Quantcast
Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
aboutseven

Malware inside Angry Planes & Noclip Mod

Recommended Posts

Silent

That's the second time I see someone associating this Fade thing with V mods, yet this time it's a different mod... Interesting.

 

EDIT:

 

The other rogue mod was this:

http://gtaforums.com/topic/790315-vrel-simple-noclip/

 

Need to look into this matter as it seems quite suspicious. Sucks.

Edited by Silent

Share this post


Link to post
Share on other sites
sasuke78200

I analyzed the .asi, and yes it seems to be installing a malware on the temp directory.

Don't run it !

 

 

(For those who want to see it, right after the .asi register the script thread, it create a Thread (with CreateThread), look at this thread you'll see the thing)

Edited by sasuke78200

Share this post


Link to post
Share on other sites
Alexander Blade

Confirmed , noclip as well as angry planes are with malware , Fade.exe is password stealer , chage every password you have including steam .

Edited by Alexander Blade

Share this post


Link to post
Share on other sites
Zer0w5

I'm glad you researched into these files, now to make sure those files get removed on gta5-mods too.

 

can someone check if this one is clean too?

https://www.gta5-mods.com/scripts/airtaxi-helicopter-rappel-mod

Edited by Zer0w5

Share this post


Link to post
Share on other sites
DarklyinDarkness

OK, wow, this actually really sucks. I only ran the NoClip mod once, so there's no Fade.exe sh*t anywhere on my system except a .ini file which i got rid of quick.

Share this post


Link to post
Share on other sites
ikt

It's clean

I'm glad you researched into these files, now to make sure those files get removed on gta5-mods too.

 

can someone check if this one is clean too?

https://www.gta5-mods.com/scripts/airtaxi-helicopter-rappel-mod

 

If this becomes a really big problem, can't you force all ScriptHookV using mods to have their source code published? It'd make it harder to include malware in them. You're now essentially free to do whatever the heck you want in those dll files, and normal users won't reverse-engineer it. Edited by ikt

Share this post


Link to post
Share on other sites
DarklyinDarkness

 

It's clean

I'm glad you researched into these files, now to make sure those files get removed on gta5-mods too.

 

can someone check if this one is clean too?

https://www.gta5-mods.com/scripts/airtaxi-helicopter-rappel-mod

 

You mind researching into the Simple Native Trainer mod please??

 

Nah, jk

Share this post


Link to post
Share on other sites
Zer0w5

Yeah now I wouldn't know which .asi files would be clean thanks to the bastards who are infecting it.

Share this post


Link to post
Share on other sites
Alexander Blade

What will it change since they can publish clean source among with infected binary .

 

 

It's clean

I'm glad you researched into these files, now to make sure those files get removed on gta5-mods too.

can someone check if this one is clean too?
https://www.gta5-mods.com/scripts/airtaxi-helicopter-rappel-mod

 

If this becomes a really big problem, can't you force all ScriptHookV using mods to have their source code published? It'd make it harder to include malware in them.

 

Share this post


Link to post
Share on other sites
DarklyinDarkness

 

What will it change since they can publish clean source among with infected binary .

 

 

It's clean

I'm glad you researched into these files, now to make sure those files get removed on gta5-mods too.

 

can someone check if this one is clean too?

https://www.gta5-mods.com/scripts/airtaxi-helicopter-rappel-mod

 

If this becomes a really big problem, can't you force all ScriptHookV using mods to have their source code published? It'd make it harder to include malware in them.

 

 

Excuse me, but what are you using to check if the ASI files are without Fade.exe?

Share this post


Link to post
Share on other sites
ikt

What will it change since they can publish clean source among with infected binary .

 

 

It's clean

I'm glad you researched into these files, now to make sure those files get removed on gta5-mods too.

 

can someone check if this one is clean too?

https://www.gta5-mods.com/scripts/airtaxi-helicopter-rappel-mod

 

If this becomes a really big problem, can't you force all ScriptHookV using mods to have their source code published? It'd make it harder to include malware in them.

 

 

It's easier for people to check if the compiled clean binary matches the released binary and red-flag the mod if it doesn't check out. It might even be integrateable on modding websites, which compiles the source on uploading on their servers, ensuring safety.

Share this post


Link to post
Share on other sites
Silent

What surprises me is that it gets 0 hits on virustotal. Also couldn't find anything weird in the disassembly.

 

f*cking c*nts.

 

 

EDIT:

 

Checked, it's indeed there. Thanks, @sasuke78200 :^:

Edited by Silent

Share this post


Link to post
Share on other sites
iloominaty

 

What will it change since they can publish clean source among with infected binary .

 

 

It's clean

I'm glad you researched into these files, now to make sure those files get removed on gta5-mods too.

 

can someone check if this one is clean too?

https://www.gta5-mods.com/scripts/airtaxi-helicopter-rappel-mod

 

If this becomes a really big problem, can't you force all ScriptHookV using mods to have their source code published? It'd make it harder to include malware in them.

 

 

Cant you just match the md5 hash with the compiled source with the downloaded mod?

Share this post


Link to post
Share on other sites
FlyingSligGuard

sh*t, I loved the Angry Planes mod. Does somebody know if it steals saved passwords (i.e. my Steam autologins because I saved my details and told the client to log at boot, not needing to enter any password) ?

 

 

What will it change since they can publish clean source among with infected binary .

 

Well, paranoid people would be able to read the code, see if contains any malware and then compile it themselves. If the modder published an infected binary and clean source, it would be one less infection for those who compiled in their machine.

Share this post


Link to post
Share on other sites
MagikarpIsOP

Having used the angry planes mod in the past.. I don't have any of those files "fade.exe" etc.. Can someone enlight me on this?

Share this post


Link to post
Share on other sites
sasuke78200

sh*t, I loved the Angry Planes mod. Does somebody know if it steals saved passwords (i.e. my Steam autologins because I saved my details and told the client to log at boot, not needing to enter any password) ?

 

 

What will it change since they can publish clean source among with infected binary .

 

Well, paranoid people would be able to read the code, see if contains any malware and then compile it themselves. If the modder published an infected binary and clean source, it would be one less infection for those who compiled in their machine.

 

Change your steam credentials, since you use the autologin feature, it means that the password it stored somewhere in your HDD.

Share this post


Link to post
Share on other sites
Silent

Cant you just match the md5 hash with the compiled source with the downloaded mod?

Doubt it. Especially if you use a different compiler than the author.

 

 

 

sh*t, I loved the Angry Planes mod. Does somebody know if it steals saved passwords (i.e. my Steam autologins because I saved my details and told the client to log at boot, not needing to enter any password) ?

Safer to change them, I guess. This seems like a well sealed malware, so f*ck knows what it does.

Share this post


Link to post
Share on other sites
Ss4gogeta0

i believe Fade.exe originated in belgium, no?

 

could someone possibly toss me the exe? I want to do some research into it.

Share this post


Link to post
Share on other sites
Jax765

Yeah, looking at my malwarebytes history, it quarantined a trojan called init.exe the same day I first used Angry Planes. f*ck that mod author.

Share this post


Link to post
Share on other sites
Silent

could someone possibly toss me the exe? I want to do some research into it.

> implying you can do RE

 

 

 

Yeah, looking at my malwarebytes history, it quarantined a trojan called init.exe the same day I first used Angry Planes. f*ck that mod author.

Well indeed. init.exe IS a thing inside this ASI too.

Edited by Silent

Share this post


Link to post
Share on other sites
MagikarpIsOP

Sorry for bumping.. But this is a important question.

 

Like many people, i've used that mod.. But i don't have any of those files in my system.. Why is it different for me then? Can't really understant that.

Share this post


Link to post
Share on other sites
Jax765

Sorry for bumping.. But this is a important question.

 

Like many people, i've used that mod.. But i don't have any of those files in my system.. Why is it different for me then? Can't really understant that.

 

Do you have malwarebytes or any other anti-malware software?

Share this post


Link to post
Share on other sites
Silent

The malware might as well be self-nuking. It's safer to assume you did get infected.

Share this post


Link to post
Share on other sites
MagikarpIsOP

 

Sorry for bumping.. But this is a important question.

 

Like many people, i've used that mod.. But i don't have any of those files in my system.. Why is it different for me then? Can't really understant that.

 

Do you have malwarebytes or any other anti-malware software?

 

 

Im running malwarebytes now and i use Kaspersky.. But since this comes from a mod im kinda sceptical, this is a new low.

Share this post


Link to post
Share on other sites
Jax765

 

 

Sorry for bumping.. But this is a important question.

 

Like many people, i've used that mod.. But i don't have any of those files in my system.. Why is it different for me then? Can't really understant that.

 

Do you have malwarebytes or any other anti-malware software?

 

 

Im running malwarebytes now and i use Kaspersky.. But since this comes from a mod im kinda sceptical, this is a new low.

 

 

Check your malwarebytes history. See if it's got a quarantined trojan in there.

Share this post


Link to post
Share on other sites
MagikarpIsOP

 

 

 

Sorry for bumping.. But this is a important question.

 

Like many people, i've used that mod.. But i don't have any of those files in my system.. Why is it different for me then? Can't really understant that.

 

Do you have malwarebytes or any other anti-malware software?

 

 

Im running malwarebytes now and i use Kaspersky.. But since this comes from a mod im kinda sceptical, this is a new low.

 

 

Check your malwarebytes history. See if it's got a quarantined trojan in there.

 

I instaled malwaresbytes now.. Im running a scan.

 

Kaspersky detected nothing and the .asi file seemed "clean". Maybe he updated the mod recently and added this? (I had the files from some days ago)

Share this post


Link to post
Share on other sites
Jax765

 

 

 

 

Sorry for bumping.. But this is a important question.

 

Like many people, i've used that mod.. But i don't have any of those files in my system.. Why is it different for me then? Can't really understant that.

 

Do you have malwarebytes or any other anti-malware software?

 

 

Im running malwarebytes now and i use Kaspersky.. But since this comes from a mod im kinda sceptical, this is a new low.

 

 

Check your malwarebytes history. See if it's got a quarantined trojan in there.

 

I instaled malwaresbytes now.. Im running a scan.

 

Kaspersky detected nothing and the .asi file seemed "clean". Maybe he updated the mod recently and added this? (I had the files from some days ago)

 

 

I mean check your history. At the top of the window, next to settings. It should show your quarantine.

Share this post


Link to post
Share on other sites
MagikarpIsOP

Once again, nothing from kaspersky and malwares is running the scan still.

 

We kinda need more info on this if possible. (And thanks for the help)

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • 1 User Currently Viewing
    0 Members, 0 Anonymous, 1 Guest

×

Important Information

By using GTAForums.com, you agree to our Terms of Use and Privacy Policy.