from Hacker News

Steam's VAC reads all the domains you visited

by titlex on 2/17/14, 12:12 PM with 86 comments

  • by jimaek on 2/17/14, 1:03 PM

    From reddit comments:

    As someone who reverse engineers things for fun, and can read the C "pseudocode" generated via decompilation pretty easily, I am going to have to disagree with the assumptions made in this post.

    First, there's no proof this is from Steam, I've poked around a few of the DLLs since I saw this and am unable to find anything even remotely close to what this does.

    Second, this method does NOT send anything to Valve. This method grabs the DNS cache, yes. And it MD5s the entries, then it stores it. This method itself does nothing more with the hashes. For all we know VAC could be doing a LOCAL scan of the list, and comparing it to an internal list of "known" cheat subscription servers.

    Until someone posts details of exactly where in Steam this is (What DLL is all that's required to verify), and the calling method that supposedly sends this information to Valve, I would take this with a very massive grain of salt.

    So yeah, no proof it sends anything. It could be a local check.

  • by chippy on 2/17/14, 1:58 PM

    More stronger evidence from reddit comments:

    http://www.reddit.com/r/technology/comments/1y4za5/steams_va...

    " Yes, with some simple wireshark analysis you can see it is being sent back.

    Use wireshark, join a local TF2 server, try and isolate the VAC IP address (they are not static, but use rDNS & whois the IP). Go by process of elimination. Happy to give you pointers if anyone is interested.

    Use wireshark and monitor the SSL communications of VAC for the first minute. Record the total size of outgoing packets (for me, I got 1.94 MB and 1.88 MB on my two tries -- the first time you join a VAC server and when modules update it's likely to be higher as it downloads it's modules).

    note: Keep everything else constant - like what windows you have open, what processes you have running, etc.

    Bloat your DNS cache. (What I did was edit my hosts file, used a script to add over 20k hosts [careful actually crashed notepad when I tried to read it])

    Repeat step 1 and 2. I got 2.47 MB and 2.58 MB on two tries (first min of outgoing packets). This increase seems to be twice the amount 20k of MD5 hashes would take. Maybe a bug is causing it to be sent twice?

    Clear your hosts file, flush dns cache. Repeat step 1 and 2 again. I got 1.99 MB."

  • by mpeg on 2/17/14, 1:02 PM

    Anti-cheat protections use exactly the same methods rootkits use to "monitor" your system, it's one of those things we grudgingly accept when playing multiplayer games.

    It's not even what Valve and co are doing with the info, it's similar to the Sony rootkit case where the main worry would be that the rootkit could introduce security vulnerabilities.

  • by just2n on 2/17/14, 11:05 PM

    VAC has never been particularly effective. This check isn't particularly useful as it doesn't actually prove that a player is or has ever cheated. It's also trivial to bypass (`ipconfig /flushdns`) if you are an actual cheater who frequents these websites.

    To be banned because you visited a website is also an abusable medium. Similar to the memory and window name scanning VAC and other similar anticheats have done in the past (or continue to do). You could historically get people banned by just doing stupid things, like having an IRC title that shows up in mIRC's window name that's detected or sending someone a message via any chatting medium that has a detected substring.

    Imagine you just send a tinyurl link to your opponents in an upcoming tournament. Or just embed a simple <img> tag in an otherwise harmless webpage (display: none, for example) so everyone who visits your website has that domain fresh in their cache. This kind of "evidence" quickly becomes useless because it can be used for nefarious purposes, which is why it should never be used at all.

    This is not only ineffective, it's dangerous. And it's an invasion of privacy since you can simply create a rainbow table of domain names, as other people have pointed out.

    Come on, Valve.

  • by ALpoe on 2/18/14, 1:11 AM

  • by fnordfnordfnord on 2/17/14, 1:39 PM

    >"it seems to be doing something to characters between A-Z, possible making them lowercase) "

    Adding 0x20 to any uppercase ASCII character will get you its lowercase equivalent.

  • by doctorderp on 2/17/14, 1:31 PM

    Sounds like they're just checking if you've visited known cheat sites. Unfortunately the DNS cache is a stupid way to do this since it's open to abuse. Modern browsers will prefetch DNS, so all you'd need to do is put a URL to a known cheat site as a comment somewhere popular in order to get users flagged. Even easier for forums that allow image hotlinking.

    A similar thing was done with PunkBuster: https://en.wikipedia.org/wiki/Punkbuster#Attacks_on_PunkBust... - since it was scanning all of your computer's memory for cheat signatures, you could just paste a fragment on IRC in order to get people banned.

  • by vinceguidry on 2/17/14, 1:05 PM

    If their goal is to see where it's customers are going, hashing the data with MD5 is a very strange way to go about it. Sure you can break the encryption, but unless their favorite activity to do is run expensive compute farms, they're not going to bother.
  • by pferde on 2/17/14, 2:03 PM

    I wonder how they grab contents of DNS cache in Linux client - if they even do that.
  • by Glyptodon on 2/17/14, 4:29 PM

    Can someone explain this to me like I'm an idiot? Is VAC only applicable to certain games? Is it running the entire time Steam is running? Does it watch what websites you visit outside of Steam or only with the Steam browser? Does it do so even when you aren't playing a multiplayer game? If you use private browsing in a normal browser is it still watching? Etc.
  • by adwf on 2/17/14, 12:40 PM

    I hope this isn't true, because I like Valve... IANAL, but I can only imagine this is quite illegal in the EU. No terms or conditions could possibly waive your rights to this extent.

    Maybe that's just my optimism speaking though. Every good company turns bad at some point.

  • by tshadwell on 2/17/14, 12:53 PM

    I can't see any evidence that the hash is sent to any server. I think it is more likely the hash is used to look up the recent websites in a hash table or via a bloom filter.
  • by dubcanada on 2/17/14, 2:31 PM

    Makes sense to me. For example if you play warcraft 3, and you visit Shadow French all the time. You are most likely a hacker. Obviously that doesn't seem to be the only check they do. But it's a very easy one. And they would only need to keep a list of common "game hacking" sites and check it.

    So far there seems to be zero evidence that this is used to send data to valve.

  • by frankster on 2/17/14, 2:51 PM

    Until someone manages to decompile code that shows this data being sent to Valve this is just a pitchfork party.
  • by rincebrain on 2/17/14, 6:16 PM

    Honestly, I'd probably believe this is just a method for validating sanity of DNS for debugging/troubleshooting, as there are far better ways of going about doing almost anything you could think of as a malicious use of this.
  • by wnevets on 2/17/14, 3:22 PM

    So if you visit a game hacking site, you're banned?
  • by kamakazizuru on 2/17/14, 12:31 PM

    is there a way to block this?
  • by ck2 on 2/17/14, 1:44 PM

    Why does ipconfig displaydns even exist?

    Especially at an API level.

  • by hnha on 2/17/14, 3:58 PM

    someone should try a huge list of domains to see if it ends in a ban.
  • by blueskin_ on 2/17/14, 12:59 PM

    cronjob to constantly clear the DNS cache. Problem solved.