If you didn’t start the game with the version of the Traffic mod containing the DLL downloaded and installed, you are entirely unaffected. If you do not have an Exodus cryptocurrency wallet on your computer the malware should not have been harmful.

'Should not' is a normative statement, not a statement of fact.

Can Paradox actually confirm this mod is harmless without Exodus wallet installed?

When it comes to mod support, sandboxed environments also limit what you can do with modding. You are certainly correct that not allowing direct access to the system is a big advantage for security, but the flip side is that it limits what you can do with mods to what the developers expose via APIs. It restricts experimental features, data extraction, and manipulation of the game’s runtime environment, which are common practices in the modding community.

Respectfully, this is nonsense. Currently, every mod has access to everything in your computer - from the banking details you have stored in your browser, to the full collection of your family photos. It can download new executables (making anti-virus checks totally worthless), run arbitrary code on your machine, upload or download anything at all. It should go without saying that no mod should need that.

Restricting mods via APIs is entirely appropriate. The fact that this limits the mods is not a 'flip side', it's the very point of a security sandbox. A well-designed API can expose the entire surface of the game, and as has been pointed out before, games well known for their extensive mod scene almost universally use some kind of scripting language. Paradox, for example, bans executable mods for security reasons in their own games, but this does not extend to the games they merely publish.

What's good for the goose is good for the gander, and the exact same security concerns that motivate Paradox to ban executable mods apply fully to CS2.

What I want to know is: why did this mod have what seems like unfettered access to users' personal files which are entirely unrelated to the game in any way?

Are DLLs really just imported into the game's context and executed without restrictions? Is there no sandboxing, API vetting, or any kind of sanitation being done prior to loading and execution?

If that's the case, then all modders would effectively have user-level permission on my system. Which is, honestly, rather terrifying.

Frankly I'm rather concerned about launching the game now as it feels like we're just an auto-update away from another disaster. My computer is used for things other than playing CS2, and this risk is not acceptable to me.

I hope I'm wrong. I would really appreciate an official comment from CO or Paradox on this.

You're not wrong, and this is an extremely reasonable response to finding out how CS2 modding works.

Every time you download 'Slightly curvier roads 2.3', you're literally running executable code from some anonymous username. As I've said elsewhere, this is identical to running an EXE from an anonymous Discord.

So what happens if someone wants to adopt someone else's abandoned mod?

They upload a new mod, call it the spiritual successor, and people can opt in if they'd like. Users should not be silently auto-updated to someone else's project - someone they never vetted, and have not chosen to trust. That's obviously a total break in the security model.
 
I uninstalled the game and won't touch it unless I can have a mod-free version delivering all the features promised. I have to wipe my whole system as I don’t “trust” it anymore; it's not worth going through that pain for CS2 again.
 
Jesus Christ. If this is even partially true, how is this even allowed? This has the potential to cause such a major breach in security again, which can’t be resolved unless they change the game’s architecture (which probably won't happen because they are already significantly behind schedule). If the allegation is true, why did you design a modding section which relies on running an .exe without fully warning us of the risks?

Paradox or CO, can someone step up and show responsibility by saying whether these statements are actually true? Or why was this designed this way, and what are you going to do to mitigate the risks of downloading executables onto our computers? And how are you going to change it to better follow other Paradox games like CK3 etc.?
 
Or why was this designed this way

The reason is that it's way simpler to do it that way (and so more cost effective).

They don't have to code a specific scripting language and a compiler for the game to read it.

Wondering why code mods are here while we're still waiting for assets? Because their code "modding" is just allowing C# code injection, which is ultra simple to set up.

It's not the only game using DLLs; I don't use Bannerlord mods for the same reason, for example.

And for sure they won't step back; now they will bury their heads in the sand, considering the event done, but they've done nothing and planned nothing to prevent it from happening again.


Because yes, now that the breach is open and well known, it's even more dangerous to use mods currently, because it can happen at any time: a hacker just has to steal a Paradox account from a modder, and that's not very hard considering the low security of Paradox accounts.


People were complaining about the withdrawal of the Steam Workshop because this is one of the reasons: Steam is way more secure; with phone 2FA it's impossible to steal your Steam account unless the hacker comes to steal your phone physically.
 
You're drawing the wrong conclusions from this incident, as are a lot of people who are freaking out over the "crazy" and "irresponsible" decisions by CO to allow executable code in user mods. Cities Skylines had the same approach to modding, and it became a huge success not despite, but because of it. People created massive extensions to the game in unexpected ways, which CO could not have all foreseen and created APIs for, even with the massive team that would be needed for such a strategy.

You're running executable code by playing this game, and the reason you do it is because you trust the developer not to infect you with malware. The same is true for mods: you can pick who you trust, and thanks to a very active modding community people know and trust each other. I don't install code mods from some random person with no subscribers. The developer of the mod in question was a trusted member of the community. Their account was breached, so that is the real problem, not the fact that CO allows code mods. Steam was more secure because it made account takeovers much more difficult than the Paradox mods platform.

Finally, to everybody claiming the game should be sandboxed, i.e. run isolated from your system's resources, I have some news: you can do that yourself. Run CS2 in a virtual machine. You will be very secure, but please come back and tell us how the performance worked out for you.

They need to harden their security for developer accounts and add safeguards to the publishing process, not throw the baby out with the bathwater.
 
Their account was breached, so that is the real problem, not the fact that CO allows code mods.

And you can have modders who are actually also hackers, gaining trust and then sending malware. Like all scammers are doing nowadays.

Look at puredark, who had threatened to include malware in his mods for the non-paid version. He claimed it and didn't do it, but he could have said nothing and actually done it.

You're running executable code by playing this game, and the reason you do it is because you trust the developer not to infect you with malware. The same is true for mods: you can pick who you trust, and thanks to a very active modding community people know and trust each other.

And no, you can't have the same trust in a dev company and in random unknown modders. It's like comparing storing your money at a national bank versus with a random guy found in the street.


And don't spread false information: you can make great mods for a sandboxed game with a specific API, but it requires more work from the dev.
 
You're drawing the wrong conclusions from this incident, as are a lot of people who are freaking out over the "crazy" and "irresponsible" decisions by CO to allow executable code in user mods. Cities Skylines had the same approach to modding, and it became a huge success not despite, but because of it. People created massive extensions to the game in unexpected ways, which CO could not have all foreseen and created APIs for, even with the massive team that would be needed for such a strategy.

Respectfully, this is a false dichotomy. It is entirely possible to design a well-sandboxed scripting language, most games do so, and it does not impose any inordinate cost in time and resources. Hooking something like Luau into an existing code base is fairly trivial. There is a reason virtually all games that wish to offer modding use a sandboxed scripting language. Mods that run arbitrary executable code are unacceptable from a security standpoint, as demonstrated by the reaction of everyone here to finding out how CO mods work.

You're running executable code by playing this game, and the reason you do it is because you trust the developer not to infect you with malware. The same is true for mods: you can pick who you trust, and thanks to a very active modding community people know and trust each other. I don't install code mods from some random person with no subscribers. The developer of the mod in question was a trusted member of the community.

This is utterly absurd. I trust CO to run executable code on my computer because they have a head office, they have staff, they have careers on the line, and if they consciously put malware on my computer they would be ruined / criminally prosecuted. I do not trust 'xXxPterodactylHOMEBOYxXx' in that way, for reasons that are really too obvious to have to explain.

I can sue CO. I cannot sue anonymous PP accounts (at least with any expectation of success). 'A trusted member of the community' is just as much a random person as a person with no subscribers. I don't care how popular someone is on Discord, that's nothing real or substantive that would lead me to hand over the keys to my computer.

I've said this elsewhere, but so much of computer security is preventing remote code execution (RCE) exploits. With CO modding, there's no need for an exploit, you're just straight-up volunteering for RCE. No antivirus can protect you from yourself here.

Their account was breached, so that is the real problem, not the fact that CO allows code mods. Steam was more secure because it made account takeovers much more difficult than the Paradox mods platform.

No, that is not the real problem. I didn't trust the original random to begin with.

The real problem is that CO is unable or unwilling to build a complete, finished game.

Because CO has not built a complete game, my choices are 'play a broken game' or 'run executable code from randoms to make the game playable'. I chose the former (well, I had basically stopped playing, but I kept the game installed in hopes it would improve), and my SO chose the latter.

We've both since uninstalled the game.

Finally, to everybody claiming the game should be sandboxed, i.e. run isolated from your system's resources, I have some news: you can do that yourself. Run CS2 in a virtual machine. You will be very secure, but please come back and tell us how the performance worked out for you.

Sure, let's take this game that barely runs on bare metal, and translate it through a virtual machine, I'm sure that will work.

You yourself recognise this is not a real solution, so don't pretend it is. I have no idea what point you're trying to make, other than that you don't understand the distinction between a sandboxed scripting language within a game, and virtualising the entire game?

They need to harden their security for developer accounts and add safeguards to the publishing process, not throw the baby out with the bathwater.

Safeguards like what, exactly? Virus checks for uploaded mods? OK, but the mod can download any further executables that it wants, or generate any new code it wants (through e.g. .NET reflection), and none of this will be subject to any virus checks. It's also worth noting no antivirus detected the DLL under discussion here, despite it just being straight up malware.

There is a reason why very few games use 'DLL injection' as a modding technique. That model is broken. It's fundamentally unsecurable, and it provides no real benefit over a well-designed, secure scripting language. Much more sophisticated games than CS2, with much more extensive modding scenes, get by just fine with secure, sane modding.
 
Respectfully, this is a false dichotomy. It is entirely possible to design a well-sandboxed scripting language, most games do so, and it does impose any inordinate cost in time and resources. Hooking something like Luau into an existing code base is fairly trivial. There is a reason virtually all games that wish to offer modding use a sandboxed scripting language. Mods that run arbitrary executable code are unacceptable from a security standpoint, as demonstrated by the reaction of everyone here to finding out how CO mods work.
You don't have to convince anybody that there are more secure ways to enable modding, but at the same time everybody also agrees that this takes way more effort, and CO already said it's this or nothing. So there's a very real dichotomy: have the mods we have now or not have mods at all. Since you don't want to trust any mod developer, the choice is really easy for you: don't install code mods and you'll be perfectly safe. Heck, play through Geforce Now and stream the game - problem solved. This has been the modding model since the release of CS1 in 2015, so it's hardly a shocking revelation.

This is utterly absurd. I trust CO to run executable code on my computer because they have a head office, they have staff, they have careers on the line, and if they consciously put malware on my computer they would be ruined / criminally prosecuted. I do not trust 'xXxPterodactylHOMEBOYxXx' in that way, for reasons that are really too obvious to have to explain.

I can sue CO. I cannot sue anonymous PP accounts (at least with any expectation of success). 'A trusted member of the community' is just as much a random person as a person with no subscribers. I don't care how popular someone is on Discord, that's nothing real or substantive that would lead me to hand over the keys to my computer.
You skipped over the fact that CS 1 has been using this strategy for 9 years without major incidents that I can recall. You're saying you can't trust any modder because they have a cryptic handle, and you don't think you could sue them. Guess what, there are still real people behind them that are known to other real people and they've earned the community's trust through years of releasing quality mods. They have a reputation to defend. And sure, then there's Joe Schmoe who has just released his first mod with 5 subscribers. I'm gonna pass on that, too. If everybody on the internet is just a "random" to you that you can't trust, that's fine - but that's not how communities work, and you're missing out by not considering nuance.

Because CO has not built a complete game, my choices are 'play a broken game' or 'run executable code from randoms to make the game playable'. I chose the former (well, I had basically stopped playing, but I kept the game installed in hopes it would improve), and my SO chose the latter.
Speaking for myself, I think the game is very enjoyable in its current vanilla state, but of course, there's always room for improvement. A "broken game" is something else, though, and it has made massive strides since launch day.

Sure, let's take this game that barely runs on bare metal, and translate it through a virtual machine, I'm sure that will work.

You yourself recognise this is not a real solution, so don't pretend it is. I have no idea what point you're trying to make, other than that you don't understand the distinction between a sandboxed scripting language within a game, and virtualising the entire game?
I do understand the difference between sandboxed scripted modding and virtualizing the entire game, as my previous posts should have made clear. I was addressing the people who don't and specifically asked for the whole game to be virtualized. As you kind of caught on to, I do not recommend that as a feasible approach.

Safeguards like what, exactly?
Safeguards like protecting the accounts of mod developers so they're hard to hijack. Safeguards like encouraging open-source mods that the community can review. Safeguards like digital signing of mods so that the identity of the code owner is clear even in the event of an account breach. Safeguards like occasional code reviews for popular mods by the community or even the game developers. That's just off the top of my head, I'm sure there's more that can be done.

There is a reason why very few games use 'DLL injection' as a modding technique. That model is broken. It's fundamentally unsecurable, and it provides no real benefit over a well-designed, secure scripting language.

Let's not pretend there's "no real benefit" - that's just false. You're just ignoring them because you think the security concerns outweigh them. Here are some real benefits of allowing direct system access to code mods, in no particular order:
  • Unlimited flexibility and power: use any programming language and use any libraries or tools available on the host system. Enables the creation of highly complex mods that go beyond the capabilities of a limited scripted API.
  • Mods can directly access hardware, filesystems, and peripherals, enabling deeper integration with the user's system. For example, I highly doubt the extra assets importer would have been possible otherwise - the fact that CO still hasn't figured out how to safely allow 3rd party assets is a testament to this.
  • Developers can use popular frameworks, libraries, and engines without waiting for the game developer to provide support. This minimizes reinventing the wheel—modders can focus on creative work rather than overcoming API constraints.
  • Mods can push boundaries in ways the original developers never anticipated, fostering innovation and creativity in the community.

Everybody has to figure out for themselves if the risk outweighs the reward, but the developers give users the choice: mods are opt-in, and they distinguish between code mods and others. I personally would prefer a hybrid system where most functionality can be achieved through APIs and allowing access to the system would be an extra permission a mod would have to request. Still, I recognize that it's not very likely now with the state of the game and the resources available to CO.
 
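Two points raised in this thread reduce to one mechanism: users should not be silently moved to an update from someone they never vetted, and signing mods would keep the code owner's identity clear even after an account breach. Both are satisfied by trusting a publisher key rather than a platform account, and pinning that key at the user's first opt-in. The Go program below is an added illustration written for this page; it is not code from CO, Paradox or any mod platform. The manifest layout, the mod ID "traffic" and the payload bytes are invented for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a hypothetical per-release record, not CS2's or the Paradox Mods
// platform's real format. Which account uploaded it is deliberately absent:
// only the publisher's signing key decides trust.
type Manifest struct {
	ModID     string
	Version   string
	Payload   [32]byte // SHA-256 of the DLL or asset archive
	Publisher ed25519.PublicKey
	Signature []byte
}

// signedBytes binds ID, version and content hash under one signature, so an
// old valid signature cannot be paired with a new payload or version.
func signedBytes(m Manifest) []byte {
	h := sha256.New()
	h.Write([]byte(m.ModID))
	h.Write([]byte{0})
	h.Write([]byte(m.Version))
	h.Write([]byte{0})
	h.Write(m.Payload[:])
	return h.Sum(nil)
}

// Publish runs on the modder's machine with a private key the platform never sees.
func Publish(priv ed25519.PrivateKey, modID, version string, payload []byte) Manifest {
	m := Manifest{
		ModID:     modID,
		Version:   version,
		Payload:   sha256.Sum256(payload),
		Publisher: priv.Public().(ed25519.PublicKey),
	}
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

// Installed is what the client pins after the user's first, explicit opt-in.
type Installed struct {
	ModID     string
	PinnedKey ed25519.PublicKey
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the claimed publisher key")
	ErrHashMismatch = errors.New("downloaded payload does not match the signed hash")
	ErrNewPublisher = errors.New("update is signed by a different publisher key; needs a fresh opt-in")
)

// VerifyUpdate says whether an update may be applied without asking the user.
func VerifyUpdate(inst Installed, m Manifest, payload []byte) error {
	if m.ModID != inst.ModID || len(m.Publisher) != ed25519.PublicKeySize ||
		!ed25519.Verify(m.Publisher, signedBytes(m), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(payload) != m.Payload {
		return ErrHashMismatch
	}
	if !m.Publisher.Equal(inst.PinnedKey) {
		return ErrNewPublisher
	}
	return nil
}

// Scenario replays three updates against one installed mod: from the real
// author, from a hijacked account, and from a legitimate new maintainer.
func Scenario() (byAuthor, byHijacker, byNewMaintainer error) {
	authorPub, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, successorPriv, _ := ed25519.GenerateKey(rand.Reader)
	inst := Installed{ModID: "traffic", PinnedKey: authorPub}

	good := []byte("constructed stand-in for Traffic 2.3")
	byAuthor = VerifyUpdate(inst, Publish(authorPriv, "traffic", "2.3", good), good)

	// Account takeover: the attacker can upload but holds no author key, so
	// they sign with their own key and then claim the author's public key.
	evil := []byte("constructed stand-in for a trojaned build")
	forged := Publish(attackerPriv, "traffic", "2.4", evil)
	forged.Publisher = authorPub
	byHijacker = VerifyUpdate(inst, forged, evil)

	// Handover to a successor: valid signature, but not the key the user trusted.
	byNewMaintainer = VerifyUpdate(inst, Publish(successorPriv, "traffic", "3.0", good), good)
	return
}

func main() {
	a, h, n := Scenario()
	fmt.Println("author update:", a)
	fmt.Println("hijacked account:", h)
	fmt.Println("new maintainer:", n)
}
```

The hijacked-account case fails on the signature check, and the new-maintainer case fails on the pin check even though its signature is valid; the client would surface the latter as an opt-in prompt rather than a silent update. What this does not solve is a modder whose signing key itself is stolen, or one who turns malicious, which is why it belongs alongside sandboxing rather than in place of it.
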
And you can have modders who are actually also hackers, gaining trust and then sending malware. Like all scammers are doing nowadays.
Sure, just like there are double agents in the intelligence community. It's possible, but it takes a lot of effort and time to pull off. The rewards are relatively slim pickings compared to what else scammers could do with their time.
 
They need to harden their security for developer accounts and add safeguards to the publishing process, not throw the baby out with the bathwater.

I don't think anybody is suggesting anything of the sort.

As a result of recent events, I decided to create an AppArmor profile (I play on Linux) for this game, which essentially allows me to confine the game and its mods to its own directories and prevent them from drawing outside those lines.

At the cost of just a few hours of work, I have managed to greatly increase my security posture. The impact on performance, if there is one, is negligible and imperceptible to me. And all of my mods still work. Indeed, if it had broken a mod, that would be very much the point and welcomed. It would have broken fastmath.dll, for example.

Is it perfect? No. But it's a good start, and security is all about layers of protection.

We can have a healthy modding ecosystem without handing over the keys to the *entire kingdom*. It's not either/or as you seem to be suggesting.

More to the point: why did I even have to do this myself in the first place? To me, this is the minimum level of effort any developer should put in once they decide to support mods and user-contributed code.

Is nobody from CO with any technical authority going to address this thread at all?
 
Perhaps neither Paradox nor Colossal Order involve themselves in this discussion because whatever each of them does is/would be bad.

None of them answers -> bad -> why don't they answer?

They answer -> bad -> why do they rather spend their time answering/getting involved in this discussion than working out 'a solution'?
 
I disagree with most of this, for reasons already outlined above. We have different risk models. Mine will never include allowing people to run self-updating executable code on my computer because they've built up a rep on some Discord or another, and I think it's absurd to pretend that such a person warrants a similar level of trust to an established company.

Would you trust a person to do dental surgery on you because they built up a reputation on some Discord chat room for dentists? Of course not, you're going to look for someone with an office, with degrees, with accreditation and accountability.

I didn't 'skip over the fact that CS1 has been using this strategy for 9 years without major incidents', because that's not correct, there were in fact security breaches in CS1 too. Here's an example. The key difference here is that CS1 was fun and playable without mods, and CS2 is not.

Your list of benefits for code mods sounds like it was written by ChatGPT. You're describing the benefits of arbitrary code execution. Some of those 'boundaries' being 'pushed' include things like exfiltrating people's crypto-currency wallets, which is indeed very innovative, creative, and unforeseen by the original developers.

I agree, at the end of the day, that none of this is likely to be fixed. I (genuinely) hope you are never seriously affected by mod malware, but your risk model does seem to make it relatively likely.

Since I'm never expecting the gaping security hole at the heart of code modding to be fixed, my recommendation is that CO enforces a very strict separation between code mods and asset mods, at the very least, so that a person downloading an asset mod can be truly assured it's just an asset, and cannot run any executable code. And I don't mean "should not", like we got from CO in this thread, I mean "can not".
 
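The last post asks for a hard separation where an asset mod "can not" carry executable code rather than "should not". Enforcing that is an upload-side check, and the Go program below is an added example of one, not code from CO, Paradox or the mod platform. It walks every entry of a mod archive and judges it by header bytes rather than file name, rejecting PE/.NET, ELF, Mach-O, interpreter scripts and nested archives, plus any path that climbs out of the mod directory. The asset extension allowlist and both sample archives are invented for the demonstration; CS2's real asset formats are not documented in this thread.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
)

// Hypothetical allowlist standing in for "data only, never code".
var assetExtensions = map[string]bool{
	".png": true, ".jpg": true, ".fbx": true, ".json": true, ".txt": true,
}

// Header bytes of things a loader or shell could execute. Checking content
// rather than name means renaming Traffic.dll to road.png does not help.
var executableMagic = []struct {
	kind  string
	magic []byte
}{
	{"PE/.NET assembly", []byte("MZ")},
	{"ELF", []byte{0x7f, 'E', 'L', 'F'}},
	{"Mach-O", []byte{0xcf, 0xfa, 0xed, 0xfe}},
	{"interpreter script", []byte("#!")},
	{"nested archive", []byte("PK\x03\x04")},
}

// ValidateAssetPackage returns one line per violation; empty means every
// entry is a plain data file at a path inside the mod directory.
func ValidateAssetPackage(pkg []byte) []string {
	var bad []string
	zr, err := zip.NewReader(bytes.NewReader(pkg), int64(len(pkg)))
	// Go 1.20+ may flag insecure names itself but still hands back a usable
	// reader; the per-entry check below names the offending entries.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return []string{"not a valid zip archive: " + err.Error()}
	}
	for _, f := range zr.File {
		name := f.Name
		if strings.HasSuffix(name, "/") {
			continue // directory entry
		}
		clean := path.Clean(name)
		if path.IsAbs(name) || clean == ".." || strings.HasPrefix(clean, "../") ||
			strings.Contains(name, "\\") {
			bad = append(bad, name+": path escapes the mod directory")
			continue
		}
		if !assetExtensions[strings.ToLower(path.Ext(name))] {
			bad = append(bad, name+": extension not on asset allowlist")
		}
		head, err := readHead(f, 8)
		if err != nil {
			bad = append(bad, name+": unreadable: "+err.Error())
			continue
		}
		for _, m := range executableMagic {
			if bytes.HasPrefix(head, m.magic) {
				bad = append(bad, fmt.Sprintf("%s: %s header found", name, m.kind))
				break
			}
		}
	}
	return bad
}

// readHead returns up to n leading bytes of one archive entry.
func readHead(f *zip.File, n int) ([]byte, error) {
	rc, err := f.Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	buf := make([]byte, n)
	k, err := io.ReadFull(rc, buf)
	if err != nil && err != io.EOF && err != io.ErrUnexpectedEOF {
		return nil, err
	}
	return buf[:k], nil
}

// buildZip assembles an in-memory archive from constructed entries.
func buildZip(entries map[string][]byte) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, data := range entries {
		w, _ := zw.Create(name)
		_, _ = w.Write(data)
	}
	zw.Close()
	return buf.Bytes()
}

// CleanPackage is a constructed asset-only upload: a PNG header and a JSON file.
func CleanPackage() []byte {
	png := append([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}, make([]byte, 16)...)
	return buildZip(map[string][]byte{
		"textures/road.png": png,
		"meta.json":         []byte(`{"name":"Slightly curvier roads","version":"2.3"}`),
	})
}

// MaliciousPackage is a constructed upload: a DLL in plain sight, the same
// DLL renamed as a texture, and an entry that climbs out of the mod folder.
func MaliciousPackage() []byte {
	pe := append([]byte("MZ"), make([]byte, 62)...)
	return buildZip(map[string][]byte{
		"Traffic.dll":         pe,
		"textures/road.png":   pe,
		"../../steamapps.txt": []byte("not an asset"),
	})
}

func main() {
	fmt.Println("clean:", ValidateAssetPackage(CleanPackage()))
	for _, v := range ValidateAssetPackage(MaliciousPackage()) {
		fmt.Println("reject:", v)
	}
}
```

The renamed DLL is the case that matters: an extension allowlist alone would have passed textures/road.png, and only the header check catches it. This is a gate for the asset-only category; for code mods it proves nothing, since a legitimate DLL and a trojaned one look identical at this level, which is the point several posters make about antivirus scanning of uploads.
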