For around a month, hackers have been infecting players of Call of Duty: Modern Warfare 2 with a self-spreading malware, also known as a worm. To do that, the hackers are exploiting a bug that was reported to the game’s publisher five years ago, TechCrunch has learned.
Someone on Twitter posted a screenshot showing the code behind the self-spreading malware. Maurice Heumann, a security researcher who for years has been finding and reporting bugs in several Call of Duty games.
“No fix was ever published. In fact, half a year later I sent a follow-up email to ask if they fixed it,” Heumann said. TechCrunch saw a screenshot of Heumann’s correspondence with Activision.
Heumann said he never published details of the bug since Activision did not fix it, and publishing the bug could put players at risk. Referring to the bug he reported, Heumann said that “it’s super easy to exploit.”
“It’s a simple buffer overflow with only very few limitations,” he said, referring to a well-known class of vulnerability. “Writing a full-fledged exploit is a simple task.”
A security researcher looked at the malware sample for TechCrunch and confirmed the strings in the screenshot are indeed present in the malware. The code Heumann is referring to also appears in the malware analysis posted on another online repository.
The sample is now flagged as “CoDworm” by some antivirus engines.
Activision did not respond to a request for comment.
Last week, the game publisher announced that it brought the game offline on the gaming platform Steam “while we investigate reports of an issue.”
It’s unclear why the bug reported by Heumann in 2018 was not fixed. Call of Duty: Modern Warfare 2 is 14 years old at this point, but the game is still on sale and still has a small community of players who play it online.
The hackers’ goal with this worm also remains a mystery.
Other than finding and reporting bugs on Call of Duty games, Heumann also used to develop an open source, modified and customized version of Call of Duty: Black Ops III that patched serious vulnerabilities that he and others found in the game. This way, Heumann effectively gave players a way to play the game safely. In May, Heumann said Activision sent him a cease and desist letter demanding that he stop the project, which forced him to shut it down.