Can you please let us know the steps you took to get that kind of data or such?
DME does not use or connect to any web service for any reason. It doesn't even require an internet connection to run (online services are planned for AI Assistant but right now it doesn't make any online connection anywhere).
Is it possible that your system has malware, and if so can you check with the Malwarebytes Anti-Malware program?
Just tried sniffing dme.exe for web sockets and connections and 0 results on our end.
PS: We are not douchebags and will obviously not be removing the topic. We will however request you to delete it yourself once the issue has been solved/clarified to your satisfaction.
I uploaded it to VirusTotal and it had been scanned before, making me assume it's not a copy that was modified by potential malware on my computer (I just installed this today btw; I'd like to take a moment and say I truly appreciate this program, it's really cool!)
https://www.virustotal.com/en/file/b55b563f1efe9cd64ea470b35c82ac0ad635601e0bc00e1bb46477561ecd365a/analysis/1529660150/
It appears to be clean, I think the one hit in there is a false positive.
I did upload it to a sandbox scanner, but it won't be complete for a few minutes, here is the link for when it is complete:
https://www.hybrid-analysis.com/sample/b55b563f1efe9cd64ea470b35c82ac0ad635601e0bc00e1bb46477561ecd365a/5b3379ef7ca3e1632a2d44f3
Here is some additional checksum information: https://i.imgur.com/CRgUtUM.png
I also would like to note that I caught this because I use a program called proxifier, it just redirects connections to a proxy and logs their traffic -- not the data transmitted though.
If you need anything else let me know!
Yep, we always scan all our builds on VirusTotal and in-system cleaners before pushing them out. So this is definitely not malware or something wrong in the build or code, as we searched and proof-checked both for the IPs and hostnames and found none.
Yet we have also confirmed your claims to be true via Windows Process Monitor: the .exe file does seem to be making network calls to that host.
In particular, it is making calls to 2 unknown IPs (`ip.addr == 145.14.144.136 || ip.addr == 145.14.144.66`); the .136 is that webhost one for which you provided URLs.
We are now deep sniffing the network via Wireshark to isolate where it's making the calls from. It's definitely not us, so our guess is it's one of the Unity assets/plugins we're using (even more strange if true, as that would mean Unity does not QC or test assets before allowing them on their store).
Also, from what we have gathered so far, the calls seem to be harmless and some kind of "ping" requests. They are not sending or receiving any data, and the file they are calling seems to be broken/unavailable.
Will update the post in a couple of minutes.
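The check the developers describe above (logging every outbound connection a process makes and comparing it against what the process is supposed to do) can be automated. The script below is an added example and is not code from this thread, from DME or from Proxifier/Process Monitor: it parses constructed, simplified log lines in a "timestamp process ip:port proto" shape (not either tool's real export format), encodes the developers' own claim that dme.exe needs no network access as a per-process destination policy, and reports every connection outside that policy. The two IPs and the 225.0.0.222 multicast address come from the thread; the other addresses are constructed placeholders.

```python
"""Flag outbound connections that a process should never make (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample log (not a real Proxifier/ProcMon export). 192.0.2.0/24 is
# the TEST-NET-1 documentation range, used here as a placeholder destination.
SAMPLE_LOG = """\
2018-06-22 10:01:03 dme.exe 145.14.144.136:80 TCP
2018-06-22 10:01:03 dme.exe 145.14.144.66:80 TCP
2018-06-22 10:01:05 Unity.exe 225.0.0.222:54997 UDP
2018-06-22 10:01:07 steam.exe 192.0.2.10:443 TCP
2018-06-22 10:01:09 dme.exe 127.0.0.1:7777 TCP
"""

# The two unknown IPs from the thread, as used in the Wireshark display filter.
SUSPECT_IPS = {"145.14.144.136", "145.14.144.66"}

# Destinations each process is expected to reach. None means the process is out
# of scope for this audit (any destination accepted); a process missing from the
# table is reported on every connection it makes. dme.exe is allowed loopback
# only, because the developers state it makes no online connection anywhere.
EXPECTED_DESTINATIONS = {
    "dme.exe": [ipaddress.ip_network("127.0.0.0/8")],
    "unity.exe": [ipaddress.ip_network("225.0.0.222/32"),  # Unity remote-profiler multicast
                  ipaddress.ip_network("127.0.0.0/8")],
    "steam.exe": None,
}


@dataclass(frozen=True)
class Connection:
    timestamp: str
    process: str
    dest_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    dest_port: int
    proto: str


def parse_line(line: str) -> Connection:
    """Parse one constructed log line of the form 'DATE TIME PROCESS IP:PORT PROTO'."""
    date, time, process, dest, proto = line.split()
    host, port = dest.rsplit(":", 1)
    return Connection(f"{date} {time}", process.lower(),
                      ipaddress.ip_address(host), int(port), proto.upper())


def is_expected(conn: Connection) -> bool:
    """True when the destination falls inside the process's allowed networks."""
    allowed = EXPECTED_DESTINATIONS.get(conn.process, [])
    if allowed is None:
        return True
    return any(conn.dest_ip in net for net in allowed)


def find_unexpected(log_text: str) -> list[Connection]:
    """Return every logged connection that violates the destination policy."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return [c for c in map(parse_line, lines) if not is_expected(c)]


def matches_display_filter(conn: Connection, suspect_ips: set[str]) -> bool:
    """Per-flow equivalent of the Wireshark filter 'ip.addr == A || ip.addr == B'."""
    return str(conn.dest_ip) in suspect_ips


def summarize(log_text: str) -> dict[str, list[str]]:
    """Map each offending process to its sorted, de-duplicated unexpected destinations."""
    out: dict[str, set[str]] = {}
    for c in find_unexpected(log_text):
        out.setdefault(c.process, set()).add(f"{c.dest_ip}:{c.dest_port}")
    return {proc: sorted(dests) for proc, dests in out.items()}


if __name__ == "__main__":
    for proc, dests in summarize(SAMPLE_LOG).items():
        print(f"{proc}: unexpected destinations -> {', '.join(dests)}")
```

Running this against a real capture means replacing `parse_line` with a parser for the tool's actual export format; the policy table is the part worth keeping, because it turns "the program should not talk to the network" into something a log can be checked against after every build.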
No, thank you instead for reporting this backdoor and opening our eyes that we now need to check/sniff network activity as well, along with VirusTotal checks, before pushing out a new update.
Also, we found the asset causing it. It was the RTVoice Pro Unity asset. No idea why or from where it was doing it (most probably its .dlls).
Right now I have no idea why it's doing it or anything, but we are removing that asset from our project and pushing out a patch fix right now.
RTVoice was the inbuilt TTS (text to speech) synthesizer we were using for that AI Assistant demo (welcome message) when DME starts.
Will disable the AI Assistant welcome message for now and use GCM or Watson's TTS system instead in a new update next week.
-------------------
Again, thank you for reporting this and sorry that something like this happened in the first place. We just hope it did not cause any harm to any of our userbase.
Also, I would like to request you to remove all of the links you listed except for a link/mention to the hostname/domain. Many of those links have personal/private information about someone's PC, most probably from people who got malwared by some other asset or cause.
There is also private login information for someone's FB and Unity account in one of those links/files.
We have just sent an email to that user alerting him about his account(s), with a link to this report for the details.
Again, to inform other users, none of our user base should have been affected or harmed by this since the network call being made was to some broken/unavailable script. But for sake of caution, just scan your PC(s) once.
PS: Do not remove this topic now, it should stay now for sake of transparency and clarifications.
It's totally ok, I really appreciate the way you handled this; it shows professionalism and good will.
Maybe make a statement in the next update post about this if there proves to be a virus involved.
Thank you very much!
Yep, have edited my quote as well and have sent a copy of it to our main email as a reference. Have just emailed those other people who were affected by something unrelated to us as well.
Well done. ^_^
We were in the middle of working on those changes, so currently wrapping up things to prepare the patch build and will include the motion animation feature in it.
Can you confirm the issue was with "RTVoice Pro"? Is there a chance your builds back then were done as "development builds" and tried to connect to the Unity Profiler?
It was fixed once we removed RTVoice Pro, and it was definitely not the Profiler or anything related to Unity or legit, as we checked the link and files available on it at that time and they were key loggers and login details of some random users (FB accounts, etc.).
So it was surely a plugin causing it (in our case RTVoice Pro).
What I would advise is to remove any and all plugins or assets you are using (in a test build or Git commit) and see if that fixes it, then add them back 1 by 1.
We researched around later on and found this keylogger or injector was a problem common in nulled/cracked/pirated assets.
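The "remove everything, then add assets back one by one" procedure above is a linear search over the asset list; when exactly one asset is responsible, a binary search over the same list reaches the answer in far fewer test builds. The script below is an added example, not the developers' own script: `bisect_culprit` is generic and takes whatever check you run on a test build (for instance, whether the build still makes the unexpected connection), while `simulated_oracle` is a constructed stand-in for that check that simply knows the answer, so the example runs offline. The asset names other than "RTVoice Pro" are placeholders.

```python
"""Locate the asset that triggers unwanted behaviour by bisection (added example)."""
from __future__ import annotations

from typing import Callable, Sequence

# Constructed asset list: "RTVoice Pro" is the asset named in the thread, the
# rest are placeholder names and do not refer to real assets.
ASSETS = ["asset-a", "asset-b", "RTVoice Pro", "asset-d",
          "asset-e", "asset-f", "asset-g", "asset-h"]


def bisect_culprit(assets: Sequence[str],
                   triggers: Callable[[Sequence[str]], bool]) -> str | None:
    """Return the single asset whose presence makes `triggers(subset)` True.

    `triggers` stands for one test build plus the observation made on it (e.g. a
    connection audit). Assumes exactly one asset is responsible and that the
    behaviour appears whenever that asset is included (no combination effects).
    Returns None if even the full set does not trigger, so a broken oracle
    cannot point at an innocent asset.
    """
    if not triggers(assets):
        return None
    remaining = list(assets)
    while len(remaining) > 1:
        half = len(remaining) // 2
        left = remaining[:half]
        # Keep whichever half still reproduces the behaviour.
        remaining = left if triggers(left) else remaining[half:]
    return remaining[0]


def confirm_fix(assets: Sequence[str], culprit: str,
                triggers: Callable[[Sequence[str]], bool]) -> bool:
    """Mirror the thread's final check: the full project minus the culprit must be clean."""
    return not triggers([a for a in assets if a != culprit])


def simulated_oracle(culprit: str):
    """Constructed stand-in for a real test build: it just knows which asset is bad.

    Returns the oracle and the list of subsets it was asked about, so the number
    of 'builds' the search needed can be inspected.
    """
    builds: list[list[str]] = []

    def triggers(subset: Sequence[str]) -> bool:
        builds.append(list(subset))
        return culprit in subset

    return triggers, builds


if __name__ == "__main__":
    oracle, builds = simulated_oracle("RTVoice Pro")
    found = bisect_culprit(ASSETS, oracle)
    print(f"culprit: {found} after {len(builds)} test builds "
          f"(one-by-one would need up to {len(ASSETS)})")
    print("removing it alone fixes it:", confirm_fix(ASSETS, found, oracle))
```

If two assets must both be present for the behaviour to show, the single-culprit assumption breaks and the search may return only one of them; in that case keep the half that triggers, then re-run the search on the other half with the found asset held constant.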
The issue is we can't detect any unexpected behaviour (and we're using the exact methods you've described); we've failed to replicate the malicious connection on our systems, and as far as we can tell there is no call to the malicious IP/domain.
We don't use any binary assets (except for Steam.NET) and no part of compiled code from external libraries is related to nor allows networking. So either the malware has complex trigger behaviour (be it OS, IP location or some other variable) or it's capable of hijacking other processes; both cases seem possible, but not very likely.
On the other hand, Unity is using a multicast broadcast to 225.0.0.222 for remote profiling. We believe this connection address can be hijacked, either by DNS spoofing or a malicious hosts file edit, as the local/callback IP ranges are often misconfigured and susceptible to attacks. That would at least explain why we can't replicate the issue.
So in your case, removing the files of the plugin from Assets directory stopped the connections from happening, and in your opinion - the vector was a .unitypackage file?
Yes, and also to note, in our case the connection was to a hostname/domain/URL and not an IP, so it was easier to trace back to that particular asset.
If it's an IP in your case and not a specific URL/hostname, then perhaps it's something else and/or a botnet on the user's PC and unrelated to Unity.