Is Evony malware?

Trojan Horse

When you play a browser-based game, a number of things are happening. The game itself runs on a big remote computer; all your machine does is display the game and record your inputs. It is acting as what is called a thin client. However, in order to be a thin client for a game, your computer needs to have the client software in it. So when you play a browser game like Runescape or Habbo, the first thing that happens is that this client software is loaded into your machine. This is very trusting of you, because anything could be included with that client software. Obviously legitimate western games like Runescape and Habbo can be trusted. But what about games from Chinese gold farmers like Evony and Empire Craft?

Malware is software that lives in your computer without your consent. Trojan horses are malware that gets into your computer by being part of something else, say the client software for a browser game. Malware can allow someone else to make use of your computer as part of a botnet; botnets are widely used for sending spam and for other illegal activities where the real sender doesn’t want to be traceable. Or it can be used to spy on everything in your computer and everything you do with it, and so harvest things like credit card details.

Tens of millions of computers have malware in them without their users realising. Currently 376,000 malware bots are activated every day in the world for malicious use. This is huge. The people who create and use malware have a wide range of tactics for getting it into your computer and they are getting ever more sophisticated. Client software for a browser game would be the perfect mechanism for infecting millions of computers with malware.

With the above in mind, it is very interesting to read the comment by jonnycake on the article More about Evony: “Now I am wondering if you have any insight into how much damage the game does to your browser, and your system in general. What I thought was very flaky software appears as though it may have malicious content. In Firefox, shortcuts have been re-targeted and attempting to fill in text fields gives mixed results.”

There is this forum post from an Evony user: “Something happened this morning. Just when I logged in my account to play Evony, my Anti-Virus detected 4 trojan horses in explorer.exe. They came right when I entered my server. I am no expert about virus so I don’t know what happened there. Any help on the forum would be great as I do not want to join that server again until some admin tells me it’s clean. Took me 3 hours to clean my computer.”

And another one: “Hello, I would like to inform ye that your site is infested with Adaware. http://www.pctools.com/mrc/infection…e.Mostofate.E/ Every time I log onto evony this comes as part of it. I have tried it several times, deleting it THEN just opening up evony and presto it’s back on my Computer. It’s the “monitors the users browsing activity.” that I’m not particularly fond of!”

Now I am not saying that Evony has a trojan in its client software. This would take proper technical investigation. What I am saying is that the possibility of this being so is such that I would not let Evony anywhere near my computer. These people have already spammed the internet like crazy and stolen most of their game content; with behaviour like this I would not put anything past them.


87 Comments


  1. I was planning to blog about them a few weeks ago for our site but we changed our mind when they started spamming our blog comments for many days… that means my computer is totally free from malware woop woop… oh wait.. I signed up at their forum a few days ago so I can post their stupid links and ads… *rescanning my pc with eset nod32*…


  2. Tis a sad world indeed to know how many ways people will use to exploit others. Is there no more decency in the world? Then again… was there ever?

    Caid.

    444


  3. Another one: http://www.circvsmaximvs.com/showthread.php?s=07ad039ddbd0c0ab88bf219707f78aae&p=971362#post971362

    I suspected something fishy was going on when I started getting e-mails from friends who had started playing Evony. I figured either their computer had been Trojan’d and taken over, or their e-mail address had been spoofed. Either way, shady.
    Even shadier when I asked my friends if they knew they were e-mailing me and they said “no”.
    Moral of the story: don’t click on ads with boobies in them.
    Other moral of the story: don’t install shit on your computer if you aren’t sure what it does.


  4. There may be a lot of dodgy web games out there, but is everything bad necessarily Chinese?


  5. I don’t think Evony directly spams comments. They do pay people measly credits for referrals and for spamming your emails. The referral link looks like yourname.evony.com, but unlike e-mails, you get paid only if someone joins, not for spamming blogs.

    As well, Evony is Flash based (Flex source) and it shouldn’t be possible to have a flash-based malware (shouldn’t, not isn’t, annoying ads excluded).

    The iEvony client software however (the referral software) can do whatever it wants, and can be a malware, but I don’t see a reason for Evony to make it one. The game might be buggy occasionally, but it is a good game that they invested a lot of money in. Besides, they already got lots of credit cards from their players legitimately.


  6. “There may be a lot of dodgy web games out there, but
    is everything bad necessarily Chinese?”

    The answer is a resounding YES! Not just web games but food, electronics, toys, and tons of other stuff. Even the way they breed animals for fur and how barbaric they kill them (or skin them alive)!


  7. Get your hoods boys! It’s time the Klan rounded up some Chinamen!

    Ah, racism and prejudice in action. Good to see after thousands of years we still hate people simply because they are different.


  8. Well now, Asswerer.. a little bit racist are we.. nice job with the blanket comments regarding a culture…

    cracker…..


  9. Your quickness to blow the racism trumpet in this situation only proves your own ignorance of world politics in this situation. He’s not bringing up that Chinese programs are more likely to contain spyware than well established western games like Runescape because he hates Chinese. He’s bringing it up because it’s true, and when you bury your head in the sand you only make your butt a target for your enemies.


  10. Chinese business models and Chinese people are two different things. The business model will screw over anyone and anything to make an extra buck. The people are usually pretty nice, but often very xenophobic (dollars may help overcome this for a moment). That is the way it is. My Chinese landlord even warned me about it. Don’t be a sucker.


  11. I spent on Evony and didn’t get what I paid for…and guess what, they refused to respond.
    All I can say is never spend a penny with these crooks!


  12. Steps could be taken to see for sure if iEvony has any malware within. It wouldn’t be hard to do using a virtualization program like VirtualBox, which can give useful information for debugging software, but it also comes in handy for detecting malware.

    I might do it sometime, and I encourage anyone else who is familiar to try their hand at it. If I do I will post the results here so Bruce can add it to the list of evidence. At the moment, I can imagine some obstacles, but I am willing to try and work through them.

    Of course, even if someone did do an in-depth analysis of their software and found a malicious aspect to it, they probably wouldn’t change it anyway. A report showing the inner-workings of iEvony would be a lot more convincing to a court, however.


  13. Okay, ran into a bit of a snag…

    I presume that iEvony would be distributed in the form of an installer, so I first went to find a download link, but no success. They want you to have an account to download it, but you also need an “invitation code”. I tried scouring the web for such codes, but I found none that are active. Until I get a working code, it will be unlikely that I will be able to do any sort of analysis on the program.

    Also, I came across this interesting bit from their news page (posted 7-12-09):
    “Dear Players,

    We have been excited at the success of iEvony, but we have also come across an unintended side effect of the iEvony system. Some players have abusively and unethically engaged in spamming practices on a variety of websites with the intent of boosting their credits. (…) Our goal with the iEvony program is for our players to be rewarded for being our goodwill ambassadors on the sites which they normally frequent and for the most part that is exactly what is happening.”

    I can think of only a few ways they could tell what people post on websites, but regardless that doesn’t sound like something anyone I know would want on their computer. I don’t want to point the finger just yet, though.


  14. Correction: I guess the method they use to track referrals is to use a sub-domain such as “namehere.evony.com”. I guess I didn’t see that initially. (props to Merkavah for pointing that out first here) Anyway, this method of referral tracking has been shown to promote spam time and time again. It probably isn’t the company itself, unless the spammed link doesn’t contain referrer information.


  15. Clearly your lack of knowledge on the subject is apparent.

    Perhaps it would make more sense to actually have an understanding of how flash based clients work, before you attempt to slander a company.

    Your first paragraph is grossly inaccurate.


  16. Why are you plugging evony on your site then?


  17. Am I to be the first to mention that the ad to the right is for evony? Delicious.


  18. @Paul

    They know what people are posting because there is a referral system. People are spamming with their referral code and websites are complaining to Evony and telling Evony what the referral code or link is.

    You do not need iEvony to play the game, iEvony is only there if you want to receive credits for advertising Evony.

    I play Evony, but I do not use iEvony. I trust very few downloads.


  19. The following quotation is somehow delicious!
    If this were just another site where kids who’ve
    nothing better to do than to flex their ignorance
    in public, it would be something to shrug off.
    Seeing as this is a game site where the author has
    shown that he does indeed have knowledge of games,
    networking and assumedly knows a wee bit about
    trojans and viruses, etc…

    His last line “I would not put anything past them.”
    sums it up the best for me… I don’t want to do the
    work, so I’ll just say their business sucks so they’re
    possibly(but totally inferred PROBABLY) hacking into
    everyone’s system… Why not yell fire in a theatre
    just because you can smell the popcorn burning in
    front… There must be fire if you can smell smoke…
    NO

    Now I am not saying that Evony has a trojan in its client software. This would take proper technical investigation.


  20. Evony is a very addicting game. I spent money on the game, but never again. The value is not worth it, plus recently there was a recent charge to my account, 5 cents! With THOUSANDS of current and more future gamers. Add it up please.

    Ron K.


  21. I don’t know where all this hate is coming from. I play (and love) this game. Who cares if their ads show boobs? Why spread ridiculous malware rumors and hate on something you never tried?

    Bruce, you sound bored (and old). Maybe if you played Evony you wouldn’t have so much time on your hands to make an idiot out of yourself on the internet.


  22. Hey Bruce, wouldn’t it be a good idea to adjust your Google AdSense account so you’re not displaying ads for the game you’re advising us to avoid?


  23. The Google ads for Evony on my site come from different urls. Each time I ban some urls the Evony people just come up with new ones. They are spamming the whole Google advertising system.


  24. This pretty much sums the game up for me.

    I’ve seen this game evolve from Civony to Evony to just a pair of boobs on an ad… at first, I was interested, because I love strategy games in general. Then, I forgot about it. Recently saw a friend playing it, and looked it up. They should’ve called the game Travian, since that’s where 90% of the game was stolen.

    The game is pretty much set up to steal money on a click by click basis. I wouldn’t be surprised if it had trojans in it. I wouldn’t put it past an imaginary company with ties to Chinese gold farmers for World of Warcraft. It’s how they make a bunch of money to start.


  25. Bah, I’m chinese and I agree with the stereotype about shady chinese biz models as being generally true (but not 100% of the time of course). Just like the stereotype about Indian tech support as being overwhelmingly sucky is ALSO TRUE. Of course, there is also the stereotypical American propensity to overengineer whether it comes to code or machines… but hey, how would geeks get their excitement without aircraft carriers and Saturn V to fantasize over, eh? 😉


  26. I too was wondering about this game, after having seen many of these ads and being an avid strategy game player I was interested. So my girlfriend clicked one of the links to see what the game was about, after a little review and some looking over we decided it looked cheap and not for us.

    The next day however her World of Warcraft account was hacked and her gold and items sold and given away. She is safe with her computer and its updates and says she has not clicked any in-game links. Came to mind when I read on here about Evony being connected to a gold farming site. Something to think about anyways.


  27. If they’re going to steal content from Age of Empires and Civ and stick it in their game, why NOT steal passwords and other things from their players?

    There’s a sucker born every minute after all. I’m staying the hell away from Evony. If it’s actually owned by Chinese goldfarmers, maybe the government will run over Lam’s house with a tank and, left rudderless, the company will try going legit. I mean at the very least can’t they stick him a detention center and force him to do that Thriller dance like on Youtube? Pfeh.


  28. This article is somewhat misinformed.

    A “thin client” may or may not be capable of containing malware. It depends on the technology involved.

    There are TWO evony clients, and they use TWO technologies. One is the in-browser game client. This is implemented using Flash, and it is as secure as Flash.


  29. (continued)
    The second is “iEvony” which is a .EXE file and DOWNLOADING a EXE FILE is VERY DANGEROUS!!!! because this technology has close control over your computer.

    The iEvony client is positioned as a spam-sending client, helping you to advertise evony in exchange for in-game currency. As such, the iEvony process is allowed access to your IM contacts. I would assume that the iEvony client also contacts the Evony servers, to record email addresses found.


  30. In other words, the issue of security may be one of Flash vs. EXE.


  31. http://www.examiner.com/x-18917-Phoenix-MMORPG-Examiner~y2009m8d9-Evony-Controversy

    “Second on the list is that the viral ad campaign itself contained a trojan called SHeur.AYRM. It would appear that a computer could be infected with this trojan by clicking through on some of the Evony ads hosted on the game. The infected code has been removed from the game as noted by an administrator on June 8, 2009 on the GameAxis forums and Evony has submitted for a review from Google to be cleared.”


  32. http://www.curse.com/articles/curse-en-news/526956.aspx

    Recently there were a number of websites compromised due to an Adobe flash player vulnerability. This vulnerability allowed the injection of flash scripts that download keyloggers onto unsuspecting visitors’ computers……………

    Thursday Adobe released an update, and it’s important for everyone who has Adobe flash player installed to download this patch. If you do not, your computer and video game accounts are at risk.

    Find out about the update, or download it and start installing it as soon as you can. You can also use the auto update feature within the flash player if you desire updating through that method.

    Please, do this as soon as you can. This vulnerability is very real, and there are people attempting to steal accounts this very moment. Any website you visit until you’ve updated may be a potential threat to your computer’s security.

    As an extra precaution, please make sure to run virus scans on your computers to ensure they’re clean of threats. The known keylogger files circulating related to this are:

    * a.exe
    * b.exe
    * c.exe
    * 6to4ex.dll


  33. http://nitrob.blog.friendster.com/

    we were also targeting Evony, We found out that it could be easily have a SQL Injection Exploit. Simple as that we can now see the users and passes of other people. For the first time ever. We managed to pass through Security on June 11, 2009 About 8:24PM GMT+ 8 and we saw a hell lot of CCVs and CCs. Just as Viral would said that and i was amazed. Now here am i and my buddies infront of many information we can gather through it. One more thing in Evony if you noticed that the Login ID on the old days of Evony June 10 Down. Can be copy and pasted & saved it to use it as a shortcut. Well for me it isn’t a shortcut its an Exploit. Join the forums AvDose Forums to see alot more exploits but first you need to be a member to view the full forum.

    -Chow,
    n1tr0b | MinGeBag


  34. http://arpwn.com/modules.php?name=Forums&file=viewtopic&t=482

    ya I knew about this spyware, I had thought I mentioned it but perhaps not here on the AR forums.. but on another forums.. yes there is indeed flash cookie and tracking mechanism that comes along with the game.. but, this is similar to any other flash game based website.. use firefox, set it to clear browsing history and cookies when the website closes.. also, go to adobe.com to the flash control panel and you can remove your flash history and cookies as well.. if you play evony, try setting your flash cookie memory space to like 0 or 1, and evony won’t even work..

    so ya… there is a spyware built into the game.. but, it’s no worse than things you pick up all the time and don’t even know about it… just think ‘microsoft’ the biggest chunk of spyware ever invented… haha
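
The "flash cookies" this comment refers to are Local Shared Objects: `.sol` files that Flash Player writes under a per-user `#SharedObjects` directory, outside the browser's own cookie store. As an added example (not part of the comment and not Evony's code), this Python script lists them per storing domain and reads each file's header; the sample domains and file names are constructed, and the header layout is the commonly documented one.

```python
import struct
import sys
import tempfile
from pathlib import Path

# Usual per-user locations of Flash Player shared objects.
KNOWN_ROOTS = [
    "~/.macromedia/Flash_Player/#SharedObjects",                     # Linux
    "~/Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
    "~/AppData/Roaming/Macromedia/Flash Player/#SharedObjects",      # Windows
]


def parse_sol_header(data):
    """Return (object_name, amf_version), or None if the header is malformed.

    Layout: 00 BF | u32 length of the rest | "TCSO" | 6 bytes | u16 name
    length | name | 3 pad bytes | AMF version (0 or 3) | serialized data.
    """
    if len(data) < 18 or data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        return None
    (rest_len,) = struct.unpack(">I", data[2:6])
    (name_len,) = struct.unpack(">H", data[16:18])
    end = 18 + name_len
    if rest_len != len(data) - 6 or end + 4 > len(data):
        return None  # truncated or padded file
    return data[18:end].decode("utf-8", "replace"), data[end + 3]


def inventory(root):
    """Map each storing domain to the shared objects found under root."""
    root = Path(root)
    report = {}
    for sol in sorted(root.rglob("*.sol")):
        parts = sol.relative_to(root).parts
        # parts[0] is a random per-profile directory, parts[1] the domain.
        nested = len(parts) >= 3
        data = sol.read_bytes()
        header = parse_sol_header(data)
        report.setdefault(parts[1] if nested else "(unknown)", []).append({
            "file": "/".join(parts[2:] if nested else parts),
            "bytes": len(data),
            "name": header[0] if header else None,
            "amf": header[1] if header else None,
        })
    return report


def build_sample_sol(name, body=b"", amf=0):
    """Constructed test data: a minimal shared object with the given name."""
    raw = name.encode()
    rest = (b"TCSO" + b"\x00\x04\x00\x00\x00\x00" + struct.pack(">H", len(raw))
            + raw + b"\x00\x00\x00" + bytes([amf]) + body)
    return b"\x00\xbf" + struct.pack(">I", len(rest)) + rest


def make_sample_tree(base):
    """Write a constructed #SharedObjects tree; the domains are made up."""
    root = Path(base) / "#SharedObjects"
    samples = {
        "AB12CD34/game.example/client.swf/session.sol":
            build_sample_sol("session", b"\x00" * 40),
        "AB12CD34/ads.example/track.sol": build_sample_sol("track", amf=3),
        "AB12CD34/ads.example/broken.sol": b"\x00\xbfgarbage",
    }
    for rel, blob in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(blob)
    return root


def main(argv):
    roots = [Path(a) for a in argv] or [
        p for p in (Path(r).expanduser() for r in KNOWN_ROOTS) if p.is_dir()]
    with tempfile.TemporaryDirectory() as tmp:
        if not roots:  # no Flash storage here: use the constructed sample
            roots = [make_sample_tree(tmp)]
        for root in roots:
            for domain, items in sorted(inventory(root).items()):
                print(f"{domain}: {len(items)} object(s)")
                for it in items:
                    print(f"  {it['file']}  {it['bytes']} B  name={it['name']}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run with a directory argument to scan a specific profile; with no argument it checks the usual locations and falls back to the constructed sample tree.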


  35. Hmm, I think I’ll use a different definition of malware.

    In this definition, I’d like to state that malware is any software and community created with the express purpose of misleading, misinforming, and fleecing people while providing a bare minimum service, such as a fly by night operation.

    Extensive play on Evony reveals many things apparent. First, the combat mechanics are so overly simplistic.

    Fights start at the maximum range of a unit. Wall defenses max range is 5000 with traps, army units max range is 1300, ballista and archer. When a fight starts, units move towards each other at a set distance each “round”, prescribed by their “speed” statistic. Now, 1 of ANY unit will cause 100000 enemy cavalry, swordsmen, or anything else to spend one round where that warrior is. Even if the warrior is easily killed by 1 cavalry, the rest of the units still are apparently stuck together like foosball. Now, there are ways around it without calculating 1 million individual units movements per second, but they didn’t do it. It was made as bare bones as possible to work as soon as possible.

    Then there’s the gold bug. Too much gold, and it will go into negative numbers. There’s a limitation to the type of coding they used on the string for gold. Had they known more about programming, they would have easily accommodated for it with floating point.

    Let’s not forget that 99% of their artwork is stolen from everywhere else. A quick look through the character picture profiles, and you’ll see some that are highly cartoonish or caricatured, while others have a highly polished realistic look. There are pictures out there a person can use freely, but I think that with the intent of making money violates the free use policy if they didn’t state they were going to use it. And I highly suspect that not asking or telling is the case with them.

    Many times, patches are “silently” placed in, and people suddenly find things working in strange and often detrimental ways. This continues to be a major complaint.

    Medals are a required progression tool. After their first batch of servers, they learned that people could easily gain medals and thus avoid buying medal packages. Medals are found in valleys and barbarian towns through attacking. Now they have dropped the medal rate to 1%, so that progression is almost impossible without either 1000 hours of grinding (sounds more MMO now doesn’t it) or buying medal packages. But the thing is, a grind in an RTS, even if it’s an MMO doesn’t make sense. The only sense it makes is making money.

    Now, there are so many other things to spend money on to gain superiority easily by cash over other players. But a required progression to get more ranks and more towns requiring money now as well just seems over the top. The only ones it hurts are the ones that don’t pay anyway. And they call Evony “free”, but when a person can only have 2-3 towns now, that doesn’t compete with a medal buyer having 10 towns. This forces the dilemma of paying money for more towns. Good for evony, bad for players that were misled about it being Free to Play.

    I understand that a business needs to gain money, and any business that provides quality service should rightfully be paid for their services if that is what they ask as compensation. However, the never ending parade of ads that show just female cleavage and nothing else, the lack of communication, the poor coding that proves the game should’ve never left beta, the numerous spelling errors, the NEW coding errors that crop up such as numbers getting censored in game because the coder doesn’t know what they’re doing, its past and all its current and past problems, and the way they silence honest dissent on the forums like a Gestapo, and I can only consider this game social malware.


  36. My friend was telling me yesterday that he read the Evony Terms of Use. I hadn’t because I registered right through the flash client which makes no reference to the terms. Just now I went through them and found the following

    —-
    # Acknowledgments.
    You hereby acknowledge and agree that:

    1. WHEN RUNNING, THE GAME MAY MONITOR YOUR COMPUTER’S RANDOM ACCESS MEMORY (RAM) AND/OR CPU PROCESSES FOR UNAUTHORIZED THIRD PARTY PROGRAMS RUNNING CONCURRENTLY WITH EVONY. AN “UNAUTHORIZED THIRD PARTY PROGRAM” AS USED HEREIN SHALL BE DEFINED AS ANY THIRD PARTY SOFTWARE THAT, WHEN USED SIMULTANEOUSLY OR IN CONNECTION WITH THE GAME, WOULD CONSTITUTE A VIOLATION OF SECTIONS 1, 2 OR 9. IN THE EVENT THAT THE GAME DETECTS AN UNAUTHORIZED THIRD PARTY PROGRAM, REGAN MERCANTILE US, LLC MAY (a) COMMUNICATE INFORMATION BACK TO REGAN MERCANTILE US, LLC, INCLUDING WITHOUT LIMITATION THE ACCOUNT NAME, DETAILS ABOUT THE UNAUTHORIZED THIRD PARTY PROGRAM DETECTED, AND THE TIME AND DATE THE UNAUTHORIZED THIRD PARTY PROGRAM WAS DETECTED; AND/OR (b) EXERCISE ANY OR ALL OF ITS RIGHTS UNDER THIS AGREEMENT OR THE EULA, WITH OR WITHOUT PRIOR NOTICE TO THE USER.
    2. WHEN THE GAME IS RUNNING, REGAN MERCANTILE US, LLC MAY OBTAIN CERTAIN IDENTIFICATION INFORMATION ABOUT YOUR COMPUTER AND ITS OPERATING SYSTEM, INCLUDING WITHOUT LIMITATION YOUR HARD DRIVES, CENTRAL PROCESSING UNIT, IP ADDRESS(ES) AND OPERATING SYSTEM(S), FOR PURPOSES OF IMPROVING THE GAME AND/OR THE SERVICE, AND TO POLICE AND ENFORCE THE PROVISIONS OF THIS AGREEMENT AND THE EULA.
    3. REGAN MERCANTILE US, LLC may, with or without notice to you, disclose your Internet Protocol (IP) address(es), personal information, Chat logs, and other information about you and your activities: (a) in response to a request by law enforcement, a court order or other legal process; or (b) if REGAN MERCANTILE US, LLC believes that doing so may protect your safety or the safety of others.
    4. REGAN MERCANTILE US, LLC MAY MONITOR, RECORD, REVIEW, MODIFY AND/OR DISCLOSE YOUR CHAT SESSIONS, WHETHER VOICE OR TEXT, WITHOUT NOTICE TO YOU, AND YOU HEREBY CONSENT TO SUCH MONITORING, RECORDING, REVIEW, MODIFICATION AND/OR DISCLOSURE. Additionally, you acknowledge that REGAN MERCANTILE US, LLC is under no obligation to monitor Chat, and you engage in Chat at your own risk.
    5. You are wholly responsible for the cost of all telephone and Internet access charges along with all necessary equipment, servicing, repair or correction incurred in maintaining connectivity to the Servers.

    Now I believe that on its own is frightening enough. However the following image shows that one day while browsing the 4chan image boards during gameplay, the site used my computer to do a little advertising for themselves:
    http://img412.imageshack.us/img412/927/34866654.jpg

    Now the game appears to be inoperable at the moment, but the next time I manage to log in I’m simply going to give away my items. I regret using a real e-mail address to sign up…


  37. And this is what happens on the forums if you post something negative about Evony et al…

    You have been banned for the following reason:
    Posting libel and false statements against staff and company. Not tolerated.

    Date the ban will be lifted: 08-29-2009, 01:00 PM


  38. Evony gives ads with boobs a bad name. There is nothing inherently evil about boobs. Please remember that.


  39. Oh irony you are a sweet mistress, there’s an ad for Empire Craft on this very page


  40. This article and comments are full of ignorance. iEvony invites work just like FaceBook’s Friend Finders. It WARNS you straight out that it will import your address book and send invites to everyone, and then you have to CONFIRM it. If you get iEvony “spam”, it’s because your friends are greedy for Evony credits, _whether they admit it or not_. If your friends e-mail you chain letters, does that mean MS Outlook is malware? No, it means you need better friends.

    Yes, I’ve actually checked out both Evony and iEvony software, which is exactly what you should have done before writing a slanderous article about it.


  41. After reading this I got a bit worried. I have briefly tried Evony myself, so even though I had just this very day done my monthly anti-virus scan and my weekly anti everything else scan, I decided to do them again. And what do you know. I found several root-kit worms. And the scans aren’t even done yet.


  42. Seems I forgot to clarify the most important piece of my last statement. I tried evony briefly AFTER my monthly/weekly anti-virus/anti everything else scans.


  43. I seem to have forgotten to mention that my Evony testing occurred only between the first and second round of scanning.


  44. When I have Evony on my browser, I normally have other tabs because of LONG construction times and such, so normally the browser will slow down my computer so when I close Evony, things go back to normal. I’m not amazing with computers, so I don’t know if it could be malware or not if someone could answer it for me?


  45. “Obviously legitimate western games like Runescape and Habbo can be trusted. But what about games from Chinese gold farmers like Evony and Empire Craft?”

    Surely that statement should read “Obviously legitimate games should be trusted”? There do exist games made outside the EU and USA which are nonetheless legit, and, shock horror, even trojans made in the west. Making this a national issue seems pointless and a little xenophobic when the real divide is between reputable and disreputable software.


  46. I find all this very interesting. I have been playing evony for a couple months now. I am also signed up for ievony and have installed the app associated with it.

    I have not come across any of these problems. I go to 4chan all the time and haven’t been banned yet. My computer doesn’t run slow when playing it (I do have a fairly decent computer though). Virus scans have never turned up anything. I don’t see any signs of a virus (I work in computers, I can recognize them usually). I will definitely be keeping a closer eye on things now, but all has been going just fine with me.


  47. and if ur that paranoid of the internets, try google chrome

Comments are closed.