
The Enigma Protector - Capcom


JorgeBon


Hello Research Center,
I was redirected to post here instead.


First things first, it's not confirmed that these are malicious, but I thought that someone with expertise could perhaps confirm whether this software does any actual harm.

The Steam forums have, however, been very active lately about this issue. The main issue was that Capcom pushed this onto consumers with no warning on old games, and to make matters worse, the company that made "The Enigma Protector" is sketchy, as the company supposedly doesn't exist.

Apparently this has been put into the exe files of the 5th and supposedly the 6th Resident Evil games.

Resident Evil 5       https://www.virustotal.com/gui/file/751726f0ec8bd01c00b037af8ae64cdf0bc5cc5b9025f3f4d782ef6f66e04e26
Resident Evil 6       https://www.virustotal.com/gui/file/7d30dfd5f04b8090a41f0586e7c27d676d2bb0fbeae9c17632574bb13e1ad4f6


Now, the reason people are very paranoid about this is that there's this exe file which had the Enigma Protector and it triggered several AV engines, including Malwarebytes. I can't figure out if it's tied to Capcom, but it was brought up multiple times in the forums.

https://www.virustotal.com/gui/file/036d4530677bfbb14f8dc7476b88038aca5a1f9079bdef01a709ca0e560fb022


This could also very well just be blown out of proportion, but I unfortunately lack the skills to do a thorough investigation myself on this matter. What triggered this news to spread was when Capcom tried to implement this in Resident Evil Revelations but screwed up and made people notice. They have reverted the update for this game; however, it is still in the other games.

Edited by JorgeBon

Thank You

  • Resident Evil 5 - First Submission  2023-08-08 
  • Resident Evil 6 - First Submission  2023-03-06
  • Game Server - First Submission  2022-08-02

Please reference the following on how to provide sample submissions such that Malwarebytes' Anti-Malware (MBAM) can detect targeted but presently undetected new threats in the form of disk files.

Malware Hunters group
Purpose of this forum

All the files are too old as per the above guidelines.  The Resident Evil 5 is most likely a False Positive.

Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar

Hi JorgeBon,

I'm not an employee of Malwarebytes, but I've been exposed to and know about Enigma Protector, so I may be able to be of some help to you.
Enigma Protector is pretty much the same as VMProtect/Themida/Safengine (also known as NoobyProtect), an encryption protection and anti-debugging shell for software.
I don't have access to download the attachments from the Malwarebytes forum, but thanks for the VT link, I can get them from VT using the API.
The first two of the three files you provided are from CAPCOM, no problem, but the third is obviously not from CAPCOM.
It uses a trial version rather than an official version of Enigma Protector, and it's also not digitally signed by CAPCOM, and even more disastrously I can't debug and analyze it because of the presence of Enigma Protector.
It's true that these protectors affect analysis and detection by security software, but I don't think that just because they add encryption/virtualization protection that it's harmful.

  • Like 1

Simply put, games often use packers and cryptors to protect their code.  And yes, their use increases the likelihood of anti-malware detections.  However, that does not make them malicious code.


Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar
  • Like 2

Yeah, fair enough. I wasn't really sure if this would be the right place to post this or not, as it's speculation. I usually don't mind DRM or packers myself, but it did make me a bit anxious that it seemed rather obscure, along with the whole fearmongering happening in the Steam forums. I just wish that someone could put a proper end to the discussion of whether this is really harmful or not.

  • Like 1

I moved the thread to General Chat so the subject matter can be discussed.

As much as there is Information on the web, there is also misinformation.

For example the largest misperception is that all malicious software are viruses.

All viruses are malware but not all malware are viruses.  There is a taxonomy to malware and malware is a portmanteau of MALicious softWARE.  Malware consists of all trojans, viruses and exploit code.  Just like when it comes to cars; All Fords are automobiles but not all automobiles are Fords.  And just like there are no Ford Chryslers, there are no trojan viruses. 

Most people don't understand malicious activity or what is really malware.  They don't like the way some software works and they call it malware (or a virus) and totally mis-categorize the software.

Because of the general lack of understanding and the plethora of misinformation, people will come up with their own conclusions that may steer others in the wrong direction.

Games and their users fall prey to this.

Games are the ultimate "trojan horse," in reference to the Greeks' use of a large wooden horse statue that was a gift to Troy.  That was the Greeks' entry point into the city of Troy's enclave.

So games are often used alongside malware.  Unlike a virus, which spreads autonomously, a trojan needs assistance.  Social Engineering (the Human Exploit) and Software Exploits are often used to get the malicious software into your enclave, your computer.  Today we are seeing many fake Game Sites being set up offering Free Beta versions of some "game."  Using Social Engineering exploiting the gamers' "desire", people go to these sites and download what is malicious software, where the installer is often hosted on Discord's CDN (Content Delivery Network).  Another way is to take a legitimate Game Installer Package and wrap another installer around it that will also install malware.

So games are the ultimate "trojan horse."  They are desirable as a malware delivery system.

The Gamer Community is aware of "some" of this but not fully understanding of how, where and what games to obtain and play.

They see information about submitting a file or files to Virus Total where the file(s) can be scanned by a multitude of participating anti malware vendors, which includes the Windows Malwarebytes (Virus Total version) Engine and  Signature set.

In the old days, when Virus Total was owned by Hispasec Sistemas, the name of the malware was quite indicative of the type of malware and the family it may be a part of.  There was a fairly well adopted convention for the naming of malware detections.  However, today that is not the case.  Thousands upon thousands of new trojans are introduced daily and it just isn't viable to have a specific naming convention.  Anti-malware vendors believe what is most important is that the malware is detected and removed, regardless of the name.  Additionally, each anti-malware vendor has their own naming convention for heuristic detections.  These are not based upon a particular signature or fingerprint but by a loose analogy logic of "If it walks like a Duck and squawks like a Duck, then it must be a Duck".   But that also leads to false detections, which are known as False Positive detections.

So we come to the area that pertains to this subject matter.

If I have a given malware file (binary) and release it today, it may not be detected.  However, Heuristics may catch some new files.  As time goes by and the given malware binary is in-the-wild, it will start to be signature detected, it will be shared, and the number of anti-malware vendor detections will ultimately rise.    In many cases this could be in hours but mostly in days.

What if I have a really good malware I want to deploy and it has now become well detected?

That's where packers and cryptors come into play.  These software utilities allow that malware to run and work as intended but the binary is completely altered.  All signatures that may have been reliably detecting the binary will no longer detect it and thus the game of detections starts all over again.

Many of these packers and cryptors are quite legitimate and are used all the time to decrease the size of the executable and to protect Intellectual Property (the code).

A well known one is "the Ultimate Packer for eXecutables", UPX:

https://upx.github.io/

Some are not well known and I call them; Exotic Packers and Cryptors.

Game authors will use these packers and cryptors to protect their game's Intellectual Property.

So that's where the paradox comes in: malicious actors use the software to make their detected malware less detected or undetected, while legitimate software vendors use the software to protect their Intellectual Property.

That's where an analysis of a Virus Total Report comes into play.

A true malware file represented on Virus Total will see a large number of detections, mostly signature based detections and not heuristic detections.  If a file has been known to Virus Total for months and has a very low number of detections, then the file's detections may be only heuristic detections or False Positives, or, when it comes to Potentially Unwanted Applications/Programs (PUA/PUP), the file could be a case where a vendor's stance on what makes a PUA/PUP detection is based upon their own criteria for the decision.  For example, the criteria for a PUP detection by Eset may not meet the criteria of Malwarebytes.

So the Gamer Community sees "detections" on Virus Total and may come to the conclusion of Malware.


Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar
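The triage logic the post above describes (many named-family detections point to malware; a file known to Virus Total for months with only a couple of heuristic or machine-learning hits is more likely a False Positive or a PUA judgement call) can be written down as a small script. This is an added example, not code from the thread, Malwarebytes or VirusTotal. The two reports are constructed dicts that only mimic the shape of a VT file report (engine name to detection label, or None for no detection); the first-submission date of the old game executable is the one quoted earlier in the thread, everything else is made up, and the marker list and thresholds are my own heuristics, not a published rule.

```python
"""Triage a VirusTotal-style report: signature vs heuristic hits, file age, verdict.

Added example for the forum thread above; not code from Malwarebytes or VirusTotal.
"""
from datetime import date

# Substrings that usually mark a heuristic, generic or machine-learning verdict
# rather than a named-family signature (assumption: vendor naming is not uniform).
HEURISTIC_MARKERS = ("heur", "generic", "suspicious", "anomalous",
                     "machinelearning", "score", "packed", "unsafe")

# Constructed report: an old, protector-wrapped game executable.
# First-submission date is the one quoted in the thread; engines and labels are made up.
SAMPLE_OLD_GAME_EXE = {
    "first_submission": "2023-08-08",
    "results": {
        "Malwarebytes": "MachineLearning/Anomalous.100%",
        "VendorA": "Gen:Suspicious.Packed",
        "VendorB": None, "VendorC": None, "VendorD": None,
        "VendorE": None, "VendorF": None, "VendorG": None,
    },
}

# Constructed report: a fresh sample that most engines already name as a family.
SAMPLE_FRESH_TROJAN = {
    "first_submission": "2023-11-29",
    "results": {
        "VendorA": "Trojan.Agent.Dropper", "VendorB": "Trojan:Win32/Agent",
        "VendorC": "Win32.Trojan.Agent", "VendorD": "Trojan.Agent",
        "VendorE": "TR/Agent.abc", "VendorF": "Trojan.Win32.Agent",
        "VendorG": "HEUR:Trojan.Win32.Generic", "VendorH": None,
    },
}


def classify_detection(label: str) -> str:
    """Return 'heuristic' if the label looks generic/ML, otherwise 'signature'."""
    lowered = label.lower()
    return "heuristic" if any(m in lowered for m in HEURISTIC_MARKERS) else "signature"


def triage(report: dict, today: str) -> dict:
    """Summarise one report as of `today` (ISO date string) and give a coarse verdict."""
    results = report["results"]
    signature_hits = heuristic_hits = 0
    for label in results.values():
        if label is None:
            continue
        if classify_detection(label) == "heuristic":
            heuristic_hits += 1
        else:
            signature_hits += 1
    age_days = (date.fromisoformat(today) - date.fromisoformat(report["first_submission"])).days
    engines = len(results)
    # Thresholds are illustrative (assumption), not a VT or Malwarebytes rule.
    if signature_hits + heuristic_hits == 0:
        verdict = "clean"
    elif signature_hits >= max(3, engines // 4):       # broad named-family consensus
        verdict = "likely-malicious"
    elif age_days >= 30 and signature_hits <= 1:       # old file, only generic hits
        verdict = "likely-false-positive-or-pua"
    else:
        verdict = "inconclusive"
    return {
        "engines": engines,
        "signature_hits": signature_hits,
        "heuristic_hits": heuristic_hits,
        "age_days": age_days,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, report in (("old game exe", SAMPLE_OLD_GAME_EXE), ("fresh trojan", SAMPLE_FRESH_TROJAN)):
        print(name, triage(report, "2023-12-01"))
```

The script deliberately keeps the two counts separate rather than reporting "2/70 detections": the question a practitioner asks is not how many engines fired but whether they fired on a named family or on a generic model, and how long the file has been in circulation without more vendors joining in.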


Hey guys

I'm not a Malwarebytes employee, but I know CAPCOM (PS: BIOHAZARD / Resident Evil 1-6 old player).


More recently, Capcom's "malicious" behavior (adding a new DRM system to all games, including older ones; this prevents players from adding mods to customize the game) has caused a large number of players to be dissatisfied with Capcom.

Some people took this opportunity to start publishing fake Capcom game files in an attempt to discredit the company.

So, can you confirm that the third file is indeed from Capcom?


Since the third file is not Digitally Signed it has a lower chance of being from Capcom.  Some questions that arise are...

  • Do they regularly Digitally Sign their binaries? 
  • Do they include a specialty "watermark" in their binaries?
  • Do they publish the Checksum values of their binaries to compare to?
Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar
  • Thanks 2
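The three questions in the post above (is the binary Digitally Signed, is there a vendor-published checksum to compare against, and does the file carry the marks of a known protector) can all be answered locally by reading the PE headers. The script below is an added example, not code from the thread, Capcom or Malwarebytes. It uses only the Python standard library; the two images it inspects are built in-script by build_sample_pe() and are not real game binaries. The packer section-name table is an assumption-level heuristic (names commonly reported for Enigma Protector, UPX, VMProtect and Themida), and a protector can rename its sections.

```python
"""Inspect a PE file: Authenticode signature presence, SHA-256, section names.

Added example for the forum thread above; not code from Capcom or Malwarebytes.
"""
import hashlib
import struct

# Section names commonly reported for well-known packers/protectors.
# Assumption: a hint only; absence proves nothing and names can be changed.
PACKER_SECTION_NAMES = {
    b".enigma1", b".enigma2",      # Enigma Protector
    b"UPX0", b"UPX1", b"UPX2",     # UPX
    b".vmp0", b".vmp1",            # VMProtect
    b".themida",                   # Themida
}


def inspect_pe(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers and report hash, signature blob, sections."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                       # PE32+ (64-bit)
        nrva_off, dirs = opt + 108, opt + 112
    elif magic == 0x10B:                     # PE32 (32-bit)
        nrva_off, dirs = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    # Data directory 4 is IMAGE_DIRECTORY_ENTRY_SECURITY. Unlike the other
    # entries its first field is a file offset to the WIN_CERTIFICATE blob.
    signed = False
    if num_dirs > 4:
        cert_off, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
        signed = cert_off != 0 and cert_size != 0 and cert_off + cert_size <= len(data)
    section_table = opt + size_of_optional
    names = []
    for i in range(num_sections):
        start = section_table + 40 * i       # IMAGE_SECTION_HEADER is 40 bytes
        names.append(data[start:start + 8].rstrip(b"\0"))
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "signed": signed,
        "sections": [n.decode("ascii", "replace") for n in names],
        "packer_sections": sorted(n.decode("ascii", "replace")
                                  for n in names if n in PACKER_SECTION_NAMES),
    }


def build_sample_pe(section_names, signed: bool) -> bytes:
    """Build a minimal, non-executable PE32+ image for the demo (constructed data)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    header_len = len(dos) + 4 + len(coff) + len(opt) + len(sections)
    if signed:
        # Security directory (index 4) -> placeholder blob appended after headers.
        struct.pack_into("<II", opt, 144, header_len, 8)
    image = dos + b"PE\0\0" + coff + bytes(opt) + sections
    if signed:
        image += b"\0" * 8    # stand-in for a WIN_CERTIFICATE; not a real signature
    return image


if __name__ == "__main__":
    print(inspect_pe(build_sample_pe([b".text", b".enigma1", b".enigma2"], True)))
    print(inspect_pe(build_sample_pe([b".text", b".data"], False)))
```

Two caveats for anyone running this on a real file: a populated security directory only says that a signature blob is attached, not that it verifies or that the signer is the vendor, so the chain and signer name still have to be checked with an Authenticode-aware tool (PowerShell's `Get-AuthenticodeSignature` or `signtool verify`); and the SHA-256 it prints is the same value VirusTotal keys its file pages by, so it can be compared directly against a VT link or a vendor-published checksum.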

Malwarebytes was detecting the file in question as;  MachineLearning/Anomalous.100%

So I submitted the file as a possible False Positive in the appropriate file based submission sub-forum in;  Possible F/P - MachineLearning/Anomalous.100%

My suspicions were correct.  Staff have Whitelisted the file.  It is not malicious.  Please see miekiemoes' reply.

** Now you, the consumer of said Capcom game(s), should contact the author, and ask if they are to use the Enigma Protector to protect their intellectual property rights, why they don't Digitally Sign their files to avoid such detections and the ensuing confusion.

Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar

This topic is now closed to further replies.