Malware in Network Extensions 3 mod

As mentioned in OP, the malware is trivial:

• When someone starts the game with the NExt3 mod enabled, it checks if the game is running in Steam portal and, if so, then checks the player's Steam ID against two lists of Steam IDs[github.com].
  
• One of the lists appears to be mostly modders and CO employees; the other is a list of ordinary steam users many of whom will not be aware that they are direct targets of malware.
  
• If the player ID matches an entry on the list, the mod proceeds to change road speeds to a random - but always slow - value[github.com].
  
• This gives the false appearance that it's the other mods which contain bugs - a topic which I'll cover in a later comment.

As you know, TM:PE team have been working hard to fix speed-related bugs over the past few weeks, so you can imagine how it felt to discover that some of those problems were created on purpose by another modder and that they were directly targeted at us.

Given the persistent and escallating actions of Chaos / Holy Water / drok (same person), we are now treating all those mods as potentially malicious until proven otherwise. Even if they do not currently contain malware, we don't know what will be added in future updates (especially via "Update from Github" mod which bypasses Steam workshop entirely).

Tripwire code in Network Extensions 3

Holy Water has now largely scrubbed all evidence of this, but a version of the mod was released with code specifically designed to create bugs if it was used with the main Harmony mod[github.com] which Holy Water is trying to discredit (you can also see in that code update he's added more steam users to the malware target list).

Almost the entire modding community have devoted considerable time to transitioning their own mods - and lots of older mods - to Harmony framework. Again, you can imagine the frustration caused when it became apparent that one modder had specifically designed their mod to cause bugs when used with that mod.

If you need to recover a city broken by the NExt 3 mod, use this collection which contains complete set of NExt roads but without the NExt mod:

https://steamcommunity.com/sharedfiles/filedetails/?id=2642484580
This youtube video explains how it works: https://www.youtube.com/watch?v=O-If-hXz2KA

Causing bugs, then presenting a solution

It should be obvious, but I'm going to point it out anyway.

Holy Water is targeting mods with over 1 million users (NExt, Harmony, TM:PE, etc), causing bugs in them, and then presenting his own versions as the 'fix'.

When modders complain, they get added to a targeted malware list in at least one of his mods, are also blocked them from creating derivative works of his versions of their mods.

For example, I contributed code to Network Extensions (specifially a project called "TAM" - Transit Addon Mod, you've probably seen it mentioned in log files if you use NExt 2 or NExt 3). If I try to "fork" (clone) the Network Extensions 3 project I get an error because Holy Water has blocked cloning that code that I once worked on.

Holy Water then goes to great lengths to reiterate over and over (something known as "repeat assertion technique" aka "proof by assertion") that his code is "open source", and also then claims that _he_ is the actual victim when people rightfully point out that he's the one causing problems.

As the number of users grows, more bugs appear in other popular mods... rinse, wash, repeat.

This is a discernable pattern and one which is very familiar to anyone trained to spot it due to their line of work, not that I would be such a person or doing that line of work ofc.

It's a technique used to split communities; it starts by drawing some people away, telling them that they are part of something special, that they must ignore all the disruption and other problems that are starting to happen, and that everyone else is out to get them... I don't need to say more, you can work out what's going on here.

Misleading reporting in Harmony "redesigned" mod

The reports generated by Harmony "redesigned" are very familiar to anyone who worked on or observed the creation of the main harmony mod, and the transition of dozens of mods to using it.

Part of that work was a proposed system whereby errors could be trapped and associated with the mod where the error occurred. However, there are issues with this approach - namely, where an error is detected is often not the source of the problem but rather a symptom of the problem. It can be hugely misleading to anyone who doesn't uderstand what's acutally going on under the hood.

Holy Water is going round telling everyone that the original Harmony mod doesn't catch errors, and that they should use his which does. To most end users this will likely sound entirely logical - the mod that catches errors is surely better. But to anyone who knows what's going on under the hood, and also having to support one or more mods, it's an absolute disaster.

Again, this is designed to promote the "redesigned" mod as the solution, whilst simultaneously making all other mods seem broken "because they don't use that redesigned mod".

Claiming that the main Harmony mod isn't tested

The transition to Harmony was a huge task involving most of the modding community. Harmony library was new at the time and undergoing regular updates to fix bugs, and sometimes those updates would cause new bugs. That's the nature of rapidly evolving software.

Holy Water has waited until the mod became stable, copied it, and then devoted huge amounts of time to reminding everyone that the original version _used_ to have bugs. That's gaslighting.

The main Harmony mod, with over 1 million users, was just updated with almost no problems reported (except for one notable mod as mentioned above that had "tripwire" code to specifically make that mod break once the new Harmony was released).

That update came after almost 1 year of testing by modders and players alike. The notion that the main Harmony mod is a "buggy mess" is absurd in the extreme, and is being peddled by one single mod developer - Holy Water - who's actually added code to his mods that causes bugs to make other mods look like they are broken.

There is a bunch of other stuff, including doxing, which I've not even discussed yet.

As always, up to you who's mods you use. And I can practically guarantee that Holy Water will release a TM:PE clone that magically fixes a bunch of problems with slow speed limits and is magically compatible with Harmony mod again (_his_ Harmony mod, that is).

UPDATE: We have confirmed that "Supply Chain Coloring" and "Transfer Broker BETA" - the workshop versions only (which are locked to prevent updates) - do not contain any malicious code. TM:PE will mark them as compatible again from version 11.6.5.0 onwards.

Actually, there is some other stuff I want to mention.

First, the "update from github" mod that Holy Water is pointing people to. That mod completely bypasses Steam - and thus all of the checks that Steam does when stuff is uploaded to workshop. If there's malware in an update, there is no way to know or resolve that situation.

Second, Holy Water is claiming that modders aren't testing thier mods with his mods... yeah, no suprise there given that his mods contian malware aimed directly at those modders, and code specifically designed to break their mods.

Third, my first encounter with Holy Water was on the workshop page of my Mod Compatibility Checker mod (abandoned due to RL issues): He was claiming that its successor, "Compatibility Report" mod (which is awesome btw!), is "malware" because it was legitimately pointing out issues with his mods. That's something called "Projection" - where the person responsible for creating some kind of harm "projects" that on to others (usually those affected by the harm and/or those trying to prevent the harm). Again, it's a familiar pattern that's discernable to people trained to spot it due to their line of work.

LOL, he's already created a clone of TM:PE https://steamcommunity.com/sharedfiles/filedetails/?id=2749420751

"This is a fork of TM:PE that does work with all my mods, including Next3 and Harmony (redesigned)" -- Holy Water

LOL, as if by magic the speed limits and Harmony compatibility issues disappeared simply by uploading a clone of the mod without changing anything. Imagine that!

BTW, I've just been reliably informed that the "Harmony redesigned" mod by Holy Water is already bypassing Steam and pulling data directly from Github. If you're using that mod I seriously urge you to start tracking it's disk activity and check any code it downloads.

EDIT: The version from github does this, not the version in the workshop (that version is already locked from updates due to account violations apparently, which is why Holy Water is directing people to the github version).

Several modders are now investigating what's in the "download from github" version of the "Harmony (Redesigned)" mod, and it's not looking good.

Notably, the code it contains does not exist in any of the workshop releases, nor does it exist in the source code repository. It appears to be a different mod (modders are still investigating). Additionally, the way it downloads a zip file isn't controlled in any way; it can be any zip file that Holy Water uploads - it is automatically executed (run) when you start the game, even if the mod is disabled (it self-enables itself).

Image link of collapsed code view after decompiling the "download from github" version of "Harmony (Redesigned)": https://imgur.com/C8GZaQ9

Update: The `MalwareBypass` code blocks are doing stuff like disabling bits of Boformer's Harmony mod, and also remove feeds, workshop ads, whatsnew panel, dlc panels, paradox account panel and whole game telemetry. The code is still being investigated.

What the actual ♥♥♥♥

Wow what a bombshell. First glad you're back and hope that your irl issues have been resolved.

It looks like he also created a new sub-forum in his Harmony for Games cult for asking what mods to ripped off next so it should be watched for future developments.

Originally posted by aubergine18:

LOL, he's already created a clone of TM:PE https://steamcommunity.com/sharedfiles/filedetails/?id=2749420751

Originally posted by TM:PE Chaos Virus clone edition steam page:

Thank you Krzychu1245 for the awesome mod

LMAO Krzychu1245 spoke against him on my "A warning about NeXT3" discussion:

Originally posted by Krzychu1245:

How you calculated that? Do you really think that file size is equal to memory allocated when loaded by the game? If so you have no idea how NeXT works...

See, Next2 is creating ton of assets at runtime when you are loading map (it's worse than CSUR), rough calculations and user reports from the past says about 1.5-3GB of RAM required to load everything (not counting VRAM) as textures cannot be optimized (shared and reused by other assets). It's outdated, memory-inefficient technology that should have been forgoten long time ago IMO or at least completely rebuild from scratch eliminating known issues. You probably don't know but once you save the game with Next enabled you won't be able to load it without issues in case of any initialization problem. Since it's a modification that requires running the code to initialize it will be prone to external factors.

Also, do you want to create new asset based on one of the roads from that mod? No problem but all its users will be forced to use Next just to load your new variant even if they only want just your asset and nothing else...

Originally posted by aubergine18:

BTW, I've just been reliably informed that the "Harmony redesigned" mod by Holy Water is already bypassing Steam and pulling data directly from Github. If you're using that mod I seriously urge you to start tracking it's disk activity and check any code it downloads.

EDIT: The version from github does this, not the version in the workshop (that version is already locked from updates due to account violations apparently, which is why Holy Water is directing people to the github version).

Yeah the fact he is creating a botnet (that what it really is now) is extremely petty. And that he's now not updating his source code on GitHub means he can no longer make the excuse that he's doing this for open source.

Originally posted by aubergine18:

Update: The `MalwareBypass` code blocks are doing stuff like [removing] whole game telemetry. The code is still being investigated.

So he ripped off one of the less Steam mods?

Originally posted by aubergine18:

Image link of collapsed code view after decompiling the "download from github" version of "Harmony (Redesigned)": https://imgur.com/C8GZaQ9

Is the code obfuscated and is there a link to the decompiled code? I'm not a C# programmer so I don't what to spend time getting a decompiler but would still like to take a look.

For capable decompilers I can recommend:
JustDecompile from Telerik (free).

There is also a "diff" tool, which only shows differenes between 2 assemblies:
JustAssembly from Telerik (also free).

@aubergine18 you should change the links to GitHub permalinks (referring to the commit hash), because if the access lists are moved to another file / directory, the current links will break ;)

Like this:
https://github.com/drok/NetworkExtensions3/blob/0c705c394e6bc48ad5776941bf73d8c5629a183a/Transit.Framework/Mod/AccessControlLists.cs

I have been subscribed to his Supply Chain Coloring mod for ages. I just unsubscribed, but I have no idea how to check for malware or anything else you claim he has done...

Should I be worried about that having been subscribed to SCC??