I Found Malware in a BeamNG Mod

https://lemonyte.com/blog/beamng-malware

166•davikr•1d ago

Comments

davikr•1d ago

This is the second time (we know of) BeamNG.drive being exploited due to bad security practices - the first time, disabling ASLR [0], leading to Disney being hacked, this time, disabling CEF sandboxing. It is weird to see them go out of their way to disable conventional security features on their product.

[0]: https://news.ycombinator.com/item?id=41063489

pixl97•1d ago

>It is weird to see them go out of their way to disable conventional security features on their product

Honestly with most developers I know, unless they also have a strong security background, it's not weird or surprising at all. Security features (almost?) never make debugging easier. When confronted with a failure that presents challenges devs will disable things that limit access or otherwise randomize the output in order to catch the problem and then 'hopefully' come tighten it back up when they are done. Unfortunately the second part rarely happens unless you have security auditors follow you around.

pjmlp•18h ago

That is why then there are folks like me, complaining in code reviews, or adding configurations into the CI/CD pipeline.

However it is indeed a quixotic battle in some scenarios, regarding security best practices.

LegionMammal978•1d ago

I'd imagine by the time your program's security is critically reliant on ASLR and process-level sandboxing, you're already in deep trouble, since any given minor update may turn existing holes into viable exploits. It will only slow down the rate of attacks at best.

The lesson I'd take here is "don't embed a web browser to run untrusted code unless you can keep it up to date 24/7". Hence the popularity of Lua interfaces for mods. Or even the alternative JS engines built for such purposes.

ortichic•20h ago

I had forced ASLR on in windows for a while... You'd be surprised how much stuff breaks with that. Almost feels like more is broken than not. Just to name a few: MinGW (including git for windows), Unity, Whatever installer Framework Signal and some others use, some Anti-Cheats

pjmlp•18h ago

One could be using the safest programming language in the world, if the culture doesn't get the point, it doesn't matter how safe it can be.

everdrive•1d ago

But did the malware do anything significant through proton to the host OS?

fifteen1506•1d ago

I hate malware. I found two Android apps using an obfuscator loaded via JNI (libjiagu_64.so) which crashes on startup (on GrapheneOS) and I am at a loss at what to do next which doesn't involve send reports into the void hoping it reaches an human with the time, skills and willingness to check what is really going on.

Summary: https://user934.com/2025/04/29/investigating-suspicious-beha...

Cloudef•16h ago

That sounds familiar, I used <https://github.com/Cloudef/android2gnulinux> to reverse one libjiagu program in past. The deobfuscated code eventually ends up in the ram, and you can then extract it.

ThePowerOfFuet•14h ago

>Disclaimer: This blog post was written by Gemini, a large language model from Google AI, specifically the Gemini Pro model. My knowledge cutoff is June 2024. The information provided is based on my understanding and should not be taken as definitive professional advice.

I encourage you to cease contributing to the enshittification of the web.

Also, what did you expect from cheap no-name IoT shit? As we say, the S in IoT stands for Security...

fifteen1506•14h ago

I'm sorry I don't earn enough to hire a maid but still like to write blog posts :(

fifteen1506•12h ago

Ok I could have been less snarky.

What I meant is, I have ideas I like to explore but a two-liner blog post won't entice anyone.

For example on https://user934.com/2025/04/22/securing-home-and-smb-network... I mix several ideas together and define the test plan (chapter 5), and let LLM fill in the blanks. Plus I clearly identify it as mostly written by LLM, which is better than most SEO garbage spam. So I think I've achieved a good compromise.

techbrovanguard•10h ago

you’ve taken a slightly smaller shit on the floor than the seo slop factory next to you. do you want a medal?

TZubiri•21h ago

Unrelated, on mobile, background is quickly oscilating colours giving an epileptic vibe

yomismoaqui•15h ago

Seen the same on Android Chrome, for a moment I thought my screen was wrong.

r4indeer•9h ago

Firefox on Android seems to be unaffected.

tetris11•7h ago

It seems to scroll very jittery though

abhisek•21h ago

Still trying to understand - Did the mod developers intentionally shipped malicious code or they were compromised by some external attacker to target the downstream users?

throwaway314155•19h ago

The author indicates that the mod authors' account was "likely compromised" indicating a bad actor took over their account somehow, perhaps made easier by prolonged inactivity?

I don't think the author of this piece found it useful to speculate though and I have to agree. No need to break out pitch forks - let those involved get to the bottom of it.

lionkor•17h ago

I worked on BeamMP[0][1], for 5 years, both as a project manager and lead developer for the server and client. BeamMP is a wildly popular multiplayer mod for BeamNG (1M registered players, always at least 3k concurrent players, also it's AGPL licensed). I left the team this year, but I can tell you: Mods, if they manage to break the sandbox in any way, can do anything, and the BeamNG sandbox will never be perfect. To their credit, the BeamNG devs have hired people from the community who do a lot of security research, and they have found numerous issues and fixed them before they could be exploited.

We have seen prototypes that can make network requests out of the sandbox, call winapi functions, and do anything else with the same privileges as the game, which, worst case, is admin because players like running things as administrator. All of those exploits are fixed, now.

The issue remains one of the largest problems in the community, and sites that are well known for distributing mods with malware (which is pretty common) are at the top of Google search results.

BeamMP allows mods on servers, which causes clients to download and then execute code from those mods. That's a huge attack vector and BeamMP has been working hard to warn users and to come up with ways to prevent problems; but without funding (BeamMP is free) there is a limit on what can be done. The infrastructure costs already are sky high for supporting the crazy amount of users they have.

Sadly, everyone involved loves NDAs - I can only hope that companies start doing writeups, but I doubt it. So that's all the inside info I can give ;)

[0] https://beammp.com

[1] https://GitHub.com/BeamMP

snickerbockers•15h ago

I'm not familiar with lua, but when it's embedded as a scripting engine is it really just allowed to import whatever packages it wants and have full access to the host computer's resources? If so it seems like a really poor fit for any game that intends to have user-created mods (and yes I'm aware that it's one of the most popular scripting engines in gamedev-land and has been for about two decades).

I remember when FPS games first embraced the mod community back in the late 90s many of them had their own dedicated scripting engines (QuakeC, UnrealScript, later quake 3 arena had "real" c programs but they were compiled to a custom bytecode interpreter) that didn't have free reign over anything but the game state and that seems like a much better way to do things. Games used to have options to let you automatically download requisite mods from servers and it was safe to do so, at least in theory. I have no doubt that at some point in time there was a ROP vulnerability that could've been used to turn this into a devastating malware vector but at least then the scripting engine wouldn't be functioning as designed.

whatevaa•13h ago

Pretty sure it was not safe, people just cared less.

darkmighty•12h ago

Indeed before online banking and widespread online shopping there wasn't much to care for in computer security. Also before ransomware were invented. I guess the biggest application was stealing passwords (and an occasional credit card #), botnets for DDoSing game servers and such, in which case user wasn't much affected. Nowadays specially with crypto wallets you can get crazy essentially unbounded prizes, maybe millions. Don't do cryptocurrency, kids (unless losing all your funds is the least of your concerns[0]).

[0] Like you're some kind of activist or maybe in an oppressive regime

lionkor•7h ago

You can lock down Lua, but you need ffi to achieve really good performance. This is what BeamNG.drive does, and that does theoretically open up the sandbox quite a bit. Suddenly you allow Lua to call C++ functions, and naturally vice versa. That could be a problem, and that's not the end of it, the Lua standard library (if you wanna call it that) contains io, command execution, etc. so you need to be selective about what you allow mods to do, while still making it possible for people to make mods.

In short; you need to give Lua power over your program in some way, and that's the weak link. Lua itself can run with zero access to the world, but then you have nothing more than a calculator or config file.

registeredcorn•11h ago

I don't have anything meaningful to add to the discussion, but just wanted to say "Thanks!" to you, and the work that the Beam people have done to try and keep things as secure as they can. It'll never be perfect, but doing that work is important, and if it's done correctly the end user doesn't even know you did anything at all.

It's also really good to hear such an open and direct description of how things were/are, too. Clarity defeats the risks around obscurity of the unknowns. When the general public is given more info to work off of, they have a better idea of where the risks are, and how they can defend from, or if they are malicious - attack from, accordingly. The sharing of that information simply works to define what the areas of concern are for everyone involved.

sonofhans•3h ago

Thank you! My kid is one of the million. It’s a great mod. It took us a minute to figure out that it really is free.

Is there a business model? Just Patreon? It seems unbelievable that’s enough.

Cloudef•16h ago

Why is CEF used without sandbox?

lopanapol•12h ago

nice

Redis is open source again

Third Party Cookies Must Be Removed

The Day Anubis Saved Our Websites from a DDoS Attack

Claude Integrations

Mike Waltz Accidentally Reveals App Govt Uses to Archive Signal Messages

Felix86: Run x86-64 programs on RISC-V Linux

Chrome Origin Trial: Device Bound Session Credentials

Ask HN: Who is hiring? (May 2025)

The Anti-Capitalist Case for Standards

LLMs for Engineering: Teaching Models to Design High Powered Rockets

Show HN: CapOS – A responsibility-gated OS stack with signed process execution

Show HN: Kubetail – Real-time log search for Kubernetes

A faster way to copy SQLite databases between computers

Llasa: Llama-Based Speech Synthesis

DECtalk Archive

Ask HN: Who wants to be hired? (May 2025)

Offline-First with CouchDB and PouchDB in 2025

Blood droplets on inclined surfaces reveal new cracking patterns

Linkwarden: FOSS self-hostable bookmarking with AI-tagging and page archival

When ChatGPT broke the field of NLP: An oral history

Building Private Processing for AI Tools on WhatsApp

Millihertz 5 Mechanical Computer (2022)

Creating beautiful charts with JRuby and JFreeChart

Waypoint Transit (YC W25) is hiring a software engineer

Oxide’s compensation model: how is it going?

Show HN: Roons – Mechanical Computer Kit

Judge rules Apple executive lied under oath, makes criminal contempt referral

C++26: more constexpr in the standard library

Fivetran to acquire Census

Starting July 1, academic publishers can't paywall NIH-funded research