Hybrid PhysX Mod Package Contained Trojan

Status: Not open for further replies.

HardOCP News

[H] News
It has come to our attention that the Hybrid PhysX Mod from NGOHQ.com posted earlier this month contained the Infostealer.Gampass trojan. According to Symantec, Infostealer.Gampass specifically targets video game credentials, log-ins and passwords. I would recommend uninstalling this and doing a full scan on your computer. I would also recommend that you avoid downloading anything from sites that do not scan files before offering them to the general public. We apologize to anyone that may have downloaded the Hybrid PhysX Mod after we posted that link. Thanks to Theron E. for the heads up.
 
That really sucks.

While I'm not affected (went GTX 470 instead of 5850) I still can't help but really feel for the people that downloaded the patch.

I wonder if there is any word on the origin of the trojan or the patch.
 
Again I say, NGOHQ is not to be trusted. They went from warez site to hacking site to 'custom video drivers' site in the space of a few years. No one remembers anymore but they are/were not as clean cut as they would have everyone believe these days. So seeing this news item doesn't surprise me one little bit.
 
Guys I have to say, while NGOHQ should have scanned it, the same could be said for Hardocp. A lot of users here trust what you post to be safe. NGOHQ might have hosted it but you were the ones to bring it to the HardOCP populace. The blame is not entirely on them, luckily I had not downloaded this yet but had planned on it. Users that downloaded it without scanning are just as much at fault as well, just saying all the blame for the HardOCP users being infected does not lie entirely on the other site.
 
Original post was edited, thank you for the apology, and everyone, please scan whatever you download.
 
Outa morbid curiosity what does this mod do? :confused:
Stealz all ur infoz apparently.

Lets you run an ATI card for video while using an nVidia card for PhysX. Nvidia locks the drivers normally so you can only experience PhysX with Nvidia video cards. It came in handy while playing Batman AA allowing me to use my ATI 5870 for video and my GTX 380 for PhysX. Without the patch the experience was still nice albeit a little "flat".
 
Out of curiosity, has anyone bothered to scan the file they downloaded, just to make sure this trojan is actually there and not some scheme from Nvidia to get people not to use it?
 
Is this a joke? All the physx mods have been flagged as gamerpass trojans? Afaik and have read by GenL, that's just how the mod is flagged and the mod is not actually a virus? Did something change?
 
Enables PhysX on a Nvidia GPU when an ATI card is the primary.
o_O

If you want PhysX get a nVidia card as your primary? I mean, OK, make hacked drivers for it but really.

You want a fast car go get a fast car, don't put a v10 in a golfcart.
 
o_O

If you want PhysX get a nVidia card as your primary? I mean, OK, make hacked drivers for it but really.

You want a fast car go get a fast car, don't put a v10 in a golfcart.

Why? Pairing a good ATI card like say the 5870 with a cheap Nvidia card like the 9800GT works just as well as pairing a good Nvidia card with a 9800GT. You're going to need the second card to fully utilize PhysX no matter what. Only thing is Nvidia's drivers prevent this from happening.
 
Guys I have to say, while NGOHQ should have scanned it, the same could be said for Hardocp. A lot of users here trust what you post to be safe. NGOHQ might have hosted it but you were the ones to bring it to the HardOCP populace. The blame is not entirely on them, luckily I had not downloaded this yet but had planned on it. Users that downloaded it without scanning are just as much at fault as well, just saying all the blame for the HardOCP users being infected does not lie entirely on the other site.

We do take responsibility for posting it. We have notified our readers, apologized, and removed previous links. Suggesting otherwise is simply being uninformed and not reading our post.

NGOHQ will never again see a link on HardOCP and within a few days, the name will be banned from being typed here at all. The only reason it is not right now is so that it can be discussed easily.
 
NGOHQ might have hosted it but you were the ones to bring it to the HardOCP populace. The blame is not entirely on them....

Not sure why you felt the need to say that, I accept full responsibility for posting the link and I apologized for that and will continue to do so.

I post hundreds and hundreds of links each week and I do my best to make sure that I click every single link, check every file and read every single story I post here. Unfortunately the package I downloaded and scanned did NOT contain the trojan so the infected package was probably uploaded/switched at a later time. Nobody feels like a bigger moron than I do for posting a link to a site that pulls a stunt like this. So, again...I apologize.


Having said that:

The blame for the trojan is 110% the fault of the site hosting it.
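The scenario Steve describes, a package that was clean when reviewed and swapped on the hosting site afterwards, is exactly what pinning a file digest at review time catches. The following is an added example, not code from the thread or from NGOHQ: it streams a download through SHA-256, records the digest a reviewer would publish next to the link, and re-checks the file later. The byte strings are constructed stand-ins for the archive, not real mod data, and the function names are my own.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so a large archive never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, pinned_hex):
    """True only if the file on disk still matches the digest pinned at review time."""
    return hmac.compare_digest(sha256_file(path), pinned_hex.lower())


def hash_bytes_via_file(data):
    """Helper: write bytes to a temporary file and hash them with sha256_file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "blob.bin")
        with open(path, "wb") as handle:
            handle.write(data)
        return sha256_file(path)


def demo_swapped_package():
    """Pin the digest of the reviewed archive, then re-check after the file is replaced.

    Both byte strings are constructed stand-ins, not real mod data. The swapped
    version has the same size as the reviewed one, so only the digest tells them apart.
    """
    reviewed = b"Rar!\x1a\x07\x00" + b"hybrid-physx-mod-reviewed-build\n" * 64
    swapped = reviewed[:-32] + b"silently-replaced-payload-bytes\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "hybrid_physx_mod.rar")
        with open(path, "wb") as handle:
            handle.write(reviewed)
        pinned = sha256_file(path)          # what the reviewer would publish alongside the link
        matches_at_review = verify_download(path, pinned)
        with open(path, "wb") as handle:    # the hosting site later swaps the archive
            handle.write(swapped)
        matches_later = verify_download(path, pinned)
    return matches_at_review, matches_later


if __name__ == "__main__":
    print(demo_swapped_package())  # (True, False)
```

The point is that a scan result only describes the bytes that were scanned; publishing the digest alongside the link lets every reader confirm they got the same bytes the reviewer did, whatever the host does later.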
 
Necrosis that made literally 0 sense.

Sirmonkey1985, I wondered the same thing. How many people did we see crying that their gamer credentials were stolen?
Posted via [H] Mobile Device
 
Not sure why you felt the need to say that, I accept full responsibility for posting the link and I apologized for that and will continue to do so.

I post hundreds and hundreds of links each week and I do my best to make sure that I click every single link, check every file and read every single story I post here. Unfortunately the package I downloaded and scanned did NOT contain the trojan so the infected package was probably uploaded/switched at a later time. Nobody feels like a bigger moron than I do for posting a link to a site that pulls a stunt like this. So, again...I apologize.


Having said that:

The blame for the trojan is 110% the fault of the site hosting it.

Who gives a shit what that kid thinks? If you hook me up with your girlfriend's sister, for example, and I bang her and get herpes, it's not your fault for her giving me herpes, it's hers for being dirty. Hypothetically speaking, of course.
Posted via [H] Mobile Device
 
I'd more sooner believe Nvidia paid Symantec a hefty amount of money before believing there is a trojan in the package.
 
Has anyone installed it and then run Wireshark to see the rogue server it connects to?

I mean, there is a lot of freeware and other utilities that are now flagged as malicious software.
It would not be too hard to set up a virtual machine and see if this is true.
 
That's pretty harsh when you consider that ALL the previous versions of the mod have been flagged by as gamer.pass. Whether it really is a trojan well in the case of the latest mod, I'm not sure. However all the past versions have not been actually infected. I haven't read of any actual viral behavior yet or seen any on my modded system.

Exactly. People seem to be jumping the gun. I can't count how many times Symantec "thinks" they have found a virus.
 
Who gives a shit what that kid thinks? If you hook me up with your girlfriend's sister, for example, and I bang her and get herpes, it's not your fault for her giving me herpes, it's hers for being dirty. Hypothetically speaking, of course.
Posted via [H] Mobile Device

Yes I am a kid, I must be since I did not include anything offensive like your post.... :rolleyes:

The original version of the front page post did not include the apology. I went back and added another post to retract my statement after that since you cannot edit a post from topics on the front page. That is all. Have a nice day and I think they have some cream that can help you.
 
I've been using it without probs (as in losing my Steam or EA accounts). I haven't updated to the latest version though. Didn't really feel the need to update since I only have one game, Batman: AA, that makes use of it.

I'm not as paranoid as I used to be so I'll let it mill around and alert you all of any shenanigans.
 
version 1.0.2 was detected as containing the trojan (see comments here, where it is 'dismissed' as a false positive)

Interesting; As I went to their site and DLd the 1.0.3 mod and got the results I posted.

Now why would they use a packer that comes up as a F.P when they could use something that doesn't raise alarm?

Also; "Infostealer.Gampass" is very suspicious considering the nature of the file IMO.
 
Interesting; As I went to their site and DLd the 1.0.3 mod and got the results I posted.

Now why would they use a packer that comes up as a F.P when they could use something that doesn't raise alarm?

Also; "Infostealer.Gampass" is very suspicious considering the nature of the file IMO.

Yes.

Extracting the rar to get the executable gives an extra hit (18/40)
 
Yes I am a kid, I must be since I did not include anything offensive like your post.... :rolleyes:

The original version of the front page post did not include the apology. I went back and added another post to retract my statement after that since you cannot edit a post from topics on the front page. That is all. Have a nice day and I think they have some cream that can help you.

How is anything I said globally considered offensive? A great analogy that's directly comparable, yes. Offensive, no.
Posted via [H] Mobile Device
 
I'm going to call "source code or didn't happen" on that "its just a hook" post.
 
It's very quiet: initial tests in VirtualBox show no communication to an external server when the exe is run. Of course the program has not fully installed yet due to the missing hardware, but hopefully I can work around it. Regardless, for this to be malware you would think it would install the trojan upon launch, not after.
 
I dunno guys, I downloaded that file from from the link posted a few days ago.

- Scanned with Avast before installing: clean
- Full system scan finished 2mins ago: clean

I realize a virus scan is not bullet proof, but I'd like to hear from someone that actually got infected from this file...
 
AVG and MS Security Essentials didn't give me any warnings with the mod and I haven't had any issues with any previous versions. I've been using that mod pretty much since day 1.
Can anyone verify if this is a false positive?
 
It doesn't actually have the virus though. It just gets detected as such because it's modifying files. Something required for it to work after all since it has to replace some nVidia files with modified ones.

Kind of like how McAfee accidentally marked crucial Windows files as a virus just 4 or so days ago and disabled a bunch of computers over a false positive.


its pretty much like a crack file.. most shitty virus scanners detect them as a virus because its made to modify an exe file.. thus its technically a virus since its modifying a file even though its not actually doing any harm to the system..
 
Well, to be sure it needs to be run on a real computer with the two graphics cards it requires,
then monitored through Wireshark, ideally through a third computer. But with that being said,
unless this is a ruthless trojan and very sneaky/stealthy (they do exist) I would say this file is harmless.

most likely the reason why it is being detected as a trojan is because as previously stated it uses a hook to manipulate files.

second its installer is very "scene" inspired or is from a demo scene or cracker scene code base.

And third, anti-virus vendors are bombarded with all kinds of code samples; it's amazing more programs are not detected, flagged and removed.

So basically, with any program, use at your own risk, and if you don't trust it but want to use it, clean install a machine and monitor its internet communication.
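The "clean install a machine and monitor its internet communication" advice above (and the earlier Wireshark-in-a-VM suggestion) only pays off if you compare what the installer did against what the same clean machine does on its own. This added example is mine, not the poster's or the mod's: it takes a connection log in the shape a monitoring box might export, explains away traffic to hosts already seen in the baseline run, and counts whatever is left per process and destination. The log lines, host names and addresses are constructed (TEST-NET ranges and `.test` names), and the CSV layout is an assumption about the export format.

```python
import csv
import io
from collections import defaultdict

# Constructed connection log, the kind of export a monitoring box could produce after a
# clean VM ran the installer. Columns: seconds since start, process, destination address,
# port, and the DNS/SNI name seen for that destination (blank if none). No host is real.
SAMPLE_LOG = """\
time,process,dst_ip,dst_port,name
12.01,svchost.exe,203.0.113.10,443,ctldl.windowsupdate.com
12.40,setup.exe,192.0.2.8,80,downloads.example-mirror.test
13.02,setup.exe,198.51.100.23,443,
13.05,setup.exe,198.51.100.23,443,
41.77,svchost.exe,203.0.113.11,123,time.windows.com
"""

# Names the baseline run of the same clean VM (plus the mirror you downloaded from)
# already explains. Constructed allowlist.
EXPECTED_NAME_SUFFIXES = ("windowsupdate.com", "windows.com", "example-mirror.test")


def parse_log(text):
    """Parse the CSV export into dicts; dst_port becomes an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dst_port"] = int(row["dst_port"])
        rows.append(row)
    return rows


def name_matches(name, suffix):
    """Domain-aware suffix match: 'windows.com' covers 'time.windows.com', not 'notwindows.com'."""
    return name == suffix or name.endswith("." + suffix)


def is_expected(row, suffixes=EXPECTED_NAME_SUFFIXES):
    """A connection is explained only if it went to an allowlisted name;
    a bare-IP connection with no name is never explained by the baseline."""
    name = row["name"].strip().lower()
    return bool(name) and any(name_matches(name, s) for s in suffixes)


def unexpected_destinations(text, suffixes=EXPECTED_NAME_SUFFIXES):
    """Count unexplained connections per (process, dst_ip, dst_port) so repeats stand out."""
    hits = defaultdict(int)
    for row in parse_log(text):
        if not is_expected(row, suffixes):
            hits[(row["process"], row["dst_ip"], row["dst_port"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (proc, ip, port), count in unexpected_destinations(SAMPLE_LOG).items():
        print(f"{proc} -> {ip}:{port} x{count}  (not explained by baseline)")
```

On the constructed log the only thing left after triage is the installer talking twice to an address that never resolved to a name, which is the kind of lead worth chasing in the capture; the OS's own update and time traffic and the download from the mirror drop out because the baseline already accounts for them.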
 
its pretty much like a crack file.. most shitty virus scanners detect them as a virus because its made to modify an exe file.. thus its technically a virus since its modifying a file even though its not actually doing any harm to the system..

I think he's using Norton since it's a Symantec link. Norton is top of the line antivirus! ;)
 
Finally some common non-knee jerking sense prevails. This mod is very Hard if you think about, lol.
 
Interesting...

According to virus total it uses this EXE packer/compressor:
http://www.farbrausch.de/~fg/kkrunchy/

And in case you don't know farbrausch make award winning demos such as the recent "rove" which was 2nd at Breakpoint 2010.

So it is possible this is a false positive, as all the virus scanners other than Symantec only report it as 'suspicious' or a 'heuristic' result. The 'suspicious'-ness is because they use a packer, and almost any software that uses a packer will be marked as suspicious even if it isn't (I know because I have used packers before, only to realise the crappy AV results deter users from your program, outweighing any filesize benefits, which are often tiny).

It is possible the packer is designed to make it harder for NVIDIA to pull apart the hack and block it.

But if NGOHQ really want to save grace they should release a packer free version and/or submit it to symantec or some other company for proper report on whether they put a virus in it.

Plus Symantec is a PoS anyways and I would never trust them to start with...
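The "suspicious"/"heuristic" verdicts described above usually come down to one measurement: a packed or compressed executable looks like random bytes, and scanners flag high-entropy sections because they cannot see the code underneath. This added example is not from the thread, from NGOHQ or from the kkrunchy project; it computes Shannon entropy over fixed-size slices of a buffer and applies the same kind of "mostly near-random" heuristic. The two sample buffers are constructed (a low-entropy stub with repeated text, and a stub followed by deterministic pseudo-random filler standing in for a compressed payload); the 7.0 bits/byte threshold and the 4 KiB slice size are my choices, not any vendor's.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def section_entropies(blob, section_size=4096):
    """Entropy of each fixed-size slice; real tools would use PE section boundaries instead."""
    return [shannon_entropy(blob[i:i + section_size]) for i in range(0, len(blob), section_size)]


def looks_packed(blob, threshold=7.0, min_fraction=0.5):
    """Heuristic: flag the file if at least min_fraction of its slices are near-random."""
    entropies = section_entropies(blob)
    if not entropies:
        return False
    high = sum(1 for e in entropies if e >= threshold)
    return high / len(entropies) >= min_fraction


def pseudo_random_bytes(length, seed=b"constructed-sample"):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a compressed payload."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed samples: a DOS-header-like stub followed either by plain repeated text
# (what an unpacked binary's readable parts look like) or by near-random filler.
STUB = b"MZ" + b"\x00" * 62
UNPACKED_SAMPLE = STUB + b"This program cannot be run in DOS mode.\r\n" * 400
PACKED_SAMPLE = STUB + b"kkrunchy-style stub" + pseudo_random_bytes(16384)


if __name__ == "__main__":
    for label, blob in (("unpacked", UNPACKED_SAMPLE), ("packed", PACKED_SAMPLE)):
        ents = ", ".join(f"{e:.2f}" for e in section_entropies(blob))
        print(f"{label:9s} slices=[{ents}] packed={looks_packed(blob)}")
```

The heuristic says nothing about what the unpacked code does, which is the whole problem the thread is circling: a packer-free build, or a copy submitted to the vendor so it can be unpacked and classified properly, is what turns "suspicious" into an actual verdict either way.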
 
Hey Kyle, you can be an ass sometimes (you say so yourself), but you and your site have integrity so I am always reading.
Likewise Steve, mistakes happen, kudos for the apology (even though I don't think it was necessary).

^This, I have not always been active but have always come back to the site for this reason.
 