Is Starfriend safe - Security Wise I mean

Started by brightb, July 15, 2011, 06:16:00 PM


brightb

I was reading on a blog, and a user had to say this about the whole SC2 LAN thing from China:

"1) This is a heavy modification that needs to be done from Chinese to something like the English version; it's not an actual English crack, just a modification of MPQ files that tries to make it look like English! (Even the developer never said OK to darkblizz users for what they did.)

Also, this will need extra knowledge from people to do, and above all, most of us don't want to screw up our installation, maybe also because it's legal, just to try a LAN mode. When something clean and English is available that does not alter game files, or at least has a restore process, then we can talk about it.

2) And the most important reason: all non-Chinese users should know that 90% of stolen data and spam is coming from Chinese-related software!
We can't be anything but extremely suspicious when using a closed, mysterious so-called "server.exe" file, about what it does! I am not saying it doesn't work in this TW version, OK it does, but at what cost? How sure can you be when it's not open source? (The starcrack team was the best with its b.net emulator project.) What else is it gathering and transmitting too? Maybe your real b.net account? Your Visa data? How can you be 100% sure it's not a sleeping trojan that will wake up and start manipulating your system and data!????
When some people like the Chinese developers have such a "reputation" for "stealing and cyberattacks", and when LAN for SC2 is all that most users want, it's pretty damn sure that it will find a LOT of potential VICTIMS!

A simple antivirus scan will not prove anything!
It's very easy to gather system information and open backdoors, and no antivirus will ever detect it, because it's perfectly normal software!

Nobody knows this Chinese "developer"; he never talked to anybody in English about this, he has no previous record of other successful software and proven reliability to trust him, he doesn't "cooperate" with anyone trustworthy, so it's very risky and I think users should not be exposed. You want to play with your data and system, do it at your own risk!"

Are we taking this project for granted, or are we too quick to think this program is evil? I just want to make sure that as long as I am having fun with SC2 LAN, some other guy on the other end of the world isn't trying to have fun by draining my resources, personal resources that is. ;D

Myst

The original virus scan, which I linked in the Chinese edition post, reported 5 hits of suspicious activity. But the developer said those were false positives, which is understandable because those things do happen.
A lot of people have downloaded this already, and I'm sure if they were mass-infecting all users of Starfriend, someone would've caught on by now and exposed it, or at least warned someone about it.

Do a packet log of the program. See what transmissions the server is sending out. It should all be related only to SC2 game packets and grabbing their site news.
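
One way to act on that advice is to capture the helper process's connections (with a packet capture or a per-process connection monitor) and compare each destination against the two things the post says should be there: LAN game peers and the project's news site. The script below is an added example, not code from the post or from Starfriend; the log format, the LAN subnet 192.168.1.0/24, the game port 1119, the news-host address 203.0.113.10, and all sample lines are constructed assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed connection-log shape for this example, one observed flow per line:
#   <time> <process> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proc>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: two LAN peers on the assumed game port, one web fetch to the
# constructed news host, one TCP flow to an unrelated port, and one UDP flow on
# the game port that leaves the LAN. SC2.exe is included to show process filtering.
SAMPLE_LOG = """\
12:00:01 server.exe UDP 192.168.1.10:1119 -> 192.168.1.12:1119
12:00:02 server.exe UDP 192.168.1.10:1119 -> 192.168.1.13:1119
12:00:05 server.exe TCP 192.168.1.10:49152 -> 203.0.113.10:80
12:00:09 server.exe TCP 192.168.1.10:49153 -> 198.51.100.7:6667
12:00:11 server.exe UDP 192.168.1.10:1119 -> 192.168.1.12:1119
12:00:14 server.exe UDP 192.168.1.10:1119 -> 203.0.113.50:1119
12:00:15 SC2.exe    UDP 192.168.1.10:1119 -> 192.168.1.12:1119
"""

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN used for play
GAME_PORT = 1119                                    # assumed game port
NEWS_HOSTS = {"203.0.113.10"}                       # constructed placeholder for the news site


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def is_expected(dst, dport, proto):
    """True if the flow fits the profile the post describes: LAN game traffic or site news."""
    addr = ipaddress.ip_address(dst)
    # Game traffic: UDP to a peer inside the LAN on the game port.
    if proto == "UDP" and addr in LAN_NET and dport == GAME_PORT:
        return True
    # Site news: plain HTTP to the known news host.
    if proto == "TCP" and dport == 80 and dst in NEWS_HOSTS:
        return True
    return False


def summarize(log_text, process="server.exe"):
    """Count flows per (dst, dport, proto) for the named process, ignoring other processes."""
    counts = Counter()
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow and flow["proc"] == process:
            counts[(flow["dst"], flow["dport"], flow["proto"])] += 1
    return counts


def unexpected_destinations(log_text, process="server.exe"):
    """Return a sorted list of (dst, dport, proto, count) that fall outside the expected profile."""
    flagged = []
    for (dst, dport, proto), n in summarize(log_text, process).items():
        if not is_expected(dst, dport, proto):
            flagged.append((dst, dport, proto, n))
    return sorted(flagged)


if __name__ == "__main__":
    for (dst, dport, proto), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{dst}:{dport} {proto} x{n}")
    print("unexpected:", unexpected_destinations(SAMPLE_LOG))
```

Anything the script flags is a destination to look at more closely rather than proof of anything on its own; a single unexplained flow to an unrelated port, or game-port traffic leaving the LAN, is the kind of thing a packet log reveals that an antivirus verdict does not.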

miguelgalit

Still not trusting that LAN... everyone has his own ideas about it. I'm still waiting for v7's LAN, if it's successful, since his LAN will not modify files from SC2... hehehe
I don't like microing. Hahahaha

Myst

Nothing is really being modified. Files are just being replaced to make the TW client English. And Vernam7 ain't gonna have LAN until someone gives him the source to one or public info. He does stuff like that. -.- There was some topic about that a while back, and many people who developed SC2 stuff all say so too.

bobski

I found these files, StarFriendBeta_0.44, somewhere on the net, and this package is virus free. So it is a little suspicious, and I agree with brightb.
Here are the files uploaded by me to check for viruses: http://www.megaupload.com/?d=Y2LYNZ0P

SibirskyiWolk

Hey folks,
I checked the Starfriend I downloaded here with Avira and got a TR/Kazy.29300 reported in Server_0.44.exe.
Does anyone already know if it's just a wrong alert, or really a virus?

Starman4xz

Quote from: SibirskyiWolk on July 22, 2011, 04:01:23 PM
Hey folks,
I checked the Starfriend I downloaded here with Avira and got a TR/Kazy.29300 reported in Server_0.44.exe.
Does anyone already know if it's just a wrong alert, or really a virus?

Some anti-virus programs sometimes mark the program as a "false positive". It is not a virus.

sYk0

The reports of a virus are all "false positives"; Kaspersky Internet Security 2012 didn't pick up anything.

Q: Why would your anti-virus flag these files as "suspicious"?
A: Because of the way the LAN crack is written: it uses detours ("hooks") to intercept system API calls and redirect them where needed.
Anti-virus programs don't like this because it could potentially be dangerous; that doesn't mean it is!

If you would like to find out more about API Hooking read these articles: http://en.wikipedia.org/wiki/Hooking and http://research.microsoft.com/sn/detours

rnbby

Quote from: sYk0 on July 23, 2011, 02:44:21 AM
The reports of a virus are all "false positives"; Kaspersky Internet Security 2012 didn't pick up anything.

Q: Why would your anti-virus flag these files as "suspicious"?
A: Because of the way the LAN crack is written: it uses detours ("hooks") to intercept system API calls and redirect them where needed.
Anti-virus programs don't like this because it could potentially be dangerous; that doesn't mean it is!

If you would like to find out more about API Hooking read these articles: http://en.wikipedia.org/wiki/Hooking and http://research.microsoft.com/sn/detours

Isn't your post a bit misleading?

Server.exe doesn't do hooks or detours. Just FYI.

sYk0

Quote from: rnbby on July 23, 2011, 03:17:38 AM
Quote from: sYk0 on July 23, 2011, 02:44:21 AM
The reports of a virus are all "false positives"; Kaspersky Internet Security 2012 didn't pick up anything.

Q: Why would your anti-virus flag these files as "suspicious"?
A: Because of the way the LAN crack is written: it uses detours ("hooks") to intercept system API calls and redirect them where needed.
Anti-virus programs don't like this because it could potentially be dangerous; that doesn't mean it is!

If you would like to find out more about API Hooking read these articles: http://en.wikipedia.org/wiki/Hooking and http://research.microsoft.com/sn/detours

Isn't your post a bit misleading?

Server.exe doesn't do hooks or detours. Just FYI.

Lol, out of everything I said you pick up one thing... :)

I never specified which file(s) use detours, nor did I point out any specific file(s) that didn't, I was merely trying to give some "general" information as to why an anti-virus program would flag some files.

If you really want to nitpick, you could point out that none of the .txt, .ini, .manifest, .mpq, etc. files use detours either.

My previous post may not be 100% correct, but it is not 100% incorrect either; next time I shall specifically point out the suspicious files in question. ;)

For argument's sake:
Quote
StarCraft II.exe
StarCraft II.dll
SC2.dll
SC2.exe
may all, or may not, be considered suspicious by your anti-virus product.

rnbby

Quote from: sYk0 on July 23, 2011, 07:55:16 PM
Quote from: rnbby on July 23, 2011, 03:17:38 AM
Quote from: sYk0 on July 23, 2011, 02:44:21 AM
The reports of a virus are all "false positives"; Kaspersky Internet Security 2012 didn't pick up anything.

Q: Why would your anti-virus flag these files as "suspicious"?
A: Because of the way the LAN crack is written: it uses detours ("hooks") to intercept system API calls and redirect them where needed.
Anti-virus programs don't like this because it could potentially be dangerous; that doesn't mean it is!

If you would like to find out more about API Hooking read these articles: http://en.wikipedia.org/wiki/Hooking and http://research.microsoft.com/sn/detours

Isn't your post a bit misleading?

Server.exe doesn't do hooks or detours. Just FYI.

Lol, out of everything I said you pick up one thing... :)

I never specified which file(s) use detours, nor did I point out any specific file(s) that didn't, I was merely trying to give some "general" information as to why an anti-virus program would flag some files.

If you really want to nitpick, you could point out that none of the .txt, .ini, .manifest, .mpq, etc. files use detours either.

My previous post may not be 100% correct, but it is not 100% incorrect either; next time I shall specifically point out the suspicious files in question. ;)

For argument's sake:
Quote
StarCraft II.exe
StarCraft II.dll
SC2.dll
SC2.exe
may all, or may not, be considered suspicious by your anti-virus product.

Yeah, my bad. Not really trying to nitpick or anything.

It's just that the main issue is "server.exe in Starfriend is flagged as a TR/Kazy variant". :D

None of the other files you posted were flagged. That's why I hinted that it's misleading.

sYk0

Quote from: rnbby on July 23, 2011, 10:19:59 PM
It's just that the main issue is "server.exe in Starfriend is flagged as a TR/Kazy variant". :D

Oh, sorry mate, I misread what you were saying; I didn't know that "server.exe" was flagged.
I just had a look on virustotal.com: 4 out of 43 engines flagged "server.exe". This is pretty low (9.3%), I'd say low enough to be considered (the choice is the end user's) a "false positive".

johnnyMnemonic

There is more to consider here than a few AV reports!

Just giving away your IP is risky IMHO; I would play with Starfriend in a completely isolated environment!
You never know if your system will one day take part in a DoS attack, for example against Google or the CIA or whatever; those Chinese are crazy! :P

So for me, a completely private LAN isolated from my work systems, and no internet access if possible.
I am actually waiting for sYk0's tools to try it; I am too lazy to copy-paste files around :D