Argenis May 26, 2024 @ 12:29am
Proton Experimental Malware (Linux Steam)
When using:

Steam Beta Branch: Stable Client
Steam Version: 1716584667
Steam Client Build Date: Fri, May 24 13:48 UTC -08:00
Steam Web Build Date: Fri, May 24 13:31 UTC -08:00
Steam API Version: SteamClient021

I download Proton Experimental packages, and my Linux endpoint protection says that there are variants of Babar, Fugrafa, and Fragtor malware found when scanning Steam's folders, specifically in the Proton Experimental folders.

Cleaning them makes Proton still work properly, but I wanted to report this somewhere, as there's no place to do so properly in Steam, and while I own Proton Experimental, Steam still says I don't own it, so I can't report it per se.

Showing 1-15 of 25 comments
Kargor May 26, 2024 @ 1:53am 
There isn't much that Steam would be doing about this anyway; the virus scanner things have their own signature databases.
Argenis May 26, 2024 @ 9:51am 
Originally posted by Kargor:
There isn't much that Steam would be doing about this anyway; the virus scanner things have their own signature databases.

Well sure, but I don't think this was a false positive; the anti-malware cleaned the infections (identified by SHA2 and signatures, presumably), and Proton still works, so these files might've been infected by someone working on Proton or the server that releases them, so Steam grabbed them? I'm not sure.
Qbert ⭐ May 26, 2024 @ 10:00am 
What endpoint are you using?
Argenis May 27, 2024 @ 12:56pm 
Originally posted by Qbert ⭐:
What endpoint are you using?
It's not important, since VirusTotal agrees with me. Avast, Avira, BitDefender and others agree with me.

Apparently they're all in the i386-windows directory:

See link: https://mastodon.online/@argenis/112514775859606881
m662 May 27, 2024 @ 1:10pm 
I disagree; the endpoint does matter.

You have to do behavioral analysis and deep scans to verify any claims, and for that you have to run it simulated and see what it deploys, what it injects, which ports it accesses and which sites it retrieves or sends data to.

For that you either need a paid VirusTotal account, one your endpoint provider offers, or, if you are reviewed and deemed trusted, something like JoeSandbox. Or, if you have the resources, your own test lab.

Can you provide a link to the scanned resource itself from the official source? I can at the very least scan it with my enterprise endpoint and see if it detects any behavior.

Addendum
The above offer stands for 48 hours from now. If by then you did not provide the information needed, which is a link to the build/commit URL, I will assume you are not interested in the scan. No hard feelings; it's simply time-restricted how long I can and want to spend on individual cases of this nature.
Last edited by m662; May 27, 2024 @ 1:22pm
Haruspex May 27, 2024 @ 1:10pm 
Originally posted by Qbert ⭐:
What endpoint are you using?
Excellent question, and relevant to the accusation being made. Especially since millions of Steam users on Linux are not experiencing the same issue.


Originally posted by Argenis:
It's not important...
Hmm...
Satoru May 27, 2024 @ 2:01pm 
Tell me you don’t understand how anti virus reports work, without telling me you don’t know how anti virus reports work.

It's funny when their link shows what you'd expect: false positives from a bunch of nonsense heuristics from unknown vendors, or from ones who are known to be objectively bad because they want to make money, so false positives are the way they do this.
Last edited by Satoru; May 27, 2024 @ 2:02pm
Argenis May 27, 2024 @ 2:01pm 
I happen to have an enterprise version of Bitdefender, and both their signature and heuristics popped the malware.

VirusTotal happens to agree with the malware findings too; those I ran afterwards.

Now either the SHA-256 signatures happen to match known malware (very unlikely), or there was something on whoever compiled those, or the server where they were compiled, or the distribution pipeline.
Last edited by Argenis; May 27, 2024 @ 2:02pm
Satoru May 27, 2024 @ 2:04pm 
You really have no clue what you're talking about. Did you READ what category those trash antivirus programs used? You'll notice it didn't actually categorize it. If it "matched a SHA256" it would outright tell you the matched profile.

It's all heuristic garbage or "we are so bad at this we're just guessing, please tell us if this is real or not".

Don't parrot off nonsense from VirusTotal if you have no clue what the output from the website actually means.
Last edited by Satoru; May 27, 2024 @ 2:05pm
m662 May 27, 2024 @ 2:08pm 
Again, if you are willing to link the build/commit source of the data, we can take a look as well.

False positives are very common, especially when the scanners it triggers think it's a generic signature defined by gen.variant. In addition, riskware can be anything that does low-level operations, which is required for emulation purposes if it needs to connect to your network at any point.

And if you indeed have an Enterprise version, simply contact your assigned support desk or liaison; you're paying for the subscription, so why do all the work yourself?
Last edited by m662; May 27, 2024 @ 2:09pm
Argenis May 27, 2024 @ 2:12pm 
Originally posted by m662:
Again, if you are willing to link the build/commit source of the data, we can take a look as well.

False positives are very common, especially when the scanners it triggers think it's a generic signature defined by gen.variant. In addition, riskware can be anything that does low-level operations, which is required for emulation purposes if it needs to connect to your network at any point.

And if you indeed have an Enterprise version, simply contact your assigned support desk or liaison; you're paying for the subscription, so why do all the work yourself?


The build/commit source is:

Steam Beta Branch: Stable Client
Steam Version: 1716584667
Steam Client Build Date: Fri, May 24 13:48 UTC -08:00
Steam Web Build Date: Fri, May 24 13:31 UTC -08:00
Steam API Version: SteamClient021

I installed the Steam client, then, once there, I enabled Proton Experimental on a game and it downloaded.

I've been able to replicate this by removing and re-downloading Proton Experimental:

App ID: 1493710
Build ID: 14456479
Installed content updated: May 24, 2024 at 21:49
m662 May 27, 2024 @ 2:16pm 
That is Steam information; I have no use for that. I mean the Proton package you reported that gets flagged. You're not saying Steam is infected, so why should we scan the Steam installation?
Last edited by m662; May 27, 2024 @ 2:16pm
Ben Lubar May 27, 2024 @ 2:20pm 
Originally posted by m662:
Can you provide a link to the scanned resource itself from the official source I can at the very least scan it with my enterprise endpoint see if it detects any behavior.
Since they won't do it, I will:

https://steamdb.info/depot/1493711/history/?changeid=M:7743326805990044174
https://www.virustotal.com/gui/file/723c879ec2df19a5df12ca022d26e92c840662127b4715f4972cfa83aac84fb7/detection

Here's what I can tell you right now without having done any investigation locally: it's a false positive.

How do I know? Because it would be utterly pointless to hide malware in shutdown.exe inside a Proton installation. There are almost no cases where that program would be run by any game. Certainly no instances of shutdown.exe being called in any Steam game I'm aware of.

But in the interest of completeness, I will now load shutdown.exe into Ghidra, the NSA's software reverse engineering framework. We're looking for some difference from the source code at https://github.com/ValveSoftware/wine/blob/bleeding-edge/programs/shutdown/main.c which was last edited in 2019 and has had no substantial changes since 2015 (though one could argue that there were no substantial changes between that version and AT&T's implementation of /bin/true from 1984: https://trillian.mit.edu/~jc/humor/ATT_Copyright_true.html).

And what do we find? About what we should expect:

int __cdecl _wmain(int _Argc, wchar_t **_Argv, wchar_t **_Env)
{
  byte bVar1;
  byte bVar2;
  int iVar3;
  undefined uVar4;
  char *in_stack_ffffffec;

  if ((___wine_dbch_shutdown & 1) == 0) {
    if (_Argc < 1) {
      return 0;
    }
  }
  else {
    _wine_dbg_log.constprop.0(0, 0x20, 0xd8, "stub:", (char)in_stack_ffffffec);
    uVar4 = SUB41(in_stack_ffffffec, 0);
    bVar2 = ___wine_dbch_shutdown & 1;
    if (_Argc < 1) goto LAB_004021fd;
  }
  iVar3 = 0;
  bVar1 = ___wine_dbch_shutdown;
  do {
    while (uVar4 = SUB41(in_stack_ffffffec, 0), (bVar1 & 1) != 0) {
      iVar3 = iVar3 + 1;
      in_stack_ffffffec = _wine_dbgstr_wn.constprop.0();
      _wine_dbg_log.constprop.0(0, 0x20, 0xd8, &DAT_0040401d, (char)in_stack_ffffffec);
      uVar4 = SUB41(in_stack_ffffffec, 0);
      bVar2 = ___wine_dbch_shutdown & 1;
      bVar1 = ___wine_dbch_shutdown;
      if (_Argc == iVar3) goto LAB_004021fd;
    }
    iVar3 = iVar3 + 1;
    bVar2 = 0;
  } while (_Argc != iVar3);
LAB_004021fd:
  if (bVar2 == 0) {
    return 0;
  }
  _wine_dbg_log.constprop.0(0, 0x20, 0xd8, &DAT_00404021, uVar4);
  return 0;
}

An implementation of /bin/true with some debug logging.
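An added example, not code from this thread, from Valve or from any scanner vendor: a small Python triage helper that sorts per-engine scan labels into named-family hits versus generic/heuristic verdicts (the distinction Satoru's and Ben Lubar's posts above draw), and hashes a local file so a report can be matched to the exact build it describes. The verdict labels are constructed samples and the marker list is an assumption you would tune for your own engines.

```python
import hashlib
from collections import Counter

# Constructed sample in the shape of a VirusTotal per-engine listing
# (engine -> label, or None for "undetected"). Labels are made up for
# illustration and are not the real results for the file in the thread.
SAMPLE_VERDICTS = {
    "EngineA": "Gen:Variant.Fugrafa.12345",
    "EngineB": "Trojan.GenericKD.67890",
    "EngineC": "Malicious (score: 87%)",
    "EngineD": "HEUR:Trojan.Win32.Generic",
    "EngineE": "Riskware.Win32.Fragtor",
    "EngineF": "Win32:Babar-A [Trj]",
    "EngineG": None, "EngineH": None, "EngineI": None, "EngineJ": None,
}

# Label fragments that mark a generic, heuristic or ML verdict rather than
# a signature match for a specific named family (assumed list; tune it).
GENERIC_MARKERS = ("generic", "gen:", "gen.", "variant", "heur",
                   "suspicious", "score", "riskware", "unsafe")

def classify(label):
    """Return 'clean', 'generic' or 'named' for one engine's label."""
    if not label:
        return "clean"
    low = label.lower()
    return "generic" if any(m in low for m in GENERIC_MARKERS) else "named"

def triage(verdicts):
    """Summarise a scan report: how many engines gave a named-family hit
    versus a generic/heuristic one, and what that suggests about the file."""
    counts = Counter(classify(v) for v in verdicts.values())
    named, generic = counts["named"], counts["generic"]
    if named == 0 and generic > 0:
        call = "heuristic-only: likely false positive, compare against a reference build"
    elif named >= 3 or named > generic:
        call = "several named hits: treat as real until disproved"
    elif named > 0:
        call = "mixed: check whether the named family labels agree with each other"
    else:
        call = "undetected"
    return {"named": named, "generic": generic, "clean": counts["clean"], "call": call}

def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a local file, to match against the hash a scan report is about."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()
```

Run sha256_of on the local shutdown.exe and compare it with the hash in the VirusTotal URL above before drawing any conclusion from that report; a different hash means the report is about a different file.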
Argenis May 27, 2024 @ 2:21pm 
Originally posted by m662:
That is Steam information; I have no use for that. I mean the Proton package you reported that gets flagged. You're not saying Steam is infected, so why should we scan the Steam installation?

That's the part below; that's all the info I have. Steam itself only says the following for Proton Experimental:

App ID: 1493710
Build ID: 14456479
Installed content updated: May 24, 2024 at 21:49

Anything beyond that I would not know how to get; in its directory there's a file called version that says some extra stuff: 1716388226 experimental-9.0-20240522

Manifest:

"manifest"
{
"version" "2"
"commandline" "/proton %verb%"
"require_tool_appid" "1628350"
"use_sessions" "1"
"compatmanager_layer_name" "proton"
}
76561199648916059 May 27, 2024 @ 2:23pm 
You sound like you found a real exploit or booboo Steam "intentionally" missed.

I got a chuckle reading "millions of Steam users use Linux"; that's false, as Steam's own demographics show Linux at 1% of usage or less, meaning fewer than 300,000 people use Linux.

Math on that: 30,000,000/1%

It's good you found and removed the infection; more people need to be vigilant. Thanks OP for bringing this issue to the surface.
Date Posted: May 26, 2024 @ 12:29am
Posts: 25