[Drizzt]

So, If I'm affected by one of this malware maps, the client binary does not has been modified and the authkey it's not has been stolen? We need not worry about next banlist, right?

[diRf!Nikki]

I already see another server with this kiddie bullshit. The best thing for everyone to do is stick only to the servers you know. There's even a "Server Info" button you can click. If the server shows 20 and it doesn't say anyone is playing under "Server Info", you're probably about to get had.

This post has been edited by Nikki: 17 September 2014 - 06:14 AM

[MsT*|tintir]

We also got a legit map repo, for Europe players: http://s1.mstclan.xyz/q3ut4/

[bArgh]

Let me just repeat the comment from the thread Puma is no more, but there is Eminem I started in March this year:

"There is a couple of questions in regard to all of this. How can a content of a particular map package affect a game behaviour in another map? When I have a target practice with bots on my local server it is "ut4_algiers" map. Why is "chronic" map allowed to "disable" UrT bots and load its own? I am aware that assets in one map can cause visual problems in another. Common, and programming, sense tells me that map assets should be limited to affecting the game behaviour only on the map these assets are part of. Which raises a security question. Is it possible for a rogue server to distribute map(s) containing code which would deliberately infect the UrT client with cheatcode signatures, thus compromising UrT anticheat?"

[Mod [dswp]JRandomNoob]

All the signs of a malicious server described so far are trivial to alter, and any map can be repacked to contain the malicious code. You should assume that any server you do not know well can be a malicious one. The important part here is “know well” — you may have played on a server once or twice before, but it may be malicious now. The only way to be sure is to not allow map autodownloads from unfamiliar servers. If you need to download something, get it from a trusted website.

Please note that logging out of auth is not a solution to this problem — until the security hole is fixed, you remain vulnerable should you ever log into auth again. Make sure you don’t have any bad maps and do your best to avoid getting any. And, if you haven’t changed your auth key yet, do it. It’s made easy for a reason, you know.

Ladies and gentlemen with a YOLO attitude can of course log out of auth and restart the game before autodownloading, and check the PK3s manually: the bad maps have been repacked with a vm/ folder containing hacked versions of the QVM files. Maps without QVM files — however fishy the originating server looks — are safe. (Maybe.)

The person who spotted this QVM thing was Orbit by the way. D SZ went hunting and found several servers that matched his description.

[sk3tz]

Barbatos, on 16 September 2014 - 03:55 PM, said:

Hi,

There are currently at least four malicious servers trying to steal authentication keys. If your auth is suddenly refusing to work and/or you see “Unknown” in the server list instead of “FREEZE”, you probably have connected to one of those servers and downloaded at least one map.

All those maps contain malicious code.

If you think you may be affected, delete all maps downloaded on September 14 or later and change your auth key. Downloading any maps from servers you don’t know well is discouraged until further notice.

Is it only my authentication key they can obtain through this malicious code?

[MsT*|tintir]

sk3tz, on 17 September 2014 - 12:44 PM, said:

Is it only my authentication key they can obtain through this malicious code?

No one knows, but from what we know it's still auth only.

[FS Mr.Yeah]

Nikki, on 17 September 2014 - 06:12 AM, said:

There's even a "Server Info" button you can click. If the server shows 20 and it doesn't say anyone is playing under "Server Info", you're probably about to get had.

This happened to me way prior to this announcement. On 4.2.018, Auth working, and the info displayed by the "Server Info" seemed incomplete e.g players connected shown in server list, but incomplete or non of them showing up in server info. And it did show bots.

[diRf!Nikki]

Mr.Yeah, on 17 September 2014 - 05:21 PM, said:

This happened to me way prior to this announcement. On 4.2.018, Auth working, and the info displayed by the "Server Info" seemed incomplete e.g players connected shown in server list, but incomplete or non of them showing up in server info. And it did show bots.

It's always incomplete but it will show at least some of the list. Easier than telling people to get the IP and use the server browser or download qtracker :P

This post has been edited by Nikki: 17 September 2014 - 06:24 PM

[Pilou42]

By the way, I think there's a setting which prevents auto-download map. It could be a temporary solution.

Maybe it should be forced for the next release. Then a message would appear:
"You need to download a map to play this game. The server you're trying to download map is not in our whitelist, so be careful and don't download map except if you know the server well" then "proceed anyway" or "cancel and return to list".

Well maybe it's too much for 4.2 which is supposed to receive only bug fixes.