GMC Malware Attack

It’s not often that there is headline news for GM, but this story is unlikely to go down unnoticed.

According to several users on the GMC (which we will not link to for reasons explained below), a malicious piece of code has been embedded in the forum software code. The code, which allegedly creates an iframe that secretly loads a malicious website and downloads a virus is said to be found in every forum topic.

Until there are further developments on this story, we recommend that you DO NOT visit the GMC.

According to one user, Google Chrome warns users prior to visiting any GMC page to say that the site contains malicious code with a recommendation of not continuing. Internet Explorer on the other hand seems to be most affected by the attack (not surprisingly).

According to Phil Gamble on the Game Maker Blog, it may be possible that the forum code was altered by the use of a technique called ‘MySQL injection’ whereby a hacker finds a vulnerability in the website which allows him or her to modify or add new code directly into the forum’s database without needing Administration access to the whole forum itself.

KC, a moderator of the GMC, was quick to say users shouldn’t be too worried despite all the virus warning pop-ups users have reported. “ [the malicious website] has been listed as a malware site before. It’s probably being generated by one of the advertisers on YYG. I wouldn’t worry too much about it.” Nevertheless, we recommend taking all pre-cautions necessary to ensure your computer’s safety.

Update: Thanks to NakedPaulToast, it appears the security flaw in the forum software that may have allowed this attack to occur has been identified, click here for more details. According to the website, a patch has been available

Update: One user warns that the virus is also affecting Firefox users, and that he/she received a warning from their anti-virus software to say a virus named “HTML:IFrame-BL [Trj]” had been detected.

Update: Screenshots from users:
Using Google Chrome from Jangos_Legacy
Using Internet Explorer & AVG from Jangos_Legacyo
Using Firefox & Google Toolbar from Revel

Update: For those who want to keep up to date with what’s happening, click here for the GMC virus topic in low-fi mode, this will allow you to view the topic without putting your computer at risk (at least for now).

Update: Internet Explorer users are reporting that the GMC is now asking to install an ActiveX control called “Microsoft works imaging server” from an unverified publisher. There is also a report that the website is automatically running Microsoft Outlook

Update: The Game Maker blog has been updated to confirm that the security vulnerability on the GMC still exists and the iframe is now loading different malicious websites to those from before. Until now, there hasn’t been any signs of major virus damage as the result of visiting the website, however if the URL continues to change, it’s probably only a matter of time before it forces dangerous executables to run on the end-users computer.

Update: Mark overmars is now reading the Virus and Malware releated topics on the GMC forum. As an administrator he has more control over the forum than other users and can choose to close the forum until it is safe for users to come back. It is unknown however if he has the server-side access required to patch the forum software to fix the security vulnerability.

Update: The GMC is reportedly now asking users to run and download various Java applets and Active-X controls which are damaging to your computer. Most of them say they are from “Microsoft” but the source is in fact from an unverified/unsigned publisher trying to mask itself under the company’s name.

Update: It appears things are just getting worse. As the end of the day closes (in North America), any attempt to access the GMC in Firefox is denied with a “Reported Attack Site!” message. Previously, this only happened to users who also had Google’s Firefox toolbar extension installed.

Update: The GMC has now been given the all clear by forum administrator chronic. It’s expected to take a couple of days before the google/firefox warnings clear – From my iPhone.

Attack causes GMC load times

Since the forum upgrade, many users have started complaining about long loading times for pages on the GMC. Some users indicated wait times of over 30 seconds, others explained how their browser reported a ‘connection reset’ when trying to access a page. This happened more than once for long periods at a time, and the cause seemed to be a mystery until now.

According to Marc (not to be confused with Mark) who manages much of the GMC forum software and back-end programming, multiple DoS or Denial of Service attacks were directed at the GMC over the past few days. This caused extremely large delays in page load time and the server (even with its new upgrade) was struggling to keep up. For those of you who don’t know, a DoS attack works by sending thousands and thousands of requests to a server simultaneously from multiple computers in attempt to crash the server.

Unlike many other forms of attacks, a DoS attack is hard to prevent. This is because there are likely hundreds or more computers organized in the attack and blocking all of them becomes a very difficult task; and even if they are all blocked, the perpetrator has probably already set-up a new set of computers for attack. Sandy Duncan notes that some new Anti-DoS attack software is being installed along with an upgrade to the firewall to help prevent any future attacks from affecting the GMC operation.