Second Life: players unknowingly recruited for a DDoS attack?

A group of Second Life players were taken for a ride as part of a digital revenge plot. Without their consent or knowledge, their machines were used to launch a series of denial of service attacks against another website.

To open Second Life, players have to install some software on their computers: in addition to the viewers distributed by Linden Lab, the company that developed Second Life, players also have the option of using viewers developed by third parties.

It was precisely through one of these third-party clients that the problem originated.

the Emerald Viewer client

The alternative client in question, called Emerald Viewer, is especially popular among the Second Life crowd. It’s developed by Modular Systems, which seems somehow tied to Linden Lab.

According to information available on The Alphaville Herald, a website dedicated to analyzing behaviors in virtual worlds like Second Life, everything started with a suspected leak of personal data concerning players who use Emerald Viewer.

Following these allegations, an individual from Modular Systems decided to change the homepage displayed when its users logged on to Emerald Viewer so as to generate a huge volume of HTTP requests aimed at the person who issued the charges.

modified HTML code attack

According to screenshots (here and here) published in this article on The Alphaville Herald, it’s pretty clear that the homepage HTML code was altered so that every player who logged on automatically generated 32 web requests to the site In three days, nearly 16 million requests were generated by the altered code.

Obviously, everything was hidden from the players, who thus became the unknowing agents of this attack. It was all hidden using standard HTML techniques (iframes tag integrated with an invisible div tag of 1 pixel by 1 pixel).

vague explanations from Modular Systems

The explanations offered by Modular Systems concerning these events are rather vague. All we know is that one of the main developers (known as Fractured Crystal) admitted, on the Modular Systems blog, to being the author of the homepage alterations. He decided to step off the project and handed it over to others. He also said that he never intended to create a DDoS attack.

But for me, this story smells fishy.

what lessons should we take away from this story?

Any company whose website receives a lot of hits can be an attractive target. If attackers are able to alter page code, they will have a natural amplification system at their disposal.

Of course, attackers can alter page code for other purposes, such as changing content or sending out attack codes or any other attack method of choice. You should therefore consider setting up a monitoring system for all of your web pages. Some online services allow for remote monitoring, or you can easily do it using a little script.

how can you detect an attack like this one?

The first detection mechanism is rather simple: an abnormally high number of requests is a good sign that something is up. But false alarms are always possible.

A more reliable system would be to analyze the web server logs to detect too many hits coming from one and the same referrer.


photo credit: © grannysmith -

This blog post was originally published in French here.

Jean-François Audenard

Au sein de la direction sécurité du Groupe Orange, je suis en charge de la veille sécurité et de la sensibilisation à la sécurité. Franchise, optimisme et bonne-humeur sont mes moteurs quotidiens