!Toolkit contains trojans and viruses - please read for infected file list and report

[dpub]

Hi,

 

Disclaimer: I bet this is was not author's intention, as infected files are third-party programs included in the tool archive (but these programs are executed by the toolkit, so you WILL be infected). Please DO NOT IGNORE this - these backdoors and trojans are real and allow to take over your pc.

These versions of "Custom Song Creator Toolkit for Rocksmith" contain trojans (other version might as well, but checked only these last 2 versions):

 

rstoolkit-2.9.2.0

rstoolkit-2.9.2.1

 

Virustotale metaengine detected these trojans (check for yourself on https://www.virustotal.com):

 

Trojan/Win32.Occamy, HackTool.Agent.cch, BScope.Trojan.Mbot, Backdoor.Win32.A.Agent.306688[uPX]

 

I narrowed down infected files list (this was quite a lot of work, so please do not take lightly my report) to:

 

DDC.EXE

OGGDEC.EXE

REVORB.EXE

OGGCUT.EXE

To software author: please kindly provide clean version of the tool by recompiling or re-downloading these dependencies. Thank you for your hard work!
 

 

Best regards

[raynebc]

Ever hear of a false positive?  For both of those, around one tenth of the antivirus products claim to see malware, but nine times as many other antivirus products see the toolkit as clean.  Several thousand people use the toolkit and don't report problems.  You're going to have to draw your own conclusions about whether you'll use the toolkit, but you shouldn't take a small minority of AV products as gospel about a program's safety.  Some will flag programs as suspicious for no reason other than them not being digitally signed, or for other arbitrary reasons not involving the presence of malware.

[dpub]

Thank you for your answer.

 

Ever hear of a false positive?

Sounds really patronizing, but I will answer shortly: yes. I do also understand heuristics used in AV software pretty well, like from the implementation side. And BTW this particular case has nothing to do with signing.

 

 

Several thousand people use the toolkit and don't report problems

 

Well, ignorance is a bless and this is not an argument :) Suit yourself, guys - botnets need eager members, too :). Anyway, I would really-really recommend pulling new/rebuilt versions of these exe files. I would do this myself and contribute these here, but I recall trying some time ago and these were not easy to get. I mean, worst case the OGG-related ones could be replaced by opensource ffmpeg.

 

Cheers and thank you for your hard work,

[raynebc]

Short answer:  You're probably wrong and shouldn't fear monger.  If you want to be more productive, send the binaries to one of the few AV products that claimed it was malware and ask them to confirm it's not a false positive.  If they check it manually and still consider it malware, that would have significantly more weight than an automated scan which could have flagged it just because it had a particular string of byte values.

[mczero]

@@dpub. It's a false positive for sure. Ray is entitled to be patronizing. You've insulted his product which he freely gives away, because you got panicked by a virus scanner that wants to frighten you to justifty the bucks you paid for it or will pay for it. It's a scam McAffee started in 1987 and made billions. Also Ray has to put up with same old same old every couple of years or so. I've seen it. He's given you a very thorough reasoned explanation under the circumstances.

[Guest]

I can confirm that false positives happen. I was writing my own C++ code, as I'm learning C++, and one of MY projects that does literally nothing (it runs and instantly ends when it starts) got marked as malware.