Researchers at Avast have uncovered a serious vulnerability in the video game Dota 2, whereby a set of custom game modes made by a malicious actor were able to execute code on players’ machines remotely.
The bug stemmed from a known vulnerability in an older version of the V8 JavaScript engine, the same version the game was still running.
Dota 2 is a popular game, played by millions of people around the world, and it is a very customisable title. Many users go to the Steam platform — run by Valve, which also develops the game — for various add-ons and user-made content, including game modes. In this case, four game modes were found to have been uploaded to Steam and passed verification despite their malicious payload.
The suspect game modes seem to suggest a progression in what the threat actor was trying to achieve. The first mode had no payload, but did have comments within the code on what it might be able to do. The mode was also clearly marked as a test by its author, and not intended for download.
“After discovering this first malicious game mode, we were of course wondering whether there are more such exploits out there,” Avast researcher Jan Vojtěšek said in a blog post.
“Since the attacker did not bother reporting the vulnerability to Valve, we found it likely that they would have malicious intentions and attempt to exploit it at a larger scale.”
And Avast’s team was not wrong.
After downloading all the JavaScript files from various custom modes, the researchers searched the code for suspicious patterns. That turned up three more modes from the same author, all containing a backdoor that could execute arbitrary code, which could then download the JavaScript payload from a command and control (C&C) server.
At the time of testing, the C&C infrastructure was no longer responding, but Avast’s researchers are certain it was meant to download the known exploit.
“This is because all three backdoored game modes were updated by the same author within 10 days after said author introduced the JavaScript exploit into their first malicious game mode,” Vojtěšek said.
“However, we remain unsure about whether there was any malicious shellcode attached to the exploit.”
Avast contacted Valve, which immediately rolled out an update that addressed the vulnerability. According to the company, fewer than 200 players were affected. Avast’s researchers are unsure of the overall intent of the game modes but believe the intentions of the author were definitely less than pure.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.