I Found Malware in a BeamNG Mod(lemonyte.com)

175 pointsby davikr7 days ago8 comments

lionkor7 days ago
I worked on BeamMP[0][1], for 5 years, both as a project manager and lead developer for the server and client. BeamMP is a wildly popular multiplayer mod for BeamNG (1M registered players, always at least 3k concurrent players, also it's AGPL licensed). I left the team this year, but I can tell you: Mods, if they manage to break the sandbox in any way, can do anything, and the BeamNG sandbox will never be perfect. To their credit, the BeamNG devs have hired people from the community who do a lot of security research, and they have found numerous issues and fixed them before they could be exploited.
We have seen prototypes that can make network requests out of the sandbox, call winapi functions, and do anything else with the same privileges as the game, which, worst case, is admin because players like running things as administrator. All of those exploits are fixed, now.
The issue remains one of the largest problems in the community, and sites that are well known for distributing mods with malware (which is pretty common) are at the top of Google search results.
BeamMP allows mods on servers, which causes clients to download and then execute code from those mods. That's a huge attack vector and BeamMP has been working hard to warn users and to come up with ways to prevent problems; but without funding (BeamMP is free) there is a limit on what can be done. The infrastructure costs already are sky high for supporting the crazy amount of users they have.
Sadly, everyone involved loves NDAs - I can only hope that companies start doing writeups, but I doubt it. So that's all the inside info I can give ;)
[0] https://beammp.com
[1] https://GitHub.com/BeamMP
- snickerbockers6 days ago
  I'm not familiar with lua, but when it's embedded as a scripting engine is it really just allowed to import whatever packages it wants and have full access to the host computer's resources? If so it seems like a really poor fit for any game that intends to have user-created mods (and yes I'm aware that it's one of the most popular scripting engines in gamedev-land and has been for about two decades).
  I remember when FPS games first embraced the mod community back in the late 90s many of them had their own dedicated scripting engines (QuakeC, UnrealScript, later quake 3 arena had "real" c programs but they were compiled to a custom bytecode interpreter) that didn't have free reign over anything but the game state and that seems like a much better way to do things. Games used to have options to let you automatically download requisite mods from servers and it was safe to do so, at least in theory. I have no doubt that at some point in time there was a ROP vulnerability that could've been used to turn this into a devastating malware vector but at least then the scripting engine wouldn't be functioning as designed.
  - lionkor6 days ago
    You can lock down Lua, but you need ffi to achieve really good performance. This is what BeamNG.drive does, and that does theoretically open up the sandbox quite a bit. Suddenly you allow Lua to call C++ functions, and naturally vice versa. That could be a problem, and that's not the end of it, the Lua standard library (if you wanna call it that) contains io, command execution, etc. so you need to be selective about what you allow mods to do, while still making it possible for people to make mods.
    In short; you need to give Lua power over your program in some way, and that's the weak link. Lua itself can run with zero access to the world, but then you have nothing more than a calculator or config file.
  - whatevaa6 days ago
    Pretty sure it was not safe, people just cared less.
    darkmighty6 days ago
    Indeed before online banking and widespread online shopping there wasn't much to care for in computer security. Also before ransomware were invented. I guess the biggest application was stealing passwords (and an occasional credit card #), botnets for DDoSing game servers and such, in which case user wasn't much affected. Nowadays specially with crypto wallets you can get crazy essentially unbounded prizes, maybe millions. Don't do cryptocurrency, kids (unless losing all your funds is the least of your concerns[0]).
    [0] Like you're some kind of activist or maybe in an oppressive regime
- registeredcorn6 days ago
  I don't have anything meaningful to add to the discussion, but just wanted to say "Thanks!" to you, and the work that the Beam people have done to try and keep things as secure as they can. It'll never be perfect, but doing that work is important, and if it's done correctly the end user doesn't even know you did anything at all.
  It's also really good to hear such an open and direct description of how things were/are, too. Clarity defeats the risks around obscurity of the unknowns. When the general public is given more info to work off of, they have a better idea of where the risks are, and how they can defend from, or if they are malicious - attack from, accordingly. The sharing of that information simply works to define what the areas of concern are for everyone involved.
- cedws5 days ago
  It sounds like Lua modding might be a bad idea. Factorio also had a few vulnerabilities due to Lua sandboxing not being as strong as initially thought.
- sonofhans6 days ago
  Thank you! My kid is one of the million. It’s a great mod. It took us a minute to figure out that it really is free.
  Is there a business model? Just Patreon? It seems unbelievable that’s enough.
  - lionkor6 days ago
    Just Patreon, and then there are some deals with hosting providers for servers as well. Essentially, hosting providers will pay some % of their hosting income, and in return they get "natural" advertisement and other benefits. For example, if you ask our support how to host a server, they might mention a list of providers.
    This all works because the only expenses are necessary operational costs, for example server costs for the backend.
    All developers, support, moderation, etc., which was around 53 people when I left in January, are volunteers and do not get paid. This is mostly because it would not be sustainable, because when you pay people, you have to pay them in accordance with local laws like minimum wage. Nobody, not even the founder, is taking money out for themselves.
    I hope that answers your question! And it's great to hear when people use it :)
- ribcage6 days ago
  [dead]
davikr7 days ago
This is the second time (we know of) BeamNG.drive being exploited due to bad security practices - the first time, disabling ASLR [0], leading to Disney being hacked, this time, disabling CEF sandboxing. It is weird to see them go out of their way to disable conventional security features on their product.
[0]: https://news.ycombinator.com/item?id=41063489
- LegionMammal9787 days ago
  I'd imagine by the time your program's security is critically reliant on ASLR and process-level sandboxing, you're already in deep trouble, since any given minor update may turn existing holes into viable exploits. It will only slow down the rate of attacks at best.
  The lesson I'd take here is "don't embed a web browser to run untrusted code unless you can keep it up to date 24/7". Hence the popularity of Lua interfaces for mods. Or even the alternative JS engines built for such purposes.
- pixl977 days ago
  >It is weird to see them go out of their way to disable conventional security features on their product
  Honestly with most developers I know, unless they also have a strong security background, it's not weird or surprising at all. Security features (almost?) never make debugging easier. When confronted with a failure that presents challenges devs will disable things that limit access or otherwise randomize the output in order to catch the problem and then 'hopefully' come tighten it back up when they are done. Unfortunately the second part rarely happens unless you have security auditors follow you around.
  - pjmlp7 days ago
    That is why then there are folks like me, complaining in code reviews, or adding configurations into the CI/CD pipeline.
    However it is indeed a quixotic battle in some scenarios, regarding security best practices.
- ortichic7 days ago
  I had forced ASLR on in windows for a while... You'd be surprised how much stuff breaks with that. Almost feels like more is broken than not. Just to name a few: MinGW (including git for windows), Unity, Whatever installer Framework Signal and some others use, some Anti-Cheats
- pjmlp7 days ago
  One could be using the safest programming language in the world, if the culture doesn't get the point, it doesn't matter how safe it can be.
TZubiri7 days ago
Unrelated, on mobile, background is quickly oscilating colours giving an epileptic vibe
- yomismoaqui6 days ago
  Seen the same on Android Chrome, for a moment I thought my screen was wrong.
- r4indeer6 days ago
  Firefox on Android seems to be unaffected.
  - tetris116 days ago
    It seems to scroll very jittery though
abhisek7 days ago
Still trying to understand - Did the mod developers intentionally shipped malicious code or they were compromised by some external attacker to target the downstream users?
- throwaway3141557 days ago
  The author indicates that the mod authors' account was "likely compromised" indicating a bad actor took over their account somehow, perhaps made easier by prolonged inactivity?
  I don't think the author of this piece found it useful to speculate though and I have to agree. No need to break out pitch forks - let those involved get to the bottom of it.
Cloudef6 days ago
Why is CEF used without sandbox?
everdrive7 days ago
But did the malware do anything significant through proton to the host OS?
lopanapol6 days ago
nice
fifteen15067 days ago
I hate malware. I found two Android apps using an obfuscator loaded via JNI (libjiagu_64.so) which crashes on startup (on GrapheneOS) and I am at a loss at what to do next which doesn't involve send reports into the void hoping it reaches an human with the time, skills and willingness to check what is really going on.
Summary: https://user934.com/2025/04/29/investigating-suspicious-beha...
- Cloudef6 days ago
  That sounds familiar, I used <https://github.com/Cloudef/android2gnulinux> to reverse one libjiagu program in past. The deobfuscated code eventually ends up in the ram, and you can then extract it.
- ThePowerOfFuet6 days ago
  >Disclaimer: This blog post was written by Gemini, a large language model from Google AI, specifically the Gemini Pro model. My knowledge cutoff is June 2024. The information provided is based on my understanding and should not be taken as definitive professional advice.
  I encourage you to cease contributing to the enshittification of the web.
  Also, what did you expect from cheap no-name IoT shit? As we say, the S in IoT stands for Security...
  - fifteen15066 days ago
    Ok I could have been less snarky.
    What I meant is, I have ideas I like to explore but a two-liner blog post won't entice anyone.
    For example on https://user934.com/2025/04/22/securing-home-and-smb-network... I mix several ideas together and define the test plan (chapter 5), and let LLM fill in the blanks. Plus I clearly identify it as mostly written by LLM, which is better than most SEO garbage spam. So I think I've achieved a good compromise.
    techbrovanguard6 days ago
    you’ve taken a slightly smaller shit on the floor than the seo slop factory next to you. do you want a medal?
    fifteen15065 days ago
    yes, you purist! :)
  - fifteen15066 days ago
    I'm sorry I don't earn enough to hire a maid but still like to write blog posts :(