Malware Analysis: Black Desert Online game anti-cheat also malware?

Kubla

Level 8
Thread author
Verified
Jan 22, 2017
355
I wanted to play this MMO, Black Desert Online. It is supposed to have the best graphics and combat system of any MMO; however, when I tried to install it, multiple layers of my AV and malware-protection setup went nuts quarantining some of the game files that are part of the game's anti-cheat software. After doing some research, a lot of people have had problems with it, where they had to exclude it from their AV, modify Windows Defender's exploit protections and app control to allow it, or even uninstall their AVs just to get the game to run.

The main offending file is called xcorona.xem

This is what I get from my AV:

Abnormalities (5/22)
  • This binary contains abnormal section names which could be an indication that it was created with non-standard development tools
  • The Entry point for this binary has an uncommon section name
  • The Entry point for this binary is in a section not marked as a code region
  • The Entry point for this binary is an RWX section. It might contain self-modifying code.
  • This binary has an RWX section. It might contain self-modifying code.
Hiding/Stealthiness (1/10)
  • The majority of sections in this PE have high entropy which is a sign of obfuscation/packing.

I have this game on Steam; this is a chart of the connections and file access when I start the game launcher:

Black Desert.jpg


1244 files accessed & 138 IP connections made, and that is before the game even loads, because I have been reluctant to give it exclusions to allow it to run.

I ran a trace using xSOS firewall to see where it was connecting to:
Black Desert 2.jpg


I was able to see a list of connection IP addresses with a CSV reader, and it is connecting to over 60 different IPs.

I don't know the first thing about anti-cheat software for games; perhaps this is normal, but it sure seems like a lot of data being accessed and sent out on quite literally a global scale to verify you don't have cheats on your PC.

What do you think?

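The abnormality list in the post above (uncommon section names, entry point in a section that is not marked as code or that is readable, writable and executable, most sections at high entropy) is static PE triage that anyone can reproduce without the vendor's scanner. The block below is an added example, not code from the thread, from MalwareTips, or from the game's anti-cheat vendor: a pure-Python section-table parser that raises the same five abnormality flags plus the packing heuristic. To run offline it also assembles two constructed, non-loadable PE images, one conventional and one packer-style; the section name `xcor0`, the 7.0-bit entropy threshold and the list of "common" section names are assumptions of this example and say nothing about xcorona.xem itself.

```python
import math
import struct
import sys
from collections import Counter

# IMAGE_SECTION_HEADER.Characteristics bits from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

# Names mainstream Windows toolchains emit; anything else counts as "uncommon".
# Assumed list for this example: packers and protectors typically pick odd names.
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                        ".rsrc", ".reloc", ".tls", ".pdata", ".xdata", ".CRT", ".debug"}
HIGH_ENTROPY_BITS = 7.0  # assumed threshold; compressed/encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """DOS header -> PE signature -> COFF header -> section table; not a full loader."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset in PE32 and PE32+
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, chars = \
            struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "size": max(vsize, rawsize), "chars": chars,
                         "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize])})
        off += 40
    return entry_rva, sections


def triage(pe: bytes) -> list:
    """Reproduce the abnormality / packing flags from the AV report quoted in the thread."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    if any(s["name"] not in COMMON_SECTION_NAMES for s in sections):
        findings.append("abnormal section names")
    entry = next((s for s in sections if s["va"] <= entry_rva < s["va"] + s["size"]), None)
    if entry is None:
        findings.append("entry point outside every section")
    else:
        if entry["name"] not in COMMON_SECTION_NAMES:
            findings.append("entry point in uncommon section")
        if not entry["chars"] & IMAGE_SCN_CNT_CODE:
            findings.append("entry point in section not marked as code")
        if entry["chars"] & RWX == RWX:
            findings.append("entry point in RWX section")
    if any(s["chars"] & RWX == RWX for s in sections):
        findings.append("RWX section present")
    high = sum(1 for s in sections if s["entropy"] > HIGH_ENTROPY_BITS)
    if sections and 2 * high > len(sections):
        findings.append("majority of sections have high entropy")
    return findings


def build_pe(sections, entry_rva: int, file_align: int = 0x200) -> bytes:
    """Assemble a minimal, non-loadable PE from (name, characteristics, data) triples.
    Constructed test input for this example: just enough header for parse_sections."""
    opt_size = 224  # PE32 optional header
    first_raw = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // file_align) * file_align
    raw_ptr, va, table, body = first_raw, 0x1000, bytearray(), bytearray()
    for name, chars, data in sections:
        size = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), va, size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(size, b"\0")
        raw_ptr += size
        va += -(-size // 0x1000) * 0x1000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint
    return bytes((dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + body)


# Constructed samples: a conventional build, and a packer-style image whose entry point
# sits in an oddly named RWX section filled with uniformly distributed (8.0-bit) bytes.
CLEAN_PE = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\x90" * 511 + b"\xc3"),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"\0" * 512),
], entry_rva=0x1000)
PACKED_PE = build_pe([
    ("xcor0", RWX, bytes(range(256)) * 4),
    (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, bytes(range(256)) * 2),
], entry_rva=0x1000)

if __name__ == "__main__":
    # Usage: python pe_triage.py <file.exe|file.xem> ...   (no argument: run on the samples)
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("clean", CLEAN_PE), ("packed", PACKED_PE)]
    for label, blob in targets:
        print(label, "->", triage(blob) or ["no abnormalities"])
```

The flags are heuristics, not verdicts: a legitimate protector-wrapped game binary and a packed malware dropper look identical at this level, which is exactly why the AV in the post scores them as "abnormalities" rather than detections. What separates the two is behaviour (which driver it loads, what it reads, where it connects), so the next step is the kind of file and network tracing the post goes on to do.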

Svoll

Level 13
Verified
Top Poster
Well-known
Nov 17, 2016
627
There is no way around it: their anti-cheat xcorona.xem needs to be run, and it also loads xhunter.sys in the system32 folder. There have been many discussions about this on the official BDO forum and Reddit. Xhunter.sys could be classified as a rootkit; it installs itself and stays hidden till you close the game, and sometimes it doesn't get deleted.

Best of luck. I quit the game last year due to fail pen roulette, but what I do is isolate Windows in a VM and let xcorona and xhunter.sys do whatever they want; it's a blank VM with just Windows, drivers, and BDO. There have been reports of it coin mining, but it's only proven on Russian servers. Nothing found or proven or "admitted by Kakao" on EU and NA yet.

Akolyte

New Member
Mar 6, 2019
4
A lot of anti-cheat software is similar to spyware; it just gets whitelisted by antivirus vendors. Sometimes they do actually install themselves as a rootkit (sort of) and monitor what is running and what software you are using, for the purpose of identifying cheats for Black Desert Online, and with all the modern hacks that are out there, cheat software generally tries to hide from anti-cheats, so perhaps this anti-cheat wants low-level access so it can monitor the entire system for possible cheats.

At the core though, whether it is malware or not depends on you, and on your opinion of the software. I'd read the privacy policy of all the companies associated with Black Desert online and see if they have any data collection. They may even just collect data anyway.

Keep in mind, though, a lot of software could be malware if you just classified it to be. A lot of antivirus vendors like Avast, McAfee, Kaspersky & Bitdefender (especially) spy on you and compromise your root certificates; do you consider them malware? What about Steam, Uplay, etc.? Windows 10?

I'm just trying to state the point that it's not abnormal for strong anti-cheat software to behave this way, and you should judge it based on what you think of the company behind the software, because in the end, you allow a lot of software that behaves similarly because you have a level of trust in the developers, so look into the developers.

Kubla

Level 8
Thread author
Verified
Jan 22, 2017
355
There is no way around it: their anti-cheat xcorona.xem needs to be run, and it also loads xhunter.sys in the system32 folder. There have been many discussions about this on the official BDO forum and Reddit. Xhunter.sys could be classified as a rootkit; it installs itself and stays hidden till you close the game, and sometimes it doesn't get deleted.

Best of luck. I quit the game last year due to fail pen roulette, but what I do is isolate Windows in a VM and let xcorona and xhunter.sys do whatever they want; it's a blank VM with just Windows, drivers, and BDO. There have been reports of it coin mining, but it's only proven on Russian servers. Nothing found or proven or "admitted by Kakao" on EU and NA yet.

That is an excellent idea!

Thanks