
GTA V Mods infected with malware

Uwillparish

(Website is down. Original link: http://gtaforums.com/topic/794383-possibility-of-trojan-downloaderspyware-installed-via-gta-v-mod/ Cached version: http://webcache.googleusercontent.com/search?q=cache:9mYf0EgigG4J:gtaforums.com/topic/794383-possibility-of-trojan-downloaderspyware-installed-via-gta-v-mod/+&cd=1&hl=en&ct=clnk&gl=us )

So, the TL;DR is that 2 mods, specifically the Angry Planes mod and the Noclip mod, seem to install a program called "Fade.exe" into your temp files and your registry. If you did install the mod like I did, I would check your registry and run a Malwarebytes scan.

(Originally posted here: http://www.reddit.com/r/pcmasterrace/comments/35xo8o/psa_gtav_modsalexander_blade_confirms_noclip_mod/ )


FUCKING TWATS, completely put me off modding GTA now. In the process of changing my passwords, 2-step verification will be saving my ass here.


Here we go. Some fu*ktards ruining it for everybody.

Glad I'm staying away from mods until they get applied on community servers (one day it will happen, my friends).


> FUCKING TWATS, completely put me off modding GTA now. In the process of changing my passwords, 2-step verification will be saving my ass here.

I would be running Malwarebytes scans, checking regedit and looking for any trace of Fade.exe before doing it; no one is safe till you are sure you have it, and/or sure you don't anymore.

> Here we go. Some fu*ktards ruining it for everybody.

> Glad I'm staying away from mods until they get applied on community servers (one day it will happen, my friends).

Well, we've had modding since before GTA 4, it's been ~10 years man!


> I would be running Malwarebytes scans, checking regedit and looking for any trace of Fade.exe before doing it; no one is safe till you are sure you have it, and/or sure you don't anymore.

> Well, we've had modding since before GTA 4, it's been ~10 years man!

Malwarebytes doesn't detect it.

 

http://linustechtips.com/main/topic/366420-gta-5-mods-angry-planes-and-noclip-installing-keyloggers/


> Well, we've had modding since before GTA 4, it's been ~10 years man!

You had malware on a modded server before?

Because what I was implying is that servers will not have malware on them. Not that I'd never heard of mods before.


> You had malware on a modded server before?

> Because what I was implying is that servers will not have malware on them. Not that I'd never heard of mods before.

No, I thought you meant mods on the Steam community, I read it wrong.

Touché, I ran AVG and saw nothing, also nothing in regedit: http://i.imgur.com/vzyM3ij.png

Those douchebags. I hope someone catches their little punk asses.

Someone needs to make a mod that increases the volume of the custom music channel. I've got my music in there, and it's all quiet as hell; I have to turn my system volume to max and turn down everything else in GTA V just to be able to hear it.

Someone also needs to make a radio station that doesn't suck. Unlike previous GTA games, I've yet to find a single station I entirely like. Good songs here and there (Lock and Load, Welcome to Los Santos, Danger Zone, etc.) but the rest of it just annoys me.


Mods are a great addition to any game, you can add giant cocks to Skyrim and have your computer hijacked in GTAV lol.


I was quite worried about this with GTA IV, when I messed around trying to get the best mod results... there is just so much out there and a lot of it is not checked that much...


And this is why mod support and something like mod curation in something like... oh say... Steam? would be really nice.

Edit: I should say real mod support and guarantees that mods work/are malware-free. Not shitty Steam support like they had when they "launched" with no curation, no ability to get money back, and no guarantee that any of it would work.


LOL this is a first for me.

Oh what assholes. I had a similar problem with puush, it got infected and I had to change all my passwords as well; now using KeePass and it's fucking annoying.


Gtaforums posted removal instructions for the malware:

Instructions on virus removal:

If these files do not exist, do not assume you weren't affected. The virus could have deleted itself after grabbing what it needed to cover its tracks, or your anti-virus could have deleted it after it grabbed what it needed.

If you have used the mods Angry Planes and/or Noclip mod, then here is how to get rid of the virus, or check if it is still on your computer.

1. Press Ctrl+Shift+Esc, go to processes, and end the csc.exe process.

2. Go to your Temp folder at "C:\Users\*YOUR USER NAME*\AppData\Local\Temp"

3. Sort the files by date added, and find .z and init..exe and delete those. Some reports say that .z might be named differently, like .x.

4. Some people also reported an unnamed archive file (.zip or .rar) that could not be opened that looks like this: http://www.twitch.tv...thedanishviking

77.68.209.7

Further investigation revealed the following modules active:

Facebook spam/credential stealing module

Twitch spam/credential stealing module

Messenger.com spam/credential stealing module

A Steam spamming module

A Steam module that evaluates the items in your inventory and their value based on current market value

A keylogger module that logs individual button presses in an XML-like format; it also includes information about context switches (switching from one app/window to another)

A UDP flooding module

There were others I hadn't deciphered and didn't see in action.

All of the spam/credential stealing modules above will attempt to rip your session cookies for each of the above sites from IE/Chrome/Firefox and use the credentials to do their thing.

It stores all this information in a Session#.bin file as described above and ships it to the RAT admin's server.

Now, here's the juiciest and most useful bit.

The C&C server is apcrypt.duckdns.org, which resolves to 45.58.121.105. It's a cheap Windows VPS with a company called https://www.cloudieweb.com/ which is utilizing a dedicated server rented from Choopa.com.

This server is running Remote Desktop on 3389 as well as a webserver, which I believe is acting as an endpoint/C&C server for the RAT. The RAT uses SSL to communicate with this server, so I was unable to spy on any of that activity in any meaningful way in the time I had available.

Tools used to investigate:

ProcessExplorer

WinDbg

Jetbrains DotPeek

Strings (https://technet.micr...s/bb897439.aspx)

Wireshark

IMPORTANT/TL;DR:

If you didn't read/understand all of the above, the most important thing to take from this is that everything you typed while infected is in the malware admin's hands. Your active/logged-in sessions to Facebook/Twitch/YouTube/Steam are in his hands. Change all your passwords, log out and log back in to every site mentioned above to invalidate the existing sessions.

p.s. I will include some strings from the modules referenced above in the following post.

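One way to turn the indicators in the post above (the csc.exe process, the Temp-folder files, Fade.exe from the first post, and the C&C address) into a repeatable host check. This is an added example, not the gtaforums author's tooling; it only reports, it does not kill processes or delete files, and the registry Run keys it inspects are this script's assumption, since the post says the registry is touched but not where.

```powershell
# Added host triage script; not from the gtaforums post, and read-only: it reports,
# it does not kill processes or delete files. Run in an elevated PowerShell session.
$findings = New-Object System.Collections.Generic.List[string]

# 1. csc.exe process. csc.exe is also the legitimate .NET C# compiler, so only a copy
#    running from outside the .NET Framework directories is worth a closer look.
foreach ($p in (Get-Process -Name csc -ErrorAction SilentlyContinue)) {
    if ($p.Path -and $p.Path -notlike "$env:windir\Microsoft.NET\*") {
        $findings.Add("csc.exe running from unexpected path: $($p.Path) (PID $($p.Id))")
    }
}

# 2. Dropped files in the user's Temp folder. Names are those given in the post; the
#    report that .z may appear as .x is covered too.
$temp = Join-Path $env:LOCALAPPDATA 'Temp'
foreach ($f in (Get-ChildItem -Path $temp -Force -File -ErrorAction SilentlyContinue)) {
    if ($f.Name -in @('.z', '.x', 'init..exe', 'Fade.exe')) {
        $findings.Add("Suspicious temp file: $($f.FullName) (modified $($f.LastWriteTime))")
    }
}

# 3. Persistence. The first post says Fade.exe is written to the registry but not where;
#    checking the standard Run keys is this script's assumption.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $entries = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $entries) { continue }
    foreach ($prop in $entries.PSObject.Properties) {
        if ("$($prop.Value)" -match 'Fade\.exe') {
            $findings.Add("Run key entry references Fade.exe: $key\$($prop.Name) = $($prop.Value)")
        }
    }
}

# 4. Network. Established TCP connections to the C&C IP given in the post, and a cached
#    DNS answer for its hostname.
foreach ($c in (Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue)) {
    if ($c.RemoteAddress -eq '45.58.121.105') {
        $findings.Add("Connection to C&C IP 45.58.121.105:$($c.RemotePort) from PID $($c.OwningProcess)")
    }
}
if (ipconfig /displaydns | Select-String -Pattern 'apcrypt\.duckdns\.org' -Quiet) {
    $findings.Add('DNS cache contains apcrypt.duckdns.org')
}

if ($findings.Count -eq 0) { 'No indicators from the post found on this host.' } else { $findings }
```

As the post itself notes, an empty result does not prove the machine was never infected; the session and password reset in the TL;DR still applies if the mods were installed.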

> Oh what assholes. I had a similar problem with puush, it got infected and I had to change all my passwords as well; now using KeePass and it's fucking annoying.

Except puush wasn't blatantly trying to be malicious, it could happen to anyone.
