Known Malicious Plugins for HISR detection Megathread

This is a megathread for posting any malicious plugins you find (ones that inject malicious code or infections into the user’s games) which I will regularly check, verify the plugin is malicious, and add to the HISR plugin’s known malicious plugin list. This will allow any user who uses HISR V2.1+ with the setting enabled to scan for known malicious plugins to be notified that they own a malicious plugin as well as list the original plugin if known so that they may remove/replace the (copied) malicious plugin.

This is the active list of known malicious plugins that the HISR plugin uses for detection: https://www.roblox.com/library/2732065843/Known-Malicious-Plugins-Table-Hidden-Infection-S
If the plugin ID that you found as being malicious isn’t there then please make a post in the following template so that I may review and add it to the list for the HISR plugin.

Template for listing malicious plugins:

Malicious plugin: 2631801555
Original plugin: 338813970

P.S. As always it’s a good idea to “Report Abuse” on copied and/or malicious plugins so that ROBLOX may CD them. This is just to notify users about the malicious plugin in the meantime.

82 Likes

Hope this contribution helps!

Camera Light

Malicious: 2715008764
Original: 163874890

Brick Draw

Malicious: 2661950443
Original: 802969927

Model Mirror

Malicious: 2644964458
Original: 1162948697

Sprint

Malicious: 2644964457
Original: 852963967

Tree Generator

Malicious: 2644964454
Original: 1256428022

Class Converter

Malicious: 2644964449
Original: 833851216

Landscape Plugin

Malicious: 2672245855
Original: 242938331

Global Replace Utility

Malicious: 2672245883
Original: 1053075232

Player / Group Tags

Malicious: 2672245890
Original: CAN’T FIND ORIGINAL

Block To Room

Malicious: 2661950467
Original: 875926724

Catalog Import Tool

Malicious: 2661950445
Original: 965352286

Minimap Generation Plugin

Malicious: 2661950461
Original: 1873722908

Quick Paint Tool (For Single/Multi Bricks)

Malicious: 2623611354
Original: 160236414

Catalog Loader

Malicious: 2623611352
Original: 997404854

3D Text

Malicious: 2623611348
Original: 2273628561

18 Likes

The fact that the malicious version of my plugin has 11k installs just baffles me.

20 Likes

They bot the sales a lot so people see them.

9 Likes

Gapfill (The malicious one was made January 3rd of 2019, soo…

Malicious: 2613864560
Original: 165687726

I also dragged the model from the installed plugins folder on my computer into the game, and they made a server script in there.

6 Likes

All reported plugins so far have been reviewed and added. Thank you @duke_tylerjone and @MrLonely1221!

4 Likes

Couldn’t Roblox implement algorithms to detect plugins or models that had rapid and unexpected plugin growth? Because all of these are seen due to bots boosting the sales. Additionally, put a 2 or so month long minimum on uploading public plugins. That can at least rat out the bots that make accounts and immediately upload stuff. Maybe even flag plugins with the same thumbnail and name or things like that?

12 Likes

Ultimate Model Stretch / Extend (1 dimensional)

Malicious: 2634252959
Original: 1032987767

6 Likes

This is marking my custom made scripts viruses. I used the “Store” feature and I deleted the “Infections” folder not knowing what I was doing. Is there a way to reverse this?

3 Likes

This should be on the topic for the plugin but you can either try undo (ctrl+z) or go to your place page on the roblox website, click the … at the top right, then configure place, then locate the versions and click the link to the version before the top-most one. This will revert your game to right before the last publish. (Assuming that you published the changes already by accident. Otherwise just close studio without saving or publishing and reopen it.) After that just click “Whitelist” if you want to select some scripts to not be marked as viruses. (Also if you want to use the script whitelist then make sure to turn it on in the settings.)

6 Likes

Even though Roblox probably should implement some detection system, it must also be considered that the higher-end and more noticed developers who release a new plugin will also get a massive amount of sales. For example, if a YouTuber with 1 million subs releases a completely safe plugin and their community is absolutely hyped for its release, you can probably expect a solid 10k-50k (random guesstimates) sales just on the first day of its release.

p.s. this is probably more off topic than should be :sweat_smile:

1 Like

Block Terrain Plugin

Malicious: 2760053105
Original: 250511443

2 Likes

Just as an FYI, these have all been sent to moderation to be deleted.

59 Likes

Malicious plugin: 2760053108
Original plugin: 637905041

3 Likes

I am still confused as to why the users creating these backdoors get their accounts deleted, but the actual malicious assets remain. Everything should be gone. Additionally, I feel like IP bans and machine bans would be a more viable solution than just deleting the account because spoofing the machine hardware ID is much more time consuming and we all know these backdoors are coming from a select few exploit developers that are trying to sell products with “server sided script execution”, after FE was mandated.

7 Likes

Malicious plugin: 2787024683
Original: 171505690

Module being required: 2674688515

Who needs to deobfuscate when you can just change the environment
getfenv()["require"] = function(...) warn(...) end

5 Likes

Malicious plugin: 2787024663
Original: 519874479

Requires same module: 2674688515

3 Likes

Said module 2655056793 requires another module. 2686631266 (wow thanks roblox for indirectly helping by telling me that you are removing private modules required from others)


Ro-Defender™ Plugin v8.7

Malicious: 2655565054
Original: 142273772

1 Like

AeroGameFramework

Original: 1882232354
Malicious: 2435556035

1 Like