Ultra Combo Kill Move, Capcom Retreats After Street Fighter V Installs Rootkit On PCs

Gamers who downloaded the latest update for Capcom’s Street Fighter V are getting quite a bit more than they bargained for: an unsecured rootkit. Redditor LoGicMoTion issued a warning to gamers that the latest update for the Windows version of the game was attempting to gain kernel-level access to the operating system. The update puts capcom.sys in your System32 directory and in essence provides backdoor access to your PC, allowing a non-privileged user to run code with kernel permissions.

“The driver first registers itself using a pseudo-randomly generated name. That's kind of suspicious,” writes extrwi. “It also doesn't specify any security, so any user at any privilege level can attempt to open and control the device.”

Extrwi goes on to write that the driver sets up a few custom handlers for opening the device object. However, Capcom, for reasons unknown to us, made a critical blunder. “A driver that didn't set up basic security when creating its device should perform security checks when opening the device,” writes extrwi. “This driver does not.”


To make matters worse, the driver then “disables supervisor-mode execution protection and then runs the arbitrary code passed in through the ioctl buffer with kernel permissions.”

Another redditor, Oxidopamine, offered this excellent summary of what this rootkit is capable of:

Basically, the highest possible level of access you could grant any piece of software. It sits aside your operating system. SFV can now read or change any file on any drive, or steal information from any other software currently running on your computer. Anyone who cares about their privacy and security should be deeply worried by Capcom's decision to resort to these tactics. This is effectively malware.

In case you were wondering, Capcom’s latest update was meant to put an end to rampant cheating that has been taking place in Street Fighter V. When the update was released, Capcom described the update via a Steam posting:

As a part of the new content and system update releasing later today, we’re also rolling out an updated anti-crack solution (note: not DRM) that prevents certain users from hacking the executable. The solution also prevents memory address hacks that are commonly used for cheating and illicitly obtaining in-game currency and other entitlements that haven’t been purchased yet.

The anti-crack solution does not require online connectivity in order to play the game in offline mode; however, players will be required to click-confirm each time they boot up the game. This step allows ‘handshake’ to take place between the executable and the dependent driver prior to launch.

However, as we can see from the multitude of user complaints and the detailed analysis of the installed rootkit, Capcom did far more than stifle cheaters; it put its customers at risk. To its credit, Capcom responded rather quickly to the online backlash with a series of tweets:

And it followed up shortly with a tweet informing customers that a rollback patch was posted to remove the offending update for Street Fighter V from their Windows machines:

However, the response may be too little, too late for Capcom. Gamers are understandably outraged over the rootkit and have likened its actions to previous security blunders by Sony and Lenovo.
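
To confirm whether the driver described above is still on a machine after the rollback, the following PowerShell check looks for capcom.sys in System32 and for any kernel driver service still pointing at it. This is an added example, not code from Capcom or from the redditors quoted; the function name `Get-CapcomDriverStatus` is hypothetical, and the file location is taken from the article.

```powershell
# Added example: reports whether capcom.sys is present on disk and whether
# a kernel driver service still references it.
# Assumption: the file sits directly in System32, as the article states.
# Run from 64-bit PowerShell so System32 is not redirected to SysWOW64.
function Get-CapcomDriverStatus {
    [CmdletBinding()]
    param(
        [string]$DriverFile = 'capcom.sys'
    )

    $path   = Join-Path -Path $env:SystemRoot -ChildPath "System32\$DriverFile"
    $onDisk = Test-Path -LiteralPath $path -PathType Leaf

    $hash = $null; $sigStatus = $null; $signer = $null
    if ($onDisk) {
        # Record hash and signer so the file can be tracked in an inventory or ticket.
        $hash      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig       = Get-AuthenticodeSignature -LiteralPath $path
        $sigStatus = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    # The driver registers under a pseudo-random name, so match kernel driver
    # services by image path instead of by service or device name.
    $services = @(Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*\$DriverFile" } |
        Select-Object Name, State, StartMode, PathName)

    [pscustomobject]@{
        Path            = $path
        FileOnDisk      = $onDisk
        Sha256          = $hash
        SignatureStatus = $sigStatus
        Signer          = $signer
        DriverServices  = $services
        Loaded          = [bool]($services | Where-Object State -eq 'Running')
        Absent          = (-not $onDisk) -and ($services.Count -eq 0)
    }
}

Get-CapcomDriverStatus | Format-List
```

`Absent = True` means neither the file nor a service entry was found; `Loaded = True` means the driver is still running and the machine needs the rollback applied and a reboot before re-checking.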