How did it get proven? Are the samples uploaded on VirusTotal? Were they tested using dynamic analysis on one of the major sandbox vendors? Were they unpacked and reverse engineered to discover malicious code fragments and behaviors?
Where is the proof? I’m not discrediting that they are malicious, but I would like to know exactly what they did to determine it in case other mods try the same.
Edit: looks like this is all the modding discord finding out. Looks like they are decompiling the dlls and performing static analysis on the code and finding obfuscation techniques commonly used in malicious packages to get payloads.
https://youtu.be/T-OhKIWBA-I?si=eHoAmvUNrffA8_7H
I've already gone through a couple of computers for various reasons, and I have been trying to be very careful with this one, so at any slight indication of a problem, especially when it comes to that, I'll be cleaning whatever could have a virus in it or whatever the case may be.
So the person must have immediately got rid of the file and reported it to Nexus.
Technically the file is still on Nexus, but they're monitoring it until further notice because they didn't delete it, they're just watching it, if that makes any sense, so you can't download the file as of right now, but it won't come up as deleted, if that makes any sense to you. Plus if you downloaded the file before the 11th you should be fine, like in my case, but I'm not even taking the risk and I don't think anyone else should.
Until Nexus can confirm that it's okay now, I would suggest alternative mods that do the same thing for a while.
Also, when it comes to the backpack, I think that reupload got deleted immediately, because I didn't even know it was a reupload, since I still have the original from before it was deleted by the creator.
Yeah, I edited my original. The mod author sold their account and the new owner injected obfuscation and payload targets into the new version.
This is really a damn shame. It’s going to scare so many people off modding and that really shouldn’t happen. But, this is the internet, and someone always has to be edgy and hurt people.. so yea..
Not even just that, but even though I downloaded the mod on the 4th, I'm still going to run a full scan next time I have my computer running, just on the off chance.
Again, no idea how they detected it, but I'd rather be safe than sorry. As soon as I saw the Reddit post I hit Alt+F4 without even saving the game lol
There are tools out there for free that allow you to decompile or view the calls that something will make.
My hunch is they were made aware the same way most people are. Someone updated, noticed something fishy or was caught by AV heuristics, and reported it to the modding Discord; given they make mods and share resources to do so, they can probably just as easily pull a packed mod apart, find some code and report it to Nexus. (That is normally how these things go, unfortunately.)
Bigger communities are a bigger target, especially in this case, so the more people who immediately jump to update, the more people the Trojan will catch. Thankfully, most modders are super lazy and only update if something breaks, check for updates when game updates, or in some cases never update.
Fingers crossed the damage and the number of people infected are minimal, and it's not a nasty one that digs in and tries to actively fight against removal.
Hey, so I'm pretty sure I downloaded this mod prior to all the BS, but I'm still concerned...
Do you know what application I would need to use to open up the DLL file and see if it contains the malicious code? I've done multiple scans on my system with various methods (Malwarebytes, Bitdefender, Microsoft Defender); all come back clean, but I'm worried they aren't able to detect the threats.
Step 1 is to upload the DLL to VirusTotal.
If you know for a fact that you downloaded it before the specified date in the Reddit thread, then you are safe. It's only if you updated it after that date that you are at risk. You can't get the Trojan if you didn't upgrade the mod to the version that runs it, thankfully. Check your downloads. If the download is BEFORE April 11, you're good. The rest of this is optional.
If you legitimately feel that you are at risk…
Disconnect your computer from the internet. On another clean computer, download the following and move them to the infected PC via USB. If that isn't an option, check your etc/hosts for DNS manipulation, delete any records that map virus-removal sites to 0.0.0.0, and download these on your computer to begin.
1. https://www.bleepingcomputer.com/download/rkill/
RKill will attempt to stop known malware processes and allow your AV to run and remove it. RKill does not remove viruses.
2. Use https://www.malwarebytes.com/mwb-download or https://www.hitmanpro.com/en-us to remove it if RKill does stop something.
https://www.eset.com/us/home/online-scanner/?srsltid=AfmBOoqtMcii5STLWH7XP6ftu29nOgPsg3A5I_CAjFBwb_jBnHX50xu3 And https://learn.microsoft.com/en-us/defender-endpoint/safety-scanner-download are also great tools.
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer and https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns are great for checking whether you have a potential active infection as well. Be forewarned, some of the AV vendors do flag legitimate processes as malicious sometimes. Go into the options and enable submissions to VirusTotal. If it is a 1/70 and people are saying it's safe and legitimate, it's a false positive by the vendor and will be cleaned up in a few days. We are mainly looking for anomalies outside of system functions, and these are normally at the bottom of PE where threads like your browser will spawn.
As for inspecting DLLs, you can use https://www.jetbrains.com/decompiler/
https://www.dll-decompiler.com/
https://github.com/icsharpcode/ILSpy
https://binary.ninja/
to decompile it, but it's not going to cleanly tell you exactly what the code does, since you have to do more to make it readable and, in many cases, de-obfuscate it.
Since this also happened in Cities: Skylines 2 with a rogue DLL malware, this would be a good watch:
https://youtu.be/bvyklJ5Wie0?si=OH_Z4pSnU-775NnI
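The hosts-file check the answer above mentions (look for entries that sinkhole virus-removal sites to 0.0.0.0) can be automated. This is an added example, not code from anyone in the thread or from the tools linked; the hosts content and the list of security-vendor domains are constructed assumptions, and it runs against a string so it can be tried offline before pointing it at the real file.

```python
# Audit a Windows/Unix hosts file for entries that redirect security-vendor
# domains to a sinkhole address (a common way malware blocks AV downloads).
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

# Assumed list of domains belonging to the tools recommended in the thread.
SECURITY_DOMAINS = (
    "virustotal.com", "malwarebytes.com", "bleepingcomputer.com",
    "hitmanpro.com", "eset.com", "microsoft.com", "sysinternals.com",
)

# Constructed sample hosts file: two normal localhost lines, three sinkholed
# security domains, and one legitimate LAN entry that must NOT be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         www.virustotal.com
0.0.0.0         www.malwarebytes.com   # added 2025-04-12
0.0.0.0         download.bleepingcomputer.com
192.168.1.50    nas.local
"""


def parse_hosts(text):
    """Return (line_number, address, hostname) tuples, ignoring comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        entries.extend((lineno, addr, n.lower()) for n in names)
    return entries


def is_security_domain(host):
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def find_suspicious(text):
    """Entries that sinkhole a security-vendor domain. Ad-blocking hosts lists
    legitimately sinkhole many domains, so only vendor domains are flagged."""
    return [e for e in parse_hosts(text)
            if e[1] in SINKHOLE_ADDRS and is_security_domain(e[2])]


def clean_hosts(text):
    """Return the hosts text with the flagged lines removed."""
    bad = {e[0] for e in find_suspicious(text)}
    return "\n".join(l for i, l in enumerate(text.splitlines(), 1)
                     if i not in bad) + "\n"
```

On a real machine, read C:\Windows\System32\drivers\etc\hosts (or /etc/hosts) into `text` and review the flagged lines before writing the cleaned version back.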
Don't forget about that Malwarebytes free trial.