
Ubisoft Uplay DRM Found To Include a Rootkit

Posted by samzenpus
from the a-little-something-extra dept.
An anonymous reader writes "It has been discovered that the Uplay system Ubisoft uses to both check a game is legal and offer up gaming achievements, multiplayer, and additional content, actually contains a rootkit. The discovery was made by Tavis Ormandy, an information security engineer at Google, when he installed Assassin's Creed: Revelations on his laptop. He noticed that during the installation Uplay installed a browser plug-in that allows any website to gain access to your machine through a backdoor and take control of it. The plug-in can be classed as a rootkit because it is thought to allow continued privileged access to a machine without a user's consent."
Update: Ubisoft has released a statement saying it has issued a forced patch to correct the flaw in the browser plug-in for the Uplay PC application.
  • by Joe_Dragon (2206452) on Monday July 30, 2012 @09:38AM (#40817191)

    Under the DMCA, any antivirus software company can get sued for removing or even marking this.

  • That's awesome (Score:5, Interesting)

    by the_Bionic_lemming (446569) on Monday July 30, 2012 @09:41AM (#40817231)

    I started boycotting several manufacturers over the games that required a constant online connection. I can't wait to tell my buddy that thinks that the boycott is stupid how his system is rooted (again)!

  • this sounds familiar (Score:4, Interesting)

    by slashmydots (2189826) on Monday July 30, 2012 @09:57AM (#40817411)
    Rootkit = hidden from the file structure of an OS, typically by intercepting explorer display calls. So it's not that but definitely a trojan, as it is a game on the outside and secret remote control browser plugin on the inside. By the way, there is no such thing as a hidden browser plugin. IE9 pops up and says that there's a new browser plugin and asks to enable it or not. Does it get around this? I think Firefox is a little more inviting to whatever the hell wants to hop in, as is Chrome, but no matter what, you can see all add-ons listed in all 3 browsers.

    By the way, if you're thinking "hmmm, where have I heard Ubisoft news before?" they used a hacker team's no-CD crack, as-is, in one of their official updates to Rainbow 6 Vegas 2 to solve a problem with the game calling their own legit CD a fake CD.
  • by jones_supa (887896) on Monday July 30, 2012 @10:00AM (#40817433)
    I don't know if it's still there, but alongside the C drive residing in '~/.wine/drive_c/', Wine has defaulted to mapping Z: to '/'. So for some extra protection, be sure to remove that. And in this case, just remember to move all the installers and stuff into the virtual C drive before starting them.
  • by Tridus (79566) on Monday July 30, 2012 @10:08AM (#40817491) Homepage

    Based on what data? NPD says that game sales are slumping, but NPD's numbers are shit. They're based on retail sales at big stores. They're of little to no use when tracking the growth areas of the gaming market: anything digital. Game sales are likely not down at all, just people buying shiny disks at Walmart.

    Besides that, 2012 has featured a lot of big name letdowns compared to 2011. The fall season will likely do better.

  • by bluefoxlucid (723572) on Monday July 30, 2012 @10:08AM (#40817499) Journal
    Wine doesn't run as root though (I tried, it actually screams and exits immediately). Wine has a mapping to $HOME that you need to remove though...
  • Prosecute? (Score:4, Interesting)

    by MattW (97290) <matt@ender.com> on Monday July 30, 2012 @10:23AM (#40817687) Homepage

    I'm going to contact my Congresspeople, and ask them to ask the Department of Justice to investigate and prosecute any violation of wiretapping and/or computer crime laws which may have occurred.

  • Re:That's awesome (Score:5, Interesting)

    by oneandoneis2 (777721) on Monday July 30, 2012 @10:27AM (#40817737) Homepage

    As somebody who hasn't bought (or pirated) any games in about a decade (other than a few of the Wii Lego series) I have to say that the only downside of boycotting all modern games is that you have to find something to do with all the extra free time and money.

  • by cheekyjohnson (1873388) on Monday July 30, 2012 @12:16PM (#40818965)

    I dislike DRM, but will defend a software company's right to encrypt their software, and even allow them to require an Internet connection to "unlock/decrypt" that software so that it can be used.

    I would too. But I would also defend the right of people to modify their copy of the software to remove said DRM and even distribute cracks for it.

  • by causality (777677) on Monday July 30, 2012 @01:06PM (#40819587)

    So do you actually install it as a different user, or do you just feel warm and fuzzy that they can't modify your system, even though most of what you probably care about exists within your user account?

    Even if you install it as a different user, you would need to log out of your main account every time (or, I suppose, run a secondary X server) as the rights required to display to your X server pretty much give full access to your account.

    My own setup has a user account specifically dedicated to Wine. This user doesn't run anything else. That user has no network access at all because of iptables. There is a PAM module that gives this user access to draw on the X display when I switch to it (Gentoo does this by default; on most Debian-derived distros you have to configure PAM with a one-liner in /etc/pam.d/su -- add "session optional pam_xauth.so" to that text file).

    I use a Gentoo Hardened system so I place extra restrictions on it. The Wine user cannot see processes of any other user and the permissions on anything outside of its home directory are quite restrictive. Back when I played WoW (and had to allow network access, but only just what it needed), it would scan the running processes as an anti-cheating measure; on this system it would see only itself and a couple of Wine processes. On a normal Linux system, any user can view every user's running processes. Also, Wine is compiled with SSP and has NX and other hardening features applied to it.

    That's not an exhaustive list but it covers the main steps I took. You can probably gather that I don't trust binary Windows programs.
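The sandbox described in this comment (a dedicated Wine user, outbound traffic denied for that uid, pam_xauth for display access) and the drive-mapping point raised earlier in the thread by jones_supa and bluefoxlucid (Z: mapped to '/', a mapping to $HOME) are things worth verifying rather than assuming. The script below is an added example, not code from the thread or from the Wine or Gentoo projects: it audits those three settings from text you feed it (the contents of /etc/pam.d/su, the output of iptables-save, and the symlink targets under the Wine prefix's dosdevices directory). The sample inputs at the bottom are constructed for the example; the uid 1001 and the home path /home/wine are assumptions.

```python
"""Audit a 'dedicated Wine user' sandbox (added example, not from the thread).

Three checks a defender would want before trusting such a setup:
  1. /etc/pam.d/su carries an active 'session ... pam_xauth.so' line, so the
     Wine user can draw on the X display after 'su' (as the comment describes).
  2. iptables denies outbound traffic for the Wine user's uid (matched with
     '-m owner --uid-owner') before any ACCEPT for that uid.
  3. No Wine drive letter in <prefix>/dosdevices exposes '/' or the home dir.
Inputs are plain text/dicts so the checks run offline; the sample data at the
bottom is constructed for this example, not captured from a real machine.
"""
import os
import shlex


def pam_xauth_active(pam_su_text: str) -> bool:
    """True if /etc/pam.d/su has an uncommented session line loading pam_xauth.so."""
    for raw in pam_su_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "session" and any(
            f.endswith("pam_xauth.so") for f in fields[1:]
        ):
            return True
    return False


def outbound_denied_for_owner(iptables_save_text: str, owner: str) -> bool:
    """True if the OUTPUT chain (iptables-save format) hits a DROP/REJECT for
    packets owned by `owner` (uid number or user name) before any ACCEPT.
    Rules are evaluated in order, so the first match for this owner decides."""
    for raw in iptables_save_text.splitlines():
        if not raw.startswith("-A OUTPUT "):
            continue
        args = shlex.split(raw)
        if "--uid-owner" not in args or "-j" not in args:
            continue
        if args[args.index("--uid-owner") + 1] != owner:
            continue
        target = args[args.index("-j") + 1]
        if target in ("DROP", "REJECT"):
            return True
        if target == "ACCEPT":
            return False
    return False                                 # no explicit deny: chain policy decides


def drives_exposing_host(dosdevices: dict, home: str) -> list:
    """dosdevices maps drive letters to symlink targets (e.g. {'z:': '/'}).
    Returns the letters that map to '/', to the home directory, or to a
    directory containing it (e.g. '/home')."""
    exposed = []
    for letter, target in dosdevices.items():
        t = os.path.normpath(target)
        if t == "/" or t == home or home.startswith(t + "/"):
            exposed.append(letter)
    return sorted(exposed)


def read_dosdevices(prefix: str) -> dict:
    """Read the real symlinks from a Wine prefix (e.g. ~/.wine); not used offline."""
    ddir = os.path.join(prefix, "dosdevices")
    out = {}
    for name in os.listdir(ddir):
        path = os.path.join(ddir, name)
        if os.path.islink(path):
            out[name] = os.readlink(path)
    return out


def audit(pam_su_text, iptables_save_text, owner, dosdevices, home) -> dict:
    """Run all three checks and return the results as a dict."""
    return {
        "pam_xauth": pam_xauth_active(pam_su_text),
        "outbound_denied": outbound_denied_for_owner(iptables_save_text, owner),
        "exposed_drives": drives_exposing_host(dosdevices, home),
    }


# Constructed sample data (not captured from a real system). uid 1001 and
# /home/wine are assumed values for the dedicated Wine user.
SAMPLE_PAM_SU = "auth       sufficient pam_rootok.so\nsession    optional   pam_xauth.so\n"
SAMPLE_IPTABLES = (
    "*filter\n:OUTPUT ACCEPT [0:0]\n"
    "-A OUTPUT -m owner --uid-owner 1001 -j DROP\n"
    "COMMIT\n"
)
SAMPLE_DOSDEVICES = {"c:": "../drive_c", "z:": "/"}   # Wine's default layout

if __name__ == "__main__":
    print(audit(SAMPLE_PAM_SU, SAMPLE_IPTABLES, "1001", SAMPLE_DOSDEVICES, "/home/wine"))
```

On a live system you would pass `open("/etc/pam.d/su").read()`, the output of `iptables-save`, and `read_dosdevices(os.path.expanduser("~wine/.wine"))`; the default Wine layout in the sample fails check 3 because Z: is '/', which is exactly the mapping the thread recommends removing.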

  • by mcgrew (92797) * on Monday July 30, 2012 @01:51PM (#40820107) Homepage Journal

    Actually they were sued by several states' attorneys, and settled. Personally, as a victim of XCP (I didn't agree to their god damned eula, my daughter installed it, never imagining that a big respected company would deliberately install MALWARE) I'd like to meet Sony's President in Felbers' beer garden and beat him to death with a two by four. I'm still pissed, and it's almost been ten years. I will never EVER be stupid enough to buy another Sony product. I want the company broken up and its board of directors impoverished. Nothing's too bad for those evil sociopaths. Cancer and AIDS are too good for 'em.

    A rootkit is MALWARE. The president of Sony should have gone to prison, and the President of Ubisoft should, too. If I did to Sony what Sony did to me, you can bet your ass I'd go to prison. But it's OK for the 1% to fuck over the 99% any way they want, but if you mess with them, well, you're screwed.

    And you stupid people should quit buying their damned games! Jesus, stop letting these assholes take advantage of you! You would buy from a company that deliberately installs malware on their customers' computers??? How goddamned stupid can you get????

  • I don't know about the other McGrew but I haven't bought a single Ubisoft title since they started including extra DRM crap and always online garbage instead of just using Steam. In fact I came THIS close to buying a good $75 worth of games on the Steam sale...until I saw it was Ubisoft and their extra bullshit and instead gave it to other companies.

    I'll buy Steam, I'll buy games that have GFWL (although I won't buy from GFWL, MSFT still can't design a UI for games for shit and I hate the way it keeps trying to sell me Xbox games) but I won't be buying from any company that piles on the DRM and that goes for my friends and family. Just talking to them on Steam chat there was a good couple of grand that would have been spent on game packs that would have gone to Ubisoft that instead went to other companies. It's not much in the grand scheme of things but at least our systems run stably and don't have backdoors you could drive a truck through.

    BTW OT but for all those that have recently switched to X64 or haven't run into this problem yet? A little word of warning...avoid older games that have DRM like Starforce and SecuROM on them! The older DRM didn't recognize 64 bit and would try to jam a 32bit kernel hook into a 64 bit kernel with disastrous results and the uninstaller they host on their website? DOES NOT WORK ON X64. So if you don't dual boot so you have an uninfected OS to work from it's a royal bitch getting it cleaned up and will make your system as unstable as Win9x which is why I ended up going Steam.

    I'd love to hear from those with exp with Ubisoft DRM as I've found those that jam in deep level hooks like that tend to make things more than a little unstable. If you've installed a Ubi game and are experiencing hangs, lock ups, BSODs, weird errors, you might want to remove the DRM and see if that clears it up, because you'd be surprised how many times I've seen machines at the shop that were "infected/broken/crashing" that turned out to be a shittily written DRM hosing the system. The only "nice" thing I can say about the non Steam DRMs is they don't seem to burn out drives like the old Starforce did, but that's like saying "well at least it just shat on the bed instead of the floor".

  • by Anachragnome (1008495) on Monday July 30, 2012 @04:25PM (#40821825)

    Maybe they'll actually get sued this time...

    I play Everquest 2 on this machine, and look what I just found (installed yesterday). Firefox never informed me that it was being installed.

    FF - HKLM\Software\MozillaPlugins\@soe.sony.com/installer,version=1.0.3: C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\5kpvldeq.default\extensions\{000F1EA4-5E08-4564-A29B-29076F63A37A}\plugins\npsoe.dll ()

    In the Firefox browser Add-on pane it is listed as SOE Web Installer 1.0.3.171. It can be disabled, but I have not attempted to remove it yet. I want to keep it around while I figure out what it is doing. A web-search is inconclusive as it appears to have just been released, although I did find several links to a "test page" that belongs to Sony that instantly tries to install said plug-in. No-script blocked these attempts, so I have to assume it was served to me via the EQ2 GAME updating system. If so, complete bullshit.

    Again, I never got any sort of plug-in install warning when running Firefox, and I have my browser warning settings at maximum verbosity. This plug-in was just "there".
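The registry line quoted in this comment is the kind of entry a defender can triage mechanically: anything under HKLM\Software\MozillaPlugins is loaded by every Firefox profile on the machine, so a machine-wide registration whose DLL sits inside one user's profile directory (user-writable, and inside an extension folder) is worth a second look regardless of what the plug-in is. The script below is an added example, not code from the comment, from Slashdot, or from Sony or Mozilla: it parses lines in the format quoted above and applies path-based heuristics chosen for this example. The first sample line is the one from the comment; the second line, with the `@example.com/VendorPlugin` identifier and `C:\Program Files\ExampleVendor\npvendor.dll` path, is constructed for contrast.

```python
"""Triage NPAPI plug-in registrations from log lines of the form
'FF - HKLM\\Software\\MozillaPlugins\\<id>: <dll path> (<description>)'
(added example, not from the thread).

Findings raised per plug-in (heuristics chosen for this example):
  * the DLL lives under a user profile (Documents and Settings / Users),
    i.e. a user-writable location;
  * a machine-wide (HKLM) registration points into a profile's 'extensions'
    directory, which is how the entry quoted in the comment looks;
  * the DLL is outside both Program Files/Windows and any user profile;
  * the description field is empty.
"""
import re

LINE_RE = re.compile(
    r"^FF - (?P<hive>HKLM|HKCU)\\Software\\MozillaPlugins\\"
    r"(?P<ident>[^:]+): (?P<dll>.*?) \((?P<desc>.*)\)\s*$"
)

USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")
MACHINE_MARKERS = ("\\program files\\", "\\program files (x86)\\", "\\windows\\")


def parse_plugin_line(line: str):
    """Return a dict for one MozillaPlugins log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name, _, version = m.group("ident").partition(",version=")
    return {
        "hive": m.group("hive"),
        "name": name,
        "version": version or None,
        "dll": m.group("dll"),
        "description": m.group("desc"),
    }


def triage(plugin: dict) -> list:
    """Return human-readable findings for one parsed plug-in (empty = nothing odd)."""
    findings = []
    dll = plugin["dll"].lower()
    in_profile = any(mk in dll for mk in USER_PROFILE_MARKERS)
    in_machine = any(mk in dll for mk in MACHINE_MARKERS)
    if in_profile:
        findings.append("DLL is under a user profile (user-writable path)")
    if plugin["hive"] == "HKLM" and "\\extensions\\" in dll:
        findings.append("machine-wide HKLM registration points into a profile's extensions dir")
    if not in_profile and not in_machine:
        findings.append("DLL outside Program Files/Windows and outside any user profile")
    if not plugin["description"]:
        findings.append("empty description field")
    return findings


def triage_log(text: str) -> dict:
    """Map plug-in name -> findings for every MozillaPlugins line in a log dump."""
    report = {}
    for line in text.splitlines():
        p = parse_plugin_line(line)
        if p:
            report[p["name"]] = triage(p)
    return report


# First line: as quoted in the comment above. Second line: constructed for
# this example (a vendor plug-in under Program Files), for contrast.
SAMPLE_LOG = r"""
FF - HKLM\Software\MozillaPlugins\@soe.sony.com/installer,version=1.0.3: C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\5kpvldeq.default\extensions\{000F1EA4-5E08-4564-A29B-29076F63A37A}\plugins\npsoe.dll ()
FF - HKLM\Software\MozillaPlugins\@example.com/VendorPlugin,version=2.0: C:\Program Files\ExampleVendor\npvendor.dll (Example Vendor)
"""

if __name__ == "__main__":
    for name, findings in triage_log(SAMPLE_LOG).items():
        print(name, "->", findings or ["no findings"])
```

The path heuristics are deliberately coarse: a plug-in installed per-user under HKCU with a DLL in that user's profile is normal, whereas the HKLM-into-profile combination in the quoted line is what makes it stand out; whether the plug-in is actually unwanted still needs the follow-up the commenter describes.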

  • by rtb61 (674572) on Monday July 30, 2012 @06:26PM (#40823115) Homepage

    You have to be careful about what you consider to be waiving your rights, i.e. I waive my rights, sorry changed my mind, waived them again, changed my mind again, waived, not waived, waived, mine again.

    Waiving your rights means pretty much nothing because the very second you claim them back, they return with full force of the law, constitutional and criminal law both of which outweigh contract law. There is no legal condition of contract that can prevent you from reclaiming your rights, at any time you choose.

  • by Anachragnome (1008495) on Tuesday July 31, 2012 @05:10AM (#40826373)

    Update, if anyone cares.

    You can uninstall the plug-in, SOE Web Installer, by using the provided "Uninstaller" you get at the same webpage that installs it.

    Or, you can do what I did. Manually uninstall the game then spend 2 hours scouring out the 67 registry entries the "uninstaller" left behind. (The game uninstaller didn't actually remove a single file...not a single one. The plug-in uninstaller simply appeared to remove the plug-in from the control panel--all of the registry entries remained. CCleaner only found four of the 67 I removed.)

    That shit is pure rootkit. Considering you can't even firewall out the outbound data without also firewalling your browser, this one is worse than the Sony/BMG rootkit. I've had to remove both and this one was spread all over the damn place, with redundant registry entries everywhere.

    Never again, Sony, will any of your products enter this household.
