this post was submitted on 28 Nov 2024
54 points (80.0% liked)

Godot

6010 readers
35 users here now

Welcome to the programming.dev Godot community!

This is a place where you can discuss about anything relating to the Godot game engine. Feel free to ask questions, post tutorials, show off your godot game, etc.

Make sure to follow the Godot CoC while chatting

We have a matrix room that can be used for chatting with other members of the community here

Links

Other Communities

Rules

We have a four strike system in this community where you get warned the first time you break a rule, then given a week ban, then given a year ban, then a permanent ban. Certain actions may bypass this and go straight to permanent ban if severe enough and done with malicious intent

Wormhole

[email protected]

Credits

founded 2 years ago
MODERATORS
 

cross-posted from: https://lemmy.zip/post/27055106

​Hackers have used new GodLoader malware exploiting the capabilities of the widely used Godot game engine to evade detection and infect over 17,000 systems in just three months.

top 16 comments
sorted by: hot top controversial new old
[–] [email protected] 63 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

From Rémi Verschelde:

As the Check Point Research report states, the vulnerability is not specific to Godot. The Godot Engine is a programming system with a scripting language. It is akin to, for instance, the Python and Ruby runtimes. It is possible to write malicious programs in any programming language. We do not believe that Godot is particularly more or less suited to do so than other such programs.

Users who merely have a Godot game or editor installed on their system are not specifically at risk. We encourage people to only execute software from trusted sources.

For some more technical details:

Godot does not register a file handler for ".pck" files. This means that a malicious actor always has to ship the Godot runtime together with a .pck file. The user will always have to unpack the runtime together with the .pck to the same location and then execute the runtime. There is no way for a malicious actor to create a "one click exploit", barring other OS-level vulnerabilities. If such an OS-level vulnerability were used then Godot would not be a particularly attractive option due to the size of the runtime.

This is similar to writing malicious software in Python or Ruby, the malicious actor will have to ship a python.exe or ruby.exe together with their malicious program.

[–] [email protected] 43 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

I think its malicious to even mention Godot in a headline with this weak context. It will confuse and scare people into thinking godot is unsafe. Some stupid people downloading and executing code from a malicious source is not noteworthy enough to justify a headline like this. It almost sounds like godot has a RCE from how clickbaity this headline is written.

[–] [email protected] 21 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

This is probably the larger story from the OP link:

The Stargazers Ghost Network uses over 3,000 GitHub "ghost" accounts to create networks of hundreds of repositories that can be used to deliver malware (mainly information stealers like RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer) and star, fork, and subscribe to these malicious repos to push them to GitHub's trending section and increase their apparent legitimacy.

Edit: a bit more info:

The malicious GodLoader is distributed by the Stargazers Ghost Network, a GitHub network that distributes malware as a service. Throughout September and October, approximately 200 repositories and over 225 Stargazers were used to legitimize the repositories distributing the malware. 

https://research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders/

My take is that Godot has never claimed to be sandboxed, as long as OS.execute() is enabled by default then running arbitrary code in the user context is trivial. The solution of course is to only run code that you trust.

[–] [email protected] 2 points 3 weeks ago

Yeah that is more headline worthy indeed.

[–] [email protected] 48 points 3 weeks ago

This is a non issue. It's like saying hackers used a programming language to write malicious code.

Of course they did. How else would they do it?

They're just using the Godot engine (C#) to do it instead of the python interpreter.

[–] [email protected] 15 points 3 weeks ago

Yeah not much to see here. GoDot just makes it easier to bypass the antivirus because of the code it outputs. It'll take a while and future malware that uses it will be detected the same way other malware is. I'm guessing antivirus companies will start unpacking and scanning the .pck files. Just like they do with similar archives.

One should not put their full trust in their antivirus anyways.

[–] [email protected] 14 points 3 weeks ago

@recursive_recursion Godot was not abused. What I understand:

What actually happened: Bad actors realized that they could use Godot to code Malware that is not detected by antivirus software. They create open source tools on Github (Cracks, Twitch manager for example, and 188 others), but that tool is a Malware coded in Godot that downloads and runs additional malicious software.

What could happen, but probably didn't: Bad actors could change the data of a Godot game, turning it into malware.

[–] [email protected] 11 points 3 weeks ago

Storm in a teacup.

[–] [email protected] 9 points 3 weeks ago (4 children)

But this is bad news for game jams. Participants are not really trustworthy and those who do not build for HTML5 should not be evaluated.

[–] [email protected] 12 points 3 weeks ago* (last edited 3 weeks ago)

A web version is often a requirement (in my limitted jam experience).

[–] [email protected] 4 points 3 weeks ago

This has always been true. If you are downloading an exe off the internet, it can be malicious. I am amazed by the streamers and Youtubers that seem willing to run anything. When I gamejam, I only write games that work in the browser and I only test/rate games that do the same. Unless you have a quarantine machine purpose built for running unknown code, it is really the only option.

[–] [email protected] 3 points 3 weeks ago

I mean... Every game you download and run can do almost anything on your computer, no matter what it's written in. It's just code.

My first C2 agent I made for our malware to use in Red Teamings was a Unity Engine headless server.

[–] [email protected] 2 points 3 weeks ago (1 children)

Last time I checked you can spawn processes from any game engine, making this a moot point.

[–] [email protected] 4 points 3 weeks ago (1 children)

Thats true for anything that runs as a native app, but html builds will be sandboxed by the browser.

[–] [email protected] 2 points 3 weeks ago

True, but the comment I was responding about not trusting non-web builds. This could imply that it's only for non-web build Godot games while you could easily do this with any engine.

[–] [email protected] 4 points 3 weeks ago