• Listen to a special audio message from Bill Roper to the Hive Workshop community (Bill is a former Vice President of Blizzard Entertainment, Producer, Designer, Musician, Voice Actor) 🔗Click here to hear his message!
  • Read Evilhog's interview with Gregory Alper, the original composer of the music for WarCraft: Orcs & Humans 🔗Click here to read the full interview.

New WC3 exploit

Status
Not open for further replies.

Captain Griffen

Captain Griffen

Captain Griffen

Level 14
Joined
Nov 20, 2005
Messages
1,156
NearbyHermit said:
Last year I encountered a virused map!

It happens with the Custom Data contained,it was an infected Mp3 file,then game sometimes crashed when it played!

So I went in the Editor and Saved it,scanned it,and it had positive for infection :grin:
Click to expand...

Your virus scanner surely cannot scan map archives (unless it has an MPQ archiving tool)? This is highly unlikely. If you don't know how to decompress it, compressed files are as unreadable as encrypted ones.
 

Bloody_Turds

Bloody_Turds

Bloody_Turds

Level 18
Joined
Jan 23, 2007
Messages
1,302
honestly id love for this 'exploit' to stay, and theres not much they can do about it probably.... although blizz could have its own virusscan that scans a file after dl, for known virus's (only ones that are known to have been on wc3), they should also keep IP of the creator saved incrypted in the map at creation, this would be atleast a little protection, since maps could be traced back

really though, with this you can have actual save/load rpgs, without codes, all it has to do is save a file on the comp, in the wc3 folder, or possibly even ON A SERVER. that would greatly decrease the ability to cheat. btw no im not an rpg fan, im just useing rpgs since they would probably benifit the most from this.

that or maybe any executable file, could be registered by the owner at battle.net, then the virus scan would find any unregistered files, or files onlist as viruses. It would not have to be ran by blizz employies, but rather the comunity, except when a virus is detected (then blizz ban's the submitters key) not to mention, mods would be alot more widespread, if they could be dled over bnet, and or synced
 

NearbyHermit

NearbyHermit

NearbyHermit

Level 24
Joined
May 20, 2007
Messages
3,283
Bloody_Turds said:
honestly id love for this 'exploit' to stay, and theres not much they can do about it probably.... although blizz could have its own virusscan that scans a file after dl, for known virus's (only ones that are known to have been on wc3), they should also keep IP of the creator saved incrypted in the map at creation, this would be atleast a little protection, since maps could be traced back

really though, with this you can have actual save/load rpgs, without codes, all it has to do is save a file on the comp, in the wc3 folder, or possibly even ON A SERVER. that would greatly decrease the ability to cheat. btw no im not an rpg fan, im just useing rpgs since they would probably benifit the most from this.

that or maybe any executable file, could be registered by the owner at battle.net, then the virus scan would find any unregistered files, or files onlist as viruses. It would not have to be ran by blizz employies, but rather the comunity, except when a virus is detected (then blizz ban's the submitters key) not to mention, mods would be alot more widespread, if they could be dled over bnet, and or synced
Click to expand...

Dude,this sounds pretty anarchic,but efficient!
 

Billy the Cat

Billy the Cat

Billy the Cat

Level 18
Joined
Mar 13, 2009
Messages
1,411
DevineArmy said:
I don't play wc3 anyways.
Click to expand...
HFR said:
First the fail maps flood, now this!!!!

/me explodes is angreh!

At least I don't play on battle.net, he he...
Click to expand...
Grim said:
To be honest a large number of us no longer make warcraft III maps or resources, as well as many of us who no longer play warcraft III at all :)
Nevertheless this is indeed slightly worrying, and I hope Blizzard make patching this a priority.
Click to expand...

I see, just being addicted to the Hive? :wink:
This is a Warcraft-based community, but it just surprised me to hear a lot of people say that they don't play Warcraft 3 or B.Net. Why are there so many non-warcrafters on the Hive?

I could understand it if some played Warcraft, but stopped playing while still being attracted to the site.

I hope this exploit will be fixed, although an easier save option would be great. I usually dislike RPG's on B.Net, but if one would not be abuseable and would require no codes it would be awesome. Now most RPG's get boring with all those huge level heroes from players who did nothing except for some cheating.

If they fix the whole thing it's okay to, I don't need RPG's that badly and most people wouldn't be able to exploit it I think (unless people would release a how-to-abuse-the-exploit-for-saving tutorial). ^^
 

Dr Super Good

Dr Super Good

Dr Super Good

Spell Reviewer
Level 65
Joined
Jan 18, 2005
Messages
27,290
I fear we may regret blizzard fixing this, just like we would have if blizzard fixed the H2I bug. If they fix this I demand that they give some means of storing data in a file offline in multiplayer that can be synced at map start. Or atleast some other feature to allow for beter more complicated maps.

Yes sucerity is a problem, but this has the potential to be so handy as well. This could be the next greatest thing since H2I was found. Yes you would need to be more careful which maps you play, but who plays the sort of map that this is likly to be added to...

Remember that getting this to actually do anything financially useful (which is the only reason people would use this in a bad way) would need someone really skilled, and 95% or more of WC3 map makers can barely program JASS letalone machine code.
 

Dr Super Good

Dr Super Good

Dr Super Good

Spell Reviewer
Level 65
Joined
Jan 18, 2005
Messages
27,290
The fact is that you have to be a really good programer to use this in a dangerous way. The fact is also that 95%+ of programmers are too stupid to. Also a fact is that main stream custom maps will not abuse this as the makers want their maps to be popular and not to ruin peoples lives. Icefrog for example would have to be a complete idiot to implement a keylogger for stealing passwords as it would cause his map to lose all popularity near instnantly as well as several suicides.

As for the maps most likly to be affected? Loaps, other crappy open source maps and maps which promis ilegal or stupid things.

If they do remove such a bug that may turn out useful, they should atleast add something useful to WC3 like the ability to save a safe text file offline when playing multiplayer.
 

Eleandor

Eleandor

Eleandor

Level 21
Joined
Aug 21, 2005
Messages
3,699
Dr Super Good said:
The fact is that you have to be a really good programer to use this in a dangerous way. The fact is also that 95%+ of programmers are too stupid to. Also a fact is that main stream custom maps will not abuse this as the makers want their maps to be popular and not to ruin peoples lives. Icefrog for example would have to be a complete idiot to implement a keylogger for stealing passwords as it would cause his map to lose all popularity near instnantly as well as several suicides.
Click to expand...

Sure, but it's also a fact that you need only one guy to actually create an infected map. Even if the percentage of people able to do this is small, never forget that one guy is enough.

Not to mention the possibility that this one guy could also just write a tool that allows script kiddies (my own term for kids who know nothing of programming but use tools to "create" virusses and stuff) to infect any map they want. When any form of automation would be added, the threat will increase exponentially.

Even more importantly, many people start to know about this exploit, due to threads like this one. To blizzard, it's a matter of reputation now. Blizzard can't allow their own "clean" application to be a possible threat and be considered "unsafe".
 

Billy the Cat

Billy the Cat

Billy the Cat

Level 18
Joined
Mar 13, 2009
Messages
1,411
I thought of the subject and came with the same idea. If 1 player would decide to make a map that would erase all other player's maps or something it could be a big problem. Maybe worse if it would bug other players maps to have the same effects so that it would create an avalnche of problems.

I don't know all of the options, so what I am saying might be nonsense. My apologies if it is.
 

Eccho

Eccho

Eccho

Level 23
Joined
Nov 29, 2006
Messages
2,482
For those who haven't read yet - Fake Dota alert.

Source: Warcraft Custom Map Virus - Important! - Dota Allstars Blog
Warcraft Custom Map Virus, a Must Read! There's been a big fuss lately on Battle.net because a new exploit has been circulated amongst hackers. The exploits allows for a custom map to execute arbitrary code on a client and install trojans/viruses/keyloggers outside of the Warcraft III engine. In simple words, by just join an unknown person who host the Warcraft III virus map, your pc will be infected when the game started. And Dota is now become the largest target of this virus. This is not hoax or rumor, Dota-Allstars forums (and Battle.net forums) already stickied this topics. I really recommend that you read this article until finish for your own good.

Hackers created fake Dota maps that use the same file extension/directory as DotA 6.59d. Therefore you will see the loading screen displayed in your custom game list and it is effectively impossible to take precautions against, as it has no discernible difference from joining a normal DotA game. It is highly recommend that you stop playing public dota games until blizzard can patch this exploit. They have already had it brought to their attention.'

For those who doubt how dangerous this is; by mimicing dota, anyone who has already downloaded the legitimate map will see the game displayed in the custom game screen with the proper loading image, and it finishes downloading before you switch to the game lobby screen, as it is a tiny file size. Once you enter the game, the virus will unpack itself and infect your computer, allowing malicious code to be executed at the whim of the hacker. This means a malicious user will be able to grab everyone's cd-keys in a game, plant a keylogger in your computer, any known virus etc.

Props go to [email protected] forums for bringing this to attention.
Battle.net - English Forums -> Error

Don't join games of DotA hosted by people you don't know. This applies to public games, TDA, etc. The best precaution you can take at the moment if you want to continue to play DotA, is to keep your Warcraft III maps folder open, and see if any new files are downloaded when you join a game. If they are, immediately leave the game lobby, before the host can start the game (and infect you), and delete the new map file. If your computer has been infected, you should run the best antivirus software you can find, and Don't log into any accounts on your computer, Warcraft III, email, etc, as there is a high probability of getting your password keylogged. If you are certain your computer is infected, the only surefire way to eliminate it is to reformat your computer.


COMODO is the only known program at the moment to prevent Warcraft from running the malicious code as of now. Every other AV/firewall/anti-malware program other than that does not currently prevent this exploit from being used.
This is what ChildLikEmperor, Dota-Allstars forums moderator, said on his thread. But if you have another AntiVirus that can detect it, feel free to share it here.

Blizzard has been notified about the issue. The safest thing to do at the moment is to not play DotA or any other custom map until Blizzard release new patch. OR, you can carefully choose your host when joining a game even though certain risk is still there. Honestly, i prefer the second choice, because it will be hard to stop playing Dota ~_~

Update:
Thanks for anonymous who give this information.

Name of virus: HackTool.Win32.Sniffer.WpePro.w
Contaminated sites are here:
C:\WINDOWS\TEMP\omfg_wtf.dll

Looks like the virus file is on : \WINDOWS\TEMP\omfg_wtf.dll
Click to expand...

An advice from Karune (Blizzard poster)
Source: Battle.net - English Forums -> Warcraft III Custom Map Security Warning
Warcraft III Custom Map Security Warning
We have identified an exploit that could allow malicious software to be spread through Warcraft III maps. We have applied a temporary fix to address this issue when playing on Battle.net, and we are working on a patch to permanently address the issue when playing on a LAN or playing single-player custom maps. In the meantime, we recommend that players avoid downloading maps from unofficial sources or websites they do not trust -- be aware that corrupted maps may share the same name as other popular maps. If you encounter custom maps that no longer function or other issues related to this fix, please post details below.
Click to expand...

However, it seems Blizzard already made a temporary fix on the b.net servers (by Datth, Blizz poster)
Source: Battle.net - English Forums -> Dat, can you elaborate on this WC3 fix?
This fix patches the area of the game where it runs inappropriate scripts. Beyond that information, I don't have much else for you. You just need to log onto Battle.net to get an updated bncache.dat file, which contains that fix.
Click to expand...

So, outside b.net it's anything but safe...
 

Dr Super Good

Dr Super Good

Dr Super Good

Spell Reviewer
Level 65
Joined
Jan 18, 2005
Messages
27,290
They should much rather address the map curroption issue so that undownloaded maps do not appear downloaded. Also things like map size checks when you join would be good as you would not have like a 40 KB DotA. Equally well, they just have to stop WC3 running or starting other programs with this exploit, and restrict its domain to only a sub folder of WC3 and it will become pretty harmless.

The big problem is it is quite possiable they will eithor totally rework the function reference system so that that type no longer allows dangerous code to be run (possiably resulting in WC3 behaving differently and becoming buggy with existing systems) or they will fix the type conversion bug (the cause of this exploit) so that nearly every JASS spell and system stops functioning.

Thus if you do want the exploit removed, you better hope that they do not remove it and purly restrict its domain to that of it being unable to cause damage. Also hope that whatever they do, it does not slow WC3 down.

A rough guess would have me reconing that blizard will just add an exception preventing the type convstion of X to code and code to X, which may slow down other conversions slightly but will prevent the exploit form being used at all. They should atleast reward us if they do that by adding some new handy native to use, like built in faster type converters or better unit stat control natives.
 

syltman

syltman

syltman

Level 14
Joined
Jun 13, 2007
Messages
1,432
Dr Super Good said:
They should much rather address the map curroption issue so that undownloaded maps do not appear downloaded. Also things like map size checks when you join would be good as you would not have like a 40 KB DotA. Equally well, they just have to stop WC3 running or starting other programs with this exploit, and restrict its domain to only a sub folder of WC3 and it will become pretty harmless.

The big problem is it is quite possiable they will eithor totally rework the function reference system so that that type no longer allows dangerous code to be run (possiably resulting in WC3 behaving differently and becoming buggy with existing systems) or they will fix the type conversion bug (the cause of this exploit) so that nearly every JASS spell and system stops functioning.

Thus if you do want the exploit removed, you better hope that they do not remove it and purly restrict its domain to that of it being unable to cause damage. Also hope that whatever they do, it does not slow WC3 down.

A rough guess would have me reconing that blizard will just add an exception preventing the type convstion of X to code and code to X, which may slow down other conversions slightly but will prevent the exploit form being used at all. They should atleast reward us if they do that by adding some new handy native to use, like built in faster type converters or better unit stat control natives.
Click to expand...

I agree with this althought it's dangerous it's worth it. This could open for new better stuff (Sadly bad stuff aswell). Insteed off having it removed there should be a scanner in bnet that checks the triggers and if it finds something like this it would warn us first.
 

TheDivineBoss

TheDivineBoss

TheDivineBoss

Level 34
Joined
Jul 4, 2007
Messages
5,552
syltman said:
I agree with this althought it's dangerous it's worth it. This could open for new better stuff (Sadly bad stuff aswell). Insteed off having it removed there should be a scanner in bnet that checks the triggers and if it finds something like this it would warn us first.
Click to expand...

One huge flaw in your scanner idea: Most of the maps contain a shitload of triggerflaws.
 

Marshmalo

Marshmalo

Marshmalo

Level 7
Joined
Jul 1, 2008
Messages
1,024
This sucks ive just been downloading loads of maps from Bnet, already had to fix my comp after a virus stoped it booting up properly, trust the Russians to discover an exploit before anyone else does "rolls eyes*.

I saw someone advertising for the new version of map hack aswel, then played with some one who blatantly had it installed, he always knew exactly where the enemy was going to strike next, we won pretty easily. Makes me sick all these people using cheets, hope they burn in hell.
 

Alfred

Alfred

Alfred

Level 2
Joined
Apr 14, 2009
Messages
8
People, you forgot something important, if blizzard dont fix this, this hack may continue to SC2! that means the HAVE to fix it! or they may not sell anything.
 

Mooglefrooglian

Mooglefrooglian

Mooglefrooglian

Level 9
Joined
Nov 28, 2008
Messages
704
I would say they should not fix it completely.. the oppurtunities to do ANYTHING with this are endless.. text files with your score saved.. and the game could also check that.. although, sadly, the bug abuse is *huge*. Sigh...
 

Koromaru

Koromaru

Koromaru

Level 2
Joined
Jan 19, 2008
Messages
17
I hope something is done to solve this problem.

I read somewhere here that it uses JASS codes to hack your computers. What if the maps are made entirely in GUI? (With a few custom scripts)
 

Eccho

Eccho

Eccho

Level 23
Joined
Nov 29, 2006
Messages
2,482
It seems like battle.net and eurobattle.net is "safe" at the moment from executing the malicious code.
In order to be certain you wont execute a virus map in Lan/Single Player, log on to battle.net first, to get the temp fix file (I386Archimonde.mpq or something like that). This file will stay active as long as you dont exit the game.

Garena is still in the riskzone though.
 

syltman

syltman

syltman

Level 14
Joined
Jun 13, 2007
Messages
1,432
The mods on this site needs to check the maps then for this before approving in the future
 

Rising_Dusk

Rising_Dusk

Rising_Dusk

Level 14
Joined
Mar 7, 2005
Messages
804
I feel like you people are way too worried about this. It'll be dealt with, it's not the end of the WC3 world, just give it time and be a little more cautious about downloading porno maps. Seriously.
 

Rising_Dusk

Rising_Dusk

Rising_Dusk

Level 14
Joined
Mar 7, 2005
Messages
804
I feel that Blizzard recognizes the value of the return bug and is taking measures to avoid ending WC3 MapmakingDotA and is looking for alternatives.
 

kmde613

kmde613

kmde613

Level 5
Joined
Jun 7, 2008
Messages
141
Hmmm... Seems like Garena is still unsafe. As read from above.
By the way, if the "map flu" only occurs on the new WC3 Patch, can older patches like (1.20c which is mine) still get affected by it? I read from someone here that "Not updating" your WC3 "saved" you, but i don't think thats right.
 

Captain Griffen

Captain Griffen

Captain Griffen

Level 14
Joined
Nov 20, 2005
Messages
1,156
I believe that, due to the different compiler, attacks against 1.22/1.23 won't be effective against 1.21 and earlier. The attack still works, you just need to have different memory addresses I think. In effect, you should be safe, but that assumes no one will target that.
 
Status
Not open for further replies.

Similar threads

Dr Super Good
  • Locked
New Warcraft III security exploit...
4 5 6
Replies
252
Views
39K
PsycoMarauder
PsycoMarauder
best_player_88
  • Locked
[Role Playing Game] I hearby announce: Freedom force is no more
Replies
4
Views
1K
best_player_88
best_player_88
Veldrin
  • Locked
Join a new Development Clan
Replies
2
Views
1K
Veldrin
Veldrin
Bribe
  • Locked
Unable to install WC3 onto Vista
Replies
23
Views
5K
pyf
pyf
Kakerate
  • Locked
Can you run WC3 without an audio source?
Replies
1
Views
1K
Lizreu
Lizreu
Top