City: Skylines developers warn of rogue mod

Credit to Author: Christopher Boyd| Date: Mon, 14 Feb 2022 18:32:19 +0000

Players of the popular city-building simulator and video game City: Skylines need to check devices for rogue code lurking in mods related to a rework of something called Harmony, essential for modding across several titles.

The threat arrives in a broader landscape—video game modding—already known for scams and malware. Whether looking for patches and fixes, or just more general alterations, gamers have to be careful when modifying how their games run. There’s a few long-standing sources for game modders, viewed as being safer than other ways of grabbing the latest mod. Even then, problems can arise due to site aspects unrelated to the mod files themselves.

That’s just how it goes in modification land.

What is Harmony?

Harmony is a “library for patching, replacing and decorating .NET and Mono methods during runtime”. As with many things mod related, people occasionally go off and make their own versions of mods, frameworks, individual files, the works. Sometimes it’s better, sometimes it’s worse. Occasionally it’s a necessity if a game has changed so much the original no longer works, and the author has abandoned the project. Of course, sometimes people do this without asking permission if needed first which is a whole other can of worms.

This particular can of worms is exclusively rogue file related.

A statement of (bad) intent

From the game developers:

In TM:PE 11.6.4.8 we are marking _all_ mods by Chaos / Holy Water / drok (same person) as incompatible for the following reasons:

  • Network Extensions 3 contains malware which directly targets multiple members of our team, dozens of other modders, employees of Colossal Order, and dozens of Steam users many of whom will not be aware that they are targets of malware.
  • While the malware is trivial (it randomly alters speed limits), it’s caused a lot of excess support workload and raises concerns about what other malware may be present (particularly in the Harmony “Redesigned” mod).
  • Network Extensions 3 was modified with “tripwire” code specifically designed to cause bugs in other mods.
  • Those bugs are affecting TM:PE users (we have several confirmed cases) and when TM:PE team go in to investigate we are hit by malware.
  • Upon bugs appearing in other mods, Chaos claims that they are badly written in order to gain more users for his mods – which in turn are designed to cause bugs in other mods.
  • Chaos has blocked former members of Network Extensions mod, including myself, from creating derivative works on his version of the mod.
  • Chaos has added code to his Harmony “redesigned” mod’s reporting tool which is highly misleading (often indicating the wrong mod being responsible for an error, when in most cases it’s _affected_ by an error from somewhere else)
  • Chaos is doxing and harrassing anyone who calls him out on his behaviour, adding them to his targeted malware system, and then claiming that _he_ is the actual victim (a technique called “DARVO” = deny, attack, reverse victim and offender)

In the interim there is a high likelihood that Holy Water will release his own version of TM:PE. It’s not our place to tell you which mods to use, but at least wait for the additional detail before making a decision.

What’s the short version?

To summarise, from the same thread (bold added by me):

  • When someone starts the game with the NExt3 mod enabled, it checks if the game is running in Steam portal and, if so, then checks the player’s Steam ID against two lists of Steam IDs[github.com].
  • One of the lists appears to be mostly modders and CO employees; the other is a list of ordinary steam users many of whom will not be aware that they are direct targets of malware.
  • If the player ID matches an entry on the list, the mod proceeds to change road speeds to a random – but always slow – value[github.com].
  • This gives the false appearance that it’s the other mods which contain bugs – a topic which I’ll cover in a later comment.

This is quite the attempt at discrediting rival mods, while also taking a peculiar swing at developers and what seem to be random Steam users. Have they annoyed the mod creator in some way? Or are they genuinely just random City: Skylines players? At any rate, this plus word of some sort of automatic updater thrown into the mix has made players and developers very wary at time of writing.

Rogue mods down, and hopefully out

The mods have apparently since been removed from the Steam Workshop by Valve. As many as 35,000 people may have subscribed to the rogue files before being taken down. Anyone who may have grabbed this version of Harmony is advised to unsubscribe to the mod, and then run full security checks and malware scans as a precaution.

It’s hoped that the aggravating speed up / slow down “feature” of the mod is about as bad as things get for anyone affected, but an abundance of checking won’t hurt at this stage.

Usually we warn about suspicious standalone mods from sites you’ve never seen before, or files on sites such as Nexus Mods with bad reputations and poor reviews. It’s a little unusual to have to warn about bogus mod actions offered up directly from the Steam Workshop, but sadly that’s how things are sometimes. Keep an eye on developer commentary, read reviews before downloading, and keep your security scanners handy before allowing unknown code to run on your PC. Stay safe and have a hopefully malware-free time of it while modding your games.

The post City: Skylines developers warn of rogue mod appeared first on Malwarebytes Labs.

https://blog.malwarebytes.com/feed/

Leave a Reply