Double KO! Capcom's Street Fighter V installs hidden rootkit on PCs

Fatality – wait, no, what? That's the other game


A fresh update for Capcom's Street Fighter V for PCs includes a knock-out move: a secret rootkit that gives any installed application kernel-level privileges.

This means any malicious software on the system can poke a dodgy driver installed by SFV to completely take over the Windows machine. Capcom claims it uses the driver to stop players from hacking the high-def beat 'em up to cheat. Unfortunately, the code is so badly designed, it opens up a full-blown local backdoor.

Let's drill down to the technical details: the capcom.sys kernel-level driver provides an IOCTL service to applications that disables SMEP on the computer, executes code at a given pointer, and then reenables SMEP. In other words, it switches off a crucial security defense in the operating system, then runs whatever instructions are given to it by the application, and then switches the protection back on.

SMEP [PDF] is a feature in modern Intel and AMD x86 processors that, when enabled, prevents kernel-level software from executing code in user-owned memory pages. It's there to stop hackers from tricking the operating system into running malicious software smuggled into an application's virtual memory space – the OS should only be able to run its own trusted code, not anything provided by any old app.

Capcom.sys completely blows this away on Windows: an application simply has to pass control codes 0xAA012044 and 0xAA013044 to the IOCTL, and a pointer to some instructions, and the driver will then jump to that block of code with full kernel permissions.

Capcom is seemingly using this driver to allow its user-mode game to poke around the machine at the lowest level and spot any attempts by the player to cheat. The tool was bundled within an update, issued earlier this week, to Street Fighter V that brought in a new character, Urien. The title went on sale in February this year.

"As a part of the new content and system update releasing later today, we’re also rolling out an updated anti-crack solution (note: not DRM) that prevents certain users from hacking the executable," a Capcom rep explained on Thursday.

"The solution also prevents memory address hack that are commonly used for cheating and illicitly obtaining in-game currency and other entitlements that haven’t been purchased yet.

"The anti-crack solution does not require online connectivity in order to play the game in offline mode; however, players will be required to click-confirm each time they boot up the game. This step allows ‘handshake’ to take place between the executable and the dependent driver prior to launch."

Gamers realized something was a little off when the upgrade brought in a new driver and demanded operating-system-grade access to the computer before the game starts. A number of players say they couldn't even get the new version to work at all. A full-blown online meltdown ensued.

Just after we published this article, a Capcom rep tweeted:

We are in the process of rolling back the security measures added to the PC version of Street Fighter V. After the rollback process to the PC version, all new content from the September update will still be available to players. We apologize for the inconvenience and will have an update on the time-frame for the PC rollback solution soon.

A lesson quickly learned, it seems. ®


Other stories you might like

  • The ‘substantial contributions’ Intel has promised to boost RISC-V adoption
    With the benefit of maybe revitalizing the x86 giant’s foundry business

    Analysis Here's something that would have seemed outlandish only a few years ago: to help fuel Intel's future growth, the x86 giant has vowed to do what it can to make the open-source RISC-V ISA worthy of widespread adoption.

    In a presentation, an Intel representative shared some details of how the chipmaker plans to contribute to RISC-V as part of its bet that the instruction set architecture will fuel growth for its revitalized contract chip manufacturing business.

    While Intel invested in RISC-V chip designer SiFive in 2018, the semiconductor titan's intentions with RISC-V evolved last year when it revealed that the contract manufacturing business key to its comeback, Intel Foundry Services, would be willing to make chips compatible with x86, Arm, and RISC-V ISAs. The chipmaker then announced in February it joined RISC-V International, the ISA's governing body, and launched a $1 billion innovation fund that will support chip designers, including those making RISC-V components.

    Continue reading
  • FBI warns of North Korean cyberspies posing as foreign IT workers
    Looking for tech talent? Kim Jong-un's friendly freelancers, at your service

    Pay close attention to that resume before offering that work contract.

    The FBI, in a joint advisory with the US government Departments of State and Treasury, has warned that North Korea's cyberspies are posing as non-North-Korean IT workers to bag Western jobs to advance Kim Jong-un's nefarious pursuits.

    In guidance [PDF] issued this week, the Feds warned that these techies often use fake IDs and other documents to pose as non-North-Korean nationals to gain freelance employment in North America, Europe, and east Asia. Additionally, North Korean IT workers may accept foreign contracts and then outsource those projects to non-North-Korean folks.

    Continue reading
  • Elon Musk says Twitter buy 'cannot move forward' until spam stats spat settled
    A stunning surprise to no one in this Solar System

    Elon Musk said his bid to acquire and privatize Twitter "cannot move forward" until the social network proves its claim that fake bot accounts make up less than five per cent of all users.

    The world's richest meme lord formally launched efforts to take over Twitter last month after buying a 9.2 per cent stake in the biz. He declined an offer to join the board of directors, only to return asking if he could buy the social media platform outright at $54.20 per share. Twitter's board resisted Musk's plans at first, installing a "poison pill" to hamper a hostile takeover before accepting the deal, worth over $44 billion.

    But then it appears Musk spotted something in Twitter's latest filing to America's financial watchdog, the SEC. The paperwork asserted that "fewer than five percent" of Twitter's monetizable daily active users (mDAUs) in the first quarter of 2022 were fake or spammer accounts, which Musk objected to: he felt that figure should be a lot higher. He had earlier proclaimed that ridding Twitter of spam bots was a priority for him, post-takeover.

    Continue reading

Biting the hand that feeds IT © 1998–2022