Hybrid PhysX Mod Package Contained Trojan

Discussion in 'HardForum Tech News' started by HardOCP News, Apr 29, 2010.

Thread Status:
Not open for further replies.
  1. HardOCP News

    HardOCP News [H] News

    Messages:
    0
    Joined:
    Dec 31, 1969
    It has come to our attention that the Hybrid PhysX Mod from NGOHQ.com posted earlier this month contained the Infostealer.Gampass trojan. According to Symantec, Infostealer.Gampass specifically targets video game credentials, log-ins and passwords. I would recommend uninstalling this and doing a full scan on your computer. I would also recommend that you avoid downloading anything from sites that do not scan files before offering them to the general public. We apologize to anyone that may have downloaded the Hybrid PhysX Mod after we posted that link. Thanks to Theron E. for the heads up.
     
  2. martinmsj

    martinmsj [H]ard|Gawd

    Messages:
    1,542
    Joined:
    Mar 3, 2005
    That really sucks.

    While I'm not affected (went GTX 470 instead of 5850) I still can't help but really feel for the people that downloaded the patch.

    I wonder if there is any word on the origin of the trojan or the patch.
     
  3. NoxTek

    NoxTek The Geek Redneck

    Messages:
    9,266
    Joined:
    May 27, 2002
    Again I say, NGOHQ is not to be trusted. They went from warez site to hacking site to 'custom video drivers' site in the space of a few years. No one remembers anymore but they are/were not as clean cut as they would have everyone believe these days. So seeing this news item doesn't surprise me one little bit.
     
  4. necrosis

    necrosis Gawd

    Messages:
    758
    Joined:
    Oct 21, 2004
    Out of morbid curiosity, what does this mod do? :confused:
     
  5. Lancer

    Lancer Limp Gawd

    Messages:
    324
    Joined:
    Aug 2, 2005
    Guys, I have to say, while NGOHQ should have scanned it, the same could be said for HardOCP. A lot of users here trust what you post to be safe. NGOHQ might have hosted it, but you were the ones to bring it to the HardOCP populace. The blame is not entirely on them; luckily I had not downloaded this yet but had planned on it. Users that downloaded it without scanning are just as much at fault as well. Just saying, all the blame for the HardOCP users being infected does not lie entirely on the other site.
     
  6. Derangel

    Derangel [H]ard as it Gets

    Messages:
    17,095
    Joined:
    Jan 31, 2008
    Enables PhysX on a Nvidia GPU when an ATI card is the primary.
     
  7. Lancer

    Lancer Limp Gawd

    Messages:
    324
    Joined:
    Aug 2, 2005
    Original post was edited, thank you for the apology, and everyone, please scan whatever you download.
     
  8. tesfaye

    tesfaye 2[H]4U

    Messages:
    3,419
    Joined:
    Apr 17, 2003
    Stealz all ur infoz apparently.

    Lets you run an ATI card for video while using an nVidia card for PhysX. Nvidia locks the drivers normally so you can only experience PhysX with Nvidia video cards. It came in handy while playing Batman AA allowing me to use my ATI 5870 for video and my GTX 380 for PhysX. Without the patch the experience was still nice albeit a little "flat".
     
  9. sirmonkey1985

    sirmonkey1985 [H]ard|DCer of the Month - July 2010

    Messages:
    21,098
    Joined:
    Sep 13, 2008
    Out of curiosity, has anyone who downloaded it bothered to scan the file just to make sure this trojan is actually there and not some scheme from Nvidia to get people not to use it?
     
  10. thesmokingman

    thesmokingman [H]ardness Supreme

    Messages:
    4,772
    Joined:
    Nov 22, 2008
    Is this a joke? All the PhysX mods have been flagged as Gampass trojans? AFAIK, and as I have read from GenL, that's just how the mod is flagged and the mod is not actually a virus. Did something change?
     
  11. Derangel

    Derangel [H]ard as it Gets

    Messages:
    17,095
    Joined:
    Jan 31, 2008
    Seriously?
     
  12. necrosis

    necrosis Gawd

    Messages:
    758
    Joined:
    Oct 21, 2004
    o_O

    If you want PhysX get a nVidia card as your primary? I mean, OK, make hacked drivers for it but really.

    You want a fast car go get a fast car, don't put a v10 in a golfcart.
     
  13. Derangel

    Derangel [H]ard as it Gets

    Messages:
    17,095
    Joined:
    Jan 31, 2008
    Why? Pairing a good ATI card like, say, the 5870 with a cheap Nvidia card like the 9800GT works just as well as pairing a good Nvidia card with a 9800GT. You're going to need the second card to fully utilize PhysX no matter what. Only thing is Nvidia's drivers prevent this from happening.
     
  14. FrgMstr

    FrgMstr Just Plain Mean Staff Member

    Messages:
    47,992
    Joined:
    May 18, 1997
    We do take responsibility for posting it. We have notified our readers, apologized, and removed previous links. Suggesting otherwise is simply being uninformed and not reading our post.

    NGOHQ will never again see a link on HardOCP and within a few days, the name will be banned from being typed here at all. The only reason it is not right now is so that it can be discussed easily.
     
  15. HardOCP News

    HardOCP News [H] News

    Messages:
    0
    Joined:
    Dec 31, 1969
    Not sure why you felt the need to say that, I accept full responsibility for posting the link and I apologized for that and will continue to do so.

    I post hundreds and hundreds of links each week and I do my best to make sure that I click every single link, check every file and read every single story I post here. Unfortunately the package I downloaded and scanned did NOT contain the trojan so the infected package was probably uploaded/switched at a later time. Nobody feels like a bigger moron than I do for posting a link to a site that pulls a stunt like this. So, again...I apologize.


    Having said that:

    The blame for the trojan is 110% the fault of the site hosting it.
     
  16. RADEoN

    RADEoN [H]ardness Supreme

    Messages:
    6,534
    Joined:
    Dec 30, 2005
    Necrosis that made literally 0 sense.

    Sirmonkey1985, I wondered the same thing. How many people did we see crying that their gamer credentials were stolen?
     
  17. RADEoN

    RADEoN [H]ardness Supreme

    Messages:
    6,534
    Joined:
    Dec 30, 2005
    Who gives a shit what that kid thinks? If you hook me up with your girlfriend's sister, for example, and I bang her and get herpes, it's not your fault for her giving me herpes, it's hers for being dirty. Hypothetically speaking, of course.
     
  18. darksonic

    darksonic Gawd

    Messages:
    677
    Joined:
    Feb 11, 2009
    I'd more sooner believe Nvidia paid Symantec a hefty amount of money before believing there is a trojan in the package.
     
  19. chaos4u

    chaos4u Limp Gawd

    Messages:
    341
    Joined:
    Dec 1, 2004
    Has anyone installed it and then run Wireshark to see the rogue server it connects to?

    I mean, there is a lot of freeware and other utilities that are now flagged as malicious software.
    Would not be too hard to set up a virtual machine and see if this is true.
     
  20. Psychor

    Psychor Limp Gawd

    Messages:
    388
    Joined:
    Dec 22, 2007
    Exactly. People seem to be jumping the gun. I can't count how many times Symantec "thinks" they have found a virus.
     
  21. Lancer

    Lancer Limp Gawd

    Messages:
    324
    Joined:
    Aug 2, 2005
    Yes, I am a kid; I must be, since I did not include anything offensive like your post.... :rolleyes:

    The original version of the front page post did not include the apology. I went back and added another post to retract my statement after that, since you cannot edit a post from topics on the front page. That is all. Have a nice day, and I think they have some cream that can help you.
     
  22. Gorankar

    Gorankar [H]ardForum Junkie

    Messages:
    10,128
    Joined:
    Jul 19, 2000
    Has anyone that used this mod had an account jacked?
     
  23. caveman-jim

    caveman-jim n00b

    Messages:
    62
    Joined:
    Jan 11, 2007
    Version 1.0.2 was detected as containing the trojan (see comments here, where it is 'dismissed' as a false positive).
     
  24. Riftsaw

    Riftsaw 2[H]4U

    Messages:
    2,239
    Joined:
    Feb 26, 2008
    I've been using it without problems (as in losing my Steam or EA accounts). I haven't updated to the latest version though. Didn't really feel the need to update since I only have one game, Batman: AA, that makes use of it.

    I'm not as paranoid as I used to be so I'll let it mill around and alert you all of any shenanigans.
     
  25. Maximuss

    Maximuss Gawd

    Messages:
    740
    Joined:
    Mar 12, 2010
    Here is a good site for peeps to use when DLing files:
    http://www.virustotal.com

    And here are the results for the said file.

     
  26. Riftsaw

    Riftsaw 2[H]4U

    Messages:
    2,239
    Joined:
    Feb 26, 2008
    Well crap...

    That certainly made my paranoia flare up.
     
  27. Maximuss

    Maximuss Gawd

    Messages:
    740
    Joined:
    Mar 12, 2010
    Interesting; I went to their site, DLd the 1.0.3 mod and got the results I posted.

    Now why would they use a packer that comes up as an FP when they could use something that doesn't raise alarm?

    Also; "Infostealer.Gampass" is very suspicious considering the nature of the file IMO.
     
  28. caveman-jim

    caveman-jim n00b

    Messages:
    62
    Joined:
    Jan 11, 2007
    Yes.

    Extracting the rar to get the executable gives an extra hit (18/40).
     
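Two points in this thread are really one engineering problem. Post 15 says the package scanned before the link went up was clean, so the infected archive was probably switched on the server afterwards; post 28 notes that the hit only appears once the rar is extracted and the inner executable is scanned on its own. The usual fix is to pin a digest of the archive at review time, publish it with the link, and keep a per-member manifest so a swapped archive fails the pin and a swapped inner file shows up in a diff. The script below is an added example, not code from the thread or from NGOHQ. It uses zip rather than the original rar so it runs with the standard library only, and the file names and bytes in the two fixtures are constructed.

```python
"""Pin a downloaded package at review time and re-verify it, outside and inside."""
import hashlib
import hmac
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pin(archive: bytes, pinned_sha256: str) -> bool:
    """True only if the archive matches the digest recorded at review time.
    compare_digest is constant-time; it is the right habit even for a local check."""
    return hmac.compare_digest(sha256_hex(archive), pinned_sha256.lower())


def archive_manifest(archive: bytes) -> dict:
    """Map every member to (sha256, size) without writing anything to disk,
    so the inner executable gets its own digest and can be scanned on its own."""
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            manifest[info.filename] = (sha256_hex(data), len(data))
    return manifest


def compare_manifests(reviewed: dict, current: dict) -> dict:
    """Members that were added, removed or replaced since the reviewed copy."""
    return {
        "changed": sorted(n for n in reviewed if n in current and reviewed[n] != current[n]),
        "added": sorted(set(current) - set(reviewed)),
        "removed": sorted(set(reviewed) - set(current)),
    }


def make_archive(members: dict) -> bytes:
    """Constructed fixture: deterministic in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            info = zipfile.ZipInfo(name, date_time=(2010, 4, 29, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


README = b"Hybrid PhysX mod (constructed sample, not the real package)\n"
# The copy the reviewer scanned and linked, and the copy served later with the installer swapped.
REVIEWED = make_archive({"readme.txt": README,
                         "setup.exe": b"MZ" + b"\0" * 62 + b"original installer bytes (constructed)"})
SWITCHED = make_archive({"readme.txt": README,
                         "setup.exe": b"MZ" + b"\0" * 62 + b"replaced installer bytes (constructed)"})
PINNED_SHA256 = sha256_hex(REVIEWED)  # what would be published next to the download link


def check_download(archive: bytes) -> dict:
    """What a reader runs against the file they actually received."""
    result = {"pin_ok": verify_pin(archive, PINNED_SHA256)}
    result.update(compare_manifests(archive_manifest(REVIEWED), archive_manifest(archive)))
    return result


if __name__ == "__main__":
    print("pinned sha256:", PINNED_SHA256)
    print("reviewed copy:", check_download(REVIEWED))
    print("served later: ", check_download(SWITCHED))
```

The archive pin alone is enough to tell readers that what they fetched is not what was reviewed; the manifest is what tells you which file inside changed, and it is the per-member digests, not the archive's, that you submit to a scanner, because the archive wrapper is what hid the detection in post 28.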
  29. RADEoN

    RADEoN [H]ardness Supreme

    Messages:
    6,534
    Joined:
    Dec 30, 2005
    How is anything I said globally considered offensive? A great analogy that's directly comparable, yes. Offensive, no.
     
  31. Elios

    Elios [H]ardness Supreme

    Messages:
    7,207
    Joined:
    Aug 12, 2004
    I'm going to call "source code or it didn't happen" on that "it's just a hook" post.
     
  32. chaos4u

    chaos4u Limp Gawd

    Messages:
    341
    Joined:
    Dec 1, 2004
    It's very quiet. Initial tests in VirtualBox show no communication to an external server when the exe is run. Of course, the program has not fully installed yet due to the missing hardware, but hopefully I can work around it. Regardless, for this to be malware you would think it would install the trojan upon launch, not after.
     
  33. Roman79

    Roman79 [H]ard|Gawd

    Messages:
    1,393
    Joined:
    Oct 2, 2000
    I dunno guys, I downloaded that file from the link posted a few days ago.

    - Scanned with Avast before installing: clean
    - Full system scan finished 2mins ago: clean

    I realize a virus scan is not bullet proof, but I'd like to hear from someone that actually got infected from this file...
     
  34. Domingo

    Domingo Skip My Posts

    Messages:
    16,858
    Joined:
    Jul 30, 2004
    AVG and MS Security Essentials didn't give me any warnings with the mod and I haven't had any issues with any previous versions. I've been using that mod pretty much since day 1.
    Can anyone verify if this is a false positive?
     
  35. sirmonkey1985

    sirmonkey1985 [H]ard|DCer of the Month - July 2010

    Messages:
    21,098
    Joined:
    Sep 13, 2008
    It's pretty much like a crack file. Most shitty virus scanners detect them as a virus because it's made to modify an exe file; thus it's technically a virus since it's modifying a file, even though it's not actually doing any harm to the system.
     
  36. chaos4u

    chaos4u Limp Gawd

    Messages:
    341
    Joined:
    Dec 1, 2004
    Well, to be sure, it needs to be run on a real computer with the two graphics cards it requires,
    then monitored through Wireshark, ideally through a third computer. But with that being said,
    unless this is a ruthless trojan and very sneaky/stealthy (they do exist), I would say this file is harmless.

    Most likely the reason why it is being detected as a trojan is because, as previously stated, it uses a hook to manipulate files.

    Second, its installer is very "scene" inspired, or is from a demo scene or cracker scene code base.

    And third, anti-virus vendors are bombarded with all kinds of code samples; it's amazing more programs are not detected, flagged and removed.

    So basically, with any program, use at your own risk, and if you don't trust it but want to use it, clean install a machine and monitor its internet communication.
     
  37. Ualdayan

    Ualdayan [H]ard|Gawd

    Messages:
    1,793
    Joined:
    Jun 20, 2004
    I think he's using Norton since it's a Symantec link. Norton is top of the line antivirus! ;)
     
  38. thesmokingman

    thesmokingman [H]ardness Supreme

    Messages:
    4,772
    Joined:
    Nov 22, 2008
    Finally some common non-knee-jerking sense prevails. This mod is very Hard if you think about it, lol.
     
  39. ljbade

    ljbade Limp Gawd

    Messages:
    261
    Joined:
    Feb 17, 2010
    Interesting...

    According to virus total it uses this EXE packer/compressor:
    http://www.farbrausch.de/~fg/kkrunchy/

    And in case you don't know, farbrausch make award-winning demos such as the recent "rove", which was 2nd at Breakpoint 2010.

    So it is possible this is a false positive, as all the virus scanners other than Symantec only report it as 'suspicious' or a 'heuristic' result. The 'suspicious'-ness is because they use a packer, and almost any software that uses a packer will be marked as suspicious even if it isn't (I know because I have used packers before, only to realise the crappy AV results deter users from your program, outweighing any filesize benefits (which are often tiny)).

    It is possible the packer is designed to make it harder for NVIDIA to pull apart the hack and block it.

    But if NGOHQ really want to save grace they should release a packer-free version and/or submit it to Symantec or some other company for a proper report on whether they put a virus in it.

    Plus Symantec is a PoS anyways and I would never trust them to start with...
     
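Post 39 is right that a packed executable is what most scanners label 'suspicious' or 'heuristic', and the reason is mechanical: a packer leaves the real program compressed or encrypted (near-maximal byte entropy) in a section that is both writable and executable, and reserves an empty section for the unpacked image. The script below shows that heuristic from the inside. It is an added example, not code from the thread, from NGOHQ or from farbrausch, and it says nothing about the real mod's binary: the PE parser is minimal, the two images are constructed in memory, and the section name ".pck" and the 7.0 bits-per-byte threshold are assumptions, not a kkrunchy signature.

```python
"""Packer heuristics on a PE image: per-section entropy plus layout checks."""
import hashlib
import math
import struct
from collections import Counter

SCN_CODE, SCN_EXEC, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000
COMMON_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".bss", ".tls", ".pdata"}
HIGH_ENTROPY = 7.0  # bits per byte; 8.0 is the maximum, plain x86 code sits well below (assumed threshold)


def shannon_entropy(buf: bytes) -> float:
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def parse_sections(image: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    table, sections = pe + 24 + opt_size, []
    for i in range(nsections):
        name, vsize, _va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "raw_size": raw_size, "flags": flags, "entropy": round(shannon_entropy(raw), 2)})
    return sections


def analyze_pe(image: bytes) -> dict:
    """Section table plus the indicators a 'suspicious/heuristic' verdict keys on."""
    sections, indicators = parse_sections(image), []
    for s in sections:
        executable = s["flags"] & (SCN_EXEC | SCN_CODE)
        if executable and s["entropy"] >= HIGH_ENTROPY:        # compressed or encrypted code
            indicators.append(("high_entropy_code", s["name"], s["entropy"]))
        if executable and s["flags"] & SCN_WRITE:               # stub writes code it will then run
            indicators.append(("rwx_section", s["name"], hex(s["flags"])))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:        # room reserved for the unpacked image
            indicators.append(("empty_raw_section", s["name"], s["virtual_size"]))
        if s["name"] not in COMMON_NAMES:
            indicators.append(("unusual_name", s["name"], None))
    # High-entropy executable code is the strong signal; the rest only corroborate it.
    likely_packed = any(k == "high_entropy_code" for k, _, _ in indicators)
    return {"sections": sections, "indicators": indicators, "likely_packed": likely_packed}


# --- constructed fixtures: a PE32 builder just complete enough for parse_sections() ---
def build_pe(sections: list) -> bytes:
    """sections: list of (name, raw_bytes, virtual_size, flags)."""
    align, n = 0x200, len(sections)
    raw_start = -(-(0x40 + 24 + 224 + 40 * n) // align) * align
    headers = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
               + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x0102)  # i386, PE32 optional header
               + struct.pack("<H", 0x10B) + b"\0" * 222)
    body, ptr, va = b"", raw_start, 0x1000
    for name, raw, vsize, flags in sections:
        padded = raw + b"\0" * (-len(raw) % align)
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va, len(padded),
                               ptr if padded else 0, 0, 0, 0, 0, flags)
        body, ptr, va = body + padded, ptr + len(padded), va + 0x10000
    return headers + b"\0" * (raw_start - len(headers)) + body


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for compressed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


PLAIN_CODE = (b"push ebp\nmov ebp, esp\nsub esp, 0x10\ncall helper\nleave\nret\n" * 64)[:2048]
CLEAN_SAMPLE = build_pe([
    (".text", PLAIN_CODE, len(PLAIN_CODE), SCN_CODE | SCN_EXEC | SCN_READ),
    (".data", b"hello world\0" * 128, 0x600, 0x40 | SCN_READ | SCN_WRITE),
])
PACKED_SAMPLE = build_pe([  # one RWX blob of "compressed" code plus the empty section it unpacks into
    (".pck", pseudo_random_bytes(4096), 0x1000, SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE),
    (".text", b"", 0x8000, SCN_CODE | SCN_EXEC | SCN_READ),
])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        r = analyze_pe(img)
        print(label, "likely_packed =", r["likely_packed"], [(s["name"], s["entropy"]) for s in r["sections"]])
        for ind in r["indicators"]:
            print("   indicator:", ind)
```

A hit from this kind of check means "packed", not "malicious": a demo-scene packer and a trojan dropper look the same to it, which is exactly why scanners settle for 'suspicious'. To know what is actually inside you have to let the stub unpack itself, in a VM as posts 19, 32 and 36 describe, and scan the unpacked image, or ask the author for an unpacked build as post 39 suggests.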
  40. OCgamer666

    OCgamer666 Limp Gawd

    Messages:
    460
    Joined:
    Jun 16, 2004
    ^This, I have not always been active but have always come back to the site for this reason.
     