“The driver first registers itself using a pseudo-randomly generated name. That's kind of suspicious,” writes extrwi. “It also doesn't specify any security, so any user at any privilege level can attempt to open and control the device.”
Extrwi goes on to write that the driver sets up a few custom handlers for opening the device object; however, for reasons unknown to us, Capcom made a critical blunder here. “A driver that didn't set up basic security when creating its device should perform security checks when opening the device,” writes extrwi. “This driver does not.”
To make matters worse, the driver then “disables supervisor-mode execution protection and then runs the arbitrary code passed in through the ioctl buffer with kernel permissions.”
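The practical worry for an end user is that a game update silently installed a kernel driver. As an added example (not from the article or from Capcom), the PowerShell snippet below inventories the kernel drivers registered on a Windows machine, resolves each image path, and flags drivers that live outside the Windows drivers directory or are not Microsoft-signed, so a freshly installed third-party driver stands out. It assumes only built-in cmdlets and WMI's Win32_SystemDriver class; the path-normalisation rules cover the common forms that class returns.

```powershell
# Added example: inventory kernel drivers and highlight third-party or out-of-place ones.
# Run from an elevated PowerShell prompt for complete results.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # Win32_SystemDriver returns several path styles; normalise to an absolute path.
        $path = $_.PathName -replace '^\\\?\?\\', ''            # strip the \??\ NT prefix
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if ($path -like '\SystemRoot\*') {
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        } elseif ($path -notmatch '^[A-Za-z]:\\') {
            $path = Join-Path $env:SystemRoot $path            # e.g. 'system32\drivers\foo.sys'
        }

        $exists = Test-Path -LiteralPath $path
        $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }

        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $path
            SigStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            Modified  = if ($exists) { (Get-Item -LiteralPath $path).LastWriteTime } else { $null }
        }
    }

# Anything not under System32\drivers, or not signed by Microsoft, deserves a second look;
# sort newest first so a driver dropped by a recent update appears at the top.
$drivers |
    Where-Object {
        $_.Path -notlike "$env:SystemRoot\System32\drivers\*" -or
        $_.Signer -notmatch 'Microsoft'
    } |
    Sort-Object Modified -Descending |
    Format-Table Name, State, StartMode, SigStatus, Signer, Modified, Path -AutoSize
```

A driver showing up here with a recent modification time and a non-Microsoft signer is not automatically malicious (anti-cheat, hardware vendors and security products all ship drivers), but it is exactly the kind of entry to correlate with what was installed that day; in this case, the rollback patch Capcom later shipped is the remediation the article describes.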
Another redditor, Oxidopamine, offered this excellent summary of what this rootkit is capable of:
Basically, the highest possible level of access you could grant any piece of software. It sits aside your operating system. SFV can now read or change any file on any drive, or steal information from any other software currently running on your computer. Anyone who cares about their privacy and security should be deeply worried by Capcom's decision to resort to these tactics. This is effectively malware.
In case you were wondering, Capcom’s latest update was meant to put an end to rampant cheating that has been taking place in Street Fighter V. When the update was released, Capcom described the update via a Steam posting:
As a part of the new content and system update releasing later today, we’re also rolling out an updated anti-crack solution (note: not DRM) that prevents certain users from hacking the executable. The solution also prevents memory address hacks that are commonly used for cheating and illicitly obtaining in-game currency and other entitlements that haven’t been purchased yet.
The anti-crack solution does not require online connectivity in order to play the game in offline mode; however, players will be required to click-confirm each time they boot up the game. This step allows a ‘handshake’ to take place between the executable and the dependent driver prior to launch.
However, as we can see from the multitude of user complaints and detailed analysis of the installed rootkit, Capcom did far more than stifle cheaters — it put its customers at risk. To its credit, Capcom responded rather quickly to the online backlash with a series of tweets:
We're currently investigating the issues surrounding the latest update to the PC version of SFV. Thank you for your continued patience. — Street Fighter (@StreetFighter) September 23, 2016
And it followed up shortly with a tweet informing customers that a rollback patch was posted to remove the offending update for Street Fighter V from their Windows machines:
The rollback to the PC version of SFV prior to the security measure update is now live. The new September content is included. — Street Fighter (@StreetFighter) September 24, 2016