Statement on GodLoader malware loader

A malware loader, “GodLoader,” has been found exploiting the Godot runtime. This highlights the importance of only downloading software from trusted sources.

Full details: Statement on GodLoader malware loader – Godot Engine


The risk is not higher than with any other game engine as far as I can tell…

However, doesn’t that provide a dangerous attack vector using game jams? A bad actor could create a low effort entry that is using the OS class to execute malicious code, only with the goal of infiltrating people that check out random jam games.

(I hope) this would not be possible for a Web build played in the browser, since side loading should run under cross-origin restrictions. But if the bad actor could trick anyone into downloading and starting the executable, complete OS access is open by default.

Perhaps it would be more responsible to restrict some features of the OS class by default. Or force a confirmation from the user for things like execution.

I know, this would mean complications for all serious projects that are depending on this functionality, but security is a sensitive topic.

Edit:
After some discussion at other places I came to the logical conclusion that there is literally no way Godot could prevent such an attack. Anyone can disable these restrictions by just editing the sources and compiling again.

There is literally no possibility to prevent this unless the OS itself disables those features. So running things in a sandbox is the only solution for this problem.


It’s an interesting topic. I actually created a virus using Godot a while back (but never shared it obviously).

I read the report and disagree with the statement that “all Godot games are potentially in danger because people could swap out a file with a malicious one”. Literally any executable or important file (such as DLLs mentioned in the report) could be swapped out to a virus. If someone tampered with your file system, you are in danger full stop.

Anybody remember when Slay the Spire: Downturn got compromised? Anything that runs code on the system can be malicious. That includes any game engine, any program, and especially any pirated software from suspicious sources.

That said, I think the biggest takeaway is that this isn’t detected by antiviruses, which is likely because Godot isn’t really used to make viruses and went under the radar, and is also not Godot’s problem.

I disagree. Other game engines can also run terminal commands; Godot is just more appealing because GDScript is easier to use. I made a Doom mod launcher with Godot that relies on console commands to launch the game with custom flags, and there are probably a lot more valid use cases for running commands.


That’s always been a risk of game jams, you don’t know when you are downloading and running them if they will even be games at all. A low effort game with a malicious payload could be created in any game engine.


Yes that’s clear. My initial thought was that Godot could be the first to actively take counter measures against it.

However, the fact that every executable can be edited and regain the possibility of executing malicious stuff, regardless of how it was created in the first place, makes this attempt senseless.

Just brainstorming here, but could Godot require a validation method like publishing the .pck and/or .exe checksum on GitHub and have the program automatically check it before opening?

Another mitigation strategy could be to educate devs and users on how to build Godot themselves in the simplest way possible, encrypt, and keep their private keys safe.

To authenticate that an executable is actually coming from the source it’s pretending to come from?

That could be something. But I assume publishing the checksum of a given build at a trustworthy position would also do the job here?
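The checksum idea floated in the two posts above (publish the .pck and .exe hashes somewhere trustworthy, compare before running) is easy to show concretely. The script below is an added example written for this thread, not Godot project code: it streams each listed file through SHA-256 and compares it against a sha256sum-style list, in the same spirit as the SHA256SUMS files attached to GitHub releases. The file names (game.exe, game.pck), the list format and the sample bytes are all constructed for the demo. One caveat the earlier Edit already makes: this only helps when the user runs the check out-of-band with a list fetched from the publisher; a self-check baked into the executable can be stripped by whoever swapped the file in the first place.

```python
"""Verify a downloaded Godot export against a published checksum list.

Added example for this thread, not Godot's own code. Assumptions: the
publisher ships a text file in sha256sum output format ("HEX  name" or
"HEX *name"), and the build directory holds the listed .exe and .pck.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so a large .pck never has to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text: str) -> dict:
    """Parse sha256sum-style lines into {filename: hexdigest}.

    Blank lines and '#' comments are skipped; a leading '*' on the name
    (sha256sum's binary-mode marker) is dropped. Anything else malformed
    is an error rather than silently ignored, so a truncated list fails.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_build(build_dir: Path, sums_text: str) -> dict:
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING'} for every listed file.

    Every entry in the published list is checked; a file that is absent is
    reported instead of skipped, because a missing .pck is as suspicious as
    a swapped one.
    """
    results = {}
    for name, digest in parse_sums(sums_text).items():
        path = build_dir / name
        if not path.is_file():
            results[name] = "MISSING"
        elif sha256_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo() -> dict:
    """Constructed scenario: genuine .exe/.pck, a list generated from them,
    then the .pck swapped out the way the statement describes."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "game.exe").write_bytes(b"MZ constructed runtime bytes")
        (d / "game.pck").write_bytes(b"GDPC constructed pack bytes")
        sums = "# published by the developer, fetched separately\n" + "\n".join(
            f"{sha256_file(d / n)}  {n}" for n in ("game.exe", "game.pck")
        )
        before = verify_build(d, sums)
        (d / "game.pck").write_bytes(b"GDPC tampered pack bytes")
        after = verify_build(d, sums)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

Run it as a plain script to see the genuine build pass and the swapped .pck flagged; to check a real download, call `verify_build(Path("path/to/export"), open("SHA256SUMS").read())` with a list you obtained from the publisher's own page, not from the same download.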

If I correctly understood the report, the issue is that many antiviruses can’t detect malware that’s written in Godot. I see this as a problem in the detection, not in Godot. I would expect the same “exploit” would also be possible with other less mainstream interpreted languages.

I don’t know if anyone else is seeing this, but I’ve been able to share test builds with friends without issue until recently. Now Opera and Chrome are blocking friends from downloading builds.