{"id":19480,"date":"2022-03-28T19:02:10","date_gmt":"2022-03-28T15:02:10","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/cities-skylines-malicious-mods\/19480\/"},"modified":"2022-03-28T19:02:33","modified_gmt":"2022-03-28T15:02:33","slug":"cities-skylines-malicious-mods","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/cities-skylines-malicious-mods\/19480\/","title":{"rendered":"Attack on Cities: Skylines \u2014 malicious code in a virtual city"},"content":{"rendered":"<p>On February 13, 2022, EuroGamer published a <a href=\"https:\/\/www.eurogamer.net\/articles\/2022-02-12-cities-skylines-players-warned-to-check-for-malware-after-malicious-code-is-discovered-in-mods\" target=\"_blank\" rel=\"nofollow noopener\">post<\/a> reporting the spread of malicious code among users of the <em>Cities: Skylines<\/em> game. Two days later, the article was updated: nobody was adversely affected, but one of the game mod creators tried to sneak a backdoor into the official store. We looked into this interesting case of a potentially serious attack on gamers.<\/p>\n<h2>About Cities: Skylines in brief<\/h2>\n<p>We apologize in advance to fans of the game, but for everyone else, we think it is necessary to provide a brief description \u2014 it\u2019s important for the story. 
<em>Cities: Skylines<\/em> is a city simulator, and it looks something like this:<\/p>\n<div id=\"attachment_44007\" style=\"width: 2570px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/03\/28190218\/cities-skylines-malicious-mods-scr1.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-44007\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/03\/28190218\/cities-skylines-malicious-mods-scr1.jpg\" alt=\"Screenshot from Cities: Skylines\" width=\"2560\" height=\"1440\" class=\"size-full wp-image-19481\"><\/a><p id=\"caption-attachment-44007\" class=\"wp-caption-text\">Screenshot from Cities: Skylines. <a href=\"https:\/\/www.citiesskylines.com\/\" target=\"_blank\" rel=\"noopener nofollow\"> Source<\/a><\/p><\/div>\n<p><em>Cities: Skylines<\/em> is a competitor and in some ways a successor to the famous <em>SimCity<\/em> series from the 1990s and 2000s, whose history (so far) ended with a failed release in 2013. <em>Cities: Skylines<\/em> was released in 2015 \u2014 quite a long time ago by the standards of the ever-changing online world, but fans are unlikely to be scared by this.<\/p>\n<p>Instead of releasing a new series, the creators of <em>Cities: Skylines<\/em> preferred an approach with gradual modification of the original game, releasing official expansion packs about every six months. The 13th release came out just recently. Each of these expansions adds new elements to the virtual world. It may be buildings (you can now build an airport of your own design), natural phenomena, development scenarios (\u201cgreen\u201d city), and so on.<\/p>\n<p>Unofficial modifications expand the game even more. In fact, any player who seriously enjoys <em>Cities: Skylines<\/em> will eventually start experimenting with mods. The game was originally designed to make it easy for users to develop and share modifications. 
Anybody can upload them to the public <a href=\"https:\/\/steamcommunity.com\/app\/255710\/workshop\/\" target=\"_blank\" rel=\"nofollow noopener\">Steam Workshop directory<\/a>.<\/p>\n<p>With or without mods and addons, <em>Cities: Skylines<\/em> allows you to build your own city. Divide the land between housing, industry, and commerce. Plan roads and fight traffic jams. The game is so good and so realistic that people even <a href=\"https:\/\/www.pcgamer.com\/cities-skylines-used-by-swedish-city-planners-to-design-new-city-district\/\" target=\"_blank\" rel=\"nofollow noopener\">used<\/a> it to plan the transportation system of a real city!<\/p>\n<p>An example of a good mod for <em>Cities: Skylines<\/em> is <a href=\"https:\/\/steamcommunity.com\/sharedfiles\/filedetails\/?id=1637663252\" target=\"_blank\" rel=\"nofollow noopener\">Traffic Manager: President Edition<\/a>. It adds fine-tuning to the game\u2019s basic road construction features: you can fine-tune traffic lights, set lane direction and speed limits, prohibit parking, and so on. Basically, the mod enables you to do things that are essential for traffic improvement, both in real life and in the game.<\/p>\n<p>To summarize, you can play <em>Cities: Skylines<\/em> without extensions, but few fans do it, because a properly chosen set of mods both seriously improves gameplay and makes it more convenient. To make a long story short, if you want the full <em>Cities: Skylines<\/em> experience, use mods.<\/p>\n<h2>Vengeance mods<\/h2>\n<p>Now let\u2019s go directly to events. 
On February 10, 2022, the creators of the aforementioned Traffic Manager: President Edition mod published a <a href=\"https:\/\/steamcommunity.com\/workshop\/filedetails\/discussion\/1637663252\/4731597528356140067\/\" target=\"_blank\" rel=\"nofollow noopener\">warning<\/a> about malicious extensions for the game:<\/p>\n<div id=\"attachment_44008\" style=\"width: 1510px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/03\/28190228\/cities-skylines-malicious-mods-scr2.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-44008\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2022\/03\/28190228\/cities-skylines-malicious-mods-scr2.png\" alt=\"The creators of Traffic Manager: President Edition accuse the creator of other mods for Cities: Skylines of distributing malware\" width=\"1500\" height=\"600\" class=\"size-full wp-image-19483\"><\/a><p id=\"caption-attachment-44008\" class=\"wp-caption-text\">The creators of Traffic Manager: President Edition accuse the author of other mods of distributing malware. <a href=\"https:\/\/steamcommunity.com\/workshop\/filedetails\/discussion\/1637663252\/4731597528356140067\/\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<p>The malicious functionality was relatively harmless: the extension randomly changed the speed limits on roads in the game. And not for all users, but only for those who were \u201clucky\u201d enough to be in the mod creator\u2019s list. This list includes the developers of Traffic Manager, the creators of the game, and other people that the list creator had real or imaginary complaints about.<\/p>\n<p>But that\u2019s not all. In the same post, the creator of the mod known as Chaos or Holy Water intentionally broke compatibility with other mods. 
As <em>Cities: Skylines<\/em> has a huge number of modifications, it needs a mechanism that prevents mod-related bugs in the game. The game creators settled for a very simple compatibility check: they expect the mod developer to check everything themselves, and add incompatible extensions to a special list. Chaos\/Holy Water took advantage of this feature, and started adding other popular extensions to the incompatibility list of their own mods.<\/p>\n<p>When users asked the creator why the mod was incompatible with other extensions, and what to do, the creator referred to the poor quality of code from other developers, and offered their own version of another extension, slightly modifying the original. That is how Chaos tried to popularize their modifications and increase the number of their own add-ons for each user.<\/p>\n<p>If the developer was criticized, Chaos\/Holy Water retaliated by adding the Steam platform\u2019s IDs of critics to their personal \u201cenemies list,\u201d which introduced arbitrary bugs in the game\u2019s performance. There was some interesting internal drama among active fan players, but nothing serious enough to call it a real malicious attack. But wait \u2014 that\u2019s not all!<\/p>\n<h2>Hundred percent backdoor<\/h2>\n<p>On February 14, 2022, the developers of <em>Cities: Skylines<\/em> <a href=\"https:\/\/store.steampowered.com\/news\/app\/255710\/view\/6047774523920146831\" target=\"_blank\" rel=\"nofollow noopener\">published<\/a> their description of the incident. It reports that the author\u2019s extensions have been removed from the Steam Workshop site. The creators of the game insist that there was no malicious code in them, clarifying that \u201cNo keyloggers, viruses, cryptocurrency mining software, or similar\u201d was found. But further down in the text, there is a brief mention of the \u201cUpdate from GitHub\u201d extension by the same author. And what did this mod do? 
\u2014 it switched the add-on update mechanism from standard (via Steam Workshop) to an alternative one, updating mods directly from the creator\u2019s repository on GitHub.<\/p>\n<p>And this is a real backdoor: users who installed this modification along with a couple of other modifications by the same creator could\u2019ve ended up downloading and running arbitrary code at any time. In a situation like this you can only rely on the conscience of the extension creator (although given the \u201cenemies list,\u201d this is clearly a bad idea).<\/p>\n<p>Even if the backdoor creator does not plan to hack users of their mods, access to their GitHub account can be stolen or they can sell their account themselves (as often happens, for example, with browser extensions). Finally, if a mod is already installed, the user will most likely need to remove it manually, but not everyone may get round to that. Fortunately, according to <em>Cities: Skylines<\/em> developers, only 50 people have been affected this time.<\/p>\n<h2>How to protect yourself from dangerous game mods<\/h2>\n<p>There are plenty of ways to get a user to download malware under the guise of an \u201cofficial\u201d program or game. But with custom extensions, things are more complicated: by definition, they are created in a \u201chome-made\u201d manner, and the developer of the game cannot control all the modifications. Therefore, as you expand the capabilities of your favorite game, be vigilant. Try to install mods from official sources, if possible. And if the mod creator advises you \u201cin case of problems, disable your anti-virus,\u201d think twice before doing so.<\/p>\n<p>The incident with the mods for <em>Cities: Skylines<\/em> ended, thankfully, without too much drama. The malicious developer was banned, and it seems they had no intention of causing serious damage to players. But they created a rather complex mechanism for penetrating users\u2019 computers that exploited peculiarities of the community. 
And most importantly, they tried to move users outside the control of the official platform for distributing mods.<\/p>\n<p>In a worst-case scenario such a backdoor could be used to deliver malicious code that, for example, would steal passwords from the game service or mine cryptocurrency on the player\u2019s computer. Tracking the activity of such \u201cshapeshifter programs\u201d is standard functionality of any reliable security solution. On top of that, our <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a> also features a special gaming mode that provides protection with a minimal impact on the computer\u2019s performance. So when experimenting with your favorite game, don\u2019t forget about taking precautions.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"ksc-gaming\">\n","protected":false},"excerpt":{"rendered":"<p>We explain why game mods can be dangerous, using as an example malicious mods for Cities: 
Skylines.<\/p>\n","protected":false},"author":665,"featured_media":19485,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[1520,617,2379,692],"class_list":{"0":"post-19480","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-backdoors","9":"tag-gamers","10":"tag-mods","11":"tag-trojans"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/cities-skylines-malicious-mods\/19480\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/cities-skylines-malicious-mods\/23993\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/cities-skylines-malicious-mods\/9832\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/cities-skylines-malicious-mods\/26298\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/cities-skylines-malicious-mods\/24257\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/cities-skylines-malicious-mods\/24618\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/cities-skylines-malicious-mods\/27022\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/cities-skylines-malicious-mods\/32911\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/cities-skylines-malicious-mods\/10581\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/cities-skylines-malicious-mods\/44004\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/cities-skylines-malicious-mods\/18682\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/cities-skylines-malicious-mods\/19230\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/cities-skylines-malicious-mods\/15881\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/cities-skylines-malicious-mods\/24908\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/bl
og\/cities-skylines-malicious-mods\/30338\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/cities-skylines-malicious-mods\/30110\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/gamers\/","name":"gamers"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19480","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/665"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=19480"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19480\/revisions"}],"predecessor-version":[{"id":19484,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19480\/revisions\/19484"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/19485"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=19480"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=19480"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=19480"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}