Sturmgewehr 15 Posted October 4, 2016
We see suspicious traffic to many IP addresses. To internal IPs like 192.168.x.x and also to "UK Ministry of Defence" ("25.44.14.112","25.45.0.4").
Payload Hex: "56 6f 15 27 00 59 00 01 00 00 00 00 00 00 00 00 00 00 00"
The payload is the same every time.

0000  34 31 c4 2c b4 49 6c 62 6d 25 6e 02 08 00 45 00  41.,.Ilbm%n...E.
0010  00 2f 60 1b 00 00 80 11 00 00 c0 a8 b2 32 19 2d  ./`..........2.-
0020  00 04 09 00 09 00 00 1b 8c 38 56 6f 15 27 00 59  .........8Vo.'.Y
0030  00 01 00 00 00 00 00 00 00 00 00 00 00           .............

0000  34 31 c4 2c b4 49 6c 62 6d 25 6e 02 08 00 45 00  41.,.Ilbm%n...E.
0010  00 2f 60 1c 00 00 80 11 00 00 c0 a8 b2 32 19 2d  ./`..........2.-
0020  00 04 09 00 09 00 00 1b 8c 38 56 6f 15 27 00 59  .........8Vo.'.Y
0030  00 01 00 00 00 00 00 00 00 00 00 00 00           .............

This traffic will be generated by joining ANY Gameserver. Can someone tell me why the ArmA3 Client does this?
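Decoding the first frame of the hex dump in the post above, as an added example that is not part of the original post: a minimal Ethernet II / IPv4 / UDP parser in Python. The function name and the returned field names are this example's own.

```python
import ipaddress
import struct

# First frame from the post's hex dump, offsets and ASCII column removed.
FRAME = bytes.fromhex("""
34 31 c4 2c b4 49 6c 62 6d 25 6e 02 08 00 45 00
00 2f 60 1b 00 00 80 11 00 00 c0 a8 b2 32 19 2d
00 04 09 00 09 00 00 1b 8c 38 56 6f 15 27 00 59
00 01 00 00 00 00 00 00 00 00 00 00 00
""")

def parse_udp_frame(frame: bytes) -> dict:
    """Decode an Ethernet II / IPv4 / UDP frame into the fields worth triaging."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("too short for Ethernet + IPv4 + UDP headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800 or frame[14] >> 4 != 4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    (total_len,) = struct.unpack("!H", frame[16:18])
    ttl, proto, ip_csum = struct.unpack("!BBH", frame[22:26])
    if ihl < 20 or proto != 17:
        raise ValueError("bad IHL or not UDP")
    src = ipaddress.IPv4Address(frame[26:30])
    dst = ipaddress.IPv4Address(frame[30:34])
    udp = 14 + ihl  # offset of the UDP header
    if udp + 8 > len(frame):
        raise ValueError("UDP header is truncated")
    sport, dport, udp_len, _ = struct.unpack("!HHHH", frame[udp:udp + 8])
    if udp_len < 8 or udp + udp_len > len(frame):
        raise ValueError("UDP length field does not fit the captured bytes")
    return {
        "src_ip": str(src), "src_is_private": src.is_private,
        "dst_ip": str(dst), "dst_is_private": dst.is_private,
        "ttl": ttl, "ip_total_len": total_len,
        # A zero IPv4 checksum in a capture taken on the sending host
        # usually means the NIC fills it in later (checksum offload).
        "ip_checksum_zero": ip_csum == 0,
        "src_port": sport, "dst_port": dport,
        "payload": frame[udp + 8:udp + udp_len].hex(" "),
    }

if __name__ == "__main__":
    for key, value in parse_udp_frame(FRAME).items():
        print(f"{key:17} {value}")
```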
da12thMonkey 1943 Posted October 5, 2016
"Can someone tell me why the ArmA3 Client does this?"
https://community.bistudio.com/wiki/Arma_3_Analytics probably. Try turning it off with the info provided there.
Horus 83 Posted October 5, 2016
Why does arma3.exe launch the Local Security Authority Process (lsass.exe), and that process tries to connect to 50.63.243.228 aka GoDaddy.com?
teabagginpeople 398 Posted October 6, 2016
Well, the UK Ministry of Defence's interest in Arma would probably be linked to - http://www.dailymail.co.uk/news/article-2937641/ISIS-fighters-distributing-video-game-allows-players-play-role-Islamist-kill-Westerners.html
Arma was also at the centre of an embarrassing story released about the activities of the IRA. Seems Arma 2's visuals were so good, the press in question believed the in-game footage was of the IRA attempting to shoot down a British helicopter. Wooomp womp woomp.
Horus 83 Posted October 6, 2016
@Wizard Sorry, I misspoke. lsass.exe is already running, but every time I start the game LSASS is trying to connect to GoDaddy.com.
4 40 Posted October 7, 2016
So let me get this straight: Steam is secretly routing Arma game servers' internet communication data to the UK Ministry of Defence? And the Arma program itself upon startup is secretly trying to create secure connection to what is ostensibly a GoDaddy webserver?