Old Oct 2, 2003, 05:10 PM   #1
News Guru
 
Join Date: May 2002
Location: UK
Posts: 1,400
NewsFactory is on a distinguished road

UPDATE: Gabe Newell: "I need the assistance of the community"

***Update****
Head here for the latest update from Valve. The most important point of the update is:
"What would be most helpful now are IP addresses of the people who were responsible for the intrusion or for the denial of service attacks."

***End Update***


Ever have one of those weeks? This has just not been the best couple of days for me or for Valve.

Yes, the source code that has been posted is the HL-2 source code.

Here is what we know:

1) Starting around 9/11 of this year, someone other than me was accessing my email account. This has been determined by looking at traffic on our email server versus my travel schedule.

2) Shortly afterwards my machine started acting weird (right-clicking on executables would crash explorer). I was unable to find a virus or trojan on my machine, I reformatted my hard drive, and reinstalled.

3) For the next week, there appears to have been suspicious activity on my webmail account.

4) Around 9/19 someone made a copy of the HL-2 source tree.



5) At some point, keystroke recorders got installed on several machines at Valve. Our speculation is that these were done via a buffer overflow in Outlook's preview pane. This recorder is apparently a customized version of RemotelyAnywhere created to infect Valve (at least it hasn't been seen anywhere else, and isn't detected by normal virus scanning tools).

6) Periodically for the last year we've been the subject of a variety of denial of service attacks targeted at our webservers and at Steam. We don't know if these are related or independent.


Well, this sucks.

What I'd appreciate is the assistance of the community in tracking this down. I have a special email address for people to send information to, helpvalve@valvesoftware.com. If you have information about the denial of service attacks or the infiltration of our network, please send the details. There are some pretty obvious places to start with the posts and records in IRC, so if you can point us in the right direction, that would be great.

We at Valve have always thought of ourselves as being part of a community, and I can't imagine a better group of people to help us take care of these problems than this community.

Gabe



NewsFactory is offline   Reply With Quote
Old Oct 2, 2003, 05:14 PM   #2
Banned
 
Join Date: Nov 2002
Location: In clothing
Posts: 3,510
craig588 is on a distinguished road

I have a pretty general idea of the main people behind all this, it's gotta be someone that supports nvidia and is annoyed about Valve's comments.
craig588 is offline   Reply With Quote
Old Oct 2, 2003, 05:25 PM   #3
DriverHeaven Lover
 
Join Date: Oct 2002
Location: Evil Mountain Lair
Posts: 248
kalx is on a distinguished road

lol

The current Info points to

[GSM]Grim

who posted it on usenet before anyone else did, either he is close to ppl who did, or did it himself.
I believe the info was already passed a while back.
kalx is offline   Reply With Quote
Old Oct 2, 2003, 05:53 PM   #4
MSX
Burning the frozen...
 
Join Date: Sep 2002
Posts: 1,202
MSX is on a distinguished road

The plus side is that nobody can use the source to create a game... legally. However I imagine borrowing heavily from it, some could take real advantage of this problem.

I'm guessing Gabe learned something from this. They'll probably go LAN only for code and art like 3Drealms is.
MSX is offline   Reply With Quote
Old Oct 2, 2003, 06:31 PM   #5
ZZzzzzzzzzzz...........
 
Join Date: Nov 2002
Location: Texas
Posts: 324
eyeguy616 is on a distinguished road

Re: Gabe Newell I need the assistance of the community

Quote:
Originally posted by NewsFactory
Our speculation is that these were done via a buffer overflow in Outlook's preview pane.

I can't believe they'd trust Outlook for anything....

~eyeguy616
eyeguy616 is offline   Reply With Quote
Old Oct 2, 2003, 07:18 PM   #6
DriverHeaven Lover
 
Join Date: Nov 2002
Posts: 167
Kemal is on a distinguished road

I've been having the problem where I right click on executables and explorer will crash. Actually, Explorer crashes seemingly at random whenever I access a program. Norton 2003 turns up nothing, and I'm clean according to SpyBot.
Kemal is offline   Reply With Quote
Old Oct 2, 2003, 09:25 PM   #7
Banned
 
Join Date: Nov 2002
Location: In clothing
Posts: 3,510
craig588 is on a distinguished road

I had that problem too, reformatting saves all!

I have actually gotten a few viruses that were freshly created just for me just because of the type of stuff I do.
craig588 is offline   Reply With Quote
Old Oct 3, 2003, 09:46 AM   #8
DriverHeaven Extreme Member
 
Join Date: May 2003
Location: Virginia, USA
Posts: 3,567
zerodamage is on a distinguished road

From what I've seen, this is the handiwork of MyG0t.
zerodamage is offline   Reply With Quote
Old Oct 3, 2003, 09:48 AM   #9
Banned
 
Join Date: Nov 2002
Location: In clothing
Posts: 3,510
craig588 is on a distinguished road

Whoa, I thought they shut down. Myg0t is the greatest! I'll have to find them again.
craig588 is offline   Reply With Quote
Old Oct 3, 2003, 09:59 AM   #10
DriverHeaven Senior Member
 
Join Date: May 2003
Location: Fort Worth TX
Posts: 643
Vengeance is on a distinguished road

I hope they get caught, and I hope they pay. I'll bet there's no way we will see HL2 this year now!
All because of people who think they can do whatever they want and get away with it! They think that the world is theirs just for the taking and screw everyone else.
Yes and when they get caught I hope they do HARD TIME in a fed pen!
I'd like to see the little pimple faced Hacker/thief get put in a cell with a few guys named Bubba!
Vengeance is offline   Reply With Quote
Old Oct 3, 2003, 10:13 AM   #11
DriverHeaven Senior Member
 
Join Date: Aug 2003
Location: Fredericksburg, VA
Posts: 990
Mazuko is on a distinguished road

From what I have read here and there it might have been one of the "big boys" in myg0t that actually know what they're doing that made the actual infiltration. Once again myg0t is under the microscope of the law as they were previously for stealing credit card information from "today's-clan" or something like that (when they hijacked their website etc. etc. etc.). The dolt in myg0t was tried as a juvenile and spent time in juvenile detention....the bastids.
Mazuko is offline   Reply With Quote
Old Oct 4, 2003, 08:41 AM   #12
Administrator
 
Join Date: Nov 2002
Location: Cloaked
Posts: 2,836
Veridian3 has a divinity and aura the likes we have never seen

An update from Valve:

1) We've taken our network connection down to pretty much a minimum. We're still finding machines internally that have been compromised.

2) The suite of tools that the attacker was using included the modified version of RemotelyAnywhere (basically a Remote Desktop-style remote admin tool), Haxker Defender (a process, registry key and file hiding tool), the key logger, and various networking utilities that allowed them to transfer files (compressors, NetCat, and FTP). We also are pretty sure they were sniffing our network to gather passwords and other information. Haxker Defender includes a file system driver that allows an attacker to have stuff on your machine that is invisible, unless you do something like mount the drive under another OS that has NTFS support.

We have determined one way of detecting some infected machines, which is using a connection viewer to detect connections to anomalous hosts external to our network.

We still don't know their entry method.

3) In general, the community has been remarkably swift at tracking down the sources of the leak. What would be most helpful now are IP addresses of the people who were responsible for the intrusion or for the denial of service attacks.

4) Also, please continue to send in URLs of websites hosting the source code. We've been contacting people and asking them to take it down.

5) There's anecdotal evidence that other game developers have been targeted by whoever attacked us. This hasn't been confirmed. We've been providing other game developers with more detailed information about the exploits and evidence of infiltration.

6) We're running a little bit blind with our network shut down, but it seems like some of the press has picked up the story. I've been fielding calls from the mainstream non-games, non-technical press all day. Hopefully they will get to report shortly what a mistake it is to piss off a whole bunch of gamers and get them hunting you around the Internet.

For any information related to this, please send it to helpvalve@valvesoftware.com, or you can always send to gaben@valvesoftware.com as well.
Veridian3 is offline   Reply With Quote
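
The detection method mentioned in the update above (using a connection viewer to spot connections to anomalous external hosts) can be scripted. This is an added example, not part of the thread or Valve's tooling; the `netstat`-style sample, the internal range and the expected-host list are constructed assumptions.

```python
import ipaddress

# Constructed sample in the style of Windows `netstat -ano` output
# (addresses are from private and documentation ranges).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.4.17:1045         10.0.1.5:445           ESTABLISHED     4
  TCP    10.0.4.17:1102         192.0.2.25:25          ESTABLISHED     1320
  TCP    10.0.4.17:1188         203.0.113.77:2000      ESTABLISHED     2216
  TCP    10.0.4.17:135          0.0.0.0:0              LISTENING       812
  TCP    10.0.4.17:1190         198.51.100.9:21        ESTABLISHED     2216
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # assumed internal range
EXPECTED_EXTERNAL = {ipaddress.ip_address("192.0.2.25")}  # assumed known mail relay


def split_endpoint(endpoint):
    """Split 'ip:port' (or '[ipv6]:port') into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def anomalous_connections(netstat_text, internal=INTERNAL_NETS, expected=EXPECTED_EXTERNAL):
    """Return established TCP connections to hosts that are neither internal nor expected."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue  # header, listener, or non-TCP row
        try:
            remote_ip, remote_port = split_endpoint(fields[2])
        except ValueError:
            continue  # unparsable address, e.g. a resolved hostname
        if remote_ip.is_loopback or any(remote_ip in net for net in internal):
            continue
        if remote_ip in expected:
            continue
        findings.append({"pid": int(fields[4]), "remote": str(remote_ip), "port": remote_port})
    return findings


if __name__ == "__main__":
    for hit in anomalous_connections(SAMPLE_NETSTAT):
        print(f"PID {hit['pid']} -> {hit['remote']}:{hit['port']} (not internal, not expected)")
```

Since the update describes a hiding tool on the compromised machines, the same comparison is more trustworthy when fed connection records collected off-host, such as at the gateway.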
Old Oct 4, 2003, 09:03 AM   #13
tek
F*&k The Police
 
Join Date: May 2003
Location: Boston, US
Posts: 2,103
tek is on a distinguished road

m y g 0 t

tek is offline   Reply With Quote
Old Oct 4, 2003, 10:04 AM   #14
Freedom is a feature.
 
Join Date: Jul 2002
Location: Croatia, Rijeka
Posts: 4,404
RIV@NVX is on a distinguished road

They are progressing... good to hear
RIV@NVX is offline   Reply With Quote
Old Oct 4, 2003, 10:36 AM   #15
DriverHeaven Extreme Member
 
Join Date: May 2003
Location: Virginia, USA
Posts: 3,567
zerodamage is on a distinguished road

I saw something on some IRC logs where ID had some source code stolen as well. Maybe Doom3 but this could all be speculation. However, whoever did this is being hunted like crazy. This "manhunt" makes the hunt for Osama and Saddam look small. lol


On another note, companies like Valve should be using software like ZoneAlarm or some other firewall where applications trying to access the internet require your permission. I think if this was used, there may not be an issue right now. I would say use some other firewall though. ZA is so often used that I think many hackers have ways to get around them now.
zerodamage is offline   Reply With Quote
Old Oct 4, 2003, 10:48 AM   #16
Burned
 
Join Date: May 2002
Posts: 29,664
Zardon is godlike in his status

well honestly a company like valve should be using dedicated hardware firewalls configured so tight nothing like this can happen. you will find (and I'm not saying this is the case) that a lot of these companies need good informed IT dudes working around the clock to ensure nothing like this happens.
Zardon is offline   Reply With Quote
Old Oct 5, 2003, 05:48 PM   #17
DriverHeaven Newbie
 
Join Date: Aug 2003
Location: San Jose, CA
Posts: 11
MrCodeDude is on a distinguished road

Quote:
Originally posted by Zardon
well honestly a company like valve should be using dedicated hardware firewalls configured so tight nothing like this can happen. you will find (and I'm not saying this is the case) that a lot of these companies need good informed IT dudes working around the clock to ensure nothing like this happens.

Nothing is ever secure. The only way to be truly secure is to have all the computers that have anything to do with the development of HL2 separated from:

1. The Internet
2. All other computers not having to do with HL2

That way, if something does get leaked you know it's an internal affair.
MrCodeDude is offline   Reply With Quote
 

 
All times are GMT -5.