cross-posted from: https://lemmy.zip/post/27055106

​Hackers have used new GodLoader malware exploiting the capabilities of the widely used Godot game engine to evade detection and infect over 17,000 systems in just three months.

  • recursive_recursion they/them@lemmy.caOP
    link
    fedilink
    English
    arrow-up
    67
    ·
    edit-2
    30 days ago

    From Rémi Verschelde:

    As the Check Point Research report states, the vulnerability is not specific to Godot. The Godot Engine is a programming system with a scripting language. It is akin to, for instance, the Python and Ruby runtimes. It is possible to write malicious programs in any programming language. We do not believe that Godot is particularly more or less suited to do so than other such programs.

    Users who merely have a Godot game or editor installed on their system are not specifically at risk. We encourage people to only execute software from trusted sources.

    For some more technical details:

    Godot does not register a file handler for “.pck” files. This means that a malicious actor always has to ship the Godot runtime together with a .pck file. The user will always have to unpack the runtime together with the .pck to the same location and then execute the runtime. There is no way for a malicious actor to create a “one click exploit”, barring other OS-level vulnerabilities. If such an OS-level vulnerability were used then Godot would not be a particularly attractive option due to the size of the runtime.

    This is similar to writing malicious software in Python or Ruby, the malicious actor will have to ship a python.exe or ruby.exe together with their malicious program.

    • unexposedhazard@discuss.tchncs.de
      link
      fedilink
      arrow-up
      44
      arrow-down
      1
      ·
      edit-2
      29 days ago

      I think its malicious to even mention Godot in a headline with this weak context. It will confuse and scare people into thinking godot is unsafe. Some stupid people downloading and executing code from a malicious source is not noteworthy enough to justify a headline like this. It almost sounds like godot has a RCE from how clickbaity this headline is written.

      • Kelly@lemmy.world
        link
        fedilink
        English
        arrow-up
        21
        ·
        edit-2
        29 days ago

        This is probably the larger story from the OP link:

        The Stargazers Ghost Network uses over 3,000 GitHub “ghost” accounts to create networks of hundreds of repositories that can be used to deliver malware (mainly information stealers like RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer) and star, fork, and subscribe to these malicious repos to push them to GitHub’s trending section and increase their apparent legitimacy.

        Edit: a bit more info:

        The malicious GodLoader is distributed by the Stargazers Ghost Network, a GitHub network that distributes malware as a service. Throughout September and October, approximately 200 repositories and over 225 Stargazers were used to legitimize the repositories distributing the malware.

        https://research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders/

        My take is that Godot has never claimed to be sandboxed, as long as OS.execute() is enabled by default then running arbitrary code in the user context is trivial. The solution of course is to only run code that you trust.