Malware inside Angry Planes & Noclip Mod


aboutseven

MagikarpIsOP

You realize you can't avoid .asi in GTA modding scene but you can at least alleviate your exposition to it, right ?

Of course I do, since I develop them myself. But I'm not that f*cked up in the head to include malware in them ;)

Just to clear things, Silent is probably the best modder i know, i use his mods non stop in every "classic" GTA and i couldn't play without them.

 

(I never had any issue, so)

Link to comment
Share on other sites

 

You realize you can't avoid .asi in GTA modding scene but you can at least alleviate your exposition to it, right ?

Of course I do, since I develop them myself. But I'm not that f*cked up in the head to include malware in them ;)

Yeah that's pretty damn messed up i'll give you that.

 

That motherf*cker really chose the perfect timing to release his garbage, since the GTA V modding scene is pretty new, and a lot of people are downloading files left and right + Youtubers trying to cash on the "mod review" scene. Best way to infect a lot of people.

 

But yeah, that's sad. Modding scenes are usually trustworthy, now people gonna freak the f*ck out on everything.

Edited by Drkz
Link to comment
Share on other sites

Judging by the amount of downloads his sh*t got, I admit. Great vector of attack. Though if it becomes more mainstream, plugin makers are f*cked.

  • Like 2
Link to comment
Share on other sites

Thank you OP for your diligence. I, as have others, linked this thread on various social media sites to spread the word about the issue. Well spotted & thank you.

Link to comment
Share on other sites

MagikarpIsOP

Judging by the amount of downloads his sh*t got, I admit. Great vector of attack. Though if it becomes more mainstream, plugin makers are f*cked.

This will ruin the trust in the modders.

 

Myself I'm only trusting maybe one or two modders.. And mostly only Silent. This is serious and something that might hurt the GTA modding community a lot.

Link to comment
Share on other sites

Ss4gogeta0

 

could someone possibly toss me the exe? I want to do some research into it.

> implying you can do RE

> Implying I can't take the Trial and Error approach like I always have in the hopes of being able to at least get some form of Reverse Engineering going. using my skills as a network security specialist and PC technician. (aka, a man who has no clue what in the hell he is doing) ;)

7RZQKEI.png

XGxfBTI.png

1XjKgfS.png

I'm not totally useless ya know :lol:

Link to comment
Share on other sites

Yea whoever made this malware is a genius

 

this guy did it in such a perfect timing god dam

Link to comment
Share on other sites

Judging by the amount of downloads his sh*t got, I admit. Great vector of attack. Though if it becomes more mainstream, plugin makers are f*cked.

I noticed that mods such as Angry Planes get massive upvotes on Reddit because they are appealing mods to the age groups they are targeted for. I suggest anyone with any brains is to wait when these new super amazing "fun" mods appear.

 

The issue is who do we trust, and how does the normal everyday person know what to do before using a new mod. Are we going to have to wait for approval from you smart guys the mod creators AKA the good guys before we use anything new?

Link to comment
Share on other sites

Judging by the amount of downloads his sh*t got, I admit. Great vector of attack. Though if it becomes more mainstream, plugin makers are f*cked.

 

Yeah exactly. On the other hand you can still check if a .asi file is malicious or not without using it.

 

So we can basically designate some trustworthy (and dedicated) people to check files for users, since not everyone knows how to check for malwares inside .asi files (including me, because until now i really never gave a sh*t).

 

Or even adding a "checking for malware" process before your .asi file gets accepted and validated on GTA5-MODS.com for example.

 

Alexander Blade would be best placed for that, but i don't think drowning him under "clean check requests" would be a good idea. Dude is already on a million of things.

 

All in all this fa**ot killed users trust in modders. At least .asi mods. Bad thing or not, at least people are now aware that .asi files aren't just innocent script files.

Edited by Drkz
Link to comment
Share on other sites

The issue is who do we trust, and how does the normal everyday person know what to do before using a new mod. Are we going to have to wait for approval from you smart guys the mod creators AKA the good guys before we use anything new?

That's why I'm worried. Good GTAF fame transfers little to the other sites too, so even trusted people might get their ASIs labeled as potentially unsafe.

  • Like 2
Link to comment
Share on other sites

MagikarpIsOP

 

Oh f*ck.. http://prntscr.com/753boo

 

What do? WAT DO? Am I okay if the antivirus picked it up? Has it ceased to go further? Are my passwords safe?

There's some cleanup to do (regedit.exe, then search "Winlogon" and remove the extra it added)

bBtk8HM.png

Delete all of its traces and change password is my guess.

What is the "extra" it added?

Edited by MagikarpIsOP
Link to comment
Share on other sites

 

 

Oh f*ck.. http://prntscr.com/753boo

 

What do? WAT DO? Am I okay if the antivirus picked it up? Has it ceased to go further? Are my passwords safe?

There's some cleanup to do (regedit.exe, then search "Winlogon" and remove the extra it added)

bBtk8HM.png

Delete all of its traces and change password is my guess.

What is the "extra" it added?

 

https://i.imgur.com/bBtk8HM.png After "explorer.exe"

Edited by Bencici
Link to comment
Share on other sites

MagikarpIsOP

 

 

 

Oh f*ck.. http://prntscr.com/753boo

 

What do? WAT DO? Am I okay if the antivirus picked it up? Has it ceased to go further? Are my passwords safe?

There's some cleanup to do (regedit.exe, then search "Winlogon" and remove the extra it added)

bBtk8HM.png

Delete all of its traces and change password is my guess.

What is the "extra" it added?

 

https://i.imgur.com/bBtk8HM.png After "explorer.exe"

 

Don't have it at all.

 

 

This is what i have.. Am i safe?

KCCv1nV.jpg

Edited by MagikarpIsOP
Link to comment
Share on other sites

 

The issue is who do we trust, and how does the normal everyday person know what to do before using a new mod. Are we going to have to wait for approval from you smart guys the mod creators AKA the good guys before we use anything new?

That's why I'm worried. Good GTAF fame transfers little to the other sites too, so even trusted people might get their ASIs labeled as potentially unsafe.

 

 

The good news is that the most popular mods website right now is GTA5-MODS.com. By "securing" the place we could make this website even more popular, and become the only website for gta v mods, successfully giving less rooms for these sh*tty babby malwares to spread.

The admin of the website seems like a pretty cool guy, so i'm pretty sure we could find a solution with him to add various check layers towards .asi files.

I'm thinking about something like that on .asi files only (quick photoshop mockup) for a start :

http://a.pomf.se/veglnc.jpg

(to the author of this mod : no offense here, it's for the sake of the example as i was too lazy to do a proper mockup)

until some people are dedicated enough to check the files for the whole userbase. It will add a visual (bigger = better) indication that the files haven't been checked yet, so users won't take any risks, or if they do they will know the risks they take. Still better than being clueless.

Edited by Drkz
Link to comment
Share on other sites

Ss4gogeta0

Yea whoever made this malware is a genius

this guy did it in such a perfect timing god dam

it's a lot more common than you think... Happens every now and then where a game will either have a mod or a trainer that is infected with either a keylogger or trojan... same for recently released games, those are usually the ones that get hit a lot with fake trainers. also same would go for the pirated versions of new games as well, there are some rogue scene members who upload some really nasty payloads in the guise of a legitimate iso file... a lot of them are usually padded out with dummy data that raises the size of the iso when the actual malware/trojan/etc is about 14kb depending on the complexity of it (whether it's merely running a script or actually changing things itself... )

thus is why I actually dislike Trainers, nothing against legitimate ones, it's just that I have dealt with a few infections caused by them (among other things) and it gets annoying getting a call at 2 am because someone downloaded a cheating tool and got infected...

The issue is who do we trust, and how does the normal everyday person know what to do before using a new mod. Are we going to have to wait for approval from you smart guys the mod creators AKA the good guys before we use anything new?


That's why I'm worried. Good GTAF fame transfers little to the other sites too, so even trusted people might get their ASIs labeled as potentially unsafe.

 

I think the whole youtuber situation is also exacerbating things quite a bit as well... I mean, you saw how popular the crazy planes mod was right? Youtubers were doing videos about it and advertising it which caused a huge influx of downloads to an infected file before anyone realized what's going on...

 

who knows if the next popular mod will create a botnet of all the PCs that it managed to infect...

 

Honestly, this is a very serious issue that should be addressed in some way. there are sites where I have seen mods that are uploaded be scanned for malicious software. I think that could be a possible solution but I am not sure of the complexity of doing so.

 

Maybe someone should inform some popular GTA streamers or even rockstar of this issue... so that word can get out or something...

Link to comment
Share on other sites

It's good to use a firewall for this. That way only trusted programs you put on a whitelist can access the internet.

 

Then the logger Fade.exe or whatever is useless because it's not on the list :^:

Link to comment
Share on other sites

Ss4gogeta0

 

 

The issue is who do we trust, and how does the normal everyday person know what to do before using a new mod. Are we going to have to wait for approval from you smart guys the mod creators AKA the good guys before we use anything new?

That's why I'm worried. Good GTAF fame transfers little to the other sites too, so even trusted people might get their ASIs labeled as potentially unsafe.

 

 

The good news is that the most popular mods website right now is GTA5-MODS.com. By "securing" the place we could make this website even more popular, and become the only website for gta v mods, successfully giving less rooms for these sh*tty babby malwares to spread.

The admin of the website seems like a pretty cool guy, so i'm pretty sure we could find a solution with him to add various check layers towards .asi files.

I'm thinking about something like that (quick photoshop mockup) for a start :

http://a.pomf.se/veglnc.jpg

until some people are dedicated enough to check the files for the whole userbase. It will add a visual (bigger = better) indication that the files haven't been checked yet, so users won't take any risks, or if they do they will know the risks they take. Still better than being clueless.

That would be a good place to start, but there's room for abuse when it comes to a dedicated unsafe button... who's to say that someone who is really pissed off at a mod could just spam the unsafe button using a vpn to hop from one IP to another causing a perfectly legitimate mod to go belly up...?

 

always gotta think ahead ;)

Link to comment
Share on other sites

or even rockstar of this issue

 

 

Rockstar doesn't give a f*ck about modding or modders in general. Hell, they barely tolerate modding in the first place, when they're not actively trying to break mods.

 

No, this is a bad idea.

What needs to be done is a dual layer of checks on popular modding websites, and a big ass "UNSAFE - AT YOUR OWN RISK" on mods pages containing .asi files until they're checked by someone and confirmed clean. Done.

 

 

 

The issue is who do we trust, and how does the normal everyday person know what to do before using a new mod. Are we going to have to wait for approval from you smart guys the mod creators AKA the good guys before we use anything new?

That's why I'm worried. Good GTAF fame transfers little to the other sites too, so even trusted people might get their ASIs labeled as potentially unsafe.

 

 

The good news is that the most popular mods website right now is GTA5-MODS.com. By "securing" the place we could make this website even more popular, and become the only website for gta v mods, successfully giving less rooms for these sh*tty babby malwares to spread.

The admin of the website seems like a pretty cool guy, so i'm pretty sure we could find a solution with him to add various check layers towards .asi files.

I'm thinking about something like that (quick photoshop mockup) for a start :

http://a.pomf.se/veglnc.jpg

until some people are dedicated enough to check the files for the whole userbase. It will add a visual (bigger = better) indication that the files haven't been checked yet, so users won't take any risks, or if they do they will know the risks they take. Still better than being clueless.

That would be a good place to start, but there's room for abuse when it comes to a dedicated unsafe button... who's to say that someone who is really pissed off at a mod could just spam the unsafe button using a vpn to hop from one IP to another causing a perfectly legitimate mod to go belly up...?

 

always gotta think ahead ;)

 

 

There will be no "unsafe" buttons since by default an .asi mod SHOULD BE considered unsafe. No matter the mod author behind it.

 

So basically any mod released with an .asi file will have the unsafe tag, until it has been checked by an approved (maybe add a new category of users ? like trusted uploaders on various torrent websites ?) dedicated check member.

Link to comment
Share on other sites

Hey look, some guy decided to be a c*nt and put malware inside an ASI mod and now people are paranoid and want to label all ASI mods as unsafe. Seriously, this is pretty silly and probably what the guy wanted in the first place.

  • Like 5
Link to comment
Share on other sites

Don't have it at all.

 

 

This is what i have.. Am i safe?

KCCv1nV.jpg

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and look at the Shell string
Link to comment
Share on other sites
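
The check described in the post above (open the Winlogon key and look at the Shell string for anything after "explorer.exe") can be done read-only from PowerShell. This is an added example, not code from the thread: the function name `Test-WinlogonValue` is made up here, the stock values it compares against (`explorer.exe` for Shell, `%SystemRoot%\system32\userinit.exe` for Userinit) are assumptions about a default install, and looking at Userinit and the per-user HKCU Shell value goes beyond the single HKLM Shell string the posts mention.

```powershell
# Added example (not from the thread): read-only audit of the Winlogon values
# that Windows launches at logon. Nothing in the registry is modified.

$key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Assumed stock values on a default install; adjust if your build is customised.
$expected = @{
    Shell    = @('explorer.exe')
    Userinit = @((Join-Path $env:SystemRoot 'system32\userinit.exe'))
}

function Test-WinlogonValue {
    param(
        [Parameter(Mandatory)][string]$Hive,   # 'HKLM:' or 'HKCU:'
        [Parameter(Mandatory)][string]$Name    # 'Shell' or 'Userinit'
    )
    $path = "${Hive}\${key}"
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # HKCU normally has no Shell value at all, so 'absent' is the clean result there.
        return [pscustomobject]@{ Path = $path; Name = $Name; Raw = $null; Extra = @(); Status = 'absent' }
    }

    $raw = [string]$item.$Name
    # Both values are comma-separated program lists; split them and drop empty tail entries.
    $entries = $raw -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ }
    # Anything that is not one of the stock entries is the "extra" to look at.
    $extra = @($entries | Where-Object { $expected[$Name] -notcontains $_ })

    $status = 'ok'
    if ($extra.Count -gt 0) { $status = 'REVIEW' }

    [pscustomobject]@{ Path = $path; Name = $Name; Raw = $raw; Extra = $extra; Status = $status }
}

$results = @(
    Test-WinlogonValue -Hive 'HKLM:' -Name 'Shell'
    Test-WinlogonValue -Hive 'HKLM:' -Name 'Userinit'
    Test-WinlogonValue -Hive 'HKCU:' -Name 'Shell'
)

$results | Format-List Path, Name, Raw, Extra, Status
```

A `REVIEW` status only means the value differs from the assumed defaults; the listed `Extra` entries are what to inspect before changing anything.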

MarshallRawR

Never received so much "your password has been changed" e-mails.

  • Like 1
Link to comment
Share on other sites

Hey look, some guy decided to be a c*nt and put malware inside an ASI mod and now people are paranoid and want to label all ASI mods as unsafe. Seriously, this is pretty silly and probably what the guy wanted in the first place.

 

Yeah, anyone can come out the wood to spout obvious and judgemental sentences like you did, except it doesn't help with anything and i hope you realize that.

 

People will consider .asi as the devil now, there's no other way around it. I don't need to prove my words, the comment section of asi mods page will do it for me in the next few days. Every new file will be drowned under "is this file safe ???????????????? i want to use it for my next xXXDuBsT3pXXx 420 mod review but i don't want virus!!!! pls respond" type of comments.

 

No. This situation can happen again and probably will. GTA V is an extremely popular title with a very young userbase, which means lots of downloads, which means gigantic spread potential. Letting such a situation without control is a perfect recipe for disaster. Be glad it was just a "standard" sh*tty password stealer.

Edited by Drkz
Link to comment
Share on other sites

MagikarpIsOP

 

Don't have it at all.

 

 

This is what i have.. Am i safe?

KCCv1nV.jpg

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and look at the Shell string

 

XUB0ld1.jpg

 

Here, looks clean.

Link to comment
Share on other sites

Ss4gogeta0

 

Hey look, some guy decided to be a c*nt and put malware inside an ASI mod and now people are paranoid and want to label all ASI mods as unsafe. Seriously, this is pretty silly and probably what the guy wanted in the first place.

 

Yeah, anyone can come out the wood to spout obvious and judgemental sentences like you did, except it doesn't help with anything and i hope you realize that.

 

People will consider .asi as the devil now, there's no other way around it. I don't need to prove my words, the comment section of asi mods page will do it for me in the next few days.

 

well hey, sometimes people need a wake up call... while mods are all fine and dandy, they need to realize that there are some security risks...

Link to comment
Share on other sites

Alexander Blade

Don't tell them that and they won't , this is it .

 

 

Hey look, some guy decided to be a c*nt and put malware inside an ASI mod and now people are paranoid and want to label all ASI mods as unsafe. Seriously, this is pretty silly and probably what the guy wanted in the first place.

 

Yeah, anyone can come out the wood to spout obvious and judgemental sentences like you did, except it doesn't help with anything and i hope you realize that.

 

People will consider .asi as the devil now, there's no other way around it. I don't need to prove my words, the comment section of asi mods page will do it for me in the next few days. Every new file will be drowned under "is this file safe ???????????????? i want to use it for my next xXXDuBsT3pXXx 420 mod review!!!! pls respond" type of comments.

 

Edited by Alexander Blade
Link to comment
Share on other sites

 

 

Hey look, some guy decided to be a c*nt and put malware inside an ASI mod and now people are paranoid and want to label all ASI mods as unsafe. Seriously, this is pretty silly and probably what the guy wanted in the first place.

 

Yeah, anyone can come out the wood to spout obvious and judgemental sentences like you did, except it doesn't help with anything and i hope you realize that.

 

People will consider .asi as the devil now, there's no other way around it. I don't need to prove my words, the comment section of asi mods page will do it for me in the next few days.

 

well hey, sometimes people need a wake up call... while mods are all fine and dandy, they need to realize that there are some security risks...

 

 

Indeed.

 

Don't tell them that and they don't , this is it .

 

Telling them what ? Who ? Users ? I really don't think telling them "no guys it's k my file isn't malicious i swear you can do your youtube review" would be enough. Even if it would be way more easy for everything i'll give you that.

Edited by Drkz
Link to comment
Share on other sites

 

Hey look, some guy decided to be a c*nt and put malware inside an ASI mod and now people are paranoid and want to label all ASI mods as unsafe. Seriously, this is pretty silly and probably what the guy wanted in the first place.

Yeah, anyone can come out the wood to spout obvious and judgemental sentences like you did, except it doesn't help with anything and i hope you realize that.

 

People will consider .asi as the devil now, there's no other way around it. I don't need to prove my words, the comment section of asi mods page will do it for me in the next few days. Every new file will be drowned under "is this file safe ???????????????? i want to use it for my next xXXDuBsT3pXXx 420 mod review but i don't want virus!!!! pls respond" type of comments.

 

No. This situation can happen again and probably will. GTA V is an extremely popular title with a very young userbase, which means lots of downloads, which means gigantic spread potential. Letting such a situation without control is a perfect recipe for disaster. Be glad it was just a "standard" sh*tty password stealer.

 

I understand that this is a problem, but the idea that we label ASI mods as the devil and never download them again is absolutely stupid. If we went by that logic nobody should download anything on the internet again, it might be 'unsafe'.

 

It happened once, I doubt it'll happen often. Throwing up big text saying a mod is potentially unsafe because it's an ASI is silly and just makes the community smaller by scaring people away.

 

This has happened before with previous GTA mods. GTA games have always had an extremely popular audience with younger people. But when stuff like this happened before, nobody went around calling some mods unsafe and acting like we should never download them again.

 

EDIT: To sum it up, if you're paranoid about getting a virus from installing mods, then you shouldn't be installing mods in the first place.

Edited by TJGM
  • Like 6
Link to comment
Share on other sites

Kudos to OP! Found and deleted.

 

BTW, is there any way to look at the session logs in that bin file? I am just curious what gathered.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.