Keylogger Detected in Wall-E Demo PC Game (Updated)

You know it's a sad time we live in when keyloggers are detected in games targeted at kids.

Yesterday (Saturday) I saw Wall-E at the movies with friends and family. Much anticipated, very impressed and I loved it. Next task was to check out the Wall-E game. Bonus, there is a game demo for the PC to download, here's the link BUT DON'T CLICK IT - http://wall-e.playthq.com/.

Extra bonus, after downloading it my antivirus goes crazy and has detected the download as one that contains a keylogger - Spyware.Ardakey!

Pixar, what the hell!? Sorry, you instantly lost a fan right there!

Addresses of servers verified locally and remotely (two separate ISPs).

Updated: Wayne Porter received a quick response from Cachefly, see under the addendum on his blog entry.

Updated: Some of the initial feedback from a fellow security researcher seems to indicate this might be a false positive match by Symantec, but it's still early in the investigations to jump to conclusions. The download sizes vary greatly between languages. The upload to VirusTotal failed, so no comparison results yet. I just woke up and haven't had my coffee yet.

Posted by: Timeless Prototype
Posted on: 8/3/2008 at 12:08 AM
Categories: security | spyware
Comments

wayneporter.com

Sunday, August 03, 2008 1:13 AM

pingback

Pingback from wayneporter.com

Spyware Games

Timeless Prototype gb

Sunday, August 03, 2008 10:18 AM

Timeless Prototype

Think trackbacks are not working properly on this blog, but in case you're following these comments I've posted an update to the progress on this Wall-E demo investigation:

www.timelessprototype.com/.../...-10MB-Limits.aspx

ox4r zw

Sunday, August 03, 2008 10:25 AM

ox4r

that kind of bloatware shitty antivirus you are using is far more dangerous than anything else. wake up, n00b

Timeless Prototype gb

Sunday, August 03, 2008 10:35 AM

Timeless Prototype

ox4r, I totally agree, but it's the same kind of curiosity that makes white hats watch black hats that tempted me to use it on this particular machine.

Timeless Prototype gb

Sunday, August 03, 2008 2:51 PM

Timeless Prototype

Cross posting a comment: AVAST also detects it:
games.internode.on.net/.../viewtopic.php?p=1844560

J gb

Monday, August 04, 2008 1:02 AM

J

What exactly does nslookup have to do with a keylogger? Don't level3 just provide a lot of infrastructure for the internet? Why do you use Norton?

Have you disassembled it or anything? I mean I'm not saying that what you are saying is untrue but how can you possibly expect anyone to believe you when you have not provided any reason for anyone to believe that you know what the hell you are talking about...

Timeless Prototype gb

Monday, August 04, 2008 7:22 AM

Timeless Prototype

You see, if you're up to speed on the recent security activity, you'll know about the DNS vulnerability that allows DNS caches to be poisoned and therefore users downloading from attacker's web site instead of the original one. If this was the case, we'd see the IP address would belong to some other company.

Some/many(?) of the ISPs have not patched yet and/or have not disclosed their patch status, so at this time, be sure to check it out carefully.

http://secunia.com/search/?search=dnsmasq
http://secunia.com/search/?search=bind

Timeless Prototype gb

Monday, August 04, 2008 7:26 AM

Timeless Prototype

PS. There are plenty of links and discussions about the current DNS problems, I won't enter into a discussion about them here beyond stating why I've done the lookups.
http://isc.sans.org/diary.html?storyid=4765
http://search.theregister.co.uk/?q=bind

Timeless Prototype gb

Monday, August 04, 2008 7:37 AM

Timeless Prototype

The next two blog entries are a continuation of this, please read on if you thought this was all. I logged it as I went and as I thought at the time, I think that's why they call this a web log (blog). The file splitting process later was not completed, I could have extended the size of the first file gradually to arrive at the start of the signature. Frankly, blogging it all was generating way too much hype and people misquoting it as a definite find, when in fact we don't know yet, other than Norton 360 and AVAST detect it - whether it's a false positive or not remains to be seen.

exkon us

Monday, August 04, 2008 10:07 AM

exkon

I'm sorry here, but what does exactly PIXAR have to do with making and distributing the video game?

So you're no longer a PIXAR fan because of game based on a movie they made "might" have a keylogger. While I understand your concern for a serious breach of security here, your focus of blame is entirely off.

For such an intelligent person, this is the most irrational thing I have ever heard.

Timeless Prototype gb

Monday, August 04, 2008 10:35 AM

Timeless Prototype

I don't claim that I'm intelligent, in fact I see myself as probably below average based on the superb work that's going on elsewhere in the world. Sure, I've dabbled with the maths to simulate guided rockets in a virtual world, but I never actually made one in the real world. There's a difference. I'm no rocket scientist.

But I have seen how businesses can make bad marketing decisions, so I'm not ruling anything out.

That was also my feeling at that particular moment in time, I've since changed my mind actually, I'm allowed to do that. Remember that I'm simply writing a log of my thoughts and actions as I went along, this is by no means a published whitepaper or some kind of authoritative research. A lot of bloggers constantly go on about what someone else does/did, whereas I'm actually doing something and writing about it. It's not easy showing the world your thought process and it's a hell of a lot easier to critically examine something in hindsight. I'm right there with you, critically examining my approach here, and it's a good way to learn. This is a fairly new thing for me, blogging, but I'm willing to give it a good shot. All feedback does affect how I will choose to do things in future and frankly I can only see an upside to doing it.

Thanks for taking time to read and comment, it's appreciated.

Obijan us

Monday, August 04, 2008 7:12 PM

Obijan

Tip:
How about everybody who's looking into this post the filesize and MD5s of the files they downloaded and investigated?

That would immediately show if weird stuff has been going on.
If this is a DNS spoofing, it will show up. There is NO way that an attacker can spoof for everybody with a 100% success rate.

Sidebar note:
Is there anything besides the Norton notification that indicated that this download is infected? False positives do happen. Some of my own software has been flagged in the past by Norton. It usually takes about a week of mailing for them to reply to the tune of

"Oopsy... Our bad. Sorry we made hundreds of your customers yell at you. We'll fix it sometime next month."

Timeless Prototype gb

Monday, August 04, 2008 10:34 PM

Timeless Prototype

Hi Obijan. That is exactly the feedback I'd primarily expected, people motivated to get involved. So, thank you.

Also, see later posts and/or comments, yes, AVAST detected it too.

I've just posted this to sum up everything, as it's no longer being detected by Norton 360 nor AVAST: www.timelessprototype.com/.../...ng-Keylogger.aspx
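Obijan's tip above (everyone posts the file size and hash of what they downloaded), as an added example that is not part of the original thread: the sketch below fingerprints each download and flags reports that differ from the majority within one language variant, since the post notes that sizes vary between languages. The reporter names and file contents are constructed, and SHA-256 is computed alongside the MD5 the comment asks for because MD5 collisions are practical.

```python
import hashlib
import io
from collections import Counter, defaultdict


def fingerprint(stream, chunk_size=1 << 20):
    """Return (size, md5_hex, sha256_hex) of a binary stream, read in chunks."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        size += len(chunk)
        md5.update(chunk)
        sha256.update(chunk)
    return size, md5.hexdigest(), sha256.hexdigest()


def find_outliers(reports):
    """reports: iterable of (reporter, variant, fingerprint).
    Returns {variant: [reporters whose file differs from the majority]}.
    If no fingerprint has a clear majority, every reporter is listed."""
    by_variant = defaultdict(list)
    for reporter, variant, fp in reports:
        by_variant[variant].append((reporter, fp))
    flagged = {}
    for variant, entries in by_variant.items():
        ranked = Counter(fp for _, fp in entries).most_common()
        if len(ranked) == 1:
            continue  # everyone received the same bytes
        tie = ranked[0][1] == ranked[1][1]
        flagged[variant] = sorted(
            who for who, fp in entries if tie or fp != ranked[0][0])
    return flagged


# Constructed sample data: stand-ins for installer bytes, not real files.
EN = b"constructed-english-installer" * 1000
DE = b"constructed-german-installer" * 1500
ODD = EN[:-1] + b"X"  # same length as EN, one byte changed

REPORTS = [
    ("alice", "en", fingerprint(io.BytesIO(EN))),
    ("bob", "en", fingerprint(io.BytesIO(EN))),
    ("carol", "en", fingerprint(io.BytesIO(ODD))),
    ("dave", "de", fingerprint(io.BytesIO(DE))),
    ("erin", "de", fingerprint(io.BytesIO(DE))),
]

if __name__ == "__main__":
    for variant, who in find_outliers(REPORTS).items():
        print(f"{variant}: differs from majority -> {', '.join(who)}")
```

A mismatch only shows that two people received different bytes; the constructed `carol` file has the same size as the others, which is why size alone is not enough.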

AndyGusto us

Wednesday, August 06, 2008 8:35 AM

AndyGusto

Coming from a game making side, you really shouldn't pin this one on Pixar. More than likely, the marketing department at Pixar decided to pursue making a Wall-E game (a brilliantly good idea financially). Pixar, however, does not make games. They probably shopped around and found a midsized game studio willing to make it on the cheaper side, as anything with Wall-E stamped on it is selling like hotcakes these days. As the people who frequent this blog probably understand, with low profile software, you can get away with more slop and sneak than on high profile stuff, and vice versa. See the Hot Coffee scandal for an example.
The folks over at Pixar probably played through the finished game once or twice, and gave it the OK. I'd wager that nobody on the approval board has ever heard the word Keylogger.

In short, Pixar is good at making movies (damn good), but not at making video games. Please don't let this outsourced straight-to-bargain-bin game tarnish the reputation of an otherwise excellent animation studio.

Timeless Prototype gb

Wednesday, August 06, 2008 9:26 AM

Timeless Prototype

Thanks Andy, yes, you're right. This has all since blown over though, but good that you commented what I feel will be a consensus of opinion.

Free game downloads us

Tuesday, February 17, 2009 1:57 PM

Free game downloads

Thanks for the warnings, indeed it's a sad time we live in. Nevertheless this shouldn't stop us from playing, eventually we can find solutions to this problem and move on with it. Do you have any other alternatives in mind?

Timeless Prototype gb

Tuesday, February 17, 2009 7:22 PM

Timeless Prototype

Don't misunderstand. We've assumed it's a false positive match. So, there's nothing to stop you playing it. :)

BUY NINTENDO DS LITE, DSi & Wii : Bundles on Clearance SALE

Really a good one..keep on posting more like this..thanks.

saç ekimi merkezi

Sunday, April 26, 2009 3:56 PM

saç ekimi merkezi

Great Post!! It was very helpful.

UK Online PC Games gb

Wednesday, April 29, 2009 11:56 AM

UK Online PC Games

PC gaming has become an important part in day to day life. So in the context of this the gaming programming that you have specified is really a great one. Thanks for posting.

prostat tr

Thursday, May 14, 2009 8:11 AM

prostat

What remains unclear, however, is what the end game is.

Laptop Skin us

Thursday, May 28, 2009 10:47 AM

Laptop Skin

Post more like these..thanks

Fotoğraf Makinasi

Tuesday, June 09, 2009 2:16 AM

Fotoğraf Makinasi

Post more like these..thanks

club penguin us

Wednesday, June 10, 2009 3:09 AM

club penguin

What exactly does nslookup have to do with a keylogger? Don't level3 just provide a lot of infrastructure for the internet? Why do you use Norton? Have you disassembled it or anything? I mean I'm not saying that what you are saying is untrue but how can you possibly expect anyone to believe you when you have not provided any reason for anyone to believe that you know what the hell you are talking about.

r4 ds card us

Wednesday, June 10, 2009 11:31 AM

r4 ds card

I enjoyed going through the comments area more than the article itself. nice posts..

thanks guys

Nintendo DSI Skins us

Tuesday, June 23, 2009 1:07 PM

Nintendo DSI Skins

I hate keyloggers, some people use this spyware to steal passwords or credit card accounts and this is fraud. A good antivirus can catch them easily, if it is up to date.

Tukang Nggame us

Friday, June 26, 2009 5:30 PM

Tukang Nggame

This is exactly what I was looking for. Thanks for sharing this great article! That is very interesting :) I love reading and I am always searching for informative information like this.

LG Phone Skins us

Saturday, June 27, 2009 4:10 PM

LG Phone Skins

In the last few days I've found 2 keyloggers after downloading some demo games, my antivirus alarm started announcing to me that it had found some spyware. Double-clicked to start the game and Kaspersky detects a keylogger!! It states 'Suspicious action: Keylogger'. The program running this process is stated as being Crysis.exe!!!

SEO

Friday, July 03, 2009 11:23 AM

SEO

Useful article.
Thanks for helpful information you catch up us with your instructional explanation.
