I have found Malicious code in my scripts... How?

I clearly understand that fact. ROBLOX should take responsibility in this situation because developers, ESPECIALLY SMALL DEVS LIKE ME, have little to no capacity to spread the word about the issue. Although ROBLOX is most likely working on it, HOPEFULLY.

This happened to a group I was in before; someone else had a plugin causing this. Idk what plugin, but one was inserting the same line of code as the one you’ve shown here.

1 Like

So many topics were made about this already. There are only 3 possibilities, and only 3:

  1. Someone put it in manually
  2. It came from a free model
  3. It was inserted by a plugin

This should be nothing to worry about if you delete the script, because it won’t magically crash your studio or do anything to your computer or the game.

2 Likes

Maybe Script.Source.
Basically,
```lua
-- Sketch: overwrite the source of any Script added under workspace
workspace.DescendantAdded:Connect(function(thing)
    if thing:IsA("Script") then
        thing.Source = 'Virus xdd getfenv()[string.reverse("viruseslol")]'
    end
end)
```

1 Like

Do you use models from the toolbox? If so, some of these could have a couple of lines of code in, let’s say, a “Click to turn On/Off Light Script” (example), and maybe there could be a require script that inserts something like this?

1 Like

Malicious plugins, most likely.
I had this happen to me 2-3 months ago with a malicious copy of BrushTools; the formatting looks exactly the same as yours.

Later in the post you explain how you have a team of people working on the same project as you, and that you checked their plugins with everything seeming fine: the key word here is “seeming”. Malicious plugins are very, VERY hard to notice if you don’t know which plugin it is, so here are some crucial steps to take if you want to recognise one:

  1. Check the author and upload date of the plugin in question. If there is another plugin that was made before this one, or the author of the plugin isn’t the original, you’ve found your virus!
  2. Check the description; sometimes the description is mostly tags to push it into the first results of the search.
  3. Plugins cannot act if not started, so I recommend creating a new Studio save file with 2-4 scripts and manually starting up each plugin, checking the scripts each time. Once you notice the RoSync virus appearing, you can safely assume the last plugin you opened is the malicious one.

If you could also edit the original post with the name of the plugins and the creator that you and your employees use, it would help us narrow down the problem a lot!

2 Likes

Hey there Aki,
I found the same RoSync virus in my commission. After a bit of digging, here’s what I found:
:electric_plug: RoSync is a real thing made by NewFissy to backup his games.
Scam plugins use a fake version of it to make you think your code is backed up. When you scroll sideways past the comment, it uses getfenv to require a module. The numbers are ASCII for require.
:chains: The module leads to a module chain, leading to this module.
The plugin that caused this issue was this one: Light Editor (Updated) - Roblox, but there may be more.

Do CTRL+Shift+F and search for getfenv in your scripts to remove it.

(RoSync from what I understand steals your scripts, but I may be wrong)

5 Likes

I looked up RoSync and I found this:

This might help

1 Like

If this is a team project, evaluate your team members’ plugins.

1 Like

It seems like something was added that somehow injected it in.

1 Like

What if one of your employees goes into Studio while you are offline? I suggest looking through your employees and ditching a few who aren’t loyal enough.

1 Like

Nope. Never did. It’s even against my rules to use Free Models.

Holy crap I actually used to have that plugin. Thank god I deleted it!

1 Like

I actually may have found the problem thanks to @TheDarth_Dot so thanks for the research!

I used to have this plugin (I don’t anymore) so it is a really big piece of information. Therefore, I am reporting this plugin.

2 Likes

I have already answered this. Yes, I checked their plugins and also checked their creators. Most of them were AlreadyPro’s plugins and Moon Animator, etc.

1 Like

Alright, so this may sound weird. But I have made a system so that, basically, when I’m going offline, I will remove all of their permissions. Then I’ll re-add their permissions in-game (via Studio). That’s how over-protective I am.

That isn’t really overprotective, it’s actually quite a good idea.

3 Likes

Only PluginSecurity can access Source, so that’s not really possible.

1 Like

Well, some scripts actually somehow duplicate after you put them in; it seems like it gets put somewhere to be constantly duped. Though it’s not “injection”, it’s a similar concept.

1 Like

RoSync is a backdoor virus that comes from a plugin. For example, if you are in Team Create with friends and, when they create a script, RoSync appears outta nowhere, that would mean that one of your devs has a fake/suspicious plugin or a plugin that has a backdoor. If you want to get rid of it, you would have to tell your friends to uninstall each plugin, and make sure it’s made by the original owner and not made by a new account or by an alt.

You could either remove the virus or it’s hiding itself by deleting itself when RunService returns true from the function :IsStudio().

getfenv() returns a table of the functions and variables in the current environment. This can be used to easily attempt to hide a function.

In this case, it indexes `string.reverse("\101\114\105\117\113\101\114")`. If you look at what this ASCII code corresponds to, it is “eriuqer”, which when put through the reverse function gives you “require”.

The script uses getfenv() and escaped ASCII codes to hide the require index in the table that is returned. It calls the require function with the asset id. Upon further inspection this is a quote-unquote “require chain”, which basically hooks up module scripts in a chain to require each other in an attempt to hide the final script in the chain.

The script uses require to get a chain of module scripts, which will eventually lead to a server-sided backdoor.

2 Likes
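
The getfenv/string.reverse trick described in the posts above, turned into a defensive check, as an added example that is not part of any post in this thread: it flags lines that mention getfenv, reports how far to the right the match sits, and decodes `string.reverse("...")` arguments written as decimal escapes. The function names and the sample line are constructed for illustration, and only the quoted `string.reverse("...")` form is handled.

```lua
-- Added example (not from the thread): static triage for the getfenv/string.reverse pattern.
-- Plain Lua 5.1 / Luau. The scanned text is only pattern-matched, never executed.

-- Replace decimal escapes such as \101 with the character they encode.
local function decodeDecimalEscapes(s)
    return (s:gsub("\\(%d%d?%d?)", function(digits)
        local n = tonumber(digits)
        return n <= 255 and string.char(n) or nil -- nil leaves the text unchanged
    end))
end

-- Return one finding per line that mentions getfenv.
local function scanSource(source)
    local findings, lineNo = {}, 0
    for line in (source .. "\n"):gmatch("(.-)\r?\n") do
        lineNo = lineNo + 1
        local column = line:find("getfenv", 1, true)
        if column then
            local finding = { line = lineNo, column = column, hidden = {} }
            -- Decode, then reverse, each string.reverse("...") argument to reveal the global it names.
            for _, arg in line:gmatch("string%.reverse%s*%(%s*([\"'])(.-)%1%s*%)") do
                table.insert(finding.hidden, decodeDecimalEscapes(arg):reverse())
            end
            table.insert(findings, finding)
        end
    end
    return findings
end

-- Constructed sample: a comment, a long run of spaces, then the hidden lookup.
local sample = "--[[ constructed placeholder comment ]]" .. string.rep(" ", 200)
    .. "local f = getfenv()[string.reverse(\"\\101\\114\\105\\117\\113\\101\\114\")]\n"
    .. "print('hello')\n"

for _, f in ipairs(scanSource(sample)) do
    print(string.format("line %d, column %d: getfenv, hidden name(s): %s",
        f.line, f.column, table.concat(f.hidden, ", ")))
end

-- Assumption: in Studio's command bar, which can read Script.Source, the same check
-- can be run over every script in the place:
-- for _, d in ipairs(game:GetDescendants()) do
--     if d:IsA("LuaSourceContainer") and #scanSource(d.Source) > 0 then
--         print("review:", d:GetFullName())
--     end
-- end
```

A large column value on a flagged line is the "scroll sideways past the comment" case mentioned above, so such lines deserve a look even when no hidden name is decoded.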