"Only a life lived for others is a life worth while." - Albert Einstein

Maplestory Cyber Security Series – Part 2 of 4

Author: duststar

Continuing from this post.

Part 2 - Protecting your system

1. Defence-in-depth

a. Lock down your system

When we lock down our system, we gain finer-grained control over how the system is allowed to behave. For example, we restrict use of the “Administrator” account and instead do our everyday work from a “User” account with the least privileges. This minimises the damage a piece of malware can do once installed: if you accidentally run it, it runs with only the privileges of your user account and cannot, for instance, install a driver or a service or modify system files.

However, Maplestory (and many other MMORPGs) requires us to run the game with full “Administrator” privileges. Why? Because such games typically bundle third-party anti-cheat software such as GameGuard, HackShield or X-Trap, which installs a kernel-mode driver, and installing and loading a driver requires administrative rights.

So, ironically, it now gets more troublesome to play Maplestory securely. Let us see. To achieve a decent system lockdown while still playing Maplestory, you need two user accounts on your system: one with “Administrator” access and one with “User” access. When you play Maplestory, you switch to the “Administrator” account. When you want to surf the net, check e-mail, use MSN or do anything else, you switch to the “User” account. Consider the following scenario. Somehow you were tricked into running a malicious file that installs a keylogger on your computer. Depending on how well the keylogger was written, it might not install at all, because it does not have “Administrator” privileges, or it might install but affect only the “User” account. Either way it cannot register itself as a driver or a system-wide service. This works because each switched-user session gets its own desktop, so a user-mode keylogger running in the “User” session cannot see keystrokes typed in the “Administrator” session. Nice! So our Maplestory login ID, 1st password and 2nd password are safe? Well, not entirely. A skilled attacker can still use a local privilege escalation attack, exploiting an unpatched bug in Windows or a driver, to obtain “Administrator” privileges and install the keylogger system-wide. That is why the next point matters.
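The two-account setup described above, as an added example that is not part of the original post. It is written for the Windows command prompt (XP/Vista/7); the account names Daily and MapleAdmin are assumptions, and the `*` makes `net user` prompt for each password instead of leaving it in the script or the command history.

```batch
@echo off
REM Added example: the two-account lockdown described above, on Windows XP/Vista/7.
REM Run once from an Administrator command prompt. Account names are assumptions.

REM 1. A standard account for everyday use (e-mail, browsing, MSN). New local accounts land in
REM    the "Users" group, so this account cannot install drivers, services or anything machine-wide.
net user Daily * /add /comment:"Everyday low-privilege account"

REM 2. A separate administrative account used only to run the game and its anti-cheat driver.
net user MapleAdmin * /add /comment:"Game only - do not browse or read e-mail from here"
net localgroup Administrators MapleAdmin /add

REM 3. Make sure the everyday account really is not an administrator. If you reused an existing
REM    account as "Daily", this removes it from the group; for a fresh account it is a no-op.
net localgroup Administrators Daily /delete 2>nul

REM 4. Verify: Daily must be listed under "Users" only, MapleAdmin under "Administrators".
net localgroup Users
net localgroup Administrators
```

Use “Switch User” to move between the two accounts rather than “Run as…”: the latter starts the game on the same desktop as your everyday session, which is exactly where a user-mode keylogger would be watching.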

b. Patch your system

Operating systems such as Windows XP, Vista and 7, and applications such as Internet Explorer, Mozilla Firefox, Adobe Reader and Flash Player, regularly turn out to have vulnerabilities that must be patched; otherwise they can be used as a vector to introduce malware into your system, including the local privilege escalation mentioned above. Therefore, always patch Windows (http://windowsupdate.microsoft.com) and update your applications to the latest version.

c. Anti-virus

There is no such thing as “XXX anti-virus is the best!”. No single anti-virus product detects 100% of malware. Looking at the AV-Comparatives summary report for 2009, some products are good at detecting known malware, some at removing malware, some at detecting new or unknown malware, and so on. Therefore I am not recommending any particular anti-virus here. Get one that is within your budget, or consider one of the free ones. Do not install more than one anti-virus on your system without checking for compatibility issues: more often than not you end up with zero protection rather than double protection.

Having an anti-virus installed and working properly is the first step. Ensuring its signatures are updated whenever new ones are released is the second, and this should happen daily. Lastly, scan all files before copying them onto your system, and perform a full system scan periodically.

Relating to Maplestory, sometimes the game files or the game security files such as HackShield get detected as malware and deleted, after which the game can no longer start properly. What you can do is inform iBox and wait for your anti-virus vendor to release corrected signatures, apply them, and then restore the file from quarantine or reinstall the game.

d. Firewall

A firewall, put simply, controls what goes out to the Internet and what comes in from it. The Windows firewall by default allows anything to go out and blocks unsolicited connections coming in. So how does Maplestory still connect to the game servers? Because the connection is initiated by the Maplestory.exe process on your system, and outbound connections are allowed by default; the firewall is stateful, so the server’s replies on that connection are let back in. Other commercial or open-source firewalls work the same way but give finer-grained network access control: for example, you can decide which application may go out to the Internet rather than just “anything”.

It is really not easy for a normal user to configure a firewall correctly, especially the rules for Maplestory: there are many server IP addresses and ports to cover. Maplestory’s “Helpdesk Support” will probably just tell you to disable your firewall. Do not; at most, add an allow rule for the game executable and keep the default block on inbound traffic.
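As an added example (not from the original post), here is what the “only this application may go out” granularity looks like on the built-in firewall of Windows Vista and 7, using netsh advfirewall (Windows XP’s older netsh firewall has no per-application outbound control). The path to MapleStory.exe and the rule names are assumptions; the real server addresses and ports are not on this page, so the game rule below allows any destination and should be tightened with remoteip= and remoteport= once you have them from the helpdesk.

```batch
@echo off
REM Added example: application-level outbound control with the Windows Vista/7 firewall.
REM Run from an elevated (Administrator) command prompt. Path and rule names are assumptions.

set GAME_EXE=C:\Program Files\MapleStory\MapleStory.exe

REM 1. Keep blocking unsolicited inbound traffic, and additionally block outbound by default.
REM    From now on only applications with an explicit allow rule may reach the Internet.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

REM 2. Allow the game executable out. Without remoteip/remoteport this still permits any
REM    destination; narrow it once the real server addresses and ports are known.
netsh advfirewall firewall add rule name="MapleStory client (out)" dir=out action=allow ^
    program="%GAME_EXE%" enable=yes profile=any

REM 3. Allow what everyday use still needs: DNS, web browsing over HTTP/HTTPS, and Windows Update
REM    (which runs inside svchost.exe, so blocking outbound by default would silently stop patching).
netsh advfirewall firewall add rule name="DNS (out)" dir=out action=allow ^
    protocol=UDP remoteport=53 enable=yes
netsh advfirewall firewall add rule name="HTTP/HTTPS (out)" dir=out action=allow ^
    protocol=TCP remoteport=80,443 enable=yes
netsh advfirewall firewall add rule name="Windows Update svchost (out)" dir=out action=allow ^
    program="%SystemRoot%\system32\svchost.exe" enable=yes

REM 4. Verify: the policy must read BlockInbound,BlockOutbound and the game rule must be listed.
netsh advfirewall show allprofiles firewallpolicy
netsh advfirewall firewall show rule name="MapleStory client (out)"
```

Your anti-virus updater will need its own allow rule as well; its executable path is vendor-specific and not shown here. If the game fails to connect after this, check the firewall log before reaching for “disable”, because the failing rule is usually the missing port rather than the firewall itself.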

e. Other less important, yet must-do, things

i. Disable Autorun and Autoplay (that is how removable-media malware spreads).

ii. Disable your router’s Wi-Fi if it is not in use, or secure it.

At minimum, use WPA2 with a strong passphrase (most useful). If possible, enable MAC filtering to allow only your own devices. Lastly, disable SSID broadcasting (least useful: a hidden SSID and a permitted MAC address are both visible to anyone sniffing the air, and the MAC address can be spoofed).

The best option is still not to use Wi-Fi at all, and to use a wired connection.

iii. Handle untrusted files with extra caution before running them

One way is to submit them to an online service that scans with multiple AV and behavioural-analysis engines before deciding whether to run them or not.
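Item i above is a registry change, so here it is as an added example (not from the original post) for Windows XP SP2 and later, Vista and 7. The three values are Microsoft’s NoDriveTypeAutoRun and HonorAutorunSetting policies and the widely published IniFileMapping trick that stops Explorer from parsing autorun.inf at all; nothing else is assumed.

```batch
@echo off
REM Added example: disable Autorun/Autoplay for every drive type on Windows XP SP2+, Vista and 7.
REM Run from an elevated (Administrator) command prompt; takes effect after log off / reboot.

set EXPLORER_POLICY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
set INIMAP=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\IniFileMapping\Autorun.inf

REM 1. NoDriveTypeAutoRun = 255 (0xFF) disables Autorun and the Autoplay prompt on all drive types:
REM    removable, fixed, network, CD-ROM and RAM disk.
reg add "%EXPLORER_POLICY%" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

REM 2. HonorAutorunSetting = 1 (Microsoft KB967715) makes Windows actually respect the value above;
REM    before that update, the policy was ignored for some drive types.
reg add "%EXPLORER_POLICY%" /v HonorAutorunSetting /t REG_DWORD /d 1 /f

REM 3. Belt and braces: map every section of autorun.inf to a registry key that does not exist,
REM    so Explorer never reads the file, whatever a future update does to the policy values.
reg add "%INIMAP%" /ve /t REG_SZ /d "@SYS:DoesNotExist" /f

REM 4. Verify what was written.
reg query "%EXPLORER_POLICY%" /v NoDriveTypeAutoRun
reg query "%EXPLORER_POLICY%" /v HonorAutorunSetting
reg query "%INIMAP%" /ve
```

After logging back on, plugging in a USB stick that carries an autorun.inf should open nothing automatically; if the Autoplay dialog still appears, confirm that KB967715 is installed before looking further.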

2. Security through system isolation, or virtualisation

By isolation we mean performing different functions independently: function A is isolated from function B, so when A fails or is compromised, B is not affected, and vice versa. How does this apply to cyber security, and how is it related to virtualisation? With virtualisation it is possible to run multiple operating systems on a single physical machine, each guest isolated from the others and from the host, which gives us system isolation without extra hardware. We have talked about the importance of layer upon layer of cyber security protections and defences; system isolation is one more such layer.

A real example of a secure Maplestory setup is as follows. We have a physical system running Windows XP (the host). On top of it, we create two virtual machines: one for trusted activities, running Linux, and one for untrusted activities, running Windows XP. Trusted activities are personal e-mail, internet banking, stock broking and so on. Untrusted activities are downloading and running files from the Internet, reading a separate e-mail account used for untrusted contacts, running your instant messenger and so on. We use the trusted system for Asiasoft Passport’s functions and the untrusted system for the Playpark.net forum. Finally, we install the Maplestory client on the host and play from there. If the host is used for nothing except playing Maplestory, the risk of it being infected by a trojan or keylogger is greatly reduced (nothing is 100% secure, and the host remains the most privileged layer: a compromised host can read both guests). Every time before we use the trusted system, we revert it to its original snapshot. This way, even if it was infected with a trojan or keylogger at some point, the malware does not survive the revert. The one thing to remember is that reverting also discards the guest’s updates, so after patching the trusted guest, shut it down and take a fresh snapshot to revert to.
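The revert-then-boot routine for the trusted guest, as an added example that is not part of the original post. It assumes VirtualBox on the Windows XP host (the post does not name a hypervisor), a VM called Trusted-Linux, and a snapshot called clean taken once after installing and patching the guest with `VBoxManage snapshot "Trusted-Linux" take "clean"`.

```batch
@echo off
REM Added example: always start the trusted VM from its clean snapshot (VirtualBox, Windows host).
REM VM and snapshot names are assumptions; VBoxManage.exe must be on the PATH.

set VM=Trusted-Linux
set SNAP=clean

REM 1. A snapshot cannot be restored while the machine is running, so power off any leftover
REM    session first. Nothing in that session is worth keeping: that is the whole point.
VBoxManage showvminfo "%VM%" --machinereadable | findstr /R "^VMState=.running.$" >nul
if %ERRORLEVEL% EQU 0 (
    echo %VM% is still running, powering it off...
    VBoxManage controlvm "%VM%" poweroff
)

REM 2. Discard everything that happened since the snapshot: any trojan or keylogger picked up
REM    during the last session goes with it.
VBoxManage snapshot "%VM%" restore "%SNAP%"
if %ERRORLEVEL% NEQ 0 (
    echo Failed to restore snapshot "%SNAP%" - refusing to start a possibly dirty guest.
    exit /b 1
)

REM 3. Boot the clean guest for this session's banking / Asiasoft Passport use.
VBoxManage startvm "%VM%"
```

Refusing to start when the restore fails is deliberate: booting the guest anyway would silently reuse whatever state the previous session left behind, which defeats the purpose of the routine.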

If time permits, I will probably write up a project and technical guide on creating and managing this setup.

.duststar
