How to: Identify malicious Plugins

Greetings Devforum, newbies and oldies alike, today I stumbled upon this plugin which is what prompted me to create this quick tutorial. I’m going to try to make this as short yet informative as I can, while using the linked plugin as a prime example of what not to install.

What is a malicious plugin?

A malicious plugin is one that allows external parties (i.e. hackers) server-sided access to your game.

Why is that a bad thing?

Hackers who have server-sided access to your game can:

  • Give themselves/others admin commands in-game
  • Create, modify, and delete DataStore information in your game
  • Insert inappropriate assets in your game which can ruin gameplay experience & put your account at risk of moderation
  • Teleport users to other games and/or send and fetch data to/from external web servers depending on your game’s security settings

First Line of Defense

Before you even consider installing a plugin, try searching for topics about it here on the Devforum. Normally the creators of reputable plugins will create threads for them where users can ask questions and the creator can provide them with information.

Now let us enter our scenario:

You:

You’re a new-to-intermediate game developer who just found a plugin on the Roblox marketplace that catches your eye. You’re considering installing the plugin but you do not want to get burned by a malicious plugin which drops backdoor scripts into your game.

The Plugin:

The Plugin creator:

Red Flags: On the surface

Here we will be analyzing the description and statistics provided on the page for the plugin itself.

  • "This has no backdoors/hacks/viruses" in the description. Ideally this would give the end user a sense of relief upon reading, but more often than not language like this is meant to lower your guard so you’ll install the malicious plugin.

  • Over 1,100 Favorites yet zero likes or dislikes on the plugin itself. This is a huge indication that the plugin was botted to show up in the “Recommended” pane. Reputable plugins will never have any indication that they were botted whatsoever.

Red Flags: The plugin creator

Here we will be analyzing the profile of the user who uploaded this plugin.

  • This user joined 1 week ago and has no apparent connections to anyone else in the community. Knowing what we know about the plugin itself from above, this should give us even more suspicion that this is a bad actor and nothing more than a disposable account used to spread malicious code.

  • We see that this user only creates models and plugins. Normally users such as this attempt to become pillars of the community by selflessly helping others through their creations, however just as many users if not more do this in an attempt to spread malicious code throughout as many games as possible.

Red Flags: Under the hood

Normally by this point you should deem the plugin as unsafe to use, but for this specific example we will give this plugin the benefit of the doubt and ignore all surface-level discrepancies. At this point we are going to be checking the code for the plugin itself, to ensure nothing malicious is hiding in its code.

To access the source code of the free plugin, we will open up a blank place in Roblox Studio and insert the code for the plugin with the following code via the game:GetObjects method in the Command Bar, after getting the asset ID of the plugin itself:


game:GetObjects('rbxassetid://6865418453')[1].Parent=workspace

What this does is insert all code which the plugin runs upon startup in Studio into the Workspace. From here we will observe the provided code for the plugin.


First, let’s examine the first Script object, which is named “SmoothCam”.


Already we can see that whoever uploaded this plugin is not its original creator, nor was it created recently. Not only is Crazyman32 a long-time popular creator on Roblox - someone who has no need for disposable accounts to upload models and plugins on - but the code itself was written nearly 3 years ago. For most intermediate-to-advanced scripters this will be a major red flag, but let us keep moving forward with our analysis.

In order to find out if this code is attempting to do anything malicious to our game, our best bet will be to search for the following keywords which are used to drop in malicious code from external resources:

  • require
  • getfenv
  • loadstring

In this code file we do not find the latter 2 keywords, and “require” only shows up when including dependencies that we have immediate access to. This is a green flag for this specific piece of code meaning that it’s most likely safe.

From here we can move on to the next Script object, which is named “FixCamera”.

There are some big red flags here:

  • This code is creating a new Script somewhere random within Workspace
  • The width of the code file extends outwards leaving a lot of whitespace within the file itself. This is an obfuscation tactic (albeit a poor one)

What is code obfuscation?

Code obfuscation is re-arranging your code in ways which make it hard for humans to read and understand at a glance.

Now that we know what code obfuscation is, let’s try to find what this Script is trying to hide from us. Thankfully the virus creator was either inept and/or lazy in doing this, so all we have to do is scroll horizontally to the right.

Bingo. We now know that this Plugin is creating a Script that runs code from an external dependency. To find it on the website, copy the asset ID and search for it like so:
https://www.roblox.com/library/6864953338/
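As an added illustration (not part of the original post), here is a small Python scanner that applies the checks above to a script’s Source text copied out of Studio: the getfenv/loadstring keywords, a require() of a bare numeric asset ID, Instance.new("Script"), and lines padded with whitespace to push code off-screen. The two sample sources are constructed stand-ins for the SmoothCam and FixCamera scripts, and the asset ID in the second one is a placeholder.

```python
import re

# Heuristics taken from the tutorial: getfenv/loadstring, require() of a bare
# marketplace asset id, Instance.new("Script") and horizontally padded lines.
SUSPECT_KEYWORDS = ("getfenv", "loadstring")
REMOTE_REQUIRE = re.compile(r"\brequire\s*\(\s*(\d{6,})\s*\)")
SCRIPT_SPAWN = re.compile(r"Instance\.new\s*\(\s*[\"'](?:Local)?Script[\"']")
PADDING = re.compile(r"[ \t]{40,}\S")  # long whitespace run followed by more code


def scan_source(source):
    """Return (line_number, reason) findings for one script's Source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in REMOTE_REQUIRE.finditer(line):
            findings.append((lineno, f"require of external asset id {m.group(1)}"))
        for kw in SUSPECT_KEYWORDS:
            if re.search(rf"\b{kw}\b", line):
                findings.append((lineno, f"use of {kw}"))
        if SCRIPT_SPAWN.search(line):
            findings.append((lineno, "creates a new Script at runtime"))
        if PADDING.search(line):
            findings.append((lineno, f"code hidden after whitespace padding on a {len(line)}-char line"))
    return findings


def is_suspicious(source):
    return bool(scan_source(source))


# Constructed samples, not the plugin's real code.
SMOOTHCAM_LIKE = """\
-- normal plugin code: dependencies are children the reviewer can open
local Spring = require(script.Parent.Spring)
local camera = workspace.CurrentCamera
"""

FIXCAMERA_LIKE = (
    'local s = Instance.new("Script")\n'
    's.Parent = workspace:FindFirstChildOfClass("Folder") or workspace'
    + " " * 300  # padding pushes the payload off the right edge of the editor
    + "require(1234567890)  -- constructed placeholder asset id\n"
)

if __name__ == "__main__":
    for name, src in (("SmoothCam", SMOOTHCAM_LIKE), ("FixCamera", FIXCAMERA_LIKE)):
        print(name, "->", scan_source(src) or "no findings")
```

A hit is a prompt to read that line, not proof of a backdoor; a require() of a child ModuleScript you can open in the Explorer is exactly the green flag described above.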

Concluding

At this point we know that this Plugin was created by a bad actor with the intent to grant themselves server-sided access to your game, and there is no real need to move further. You can attempt to inspect the external module; however, you will likely get nowhere doing so, as these external modules usually contain profanities such as swear words, racial slurs, and links to harmful Discord servers. You are better off discarding the Plugin and reporting it + the creator on the Roblox website, along with reporting the external module if you got that far.



Thank you very much for reading! If this tutorial can help even just one person avoid getting a virus then I can rest easy. Let me know what you think and let me know if there’s anything I should add to this tutorial and/or improve upon.

41 Likes

This is a very informative and helpful tutorial. I’ve seen lots of posts recently in #development-discussion asking how to find malicious plugins in their game, how to prevent adding them and how to fix it.

Thanks mew!

1 Like

A couple things you could add to the tutorial:

1 - Many people who make malicious plugins have usernames like these. I put them in a hide details thing so it doesn’t take up a lot of the reply.


2 - Many malicious plugins copy other popular plugins to pretend that it’s theirs and get people to download them. Here are some examples.

Real plugin:

Fake plugin:

2 Likes

I can identify malicious plugins by looking at the code before I even install them. I simply use BTR’s button that lets you view the contents of an asset.

2 Likes

If you’re really scared of malicious plugins then you DEFINITELY need the BTRoblox plugin.
Here’s the extension link on the Chrome Web Store: BTRoblox - Making Roblox Better - Chrome Web Store

Our trust issues with models and plugins increase as people bot and code backdoors.

3 Likes