PC game alerting to trojan from outbound connections

GamerG

I bought a game on Steam called "Project Zomboid", I was looking for multiplayer servers in the game but they were all passworded. I minimized the game while in this multiplayer menu and Malwarebytes started giving me about 7 alerts for Trojans, RiskWare and Malware. I have attached 3 of them.

I've since refunded the game so can't do any further investigation but some people on the Steam forums have since told me it's a false positive or I have Windows malware that hijacked the game exe.

I did find someone else with the exact same complaint:

https://steamcommunity.com/app/108600/discussions/0/3198117312264346884/

Does Malwarebytes staff ever get involved in checking games for exploits? It would be useful to know the source of these worrying alerts. I already refunded the game in a panic so there's not a lot I can contribute beyond the attached screenshots. As I said, the alerts seem to happen when I was looking at the multiplayer servers which I guess are hosted by third parties.

[attached screenshots: Do0zFCI.png, p8aYIec.png, szeYYQ0.png]

3 minutes ago, GamerG said:

It would be useful to know the source of these worrying alerts.

As for why Malwarebytes blocks Steam and other games: this is because Steam is torrent-based software, and such programs are what are known as Peer-to-Peer (P2P) applications, meaning they connect to many different servers/IP addresses (this is how files are downloaded through torrent-based software). Because of this, torrent-based software will sometimes connect to a server that is also known for hosting malicious content. This is because servers/IP addresses are often shared by multiple sites, so while what you are playing/downloading through torrent-based software may be perfectly safe, some of the sites hosted on some of the IP addresses that torrent-based software connects to may be malicious. Such connections are not a threat, however, and you may exclude torrent-based software from the Web Protection component in Malwarebytes to stop the blocks from happening without compromising your protection (your web browser and other critical web-facing programs will still be fully protected from malicious websites and other malicious content). To do so, add the game exe to your exclusions using the method described under the Exclude an Application that Connects to the Internet section of this support article.

Thanks for your reply.

I've been downloading and playing Steam games for years but I've never seen anything like this.

Sounds more like the game needs fixing. I'm told the port 16261 is used for multiplayer connections so I'm taking a wild guess that someone has found a vulnerability in the game.

1 minute ago, GamerG said:

I've been downloading and playing Steam games for years but I've never seen anything like this.

It does not happen for all games, and it comes and goes. It depends on the status of the servers and what IPs they are on.

5 minutes ago, GamerG said:

Sounds more like the game needs fixing. I'm told the port 16261 is used for multiplayer connections so I'm taking a wild guess that someone has found a vulnerability in the game.

I doubt there is anything wrong with the game as long it is directly from Steam.


  • Root Admin

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location:

[screenshot]

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged.

[screenshot]

If you click on the View option you should get something similar to the following, with other options available.

[screenshot]

I've attached 7 alerts that appeared before I closed the game, deleted and refunded it.

I am aware that my Windows has needed updating since last week, I will take care of that.

I'd like to leave this discussion now as I've refunded the game and done my part to inform Malwarebytes. I do believe this game has some issue, maybe around the multiplayer server browser, and I've detailed in my earlier posts what I was doing in-game just prior to the alerts appearing. It is not normal to receive such alerts in a game; it's the first time I've ever seen it.

[attachments: 1.txt 2.txt 3.txt 4.txt 5.txt 6.txt 7.txt]

10 minutes ago, GamerG said:

I'd like to leave this discussion now as I've refunded the game and done my part to inform MalwareBytes.

Thank you for the logs. I have moved your post so the web team can investigate.

12 minutes ago, GamerG said:

It is not normal to receive such alerts in a game, it's the first I've ever seen it.

There is a good chance you will see them again. That is the reason the explanation/instruction post was written in the first place. This happens because of the P2P (peer to peer) nature of games now.

Game companies do not host multiplayer games on their own private servers. They connect through IPs from all over, and most of those IPs are shared servers that can also be hosting malware.

Best wishes and again thanks for your submission.

  • Staff

Hello, the IP in question is related to Mozi: VirusTotal - IP address - 122.118.99.206

Unlikely we'll disable that block, you'll need to create exceptions for it if you want to play the game.

As far as I know, we do not check games for exploits.

  • Staff

80.246.81.224 => https://www.virustotal.com/gui/url/984b4183b0797ae9809a8b7a67d8bc633b72451afd2921d2a3faf301c9beaa94/detection
122.118.99.206 => https://www.virustotal.com/gui/url/e388069807e252c44e11ac4a9e0c5ecc02dd09b7ab86850e5da9bb29a408aa48/detection
183.215.139.204 => https://www.virustotal.com/gui/url/6432331d9af2b5405b6d11f07cd0b35dd4bdd9d6e0e1fcdd524f66f1a00ac17d/details
113.110.228.45 => https://www.virustotal.com/gui/url/51091fb8692b38d175ce43e0e6668c39162ca18101d7da995643744c69cf4170/details

The remainder of the blocks with the reason they are blocked are listed above. Until they are cleaned up, they will remain blocked.

Thank you for reporting.
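A small triage helper, added here as an example and not part of this thread or of Malwarebytes' software. It takes block records in a constructed, simplified format (the record layout, process names and ports are assumptions; the four IPs are the ones staff quoted above) and separates blocks that fit the "P2P game reaching shared/flagged hosts on its multiplayer port" explanation from blocks that deserve a closer look, such as a different process contacting the same flagged hosts:

```python
from collections import defaultdict

# Constructed sample block records in a simplified, hypothetical format:
# (process name, destination IP, destination port, detection label).
# These are NOT real Malwarebytes log lines. The four IPs are the ones
# quoted by staff in the thread; process names and ports are assumed.
SAMPLE_BLOCKS = [
    ("ProjectZomboid64.exe", "122.118.99.206", 16261, "Trojan"),
    ("ProjectZomboid64.exe", "80.246.81.224", 16261, "RiskWare"),
    ("ProjectZomboid64.exe", "183.215.139.204", 16261, "Malware"),
    ("ProjectZomboid64.exe", "113.110.228.45", 16261, "Trojan"),
    ("ProjectZomboid64.exe", "122.118.99.206", 16261, "Trojan"),  # repeated block
    ("updater.exe", "122.118.99.206", 8080, "Trojan"),            # other process
]


def triage(records, game_exe, game_port):
    """Group outbound-block records by process and decide which fit the
    'P2P game touching shared/flagged hosts' explanation.

    A process is consistent with that explanation only when it is the game
    itself AND every blocked connection used the game's multiplayer port.
    Any other process, or the game reaching a flagged host on some other
    port, is marked for closer investigation.
    """
    per_proc = defaultdict(lambda: {"ips": set(), "ports": set(),
                                    "labels": set(), "off_port": 0})
    for proc, ip, port, label in records:
        entry = per_proc[proc]
        entry["ips"].add(ip)
        entry["ports"].add(port)
        entry["labels"].add(label)
        if port != game_port:
            entry["off_port"] += 1
    summary = {}
    for proc, entry in per_proc.items():
        expected = proc.lower() == game_exe.lower() and entry["off_port"] == 0
        summary[proc] = {
            "distinct_ips": len(entry["ips"]),
            "ports": sorted(entry["ports"]),
            "labels": sorted(entry["labels"]),
            "verdict": "expected-p2p" if expected else "investigate",
        }
    return summary


if __name__ == "__main__":
    for proc, info in triage(SAMPLE_BLOCKS, "ProjectZomboid64.exe", 16261).items():
        print(f"{proc}: {info}")
```

Feed it records transcribed from the RTP block entries shown in the Scan and Protection logs; a process that lands on "investigate" is the one worth scanning, not the game.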