
Malware Found in Tequila Launcher Connection



Hey all, just a PSA. I posted this message as a response to the installation guide under announcements as well.

When I executed "tequila.exe," I was informed of a virus/malware install called "EK-Trickbot-malspam." This particular threat is very dangerous.

[Screenshot of the antivirus alert, attached as unknown.png]

 

You can learn more about "Trickbot" here.

https://www.cisecurity.org/white-papers/security-primer-trickbot/

 

Traditional Trickbot infections steal financial information.

 

"TrickBot is a modular banking trojan that targets user financial information and acts as a dropper for other malware. It uses man-in-the-browser attacks to steal financial information, such as login credentials for online banking sessions. The malware authors are continuously releasing new modules and versions of TrickBot."

 

 

Please exercise caution until this is explained or rectified.

 

Regards,

Paw

 


You are scanning the file, not the connection it makes.

 

If you observe the picture I included (not being toxic) the Tequila was redirected from its original connection point.

 

Thank you for your response.


Is there another virus checker that performs a similar check? While it's certainly within the realm of possibility that some server that Tequila is connecting to could, at some point, have had a malware infection, Tequila has been in use for years without any issues. Moreover, it's not a web browser and I'd be surprised if there's any opportunity for a "man in the middle" attack to even work. It doesn't send personal information. It doesn't download, install, or even support any kind of browser extensions. It just downloads client files and launches the client you choose. It doesn't actually do anything that malware of the sort your virus checker is describing could exploit.

 

It seems way more likely to be a false positive.


This is very interesting information. In light of the fact there have been multiple threads on this topic, it may be important to have a red name chime in on this. I am sure that many of us, even those who are savvy in such venues, get that twitchy dread feeling in the gut at even the mention of malware.

 

Would it be possible to have this addressed by a Dev?

 

Thanks so much, homecoming team!


I respect your reply. The executable is fine. The connection is not.

 

While the screenshot shows it as being a detected threat, there really are no details about the connection to make the determination of whether it is in fact compromised or if it is a false positive. There are no details on it about the destination of the connection there. Dismissing that it is a false positive based on your screenshot is not really out of hand considering it is a known possible outcome. I will say, as someone who works in cybersecurity, most patchers function like malware, connecting to a command and control point to pull down files. And it is good that you are hesitant to just accept it. Since this is not an official launcher backed by a company, that certainly is a concern, and when you receive something like this, you have to investigate it more than just accept that it is ok or even that it is bad. The real question here is: where is the connection going? Is it the manifest site listed here as being official? Or is it somewhere else?


Tequila downloads Homecoming patch files from 4 different mirrors. I would need to know which of the mirrors is being considered malicious in order to see why it's complaining. You can just view the manifest http://www.savecoh.com/manifest.xml with a web browser in order to see exactly which files it's trying to download and from where.

 

The whole message saying the "connection" is malicious is pure FUD. It's a standard HTTP download on port 80. There's absolutely nothing that the connection can do to your computer; it doesn't establish a two-way connection or open any ports. That antivirus is just trying really hard to prove it's useful and doesn't care much if it hits false positives.

 

A possible reason is that one of the mirrors is on a shared host, which shares the IP address with a multitude of other sites, and at some point someone downloaded a virus from one of those, therefore the whole IP was thrown out as malicious. That's a blind guess, but it's the kind of overkill that AV companies are engaging in in order to try to convince people that they detect "more" threats than the competition.

  • Retired Game Master

I also went ahead and installed your security product to see if it would give me the same result when running Tequila or even the game itself; however, no warning on my end. So whatever concerns remain after the explanation above, it is not an automatically reproducible warning.

> Tequila downloads Homecoming patch files from 4 different mirrors. I would need to know which of the mirrors is being considered malicious in order to see why it's complaining. You can just view the manifest http://www.savecoh.com/manifest.xml with a web browser in order to see exactly which files it's trying to download and from where.
>
> The whole message saying the "connection" is malicious is pure FUD. It's a standard HTTP download on port 80. There's absolutely nothing that the connection can do to your computer; it doesn't establish a two-way connection or open any ports. That antivirus is just trying really hard to prove it's useful and doesn't care much if it hits false positives.
>
> A possible reason is that one of the mirrors is on a shared host, which shares the IP address with a multitude of other sites, and at some point someone downloaded a virus from one of those, therefore the whole IP was thrown out as malicious. That's a blind guess, but it's the kind of overkill that AV companies are engaging in in order to try to convince people that they detect "more" threats than the competition.

 

The Man himself!

 

Firstly, my gratitude for your efforts and passion are truly inexpressible in mere words! Thank you so much for everything.

 

Thanks for the personal attention and timely reply to this, your attention is more than appreciated.


> Tequila downloads Homecoming patch files from 4 different mirrors. I would need to know which of the mirrors is being considered malicious in order to see why it's complaining. You can just view the manifest http://www.savecoh.com/manifest.xml with a web browser in order to see exactly which files it's trying to download and from where.
>
> The whole message saying the "connection" is malicious is pure FUD. It's a standard HTTP download on port 80. There's absolutely nothing that the connection can do to your computer; it doesn't establish a two-way connection or open any ports. That antivirus is just trying really hard to prove it's useful and doesn't care much if it hits false positives.
>
> A possible reason is that one of the mirrors is on a shared host, which shares the IP address with a multitude of other sites, and at some point someone downloaded a virus from one of those, therefore the whole IP was thrown out as malicious. That's a blind guess, but it's the kind of overkill that AV companies are engaging in in order to try to convince people that they detect "more" threats than the competition.

 

4 different mirrors? Looking through that file I see over 8 depending on which files are being downloaded from. cityofheroes.exe has 10 mirrors listed, for example. Not to say this isn't a false positive, but with that many mirrors it can also be possible that one of them gets hijacked.

  • City Council

> > Tequila downloads Homecoming patch files from 4 different mirrors. I would need to know which of the mirrors is being considered malicious in order to see why it's complaining. You can just view the manifest http://www.savecoh.com/manifest.xml with a web browser in order to see exactly which files it's trying to download and from where.
> >
> > The whole message saying the "connection" is malicious is pure FUD. It's a standard HTTP download on port 80. There's absolutely nothing that the connection can do to your computer; it doesn't establish a two-way connection or open any ports. That antivirus is just trying really hard to prove it's useful and doesn't care much if it hits false positives.
> >
> > A possible reason is that one of the mirrors is on a shared host, which shares the IP address with a multitude of other sites, and at some point someone downloaded a virus from one of those, therefore the whole IP was thrown out as malicious. That's a blind guess, but it's the kind of overkill that AV companies are engaging in in order to try to convince people that they detect "more" threats than the competition.
>
> 4 different mirrors? Looking through that file I see over 8 depending on which files are being downloaded from. cityofheroes.exe has 10 mirrors listed, for example. Not to say this isn't a false positive, but with that many mirrors it can also be possible that one of them gets hijacked.

 

i24 comes from a whole bunch of different mirrors, but the Homecoming files are only sourced from 4 of them. That being said, it's still quite possible that something got hijacked... but other explanations are much more likely, given that this is the only place this issue has been reported.

"We need Widower. He's a drop of sanity in a bowl of chaos - very important." - Cipher
 
Are you also a drop of sanity in a bowl of chaos? Consider applying to be a Game Master!

> Hey all, just a PSA. I posted this message as a response to the installation guide under announcements as well.
>
> When I executed "tequila.exe," I was informed of a virus/malware install called "EK-Trickbot-malspam." This particular threat is very dangerous.
>
> [Screenshot of the antivirus alert, attached as unknown.png]
>
> You can learn more about "Trickbot" here.
>
> https://www.cisecurity.org/white-papers/security-primer-trickbot/
>
> Traditional Trickbot infections steal financial information.
>
> "TrickBot is a modular banking trojan that targets user financial information and acts as a dropper for other malware. It uses man-in-the-browser attacks to steal financial information, such as login credentials for online banking sessions. The malware authors are continuously releasing new modules and versions of TrickBot."
>
> Please exercise caution until this is explained or rectified.
>
> Regards,
>
> Paw

 

I'm using ESET NOD32 Anti-Virus 12, and I downloaded and installed Tequila and City of Heroes just fine. ESET NOD32 has even run a couple of thorough anti-virus scans since then. Nothing.

Hello,

 

I believe this is picking up traction from a lot of sources and this is personally something I'd find worrisome, and for any other potential future players. Is this pretty much determined to be a false positive? My friends and I are running into this, and if this is real, it's way more important to care about that than playing a video game we all love.

Is this something that can just start occurring during instances of recent updates? I'm not knowledgeable in something like this. For instance, is it possible that old downloads/updates can be free from this virus but after the "infected date" everyone downloading/updating after that date would be downloading this file?

 

Looking forward to more responses. Hopefully my friends and I can hop into the action soon!

 

 


Hi, security specialist here. The type of malware reported in the comment is a man-in-the-middle/redirector malware, not an injection-type virus. That means it installs itself onto your system and then hijacks other programs' web traffic to spy on them. It does not infect programs like Tequila.

 

In fact, the message posted in the screenshot says that the Tequila connection is being redirected, not that Tequila is malicious.

 

If Trickbot IS intercepting the connection, then it means that the PC running Tequila is infected, not Tequila itself. If the machine is infected, then opening a file browser and typing in "%appdata%\roaming\modules" without the quotes will show you a directory called "injectdll32_configs".

Trickbot had a number of command and control hosts that it connected to when running, and ESET may just be reacting to one of the IPs. Seeing as Trickbot is a three-year-old malware, it is possible that one of the IPs it was using back in the day has been re-used for some of the Homecoming infrastructure by the hosting company without the team knowing about it.

> In fact, the message posted in the screenshot says that the Tequila connection is being redirected, not that Tequila is malicious.

 

And whether or not the OP hit on a false positive, that is something that should probably be looked into. At minimum, the manifest.xml and the downloadable files listed in it should be served over HTTPS to provide some additional protection against MITM attacks.


Thank you for the replies!

 

I can understand that Tequila is not the source of this kind of infection. What would be the best approach in regards to this connection? I'll give some examples from my own scenario that maybe can help contribute to figuring this out.

1. Games in my household are played on designated computers that are primarily used for gaming. The first install of the launcher was on a refreshed PC that hasn't even been used since the refresh. The flowchart would essentially be me installing a different default browser of choice. I always install antivirus and Malwarebytes as extra measures. Lastly, this leads into going straight into Tequila and the game update. I have good browsing habits and in this scenario, I avoided all sorts of means to interact with a virus from a different source. In my own thoughts, I would assume this was picked up from updating the game. My knowledge of how the launcher applies updates is something I wouldn't be able to give a comment on. This is why I ask if people who installed the updates on the 7th or later are the only ones experiencing this.

2. The second computer definitely is not fresh and has use, but my whole family practices good browsing habits. The computers are set up with everything to prevent viruses and the like from reaching into any of our computers. The first attempt at downloading the game was on the fresh computer. The second attempt was on this one, but I ran into the same occurrence. If it's not the launcher itself, then this has something to do with the connection (again, with my own thoughts). Definitely something is up.

If it's possible, I think getting a couple of people to go through the whole install process with Tequila would potentially be a strategy in identifying this problem. Thankfully, the computers used were not the primary ones and don't really have applicable uses for important things. But as I mentioned before, this is potentially something super important that needs to be figured out. I've run into games before where some occurrences happened, but it's safe to assume this is indirectly happening from some unknown source. For playing the game, we can press on, but I feel like this should be looked into. I would definitely love to get this game running on the better computers, which is why I'm asking if this is something we can safely ignore or something we should wait to figure out.

 

I appreciate the time. Hopefully we can figure this out!


It looks like Tequila logs its download activity in the TequilaActivityLog file in the Tequila directory. Anybody experiencing the problem should probably try to see the last download attempted in that file, or whether there are any errors attempting to download files (assuming your security software is stopping the download).

It would probably also be a good idea to then check the IP address of the download site on that same computer, just in case something is mis-resolving the hostname to a malicious site. For example, if the failed download was from "blah.blah.com" you would want to fire up a cmd prompt and check what IP is returned by "nslookup blah.blah.com".

It's certainly also possible that a.) some of these security packages have mistakenly tagged some of these IPs as hosting malicious content or even that b.) some of these sites are actually hosting malicious content (or, as was already pointed out, hosted bad content in the past). That doesn't necessarily mean that Tequila is actually downloading bad content. But the first step is to try to figure out what site / IP address is being flagged by the security software.

 

If you just want to quickly get around the error, presumably you could just point Tequila to a customized manifest file that doesn't include the site your software is flagging.

 

Although, FWIW - I ran all the Tequila mirror URLs through Trend Micro's Malicious URL list and through ThreatMine and didn't get any untoward results.
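The manual checks suggested in this thread (read the manifest to see which mirrors serve which file, resolve each mirror host to see which IP the AV might be reacting to and whether several mirrors share one address, note which mirrors are plain HTTP, and confirm a downloaded file matches what the manifest lists) can be scripted. The following is an added example, not Tequila's or Homecoming's own code; it assumes a manifest layout of `<filelist><file name size md5><url>...</url></file></filelist>`, and the mirror hosts, sizes and hashes in the embedded sample are constructed.

```python
import hashlib
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample in the assumed shape of a Tequila manifest. Hosts, sizes
# and md5 values are made up; this is not the real Homecoming manifest.
SAMPLE_MANIFEST = """<manifest>
  <filelist>
    <file name="cityofheroes.exe" size="3" md5="900150983cd24fb0d6963f7d28e17f72">
      <url>http://mirror-a.example/cityofheroes.exe</url>
      <url>https://mirror-b.example/cityofheroes.exe</url>
      <url>http://mirror-c.example/cityofheroes.exe</url>
    </file>
    <file name="piggs/bin.pigg" size="3" md5="900150983cd24fb0d6963f7d28e17f72">
      <url>http://mirror-a.example/piggs/bin.pigg</url>
    </file>
  </filelist>
</manifest>"""


def mirrors_by_file(manifest_xml):
    """Map each file name in the manifest to its list of mirror URLs."""
    root = ET.fromstring(manifest_xml)
    return {f.get("name"): [u.text.strip() for u in f.findall("url")]
            for f in root.iter("file")}


def audit_mirrors(manifest_xml, resolve=socket.gethostbyname_ex):
    """Group mirror hosts by resolved IP and list hosts served over plain HTTP.
    `resolve` is injectable so the audit can run offline; default is live DNS."""
    schemes = {}
    for urls in mirrors_by_file(manifest_xml).values():
        for url in urls:
            p = urlparse(url)
            schemes.setdefault(p.hostname, set()).add(p.scheme)
    plain_http = sorted(h for h, s in schemes.items() if "http" in s)
    hosts_by_ip = {}
    for host in schemes:
        try:
            ips = resolve(host)[2]  # gethostbyname_ex -> (name, aliases, ips)
        except OSError:
            ips = []  # unresolvable mirror: worth a closer look on its own
        for ip in ips:
            hosts_by_ip.setdefault(ip, set()).add(host)
    return plain_http, hosts_by_ip


def verify_download(manifest_xml, name, data):
    """True only if `data` matches the size and md5 the manifest lists for `name`."""
    for f in ET.fromstring(manifest_xml).iter("file"):
        if f.get("name") == name:
            return (int(f.get("size")) == len(data)
                    and f.get("md5").lower() == hashlib.md5(data).hexdigest())
    return False
```

Run `audit_mirrors` against the real manifest text to see the same host/IP picture a cmd-prompt `nslookup` would give, one mirror at a time; a file that fails `verify_download` against the manifest's own size and md5 is the signal that a mirror actually served something other than the expected patch content.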
