hyper-v vm which gives extra protections to us from most malicious code.
Obviously this would be hard for Steam to implement, but it would be a very nice measure.
Modern_medicine_isnt@lemmy.world 2 weeks ago
I didn’t say it was easy. The fact is, valve could do it. It is just somewhat expensive. Make a law that game distributors are liable for losses if they distribute malware and you would see how well they could do it.
dogs0n@sh.itjust.works 2 weeks ago
I believe you said it was easy in the first sentence of the comment I replied to, though maybe I am reading it wrong and you are speaking on something else.
Nevertheless, they surely have the money to make some type of sandboxed environment for us to run games in, but I can also see why they haven’t since they have so many other things in the works right now and I believe they famously don’t have that many employees (they could hire more, but that could ruin their workflow, etc, not sure). Still, I would like to see this somewhere in the future so I can be a bit more carefree when running less known games.
Maybe this is something that operating systems need to do for us though, I don’t know. Xbox can do it because Windows/HyperV allow it to, but they are created by the same company so the lines are blurred a bit. Not to mention use cases for PC gaming are much wider in scope, so the sandbox environment would have a lot more things to consider (probably).
Anyways I still think this would be sorta far fetched, but I can dream it will soon exist.
Not sure how I feel about making software distributors liable for the malware (it would make any smaller stores go out of business straight away for sure).
ryathal@sh.itjust.works 2 weeks ago
Malware creation and detection are billion dollar industries playing an eternal cat and mouse game with each other. These programs don’t just instantly try to steal every file the second they run.
Modern_medicine_isnt@lemmy.world 2 weeks ago
I am decently versed in the game of cat and mouse. The fact is, valve could do it. It is just somewhat expensive. Make a law that game distributors are liable for losses if they distribute malware and you would see how well they could do it.
Nibodhika@lemmy.world 2 weeks ago
Have you seen the malware? It would have passed that test.
pulsewidth@lemmy.world 2 weeks ago
It had a password protected zip file in an update that hid the payload. That is pretty damn basic and would not have gotten past any retail antivirus program’s heuristic detection.
Chances are that Valve is treated as a ‘trusted publisher’ by Microsoft Defender and thus it bypassed the scan. The malware payload even explicitly checks that no retail antivirus was installed, and that Microsoft Defender was active, prior to attempting to extract and run its payload.
(See comments above for explicit details regarding the malware)
Nibodhika@lemmy.world 2 weeks ago
Password protected zip file is also a way to deliver content an indie dev might use to lock content, so that on its own is not enough, but also the “payload” was connecting to a remote server, which is not indication of bad behavior, lots of games connect to remote servers and receive commands from there, e.g. event X starts now, or something. Except in this case it allowed a reverse shell.
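An added example, not part of any comment in this thread and not Valve's tooling: a static check that flags encrypted ZIP entries in an update, finding archives by content rather than file extension and following nested archives. As the comment above says, an encrypted archive alone is not proof of malice, so this is a triage signal only; the file names and sample bytes are constructed.

```python
import io
import zipfile

ENCRYPTED = 0x1                # ZIP general-purpose flag bit 0: entry is encrypted
MAX_ENTRY = 64 * 1024 * 1024   # do not unpack entries larger than this (assumed cap)


def encrypted_entries(name: str, data: bytes, depth: int = 3) -> list[str]:
    """List encrypted entries in data, recursing into readable nested archives."""
    if depth == 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            inner = f"{name}!{info.filename}"
            if info.flag_bits & ENCRYPTED:
                hits.append(inner)  # contents cannot be inspected statically
            elif not info.is_dir() and info.file_size <= MAX_ENTRY:
                hits += encrypted_entries(inner, zf.read(info), depth - 1)
    return hits


def scan_update(files: dict[str, bytes]) -> list[str]:
    """Scan every file of an update by content, whatever its extension."""
    return [hit for path, data in sorted(files.items())
            for hit in encrypted_entries(path, data)]


def _stored_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for entry_name, payload in entries.items():
            zf.writestr(entry_name, payload)
    return buf.getvalue()


def _mark_encrypted(raw: bytes) -> bytes:
    """Constructed sample only: set the encrypted bit in both headers of a one-entry zip."""
    out = bytearray(raw)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        out[out.find(sig) + flag_offset] |= ENCRYPTED
    return bytes(out)


def sample_update() -> dict[str, bytes]:
    """Constructed update: one archive hides an encrypted entry under a .dat name."""
    locked = _mark_encrypted(_stored_zip({"payload.bin": b"constructed"}))
    return {"game/readme.txt": b"patch notes",
            "game/levels.zip": _stored_zip({"level1.map": b"map"}),
            "game/assets.pak": _stored_zip({"textures/a.png": b"img",
                                            "bonus.dat": locked})}
```
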
Modern_medicine_isnt@lemmy.world 2 weeks ago
Clearly it passed their test. But it was not undetectable.
kbobabob@lemmy.dbzer0.com 2 weeks ago
Obviously, Steam is supposed to vet the source code of every game thoroughly before it ever gets put up for sale.
AwesomeLowlander@sh.itjust.works 2 weeks ago
I wonder how many people are taking your statement at face value without recognising the sarcasm…
KuroiKaze@lemmy.world 2 weeks ago
It’s not sarcastic. That’s exactly how most of these platforms work behind the scenes. They run automated, dynamic and static analysis against all the app code looking for potentially harmful signatures.
AwesomeLowlander@sh.itjust.works 2 weeks ago
Pretty sure Steam already does that. And no automated (or even manual) analysis is going to be 100% foolproof, or we wouldn’t be worrying about supply chain attacks in Linux. So that puts us back at square one.
Nibodhika@lemmy.world 2 weeks ago
That’s not analyzing the code. Also almost assuredly steam does that. Finally that wouldn’t catch this since it was a back door, as long as the attacker didn’t use it it would not be detected by any automated means.
pulsewidth@lemmy.world 2 weeks ago
Dumb take. There are many ways to scan software without needing access to the source code.
Do you think retail antivirus providers approach every developer of every program version to request a copy of their source code for review before they can verify it’s safe?