STEAMDISCOVER (steam_ihs_discovery)

Hey there,

was checking my gaming-traffic lately with wireshark: Running Steam on Ubuntu 18.04. using OpenVPN.

First thing I discoverd was that STEAMDISCOVER-protocol was send to broadcast (local). It contains some information about the computer used and the Steam-account.

Nothing unusual so far, but as I looked deeper into the packets I found that it would pull the MAC-adress of an interface which I previously manually took down via ifconfig (eth0).

Second thing: It pulled the original MAC-adress of my wlan0-interface which I was using and this MAC-adress was spoofed.

How does it do that? It seems that steam pulls these information directly from the chips, ignoring/bypassing the settings of the OS:

(Wanted to attach screenshots, but I'm not allowed until I have 60 points, lulz...)

Screenshots added:

  1. image description

    1. image description
h1ghchilled's avatar
1
h1ghchilled
asked 2020-01-22 15:45:40 +0000, updated 2020-01-23 14:55:14 +0000
edit flag offensive 0 remove flag close merge delete

Comments

Post screenshots, or even better captures, to a public file share, e.g. Google Drive, DropBox etc. and post a link to the item(s) back here.

grahamb's avatar grahamb (2020-01-23 07:22:11 +0000) edit
more
  • delete

added screenshots to the original post. Everybody running Steam can check themselves. No program I ever saw pulled original MAC's from interfaces that were down or spoofed, I'm into that for years now, never saw that. I think it's because Steam writes stuff into the MBR, but I can be wrong here. It's an absolute rootkit-like program if you ask me.. Anybody else?

h1ghchilled's avatar h1ghchilled (2020-01-23 14:56:38 +0000) edit
more
  • delete
add a comment see more comments