Jibberish Virus

Mine was in InsertService.

`game:GetService'InsertService'["?"].Parent = workspace` (if it’s there, obviously)

When I had this kind of issue, everything was installed within the DebrisService and TweenService. The module script doing damage was found under InsertService.

The scripts calling the hidden module were all scattered through workspace. They were easy to find, but it was annoying. It was definitely a plugin, and if I remember correctly it was a fake camera light plugin. There are probably several doing it, but yeah. After getting everyone to remove their plugins it stopped appearing.

What you should do is use this code that @IdiomicLanguage gave me in your command bar, and it will print the full name of every single script in your place, even the core scripts and hidden services.

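```lua
-- Stateless iterator for a generic `for`: given the list of instances and the
-- previous index, return the next index whose instance is a script.
local function scripts(instances, i)
	for i = (i or 0) + 1, #instances do
		local instance = instances[i]
		-- pcall catches instances that raise an error when IsA is called on them
		local success, result = pcall(instance.IsA, instance, 'LuaSourceContainer')
		if success and result then
			return i, instance
		end
	end
end

-- Print the full name of every script-like instance in the place
for i, source in scripts, game:GetDescendants() do
	print(source:GetFullName())
end
```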

You can then read through the list to see if there is anything that should obviously not be there.

2 Likes

Nice one!

For anyone that wants the code in this specific obfuscated “?” module, it’s too large to put in here so here is the .txt file of it.
Code.txt (84.5 KB)

1 Like

Yeah. The module requires this 2655056793 if anyone else wants to check it out. (or report it)

At least these backdoors will no longer be a problem by February, when private modules cannot be used by other people.

1 Like

Yeah I suppose. I use private modules for certain things, and it sucks to not be able to keep them private, but oh well.

I’ve seen this attack using public modules. Also, you may need to reinstall Roblox to remove this backdoor. If you run my script above in a fresh, new place and still see the backdoor, then you must uninstall BOTH Roblox Player and Roblox Studio so that all of your installation files are removed. This has become a pretty common backdoor.

I was hoping to get it up today, but it’s beginning to look like my third party service, RBXMod.com, isn’t going to be ready until Monday. If this service gets big enough, it will provide a greater assurance that the modules you are using are safe because someone experienced has read through and approved it before it was released to the public. Hopefully the places for these back doors to hide will get smaller and smaller as more and more modules become certified.

I highly doubt you need to reinstall Roblox. After deleting the fake plugin, it did not come back either way, so I’m not 100% sure, though I just highly doubt it. Actually, I feel almost certain Roblox Player would not need to be uninstalled. There is no way for a plugin to modify the user’s files. (And if there is, that’s probably not the best idea.)

I personally rarely use any plugins or free models so in most cases I don’t have to worry about backdoors either way. It was another developer in the game I help on that had the plugin. Not 100% sure which plugin it was because he deleted them before I got online, but he had Camera light and I’ve heard about fakes of that.

Script found nothing in my disinfected game, and nothing in a brand new place.
Hopefully, this virus only contains those 2 parts: the random-name embedded scripts, and a “?” Module hidden inside of a service.

The ? module is the main one, there may be any number of the other ones.

Is there any way to remove it from the game, besides going into each script and deleting it?

2 Likes

RoDefender can only remove the ones that are scripts on their own. From my experience, it looks more like only one script actually has that one-line virus injected straight into it, which I call ‘patient zero’.
But to be sure, yes, you have to scan every single script manually. Just look for lines of code that are extremely long, it’s a dead giveaway.

Yes. There was a public thread released some time ago discussing script injections. Besides going in-game, you can view the XML data of your place and see if anything looks out-of-place. Change the extension of a place file from .rbxl to .rbxlx.

See:
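An offline version of the checks suggested in this thread, as an added example that is not part of any post or of Roblox's own tooling: it walks a place's .rbxlx XML and flags scripts with an extremely long line, a `require` of a numeric asset id, or a location inside a watched service. The 500-character threshold, the service watch list (`Debris` is the class name of the Debris service), the assumed `Item`/`Properties`/`Source` layout and the sample data are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

LONG_LINE = 500  # assumed threshold for an "extremely long" line
REQUIRE_ID = re.compile(r"require\s*\(\s*(\d+)\s*\)")  # require by asset id
SCRIPT_CLASSES = {"Script", "LocalScript", "ModuleScript"}
WATCHED_SERVICES = {"InsertService", "Debris", "TweenService"}  # assumed list

def prop(item, name):
    """Text of the named property under <Properties>, or ''."""
    for p in item.findall("Properties/*"):
        if p.get("name") == name:
            return p.text or ""
    return ""

def scan(xml_text):
    """Return (full_name, reason) pairs for suspicious scripts."""
    findings = []
    def walk(item, path, service):
        cls = item.get("class", "")
        here = path + [prop(item, "Name") or cls]
        if cls in SCRIPT_CLASSES:
            full, src = ".".join(here), prop(item, "Source")
            longest = max((len(l) for l in src.splitlines()), default=0)
            if longest > LONG_LINE:
                findings.append((full, f"line of {longest} chars"))
            for asset_id in REQUIRE_ID.findall(src):
                findings.append((full, f"require of asset id {asset_id}"))
            if service in WATCHED_SERVICES:
                findings.append((full, f"script inside {service}"))
        for child in item.findall("Item"):
            walk(child, here, service)
    for top in ET.fromstring(xml_text).findall("Item"):
        walk(top, [], top.get("class", ""))
    return findings

# Constructed sample in the .rbxlx layout, not taken from a real place.
SAMPLE = """<roblox version="4">
<Item class="Workspace"><Properties><string name="Name">Workspace</string></Properties>
<Item class="Script"><Properties><string name="Name">Door</string>
<ProtectedString name="Source"><![CDATA[print("open")
""" + "local _=" + "A" * 600 + """]]></ProtectedString></Properties></Item></Item>
<Item class="InsertService"><Properties><string name="Name">InsertService</string></Properties>
<Item class="ModuleScript"><Properties><string name="Name">?</string>
<ProtectedString name="Source"><![CDATA[return require(1234567890)]]></ProtectedString>
</Properties></Item></Item></roblox>"""

for name, reason in scan(SAMPLE):
    print(f"{name}: {reason}")
```

A hit is only a lead for manual review: legitimate scripts can also load modules by asset id, so read the flagged source before deleting anything.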

I’ve seen that exact script in a game I developed for a while ago. Strange.

Like @fireboltofdeath mentioned in an earlier message, reinstalling studio will have absolutely no effect on the backdoors whatsoever. Once a plugin gains access to your studio, it will most likely immediately (or upon first running) inject the scripts into your game. Once you hit the publish game button, the backdoor will be there forever until you remove it.

I will recommend to everyone to use Christbru01’s Backdoor/Infection Detector when trying to hunt down backdoors, as plugins have a higher security clearance on studio than users actually do. Doing a simple scan can probably reveal some backdoors you never knew existed in the services that are hidden from the explorer.

1 Like

That was the first plugin I tried when disinfecting the game. It never went through with the scan and just froze whenever initiated. RoDefender worked flawlessly (only after restarting studio) and found 6 or 7 Backpack containers for the hidden virus scripts that thankfully were already inert due to Roblox’s recent patch.

I was surprised too when it persisted after removing the plugins and checking out a new place. Hopefully Roblox has patched what allowed them to do that, but I’m not crazy when I say that you had to uninstall Roblox and reinstall it to prevent it from coming back. Simply removing the plugin and scripts wouldn’t do it.

1 Like