How to: Identify malicious Plugins

Resources Community Tutorials
, , , ,
#1

Greetings Devforum, newbies and oldies alike, today I stumbled upon this plugin which is what prompted me to create this quick tutorial. I’m going to try to make this as short yet informative as I can, while using the linked plugin as a prime example of what not to install.

What is a malicious plugin?

A malicious plugin is one that allows external parties (i.e. hackers) server-sided access to your game.

Why is that a bad thing?

Hackers who have server-sided access to your game can:

  • Gives themselves/others admin commands in-game
  • Create, modify, and delete DataStore information in your game
  • Insert inappropriate assets in your game which can ruin gameplay experience & put your account at risk of moderation
  • Teleport users to other games and/or send and fetch data to/from external web servers depending on your game’s security settings

First Line of Defense

Before you even consider installing a plugin, try searching for topics about it here on the Devforum. Normally the creators of reputable plugins will create threads for them where users can ask questions and the creator can provide them with information.

Now let us enter our scenario:

You:

You’re a new-to-intermediate game developer who just found a plugin on the Roblox marketplace that catches your eye. You’re considering installing the plugin but you do not want to get burned by a malicious plugin which drops backdoor scripts into your game.

The Plugin:

image
image905×471 42.7 KB

The Plugin creator:

image
image894×276 31.3 KB

image
image913×146 5.24 KB

Red Flags: On the surface

Here we will be analyzing the description and statistics provided on the page for the plugin itself.

  • "This has no backdoors/hacks/viruses" in the description. Ideally this would give the end user a sense of relief upon reading, but more often than not language like this is meant to lower your guard so you’ll install the malicious plugin.

  • Over 1,100 Favorites yet zero likes or dislikes on the plugin itself. This is a huge indication that the plugin was botted to show up in the “Recommended” pane. Reputable plugins will never have any indication that they were botted what-so-ever.

Red Flags: The plugin creator

Here we will be analyzing the profile of the user who uploaded this plugin

  • This user joined 1 week ago and has no apparent connections to anyone else in the community. Knowing what we know about the plugin itself from above, this should give us even more suspicion that this is a bad actor and nothing more than a disposable account used to spread malicious code.

  • We see that this user only creates models and plugins. Normally users such as this attempt to become pillars of the community by selflessly helping others through their creations, however just as many users if not more do this in an attempt to spread malicious code throughout as many games as possible.

Red Flags: Under the hood

Normally by this point you should deem the plugin as unsafe to use, but for this specific example we will give this plugin the benefit of the doubt and ignore all surface-level discrepancies. At this point we are going to be checking the code for the plugin itself, to ensure nothing malicious is hiding in its code.

To access the source code of the free plugin, we will open up a blank place in Roblox Studio and insert the code for the plugin with the following code via the game::GetObjects method in the Command Bar, after getting the asset ID of the plugin itself:

image

game:GetObjects('rbxassetid://6865418453')[1].Parent=workspace

What this does is insert all code which the plugin runs upon startup in Studio into the Workspace. From here we will observe the provided code for the plugin.

image

First, lets examine the first Script object which is named “SmoothCam”

image

Already we can see that whoever uploaded this plugin is not it’s original creator nor was it created recently. Not only is Crazyman32 a long-time popular creator on Roblox - someone who has no need for disposable accounts to upload models and plugins on, but the code itself was written nearly 3 years ago. For most intermediate-to-advanced scripters this will be a major red flag, but let us keep moving forward with our analysis.

In order to find out if this code is attempting to do anything malicious to our game, our best bet will be to search for the following keywords which are used to drop in malicious code from external resources:

  • require
  • getfenv
  • loadstring

image
image1303×171 18.2 KB

In this code file we do not find the latter 2 keywords, and “require” only shows up when including dependencies that we have immediate access to. This is a green flag for this specific piece of code meaning that it’s most likely safe.

From here we can move onto the next Script object which is named “FixCamera”

image
image1328×315 19.2 KB

There are some big red flags here:

  • This code is creating a new Script somewhere random within Workspace
  • The width of the code file extends outwards leaving a lot of whitespace within the file itself. This is an obfuscation tactic (albeit a poor one)

What is code obfuscation?

Code obfuscation is re-arranging your code in ways which make it hard for humans to read and understand at a glance.

Now that we know what code obfuscation is, lets try to find what this Script is trying to hide from us. Thankfully the virus creator was either inept and/or lazy in doing this, so all we have to do is scroll horizontally to the right.

image
image1334×315 8.78 KB

Bingo. We now know that this Plugin is creating a Script that runs code from an external dependency. To find it on the website you copy the asset ID and search it as so:
https://www.roblox.com/library/6864953338/

Concluding

At this point we know that this Plugin was created by a bad actor with the intent to grant themselves server-sided access to your game, and there is no real need to move further. You can attempt to inspect the external module however you will likely get nowhere doing so, these external modules usually contain profanities such as swear words, racial slurs, and links to harmful Discord servers. You are better off discarding the Plugin and reporting it + the creator on the Roblox website, along with reporting the external module if you got that far.

image

Thank you very much for reading! If this tutorial can help even just one person avoid getting a virus then I can rest easy. Let me know what you think and let me know if there’s anything I should add to this tutorial and/or improve upon.

45 Likes
#2

This a very informative and helpful tutorial. I’ve seen lots of posts recently in #development-discussion asking how to find malicious plugins in their game, how to prevent adding them and how to fix it.

Thanks mew!

1 Like
#3

A couple things you could add to the tutorial:

1 - Many people who make malicious plugins have usernames like these. I put them in a hide details thing so it doesn’t take up a lot of the reply.

Images

Screenshot_394
Screenshot_3941179×178 21.8 KB

Screenshot_395
Screenshot_3951101×655 288 KB

Screenshot_396
Screenshot_3961180×180 31.4 KB

Screenshot_397
Screenshot_3971122×669 223 KB

2 - Many malicious plugins copy other popular plugins to pretend that it’s theirs and get people to download them. Here are some examples.

Real plugin:

Screenshot_399
Screenshot_3991114×670 134 KB

Fake plugin:

Screenshot_398
Screenshot_3981118×541 126 KB

3 Likes
#4

I can identify malicious plugins by looking at the code before I even install them. I simply use BTR’s button that lets you view the contents of an asset.
image

image
image1148×487 47.6 KB

1 Like
#5

If youre really scared of malicious plugins then you DEFINITELY need the btroblox plugin.
Here’s the extension link on the chrome web store:BTRoblox - Making Roblox Better - Chrome Web Store

#6

Our trust issues with models and plugins increase as people bot and code backdoors.

3 Likes