Malware inside Angry Planes & Noclip Mod

  • This topic is locked
1,124 replies to this topic
.Alex.
  • .Alex.

    Player Hater

  • Members
  • Joined: 19 Sep 2014
  • None

#181

Posted 14 May 2015 - 05:13 PM

I did a scan with AVG and Malwarebytes and they found nothing.

Then I searched in regedit and this is the situation.

Am I fine?

[screenshot: o2SZzqa.png]


iOnlyEatCops
  • iOnlyEatCops

    Player Hater

  • Members
  • Joined: 01 Dec 2010

#182

Posted 14 May 2015 - 05:14 PM

You aren't supposed to remove userinit.exe from Registry.

https://technet.micr...y/cc939862.aspx

So am I clean? This is in my Registry:

[screenshot: OiWDSPA.png]


ZZCOOL
  • ZZCOOL

    http://www.youtube.com/user/taltigolt

  • Members
  • Joined: 15 Feb 2009
  • Sweden

#183

Posted 14 May 2015 - 05:15 PM

 

 

PLEASE ANSWER, IF YOU CAN!

I don't want to take any chances, I'm not even going to check for the virus... I'm formatting my SSD and changing the passwords on another PC.

I only have 2 important questions:

1- Is this virus capable of remaining in the hard disk (SSD) even after complete formatting? I know some viruses can.

2- If that's the case, can the virus spread to other drives in the computer?

Anyway, I find the whole thread confusing.

If I wanted to check if I'm infected (for curiosity), how can I do it?

I have Avast, but I can install another antivirus if needed.

Thanks... I'm freaking out... really worried!!!!!!!!

You can be absolutely sure that formatting is going to erase it.

Ok thanks.

How to check for its presence?

Need to input some special type of scan to my antivirus?

I also heard you can check for the fade.exe and others on your own, but how?

Simply using the "SEARCH" feature in Windows?

Also last question. Can I move some files from Documents (GTA V SAVEGAMES) to another drive without transporting the virus?

I know... I'm a virus n00b but I'm super anxious right now :S

C:\Users\yourname\AppData\Local\Temp

Check for the file here, but I'd advise just to format and change passwords; it's the safest route.


GooD-NTS
  • GooD-NTS

    OpenIV lead developer

  • Members
  • Joined: 03 May 2008
  • Russia
  • Best Tool 2012 [OpenIV]
    Major Contribution Award [Mods]

#184

Posted 14 May 2015 - 05:15 PM

Perhaps it's time for OpenIV to be open source.

Yeah, it would be great to have a few OpenIV clones with malware inside.
No thanks.
  • Gforce, rappo, SWEETSAPRIK and 12 others like this

lewistair1
  • lewistair1

    Player Hater

  • Members
  • Joined: 02 Apr 2014
  • United-Kingdom

#185

Posted 14 May 2015 - 05:16 PM

I installed the planes mod and now I'm concerned. I deleted the files but have not found fade.exe, nor has my antivirus picked up anything. I did find however that the registry entries (userinit and shell) were there. Is there anything else I have to do to remove the virus on top of deleting the registry entries and the .asi file?


loseruser
  • loseruser

    Walking disease.

  • Members
  • Joined: 29 May 2004

#186

Posted 14 May 2015 - 05:17 PM

Looks to be a pretty weak attempt to steal information. From what it looks like if you used the mod and never rebooted, the malicious files shouldn't be in Windows memory anymore, since the attempt to run the executable was from a lame Windows Shell hook. Pretty stupid of the mod developers, all they got out of it was their vilification from all GTA-related communities. Also assuming they weren't smart enough to hide their identity in any place the scripts were uploaded.

 

Also that angry planes mod was really sh*tty. The effect was funny, but the programming was absolutely amateur.

 

A lesson is learned, with a community as immature and malevolent as GTA's, you should never run obfuscated code downloaded from untrusted sources. Hopefully GTA5-Mods goes through with their plan for stricter mod reviewing. It'd be safest just to ban the upload of any pre-compiled code.

  • Ss4gogeta0 likes this

ZZCOOL
  • ZZCOOL

    http://www.youtube.com/user/taltigolt

  • Members
  • Joined: 15 Feb 2009
  • Sweden

#187

Posted 14 May 2015 - 05:18 PM

Is it possible that this malware was only added in later versions of the script? As I have the first release version and I can find no trace of the fade.exe, the game doesn't start in windowed mode, there is no csc.exe running in the background and there is no trace of the added "shell" that linked to it, as the OP posted.

[screenshot: wMqT3Vd.png]

So is it possible this was added in a later version? I never had the noclip mod installed so I can't say for that. But I ran the game right after I read this to make sure that it wasn't running in the background, and I've had it installed and running for a few weeks now.

No, that cannot be possible, as fade.exe has been in my quarantine since day 1. This was May 8th, and I am usually quick with testing and showing mods.

  • vithepunisher likes this

iOnlyEatCops
  • iOnlyEatCops

    Player Hater

  • Members
  • Joined: 01 Dec 2010

#188

Posted 14 May 2015 - 05:19 PM

So what do you do if you do find Fade in your temp? What's the best way of deleting it? 


Silent
  • Silent

    Chief Fixing Officer

  • GTA Mods Staff
  • Joined: 01 Feb 2010
  • Poland
  • Contribution Award [Mods]
    Best Script/Plugin 2014 [SilentPatch]
    Most Respected 2014
    Most Helpful [Mods] 2014
    Most Helpful [GTA] 2013
    Most Helpful [Mods] 2013
    Most Talented [Modding] 2013
    Best Map 2013 [ViceCityStories PC Edition]
    Best Vehicle 2013 [III Aircraft]
    Most Helpful [Mods] 2012
    Modder of the Year 2012

#189

Posted 14 May 2015 - 05:19 PM

you should never run obfuscated code downloaded from untrusted sources


This code is not obfuscated. Still, how would a regular user find out? Can't expect people to RE mods before they install them.

lewistair1
  • lewistair1

    Player Hater

  • Members
  • Joined: 02 Apr 2014
  • United-Kingdom

#190

Posted 14 May 2015 - 05:21 PM

Well, apparently deleting userinit means you cannot log on next time you try.

  • iloominaty likes this

ckck
  • ckck

    Player Hater

  • Members
  • Joined: 14 May 2015
  • United-States

#191

Posted 14 May 2015 - 05:24 PM

I'm going to chime in because I was also unwittingly infected on May 8th, by the Angry Planes ASI mod.

 

I was able to do a bit more sleuthing.

 

The initial code executed acts as a loader for another standard trojan (one of the many RAT trojans available out there).

 

The trojan that becomes resident in the system and appears as the csc.exe process is quite interesting.

It's very basic, but loads several modules that add capabilities to it. These modules can consist of pre-compiled DLLs or Visual C# and C# code which it will compile using the installed .NET Framework on the system.

 

The loader is highly obfuscated using Redgate SmartAssembly. The modules rolled out with the loader are included as an encrypted resource blob in the loader. Because of this, analyzing the compiled executable is very difficult. The easiest way to actually analyze the activity is to load the virus/malware into a virtual machine and capture memory dumps of the running process. This way you get most of the decoded DLLs/code which remain resident in memory.

 

I can confirm what the OP said about logging and also confirm that I located the encryption key. However, I did not spend the time to determine the procedures to decrypt the log file, as most of the contents were also unencrypted in memory.

 

My first clue that something was going wrong, and the first memory dump I got of the process in action was when the administrator of the trojan sent a command to start UDP flooding an IP in Denmark at around 10AM EST on May 11th.

According to the log, shortly before this UDP Flood module was activated, he also activated a Twitch chat flooding module.
The target of these attacks was:
77.68.209.7
 
Further investigation revealed the following modules active:
 
Facebook spam/credential stealing module
Twitch spam/credential stealing module
Messenger.com spam/credential stealing module
A Steam spamming module
A Steam module that evaluates the items in your inventory and their value based on current market value
A Keylogger module that logs individual button presses in an XML like format, it also includes information about context switches (switching from one app/window to another)
A UDP flooding module
There were others I hadn't deciphered and didn't see in action.
 
All of the spam/credential stealing modules above will attempt to rip your session cookies for each of the above sites from IE/Chrome/Firefox and use the credentials to do their thing.
 
It stores all this information in a Session#.bin file as described above and ships it to the RAT admin's server.
 
Now, here's the juiciest and most useful bit.
The C&C server is apcrypt.duckdns.org which resolves to 45.58.121.105. It's a cheap Windows VPS with a company called https://www.cloudieweb.com/ which is utilizing a dedicated server rented from Choopa.com.
This server is running Remote Desktop on 3389 as well as a webserver, which I believe is acting as an endpoint/C&C server for the RAT. The RAT uses SSL to communicate with this server, so I was unable to spy on any of that activity in any meaningful way in the time I had available.
 
 
Tools used to investigate:
ProcessExplorer
WinDbg
Jetbrains DotPeek
Wireshark
 
 
IMPORTANT/TL;DR:
If you didn't read/understand all of the above the most important thing to take from this is that everything you typed while infected is in the malware admin's hands. Your active/logged in sessions to Facebook/Twitch/Youtube/Steam are in his hands. Change all your passwords, logout and log back in to every site mentioned above to invalidate the existing session.
 
p.s. I will include some strings from the modules referenced above in the following post.
  • rappo, gamerzworld, ikt and 29 others like this
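Several replies in this thread ask what to look for in the registry and the Temp folder. The following PowerShell script is an added example, not ckck's or the thread's own code; it checks, read-only, for the indicators described in the post above (the Winlogon userinit/shell values, fade.exe under the per-user Temp folder, a resident csc.exe, and the named C&C host and IP) and reports what it finds without deleting or modifying anything, since removing the Userinit value breaks logon as noted earlier in the thread. The page does not say which registry key the mod altered, so the script assumes the standard Winlogon key (the one the TechNet link earlier in the thread documents) and the documented Windows defaults for Userinit and Shell; Get-NetTCPConnection and Get-DnsClientCache need Windows 8 / Server 2012 or later and are skipped silently elsewhere.

```powershell
# Added example, not from the thread: read-only checks for the indicators
# described above. It reports; it does not delete or change anything.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon Userinit / Shell values. HKLM is the authoritative location;
#    HKCU is checked too because a per-user override would also run at logon.
#    Assumption: this is the key the mod touched (the thread does not name it).
$expected = @{
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"   # documented default
    'Shell'    = 'explorer.exe'                               # documented default
}
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $expected.Keys) {
        $value = $props.$name
        if ($null -eq $value) { continue }      # HKCU normally has neither value
        # Any value under HKCU, or a non-default value under HKLM, is worth a look.
        if ($hive -eq 'HKCU' -or $value.Trim() -ne $expected[$name]) {
            $findings.Add("Winlogon ${hive} ${name} = '$value' (expected '$($expected[$name])')")
        }
    }
}

# 2. The dropped executable in the per-user Temp folder (path given in the thread).
$temp = Join-Path $env:LOCALAPPDATA 'Temp'
Get-ChildItem -Path $temp -Filter 'fade.exe' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("File present: $($_.FullName)") }

# 3. A resident csc.exe. Visual Studio and MSBuild start csc.exe legitimately,
#    so report its path and parent process instead of treating every instance as hostile.
Get-Process -Name csc -ErrorAction SilentlyContinue | ForEach-Object {
    $parentId   = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").ParentProcessId
    $parentName = (Get-Process -Id $parentId -ErrorAction SilentlyContinue).ProcessName
    $findings.Add("csc.exe running: pid $($_.Id), path $($_.Path), parent $parentName (pid $parentId)")
}

# 4. Network indicators named in the post: the C&C host and the IP it resolved to.
$c2Host = 'apcrypt.duckdns.org'
$c2Ip   = '45.58.121.105'
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $c2Ip } |
    ForEach-Object { $findings.Add("Connection to C&C IP $c2Ip from pid $($_.OwningProcess), state $($_.State)") }
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$c2Host*" } |
    ForEach-Object { $findings.Add("DNS cache entry for $c2Host -> $($_.Data)") }

# 5. Report.
if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the thread were found on this machine.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt so the process and connection queries see every session. A hit on the Winlogon values means comparing the current value with the default shown and restoring that default by hand, not deleting the value; a hit on fade.exe or csc.exe is a reason to take the memory-dump route ckck describes rather than to trust a clean signature scan.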

Darth_Clark
  • Darth_Clark

    Player Hater

  • New Members
  • Joined: 14 May 2015
  • China

#192

Posted 14 May 2015 - 05:26 PM

the .asi shows clean because the antivirus has no signature match, so it goes into dynamic analysis, i.e. emulating library execution, and still finds nothing because this stuff is called only when the script starts in-game (no proper environment for the antivirus), so there will be signatures in AV bases soon for the downloader function inside the .asi; signatures for the logger it is downloading are already in 1/4 of antiviruses

Is the downloader function working through GTA5.exe?

If so, does it mean I won't be infected if I blocked GTA5.exe in my Windows firewall, since the trojan couldn't get the keylogger exe from the hacker's site?

I've made a cracked copy of the game for playing mods while keeping my legal copy clean for playing Online. And I blocked the cracked GTA5.exe from reaching the internet.

I didn't find either fade.exe or init..exe, and nothing in my AV history.


Tomasak
  • Tomasak

  • The Yardies
  • Joined: 04 Jan 2009
  • None

#193

Posted 14 May 2015 - 05:27 PM

And now let's call spiderman to get that douchebag!


Falenone
  • Falenone

    Mapper

  • Members
  • Joined: 07 Jun 2008
  • Estonia

#194

Posted 14 May 2015 - 05:29 PM

I didn't find any trace of the fade.exe nor registry keys on my computer. I only used the noclip. I uninstalled the mod.

Am I safe from it? I ran CCleaner a few hours ago and I didn't know about it then. Even if the program was there and is now gone, if there are no registry entries then I should be good? I use both Malwarebytes and ESET and they never alerted me.

Silent
  • Silent

    Chief Fixing Officer

  • GTA Mods Staff
  • Joined: 01 Feb 2010
  • Poland
  • Contribution Award [Mods]
    Best Script/Plugin 2014 [SilentPatch]
    Most Respected 2014
    Most Helpful [Mods] 2014
    Most Helpful [GTA] 2013
    Most Helpful [Mods] 2013
    Most Talented [Modding] 2013
    Best Map 2013 [ViceCityStories PC Edition]
    Best Vehicle 2013 [III Aircraft]
    Most Helpful [Mods] 2012
    Modder of the Year 2012

#195

Posted 14 May 2015 - 05:29 PM

p.s. I will include some strings from the modules referenced above in the following post.


Great analysis! Thank you :)

BlackScout
  • BlackScout

    Big Homie

  • Members
  • Joined: 08 Sep 2013
  • United-States

#196

Posted 14 May 2015 - 05:30 PM Edited by TrustedInstaller, 14 May 2015 - 05:32 PM.

That's some real, real, real f*cked up analysis.

Still, we need to go deeper xD

Great job :D


rappo
  • rappo

  • Members
  • Joined: 02 Oct 2003
  • United-States

#197

Posted 14 May 2015 - 05:30 PM Edited by rappo, 14 May 2015 - 05:31 PM.

p.s. I will include some strings from the modules referenced above in the following post.

 

@ckck Thank you for that information - I can confirm that both Angry Planes and No Clip were uploaded by IP addresses from Denmark.


iOnlyEatCops
  • iOnlyEatCops

    Player Hater

  • Members
  • Joined: 01 Dec 2010

#198

Posted 14 May 2015 - 05:31 PM

Deleted the folder that Fade.exe was in. Is my registry good or do I need to delete anything?

[screenshot: OiWDSPA.png]


MarshallRawR
  • MarshallRawR

    Probably paid by Rockstar

  • Members
  • Joined: 14 Aug 2010
  • United-States

#199

Posted 14 May 2015 - 05:31 PM

 

IMPORTANT/TL;DR:
If you didn't read/understand all of the above the most important thing to take from this is that everything you typed while infected is in the malware admin's hands. Your active/logged in sessions to Facebook/Twitch/Youtube/Steam are in his hands.

 

 

If my antivirus picked it up before all my password changes, am I fine?


.Alex.
  • .Alex.

    Player Hater

  • Members
  • Joined: 19 Sep 2014
  • None

#200

Posted 14 May 2015 - 05:32 PM

I did a scan with AVG and Malwarebytes and they found nothing.

Then I searched in regedit and this is the situation.

Am I fine?

[screenshot: o2SZzqa.png]


ZZCOOL
  • ZZCOOL

    http://www.youtube.com/user/taltigolt

  • Members
  • Joined: 15 Feb 2009
  • Sweden

#201

Posted 14 May 2015 - 05:32 PM

 

I'm going to chime in because I was also unwittingly infected on May 8th, by the Angry Planes ASI mod.

 

I was able to do a bit more sleuthing.

 

The initial code executed acts as a loader for another standard trojan (one of the many RAT trojans available out there).

 

The trojan that becomes resident in the system and appears as the csc.exe process is quite interesting.

It's very basic, but loads several modules that add capabilities to it. These modules can consist of pre-compiled DLLs or Visual C# and C# code which it will compile using the installed .NET Framework on the system.

 

The loader is highly obfuscated using Redgate SmartAssembly. The modules rolled out with the loader are included as an encrypted resource blob in the loader. Because of this, analyzing the compiled executable is very difficult. The easiest way to actually analyze the activity is to load the virus/malware into a virtual machine and capture memory dumps of the running process. This way you get most of the decoded DLLs/code which remain resident in memory.

 

I can confirm what the OP said about logging and also confirm that I located the encryption key. However, I did not spend the time to determine the procedures to decrypt the log file, as most of the contents were also unencrypted in memory.

 

My first clue that something was going wrong, and the first memory dump I got of the process in action was when the administrator of the trojan sent a command to start UDP flooding an IP in Denmark at around 10AM EST on May 11th.

According to the log, shortly before this UDP Flood module was activated, he also activated a Twitch chat flooding module.
The target of these attacks was:
77.68.209.7
 
Further investigation revealed the following modules active:
 
Facebook spam/credential stealing module
Twitch spam/credential stealing module
Messenger.com spam/credential stealing module
A Steam spamming module
A Steam module that evaluates the items in your inventory and their value based on current market value
A Keylogger module that logs individual button presses in an XML like format, it also includes information about context switches (switching from one app/window to another)
A UDP flooding module
There were others I hadn't deciphered and didn't see in action.
 
All of the spam/credential stealing modules above will attempt to rip your session cookies for each of the above sites from IE/Chrome/Firefox and use the credentials to do their thing.
 
It stores all this information in a Session#.bin file as described above and ships it to the RAT admin's server.
 
Now, here's the juiciest and most useful bit.
The C&C server is apcrypt.duckdns.org which resolves to 45.58.121.105. It's a cheap Windows VPS with a company called https://www.cloudieweb.com/ which is utilizing a dedicated server rented from Choopa.com.
This server is running Remote Desktop on 3389 as well as a webserver, which I believe is acting as an endpoint/C&C server for the RAT. The RAT uses SSL to communicate with this server, so I was unable to spy on any of that activity in any meaningful way in the time I had available.
 
 
Tools used to investigate:
ProcessExplorer
WinDbg
Jetbrains DotPeek
Wireshark
 
 
IMPORTANT/TL;DR:
If you didn't read/understand all of the above the most important thing to take from this is that everything you typed while infected is in the malware admin's hands. Your active/logged in sessions to Facebook/Twitch/Youtube/Steam are in his hands. Change all your passwords, logout and log back in to every site mentioned above to invalidate the existing session.
 
p.s. I will include some strings from the modules referenced above in the following post.

 

What if fade.exe was detected and quarantined?


LoneMerc
  • LoneMerc

    Player Hater

  • Members
  • Joined: 11 May 2015
  • United-Kingdom

#202

Posted 14 May 2015 - 05:32 PM

Epic analysis. How do we know what's wrong in the registry and what to remove?


rappo
  • rappo

  • Members
  • Joined: 02 Oct 2003
  • United-States

#203

Posted 14 May 2015 - 05:32 PM

Was someone using us to get more visitors to their Twitch page?

  • TheUnit likes this

Cysiek
  • Cysiek

    1+1=69

  • Members
  • Joined: 06 Jan 2013
  • Poland

#204

Posted 14 May 2015 - 05:32 PM

Delete all files in this folder C:\Users\YOU\AppData\Local\Temp and the problem is solved. Now scan your PC.


Drkz
  • Drkz

    Punk-ass Bitch

  • Members
  • Joined: 17 Apr 2015
  • None

#205

Posted 14 May 2015 - 05:33 PM Edited by Drkz, 14 May 2015 - 05:34 PM.

According to what I saw and read, it doesn't sound like state-of-the-art malware, guys; actually it looks more like a first try with .asi in mind, like a test of potential / what could be done. Just remove that sh*t from your temp folder and registry and you will be fine.


ZZCOOL
  • ZZCOOL

    http://www.youtube.com/user/taltigolt

  • Members
  • Joined: 15 Feb 2009
  • Sweden

#206

Posted 14 May 2015 - 05:34 PM Edited by ZZCOOL, 14 May 2015 - 05:34 PM.

Was someone using us to get more visitors to their Twitch page?

I would think someone was using people to flood a Twitch page to attack someone's stream.


jippa_lippa
  • jippa_lippa

    Vice City...first and only love <3

  • Members
  • Joined: 07 Dec 2008
  • Italy

#207

Posted 14 May 2015 - 05:35 PM Edited by jippa_lippa, 14 May 2015 - 05:38 PM.

Fellas, regarding the NOCLIP MOD only (I didn't use the other one), something doesn't feel right.

Is the mod ITSELF infected, or is there a chance only the one uploaded to GTA5 MODS is infected?

I downloaded mine from here:

www.gtaall.com/gta-5/mods/60829-noclip.html

And I don't have any "fade.exe" in my temp folder.

By the way, I'm super pissed, because the noclip mod is actually very useful for recording videos!!! Might we see it one day in the Official Native Trainer?


Zeynohh
  • Zeynohh

    Rat

  • Members
  • Joined: 16 Nov 2014
  • Canada

#208

Posted 14 May 2015 - 05:35 PM

According to what I saw and read, it doesn't sound like state-of-the-art malware, guys; actually it looks more like a first try with .asi in mind, like a test of potential / what could be done. Just remove that sh*t from your temp folder and registry and you will be fine.

Can you tell me exactly which ones I shall remove?

LoneMerc
  • LoneMerc

    Player Hater

  • Members
  • Joined: 11 May 2015
  • United-Kingdom

#209

Posted 14 May 2015 - 05:35 PM Edited by LoneMerc, 14 May 2015 - 05:39 PM.

According to what I saw and read, it doesn't sound like state-of-the-art malware, guys; actually it looks more like a first try with .asi in mind, like a test of potential / what could be done. Just remove that sh*t from your temp folder and registry and you will be fine.

What should we look for in the registry? I've searched for both the types of .exe and found nothing, is there anything we should be looking out for? I'd like to be 1000% in knowing it's not running/removed + clean from the reg before changing all my passwords for obvious reasons :)

 

Does anyone else have an idea if this would steal PuTTY sessions?? I've been SSH'd on my servers/clients servers all day with bloody work...


ckck
  • ckck

    Player Hater

  • Members
  • Joined: 14 May 2015
  • United-States

#210

Posted 14 May 2015 - 05:38 PM

Strings from one of the running Twitch modules:
[spoiler contents not captured in this copy]

Strings from the running Steam Inventory evaluation module:
[spoiler contents not captured in this copy]

Strings from the Facebook information stealing module:
[spoiler contents not captured in this copy]


If you have any questions or requests let me know and I'll see if I can figure out more. I don't have a ton of time to spend on it as my lunch break is over.
  • lpgunit, ffzero58, Silent and 7 others like this