VAC3 now sends MD5 hashes of your DNS cache entries
55 replies, posted
[t]http://i.imgur.com/z9dppCk.png[/t]
Not sure where this image originated but it's legit. They're unsalted so if you play a VAC game on public wifi someone could totally see your scat fetish sites.
Hmm, interesting. But why does VAC3 do that?
[QUOTE=Bumrang;43930956]Hmm, interesting. But why does VAC3 do that?[/QUOTE]
Possibly checking if you connect to paycheat auth servers by domain name.
time to get owned, rust kiddies
Hardly a bad thing.
[QUOTE=Altimor;43930860]Not sure where this image originated[/QUOTE]1.) It originated from a cheat author. Not an entirely unbiased source.
2.) According to people far, [I]far[/I] smarter than I on both Reddit and SA who have analysed the listed code, it never sends anything anywhere. It fetches, enumerates and MD5s DNS entries, yes, but that's where it ends.
3.) There's no evidence in the provided image that the code is even from VAC in the first place. Combine this with the first point.
Don't go crazy just yet. Alert not alarmed, etc. etc.
[QUOTE=The Kins;43934340]1.) It originated from a cheat author. Not an entirely unbiased source.
2.) According to people far, [I]far[/I] smarter than I on both Reddit and SA who have analysed the listed code, it never sends anything anywhere. It fetches, enumerates and MD5s DNS entries, yes, but that's where it ends.
3.) There's no evidence in the provided image that the code is even from VAC in the first place. Combine this with the first point.
Don't go crazy just yet. Alert not alarmed, etc. etc.[/QUOTE]
Exactly. It seems Altimor didn't really dig through all the comments under the Reddit thread.
I feel like the MD5s would go a ways to help preserve privacy. You can't ungrind meat, etc.
[QUOTE=SGTNAPALM;43937809]I feel like the MD5s would go a ways to help preserve privacy. You can't ungrind meat, etc.[/QUOTE]
The problem is that MD5 is outdated, so there are already dictionaries of known hashes and their values.
[QUOTE=SGTNAPALM;43937809]I feel like the MD5s would go a ways to help preserve privacy. You can't ungrind meat, etc.[/QUOTE]
With MD5 it's more like you can't ungrind salted meat.
[QUOTE=vexx21322;43937876]The problem is that MD5 is outdated, so there are already dictionaries of known hashes and their values.[/QUOTE]
Pretty much no matter the hash algorithm it doesn't matter: I'm just going to hash a bunch of domain names and compare hashes. The only problem I have with the claims is pretty simple:
While this code doesn't push the MD5s anywhere, I wonder what they [i]are[/i] doing with them. Why does IDA have to be so expensive and other C decompilers garbage. :\
The only problem I have with people thinking Valve is pulling this data and then throwing it over the shoulder is that it seems a bit stupid... If I'm doing a local compare, there is no point in hashing it. Just store and compare. However, if I'm passing it to some central database and want to obfuscate the actual values....
Also, while everyone screams and cries that it comes from a hacker site, this seems to be a bunch of hack writers sharing VAC dumps. Pretty cool stuff if you ask me (though the end result sucks).
I'm sitting here staring at the same module and same code from a VAC dump (except mine isn't resolved to winapi calls). I'd like to see a writeup on how the VAC dumps are done so I can independently verify this, though having a bad VAC dump on a site full of people making money off VAC dumps will get your head kicked in rather quickly (some people say you just need to dump the running process, others say it's more involved... hmm...).
-snip-
Here's the [URL="http://www.reddit.com/r/GlobalOffensive/comments/1y0kc1/vac_now_reads_all_the_domains_you_have_visited/"]original source[/URL]:
[QUOTE]Decompiled module: [URL]http://i.imgur.com/z9dppCk.png[/URL] [1]
What it does:
Goes through all your DNS Cache entries (ipconfig /displaydns)
Hashes each one with md5
Reports back to VAC Servers
So the domain reddit.com would be 1fd7de7da0fce4963f775a5fdb894db5 or organner.pl would be 107cad71e7442611aa633818de5f2930 (although this might not be fully correct because it seems to be doing something to characters between A-Z, possibly making them lowercase).
Hashing with md5 is not foolproof; they can be reversed easily nowadays using rainbow tables. So they are relying on a weak hashing function.
You don't have to visit the site; any query to the site (an image, a redirect link, a file on the server) will be added to the DNS cache. And only the domain will be in your cache, no full URLs. Entries in the cache remain till they expire or at most 1 day (might not be 100% accurate), but they don't last forever.
We don't know how long this information is kept on their servers, maybe forever, maybe a few days. It's probably done every time you join a VAC server. It seems they are moving from detecting the cheats themselves to computer forensics, relying on leftover data from using the cheats. This has been done by other anticheats, like PunkBuster, and resulted in false bans. Although I'm not saying they will ban people for simply visiting the site, just that it can be easily exploited. Original thread removed, reposted as self text (eNzyy: Hey, please could you present the information in a self post rather than linking to a hacking site. Thanks)
EDIT1: To replicate this yourself, you will have to dump the VAC modules from the game. VAC modules are streamed from VAC servers and attach themselves to either steamservice.exe or steam.exe (not sure which one). Once you dump it, you can load the dll into IDA and decompile it yourself, then reverse it to find the winapi calls it is using and come to the conclusion yourself. There might be software/code out there to dump VAC modules, but it's not an easy task. And on a final note, you shouldn't trust anyone with your data, even if it's Valve. At the very least they should have a clear privacy policy for VAC.
EDIT2: Here is that VAC3 module: [URL]http://www.speedyshare.com/ys635/VAC3-MODULE-bypoink.rar[/URL][2] It's a dll file; you will have to do some work to reverse it yourself (probably by using IDA). VAC does a lot of work to hide/obfuscate their modules.
[/QUOTE]
This guy is CLAIMING that vac is doing this. There's nothing in that code that indicates vac is actually sending the info back to valve. VAC is most likely doing a local compare with known cheat websites.
Also, here's our lord and savior, [URL="http://www.reddit.com/r/gaming/comments/1y70ej/valve_vac_and_trust/"]Gaben's response[/URL]:
[QUOTE]Trust is a critical part of a multiplayer game community - trust in the developer, trust in the system, and trust in the other players. Cheats are a negative sum game, where a minority benefits less than the majority is harmed. There are a bunch of different ways to attack a trust-based system including writing a bunch of code (hacks), or through social engineering (for example convincing people that the system isn't as trustworthy as they thought it was). For a game like Counter-Strike, there will be thousands of cheats created, several hundred of which will be actively in use at any given time. There will be around ten to twenty groups trying to make money selling cheats. We don't usually talk about VAC (our counter-hacking hacks), because it creates more opportunities for cheaters to attack the system (through writing code or social engineering). This time is going to be an exception. There are a number of kernel-level paid cheats that relate to this Reddit thread[1] . [B]Cheat developers have a problem in getting cheaters to actually pay them for all the obvious reasons, so they start creating DRM and anti-cheat code for their cheats. These cheats phone home to a DRM server that confirms that a cheater has actually paid to use the cheat. VAC checked for the presence of these cheats. If they were detected VAC then checked to see which cheat DRM server was being contacted. This second check was done by looking for a partial match to those (non-web) cheat DRM servers in the DNS cache. If found, then hashes of the matching DNS entries were sent to the VAC servers. The match was double checked on our servers and then that client was marked for a future ban. Less than a tenth of one percent of clients triggered the second check. 570 cheaters are being banned as a result.[/B]
Cheat versus trust is an ongoing cat-and-mouse game. New cheats are created all the time, detected, banned, and tweaked. This specific VAC test for this specific round of cheats was effective for 13 days, which is fairly typical. It is now no longer active as the cheat providers have worked around it by manipulating the DNS cache of their customers' client machines.
Kernel-level cheats are expensive to create, and they are expensive to detect. Our goal is to make them more expensive for cheaters and cheat creators than the economic benefits they can reasonably expect to gain. There is also a social engineering side to cheating, which is to attack people's trust in the system. If "Valve is evil - look they are tracking all of the websites you visit" is an idea that gets traction, then that is to the benefit of cheaters and cheat creators. VAC is inherently a scary looking piece of software, because it is trying to be obscure, it is going after code that is trying to attack it, and it is sneaky. For most cheat developers, social engineering might be a cheaper way to attack the system than continuing the code arms race, which means that there will be more Reddit posts trying to cast VAC in a sinister light. Our response is to make it clear what we were actually doing and why with enough transparency that people can make their own judgements as to whether or not we are trustworthy.
Q&A
1) Do we send your browsing history to Valve? No.
2) Do we care what porn sites you visit? Oh, dear god, no. My brain just melted.
3) Is Valve using its market success to go evil? I don't think so, but you have to make the call if we are trustworthy. We try really hard to earn and keep your trust.
[/QUOTE]
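Added example (not code from this thread, the Reddit post or Valve) showing what an unsalted MD5 of DNS cache entries does and does not protect, the point argued above about "hash a bunch of domain names and compare hashes" and about salting. The cache entries and the candidate domain list are constructed; the lowercase-before-hashing step is the Reddit post's guess, assumed here.

```python
import hashlib

# Constructed sample DNS cache in the style of "ipconfig /displaydns" record
# names (example entries only, not a capture from any real machine).
SAMPLE_DNS_CACHE = [
    "Reddit.com.",
    "www.example.com.",
    "cdn.example.net.",
    "xk7q-unknown-host.invalid.",
]

# Constructed candidate list. Domain names are low-entropy, so whoever holds
# the hashes only needs a list of names to test against them.
CANDIDATE_DOMAINS = ["reddit.com", "www.example.com", "cdn.example.net", "organner.pl"]


def normalize(name: str) -> str:
    """Lowercase and drop the trailing dot so 'Reddit.com.' and 'reddit.com'
    hash identically (assumed normalization, as guessed in the Reddit post)."""
    return name.rstrip(".").lower()


def md5_hex(name: str) -> str:
    """Unsalted MD5 of a normalized cache entry, as the thread describes."""
    return hashlib.md5(normalize(name).encode("ascii")).hexdigest()


def hash_cache(entries):
    """One unsalted MD5 per cache entry: the data a client would hold or send."""
    return [md5_hex(e) for e in entries]


def build_lookup(candidates):
    """Map hash -> domain for every candidate: the 'dictionary' the hashes
    can be checked against. No cracking is needed, only a lookup."""
    return {md5_hex(c): normalize(c) for c in candidates}


def reverse_hashes(hashes, candidates):
    """Recover the plaintext for every hash on the candidate list.
    Returns (recovered: hash -> domain, unknown: hashes not on the list)."""
    lookup = build_lookup(candidates)
    recovered = {h: lookup[h] for h in hashes if h in lookup}
    unknown = [h for h in hashes if h not in lookup]
    return recovered, unknown


def salted_md5_hex(name: str, salt: bytes) -> str:
    """Per-client salt: the same candidate lookup no longer matches for a third
    party (e.g. someone on the same wifi). Whoever knows the salt, such as the
    server the hashes are sent to, can still build the lookup."""
    return hashlib.md5(salt + normalize(name).encode("ascii")).hexdigest()
```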
Yeah a friend of mine and myself were discussing how it may be a multi-tiered approach on Sunday, but it'll take a lot of very intensive digging to find out. Glad to hear that this is more of the case and that Valve wasn't so tight-lipped about this one (which I can understand why you'd want to be).
However that doesn't clear the Rust forums that were exploding with basically "the hackers are lying" (which the original post on the hacker site with the VAC dumps never said anything about uploading, just that they're gathering for some reason) and any other defense of "well hackers are all just lying shady people that don't know how to program". At the end of the day that WAS a VAC module (I had grabbed one of them and threw it through a decompiler to get more or less the same code), it does do what the code states it does, it just only had done it under specific conditions.
Pretty much wrote that entire forum section off as retarded at this point (I know I know, it's Rust and consists of 99% armchair IT expert 12 year olds that "know how to Google", should have known).
So because we assumed a hack site had ulterior motives and demanded an account from an unbiased source, and code was pasted at random, we're supposed to assume that Valve is evil or we're retarded.
Ok.
Real fine journalism skills you've got there.
The code was said to hash your DNS records and send them to Valve. It doesn't do that. If cheats are detected, it goes through your DNS cache and hashes until it finds those cheat server IPs and sends that to Valve.
Those are two very different, if broadly similar, things, and saying one is the other is dishonest at worst, misguided and working on incomplete information at best.
[QUOTE=elixwhitetail;43960178]So because we assumed a hack site had ulterior motives and demanded an account from an unbiased source, and code was pasted at random, we're supposed to assume that Valve is evil or we're retarded.
Ok.
Real fine journalism skills you've got there.
The code was said to hash your DNS records and send them to Valve. It doesn't do that. If cheats are detected, it goes through your DNS cache and hashes until it finds those cheat server IPs and sends that to Valve.
Those are two very different, if broadly similar, things, and saying one is the other is dishonest at worst, misguided and working on incomplete information at best.[/QUOTE]
What ulterior motives would a hack site have? Think that through.
[QUOTE=Altimor;43965955]What ulterior motives would a hack site have?[/QUOTE]To discredit the system that makes their lives harder and work costlier? Come on, at least [i]pretend[/i] you're paying attention.
[QUOTE=The Kins;43967228]To discredit the system that makes their lives harder and work costlier? Come on, at least [i]pretend[/i] you're paying attention.[/QUOTE]
You still aren't thinking it all the way through. What would they gain from discrediting it? It also does neither of the above. Anticheats are the sole reason pay2cheat sites make money.
"What would they gain from discrediting it?"
Cause backlash against perceived privacy invasions to force Valve to remove it?
Edit: This very thread was you claiming Valve is monitoring your browsing habits and exposing them.
[QUOTE=TheDecryptor;43967293]"What would they gain from discrediting it?"
Cause backlash against perceived privacy invasions to force Valve to remove it?
Edit: This very thread was you claiming Valve is monitoring your browsing habits and exposing them.[/QUOTE]
This is once again actually counterproductive for a cheat site. Put defenses against it in your own cheat and hopefully other sites' cheats get hit by banwaves.
[QUOTE=Altimor;43967310]This is once again actually counterproductive for a cheat site. Put defenses against it in your own cheat and hopefully other sites' cheats get hit by banwaves.[/QUOTE]
Cause distrust in the anticheat. People stop running VAC-secured servers - they might be TAKING your DNS CACHE! People demand Valve remove VAC. Developers stop adding VAC to their games.
[QUOTE=supersnail11;43967345]Cause distrust in the anticheat. People stop running VAC-secured servers - they might be TAKING your DNS CACHE! People demand Valve remove VAC. Developers stop adding VAC to their games.[/QUOTE]
You've ignored what I said before. If people stopped running VAC secured servers you could just download any public cheat with no risk of ban. Anticheats help pay2cheat sites.
[QUOTE=Altimor;43967256]Anticheats are the sole reason pay2cheat sites make money.[/QUOTE]They're also, as mentioned in Gabe's response, fairly expensive and time-consuming to bypass at the level that's being discussed (Kernel-level cheats?! Jeeee-zus.), and considering that these cheats have to have [I]their own intricate DRM systems[/I], it at least seems from an outsider's point of view that getting your investment into such work back is difficult at the best of times.
Scuttlebutt, in comparison, is much cheaper, spreads further, and can sow distrust in the system that forces you to reinvent the wheel once a month.
their specific income advantage is in a VAC-undetected hack - the last thing they'd want is for VAC to be removed because it would take their income with it.
anticheats make hacking much harder -> not everyone can make hacks anymore -> a need for specialized products arises -> pay2win hacks profit
[QUOTE=Juniez;43967701]their specific income is in a VAC-undetected hack - the last thing they'd want is for VAC to be removed because it would take their income with it.[/QUOTE]Without a core central anticheat, a bunch of smaller, decentralized, [I]crappier[/I] fan-run anticheats would step in and try and do the same job with less success. Just look at old games like Tribes 2 and UT99.
What looks better on your sales page: That your fancy subscription product beats [I]one[/I] anticheat, or that it beats [I]all[/I] of them?
[QUOTE=The Kins;43967736]Without a core central anticheat, a bunch of smaller, decentralized, [I]crappier[/I] fan-run anticheats would step in and try and do the same job with less success. Just look at old games like Tribes 2 and UT99.
What looks better on your sales page: That your fancy subscription product beats [I]one[/I] anticheat, or that it beats [I]all[/I] of them?[/QUOTE]
and now you have to work around all of the anticheats instead of just one - you have to reinvent 20 wheels every month
and on top of that (since fan-run anticheats are easier to circumvent) cheaper or free alternatives arise and people don't really care which hacks work [I]better[/I] as long as they can spam chat and headshot from miles away
[QUOTE=The Kins;43967736]Without a core central anticheat, a bunch of smaller, decentralized, [I]crappier[/I] fan-run anticheats would step in and try and do the same job with less success. Just look at old games like Tribes 2 and UT99.
What looks better on your sales page: That your fancy subscription product beats [I]one[/I] anticheat, or that it beats [I]all[/I] of them?[/QUOTE]
Crappier still means more cheat sites. The only people who'd want that are subpar cheat programmers, and I'm guessing whoever was reversing VAC3 wasn't a subpar cheat programmer. It seems counterintuitive but a good anticheat is very beneficial to high tier paycheat sites. It literally kills competition for you.
[QUOTE=Juniez;43967749]and now you have to work around all of the anticheats instead of just one - you have to reinvent 20 wheels every month
and on top of that (since fan-run anticheats are easier to circumvent) cheaper or free alternatives arise and people don't really care which hacks work [I]better[/I] as long as they can spam chat and headshot from miles away[/QUOTE]Such fan-anticheats would, on account of being developed by fans in their spare time and not a full-time team, not necessarily update with any real regularity or consistency. As a result, paid cheat authors could more easily "cover all the bases" and justify the price with quality-of-life features and/or new and interesting ways to piss other players off.
[QUOTE=Altimor;43967781]Crappier still means more cheat sites. The only people who'd want that are subpar cheat programmers, and I'm guessing whoever was reversing VAC3 wasn't a subpar cheat programmer. It seems counterintuitive but a good anticheat is very beneficial to high tier paycheat sites. [b]It literally kills competition for you.[/b][/QUOTE]
[i]"What I'm trying to say is VAC will literally slaughter anyone who tries to step up to the best cheaters in town with their low-tier programming skills. It will painfully destroy them within the physical realm. Literally."[/i]