What is RoSync?

OMG This rabbit hole goes deep!

I sorted through them, I’ve found over 50 so far and all of their linking accounts.
Some of the accounts are banned, some are not, all look very suspicious.
Sadly, some of these link back to very old accounts too.

I’ve done so much work chasing down these accounts and where they go.
I really hope there’s a way to get someone at Roblox to help do something about this.

3 Likes

After finding this in my game which highly ticked me off, I decided to do some looking into it.

That plugin:
https://www.roblox.com/library/5722705373/Light-Editor-Updated

Comes from this group:
https://www.roblox.com/groups/7840914/Creator-Studi#!/about

By gregg3 who has apparently been deleted, but did not necessarily use that account to upload the real plugin
(I actually doubt they did).

It loads this plugin:
https://www.roblox.com/library/5722703997/MeshLoader

Which is uploaded by this alt
https://www.roblox.com/users/1888346787/profile/

Which loads this plugin:
https://www.roblox.com/library/5700633205/Asset

Which is uploaded by this alt
https://www.roblox.com/users/1719844019/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633462/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633735/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633977/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634215/Asset

Which loads this plugin:
https://www.roblox.com/library/5700633230/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719845707/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633488/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633762/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634001/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634242/Asset

Which loads this plugin:
https://www.roblox.com/library/5700633265/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719847055/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633515/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633787/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634024/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634267/Asset

Which loads this plugin:
https://www.roblox.com/library/5700633289/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719848182/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633544/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633811/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634047/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634293/Asset

Which loads this plugin:
https://www.roblox.com/library/5700633311/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719849465/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633582/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633839/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634077/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634318/Asset

Which loads this plugin:
https://www.roblox.com/library/5700633330/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719850548/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633608/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633865/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634102/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634338/Asset

Which loads this plugin:
https://www.roblox.com/library/5700633362/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719851574/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633362/Asset

… So this keeps going but I’m tired and need some sleep. Any help locating the source of this, and all the linked accounts so they can be turned in, would be greatly appreciated!

14 Likes

Okay, I finished my search.
If you ask me, ALL of these plugins need to be removed and all of these accounts should be banned.
As well as I think this thief needs to be IP/HWID banned.

So continuing my first list…

Which loads this plugin: (by the same alt)

Which loads this plugin: (by the same alt)

Which loads this plugin: (by the same alt)

Which loads this plugin: (by the same alt)

Which loads this plugin:

Which is uploaded by this alt
https://www.roblox.com/users/1719852440/profile/
Which loads this plugin: (by the same alt)

Which loads this plugin: (by the same alt)

Which loads this plugin: (by the same alt)

Which loads this plugin: (by the same alt)

Which loads this plugin:

Which is uploaded by this alt

Which loads this plugin: (by the same alt)

Which loads this plugin: (by the same alt)

Which loads this plugin: (by the same alt)

Which loads this plugin: (by the same alt)

Which loads this plugin:

Which is uploaded by this alt
https://www.roblox.com/users/1719856666/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633711/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633958/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634194/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634436/Asset

Which loads this plugin: (Looks like source!)

Which looks like it is the real source of the backdoor…
It is using a very obfuscated plugin.

Which is uploaded by this alt (More recent activity)
https://www.roblox.com/users/1722897238/profile/
(More recent activity and older alt account)

28 Likes

The dedication you have by doing all this research to discover how all this thing works is impressive. REAL impressive! Thumbs up from me for doing all of this extensive investigation! :clap:

8 Likes

Hey, you guys can use this script I made, I know its not efficient but it does the work (sometimes).
(this code was made in a rush)

for i,v in pairs(game:GetDescendants()) do
	pcall(function()
		if v:IsA("Script") then
			if string.find(v.Source, "RoSync Loader") then
				local code = ""
				local splitted  = string.split(v.Source, "\n")
				for lineNum, line in pairs(splitted) do
					if not string.find(line, "Last synced") then 
						code = code.."\n"..line
					end
				end
				v.Source = code
			end
		end
	end)
end

basically, what it does is that:

  1. go through all scripts and find a “RoSync Loader”.
  2. if it finds the string in the script source, it would
  3. run through all the lines in the script and find “Last synced” (or just "RoSync Loader could work too)
  4. if it finds that string in that specific line, it will not include the line, otherwise then the line would be included.
  5. then after all the lines has been searched and rewritten, it’ll change the source of the script.

for those who wishes to correct my code, please go ahead. make it efficient.

11 Likes

Here’s my version of a RoSync remover. To use this save it into the local plugins folder.

local button = plugin:CreateToolbar("oreoollie"):CreateButton("rm rosync", "Removes RoSync virus.", "rbxassetid://4826065214")

button.Click:Connect(function()
	game:GetService("ChangeHistoryService"):SetWaypoint("remove RoSync")
	button:SetActive(false)

	local totalFixed = 0
	for _, v in ipairs(game:GetDescendants()) do
		local s, e = pcall(game.IsA, v, "BaseScript")
		if not (s and e) then continue end

		local occurrences		
		v.Source, occurrences = string.gsub(v.Source, "%s%-%-%[%[ Last synced.+", "")
		totalFixed += math.clamp(occurrences, 0, 1)
	end

	warn("Fixed", totalFixed, "RoSync infected scripts")
end)

RoSyncRemover.lua (642 Bytes)

11 Likes

Heres another rosync remover that you can just run in command barRosyncremover.txt (683 Bytes)

2 Likes

yeah it’s just a virus and it can just be from plugins or models, I had that on my game and I was confused on what it was.

I also get that script with the Intro Creator plugin

1 Like

it gives you a message saying to turn on http requests so it can teleport you and stuff

1 Like

I made that, its an older version of the script i posted hahaha

All of these malicious scripts come from scam plugins.

If it keeps inserting “getfenv()” or some other suspicious thing into your game, then it can’t be anything but a plugin doing that. All you have to do is to find that plugin and get rid of it. Then make sure that the suspicious line of code doesn’t get inserted anymore. Finally, use the Find tool in script editor to search through all your scripts for that malicious line of code and make sure there are no such left.

Simply put: stop installing stupid random scam plugins with [NEW] [UPDATED] tags and everything is going to be okay.

The idea that scam plugins have tags like [NEW] and [UPDATED] is pretty far fetched most scam plugins steal a big plugins code and then re upload it, it tricks people into thinking it’s the same plugin. Yeah a few scam plugins have tags like that but you don’t see many with that anymore.

3 Likes

True. Sorry. Although, there’s still a plenty of plugins with mentioned tags. Most of stolen plugins are on the bestselling page of library. Make sure to always look for scams. Those are usually uploaded mutliple times by fake devs, so if you see same plugin multiple times - that’s most likely a scam. Another trait of scam plugins is that they are uploaded by people/groups with similar names all the time; some examples would be: “Plugin Developers”, “Plugin Makers”, “TrustedPlugins”, “[DeveloperX]”, “FrontPlugins”, “Creator Studio”, etc.

So, I think it’s really easy to find a scam plugin. I never really had issues with downloading such. I have no idea why people keep getting “catfished”. Why do they??

I heard of rosync before I want to look up for the company that provides backdoors to be honest

1 Like

Here are the GitHubs that are the source of the malicous code :wink:

Also someone told me this was an important part of the script http://45.79.27.137:8080/roblox DO NOT CLICK

Why what if I click it? Is it an ip grabber?

1 Like

This isn’t malicious code. It’s a Lua bytecode interpreter.

2 Likes

I believe it is a webhook for the malicous Discord sever but I am not really sure. I would not click just to be safe :slight_smile: