
Guys, our last speaker of the day is Luiz Henrique, with the talk "Analysis of Vulnerability in Game Distribution via Steam: An Attack Vector for the Dissemination of Malicious Code". Welcome, Luiz! Thanks, guys! So, let's go! First, let me introduce myself. I'm Luiz Henrique, I'm passionate about games. I always wanted to get into game development, but I ended up moving to other areas before I got to where I am now. Today I work in software quality, somewhat focused on security, but not specifically on security. I'm also passionate about hardware hacking, mainly focused on the hospital area. First, I want to thank the company I work for today, which allowed me to be here. We have several openings for those who are entering the
market or want to migrate. We have openings, and there is also a form being circulated, and this form will give you a bonus, no, not a bonus, there will be a draw with two R$100 Google Play vouchers. I was going to put Daistin, but I thought it would be a joke given what I'm going to present here, and then putting Daistin would be a bit controversial with what I'm applying. So, can you advance? I'm getting there. Can I go? Let's go. First I'll tell you a bit about the trajectory we have in gaming here. Before the 80s and 90s, whoever was already born, welcome to the club, but we mainly had software that was developed and passed around on floppy disks, right? Probably
half of you didn't even know that, but anyway. Then we had a series of CDs being passed around that had several games, and on them there was also a lot of virus. It was a bonus. You would go there, there was a known game, a million games there, bonus, that you didn't even know where it came from, it was just a disgrace. It was, right? A bit later, in the mid 2000s, we started with the infamous Kazaa, which was a garbage factory. You downloaded everything you wanted, you would download a game there, or an MP3, and when it arrived, MP3.exe. Ah, I don't know what, I ran it on the machine and... man, it's just a disgrace. Then we came to torrents. Same thing,
just the strategy changed, right? Same... the virus was passed along the same way. The difference now is that you had cracked games, and nobody cracks for free. You will always have the bitcoin miner, I don't know what the guy will send you. But there are those DLLs that you don't know what they are, that are running on your machine, and life goes on. And now we come to after 2010, 2011, I think 2011, Steam was born, with the big "Oh no, now we have a company that will defend us". Maybe. And along with it, they even block both Hydra and Green Steam, which are Steam games for free. Since with anything you download for free that should be paid, you have to have a
certain concern. And let's start here, with the beginning of Steam's misfortune. What does it do? The way you send a game to it is very funny, because it says it's safe, but you send them a zip. What's in the zip? Anything. Literally anything, and they don't validate what you send in there. It doesn't validate the DLL, it doesn't validate the patch, it doesn't validate anything. So you send it. And the beginning of my research there wasn't even sending the corrupted zip. It was trying to analyze the way it's sent, to see if I could find any vulnerability for an RCE in there, to reach their servers, like a shell, anything that could point me in there to get something from Medicare. I
got it, then it goes to another one, which is still open with them, but that's another point. I'm going to show you now the basic principle, how their upload works, and then I'll come back to that one. How do I play it here? I don't think so. Steam hit me back now. And the worst little pin here on the machine.
Well, let me put the video on. In this basic principle, I made the most accurate ransomware code possible. Any detector you see there on VirusTotal catches everything. Any time you send it, any antivirus you have, it catches it. But not Steam. This is a wonderful upload platform. It doesn't even ask what's in it, it simply opens the option for you to publish after you send the zip. It doesn't care what's in it, it doesn't do data sanitization, nothing. It simply doesn't validate anything. It's already in production, it shows that the graphics are bad, right? Anyway, that's it. Then the game is already on Steam. It's already available for anyone who has an account on
Steam to download. That's what I'm going to show you now. The same game I sent, this one. Of course, I did this test with an open account, so there's no leak to anyone who uses the game. This game was developed by me. So I have control of what's going up there, theoretically. I downloaded the game from scratch, that is, there was nothing infected on the machine yet until I downloaded it. Showing that the desktop is normal until I execute the game. Then you already... Literally that. You've already fucked your machine. And this goes for anything. I did it with ransomware, but you can do it with RCE, you can send a reverse shell, anyway. You
send anything. Be it compiled, I made an executable inside the executable, but you can send it as a DLL, within the code itself, Steam doesn't care. It doesn't care. And it's wonderful, I worked hard to report this and fought for almost three months. And this was their answer, simple and practical. The system was made for that, and it's a lot of struggle. And what's the problem with that? It's working, you described what it is to work, okay. I answered, I asked again, "But I'm telling you that it's a way to contaminate machines en masse." They said, "No, but that's it." I got the same answer. "Oh, that's right. All right. So, let's go." And
the interesting thing is that it doesn't have only this vulnerability. If you have the patience to go to Steam to report, I found four since last October. Two were reported and were really ignored by them. I'm also preparing a paper on the second one that was ignored. And two more that are in the process of evaluation. But Steam literally stopped caring about the end user. It cares about making money and about... So much so that the other two are... directly in their money transfer, those they cared about. But the one that doesn't matter to them, which is the end user... So, that's it. It's Synthos using Steam as if you were in the 2000s downloading torrents. It's the same thing. And that's it. Synthos's presentation
was very good at explaining that. If anyone has any questions, any doubts, you can send them. No? No, this one, in this case, is a from-scratch publication. It's because it's already in the cloud, but I did the process and published from scratch. It works for both. And there's a detail, not every game, but depending on the game, if it doesn't have internal validation of the game's mods, you can do it in third-party games too. Then what's cool, you contaminate third-party games. Yes. In the case of CS, no, because in the case of CS, as it's Valve's child, it gets more complicated because they have mod code analysis. More games like... I won't name the game here, otherwise I'll end
it. But anyway, there are games that have an open mod system, which is public mods, you can publish and that's it. If it's a popular game and you can popularize your mod, it's over. Any platform. The only difference is that you will have to do... for the platform, the build for the platform, but any platform. It's their upload system that is messed up. That's the difference you don't have on Google Play, Mac, Apple Store, there's none. Anyone else? Vulnerability, you can send anything to Steam. In short, that's it. Literally that's it. You, on your developer account, you can duplicate a mod or a game with a virus that Steam doesn't validate, and it sends it to everyone who has the
game downloaded, and that's it. That was their answer. Google Play, Epic, Epic Store, all of them have a validation. You can bypass it, but if they send it wrong, like I did, this same code, if they send it to Epic, it will be blocked. It would be better than Steam. At this point, yes.
Yes. What's the question there? The only thing you need to have and do is pass Steam's initial validation. You will have to send a valid game, ok. The first time they will check, and then the lower shelf. Even if you want to send a PDF inside the zip, which will do nothing, send a photo library, it will go too. The only thing is, as it will not have an executable, when the client downloads it, it will have it in there, it will have been downloaded onto the machine, but it will not run on Steam. In this case, I ran the game on Steam because I pull the game's executable, but I can send anything. Send it without an executable, it will go through, fuck it. The only difference you will have
is that, if it is not through their API, if it is through the browser, you have a maximum limit you can send at once. But if it's through the API, if you want to send 40GB of files there, it's done. It's literally Steam Drive. Do it. No. Probably. When I started preparing this article last year, a guy had an idea similar to mine, but he applied it in practice. He made a game called "Idol of Life" that mined Bitcoin on the machine. So he had already applied what I'm presenting as a vulnerability, and someone went there and applied it. He didn't have the good sense to report it first. If he had reported it, they would have had to pay him, so it wouldn't be good.
It's not even there. Apparently, that's what it showed. I don't know how it will be in the future. And if they sue me, please help me. I... It works. It works because it will validate normally. But then, it's that famous one. It works, but you do the bypass. What I showed was more to show that it is really a mess, it's like a business that, out of 40, got 31 vulnerabilities, so it has no criteria, the criteria are zero. So you can throw anything in there, this holds, especially to do the bypass; if you use, as I did, the executable inside the executable, it is easier for the antivirus to catch, but then it's that,
there are ways to make it pass, and then, who are you going to blame? The antivirus or Steam, because it should already have been blocked by them. If I'm downloading from a platform that is insecure and that criticizes piracy, theoretically it has to protect me from downloading crap, and it's not doing that very well. Anyone else? So that's it, guys. Dude, I'm even afraid to laugh. So, let's go. Any user can make mods for any game, you don't need a developer account. There are games that have a validation, like CS, since CS is from Valve, they are a bit more careful, because there is a lot of money in there. So they block the way you
do the malicious mod. But there are indie games that have a bunch of players that don't care about it. So you go to Steam, Steam's Workshop, you go in there, someone downloads it and that's it. Just success. If you go there, does it make sense to play with the game or is it just a game that we're playing? So, I didn't study the defensive part, because I went by the principle that, as it is a tool that proposes security to you, the end user, it has to worry about it. So, it's more or less like Google Play, they have this validation, they go there and validate, if your app is malicious, it already says so right
away, and if you push your luck too far, it already blocks your account and says, oh my friend, get out, get out. Apple, the same way. So, if Steam, which today, if it's not the biggest, is the second biggest, because there's the App Store, I don't know which is the biggest between the two, that's their fight. So, they have to worry about it. So, I didn't go there, I went to report it to them, and they didn't care. Anyone else?
On this one I will refuse to comment, okay? But it's a good study vector. Anyone else? Go on? Send it.
Dude, let's go. The first time I sent it, I didn't send it with malicious files, but it tests the executable, it tests if it's working, if it's functional. But then I'll owe you the answer to the question of whether the first time it already tests if there's any malicious file or not. Because as it's an already published game, mine was just a subsequent one, it had already passed through the initial stage. I don't know if it will check, but I don't think so. I don't think so. Anything else? Dolly one, dolly two, dolly three. Okay? Thanks guys, thank you very much.