
!Toolkit contains trojans and viruses - please read for infected file list and report


dpub

Hi,

 

Disclaimer: I bet this was not the author's intention, as the infected files are third-party programs included in the tool archive (but these programs are executed by the toolkit, so you WILL be infected). Please DO NOT IGNORE this - these backdoors and trojans are real and allow someone to take over your PC.

These versions of "Custom Song Creator Toolkit for Rocksmith" contain trojans (other versions might as well, but I checked only these last 2 versions):

 

rstoolkit-2.9.2.0

rstoolkit-2.9.2.1

 

The VirusTotal metaengine detected these trojans (check for yourself on https://www.virustotal.com):

 

Trojan/Win32.Occamy, HackTool.Agent.cch, BScope.Trojan.Mbot, Backdoor.Win32.A.Agent.306688[uPX]

 

I narrowed down the list of infected files (this was quite a lot of work, so please do not take my report lightly) to:

 

DDC.EXE

OGGDEC.EXE

REVORB.EXE

OGGCUT.EXE

To the software author: please kindly provide a clean version of the tool by recompiling or re-downloading these dependencies. Thank you for your hard work!
 

 

Best regards


Ever hear of a false positive?  For both of those, around one tenth of the antivirus products claim to see malware, but nine times as many other antivirus products see the toolkit as clean.  Several thousand people use the toolkit and don't report problems.  You're going to have to draw your own conclusions about whether you'll use the toolkit, but you shouldn't take a small minority of AV products as gospel about a program's safety.  Some will flag programs as suspicious for no reason other than them not being digitally signed, or for other arbitrary reasons not involving the presence of malware.

  • Like 3

Thank you for your answer.

 

> Ever hear of a false positive?

Sounds really patronizing, but I will answer shortly: yes. I do also understand heuristics used in AV software pretty well, like from the implementation side. And BTW this particular case has nothing to do with signing.

> Several thousand people use the toolkit and don't report problems

Well, ignorance is bliss and this is not an argument :) Suit yourself, guys - botnets need eager members, too :). Anyway, I would really-really recommend pulling new/rebuilt versions of these exe files. I would do this myself and contribute these here, but I recall trying some time ago and these were not easy to get. I mean, worst case the OGG-related ones could be replaced by open-source ffmpeg.

 

Cheers and thank you for your hard work,


Short answer:  You're probably wrong and shouldn't fear monger.  If you want to be more productive, send the binaries to one of the few AV products that claimed it was malware and ask them to confirm it's not a false positive.  If they check it manually and still consider it malware, that would have significantly more weight than an automated scan which could have flagged it just because it had a particular string of byte values.

  • Like 2

@dpub. It's a false positive for sure. Ray is entitled to be patronizing. You've insulted his product which he freely gives away, because you got panicked by a virus scanner that wants to frighten you to justify the bucks you paid for it or will pay for it. It's a scam McAfee started in 1987 and made billions. Also Ray has to put up with same old same old every couple of years or so. I've seen it. He's given you a very thorough reasoned explanation under the circumstances.

Unaccredited Charter


I can confirm that false positives happen. I was writing my own C++ code, as I'm learning C++, and one of MY projects that does literally nothing (it runs and instantly ends when it starts) got marked as malware.
