
Which Roblox/LUAU classes can have malware/scripts hidden inside? Which classes will still be executed as a script? Which classes cannot contain a malicious script? Audio?

Since the complaint has been made that it's not clear what I'm asking, I've added emphasis above and put the title in there, too.

Ok, so I'm trying to learn how to detect and remove malware from things in the Roblox Studio Toolbox. That is a tall order, since I'm still learning LUAU and there are many ways to conceal malware, including obfuscation techniques (spacing, reversed strings, reversed ascii strings, getfenv(), hidden teleports, nested scripts, scripts that were reclassified to something else, like a weld, etc.).

Reclassified malware is the thing I have the most trouble with, although long scripts and scripts split into different files can be a pain, too. I do things by trial and error, like in the case of the Sakura Tree model by TreelingDeveloper (rbxassetid://6787294322). I stripped it of everything except the Trunk and Mesh, Falling Leaves and Particle Emitter, and Leaves and Mesh, and it is still similar, despite removing a couple dozen pieces, including two scripts that were nested inside several welds and claimed to weld the bark on.

Edit: I rechecked the Sakura tree after posting. Deleting all those parts reduced its visual appeal, although not completely. There were a lot of "Bark," "Other" and "Welds" that I deleted, and even the ThumbnailCamera. As it turns out, keeping all of the "Bark" and "Others" adds additional details to the trunk. I can't see a use for the ThumbnailCamera or the welds and "auto-weld" scripts.

It's not terribly hard to use CTRL-SHIFT-F to search for words like "getfenv," "string.reverse," "require," "eriuqer," and "teleport" but it is beyond my level of ability to find everything.

If you have any suggestions or tips on the question or the larger issues of malware in Roblox assets, I'd love to hear about it. Thanks!

Antimalware Plug-ins

Thus far, I have reviewed several (~10) plug-ins for detecting malware. None of them seem to have behavioral or real-time detection. They all seem to use simplistic heuristic detection, often relying on common words and phrases associated with known malware, as well as certain LUAU commands and obfuscation techniques. Those that I thought were worth using, as inadequate as they were, are GameGuard, Guardian Angel Defender, Mirror Egg and Ro-Protect. Unfortunately, they get a fair number of false positives (Mirror Egg, for example, suggests that anything with the name "Fire," including fire effects I added, may be malware). GAD has the best UI and seems to find more than anything else, but it also finds a lot of "empty objects" that I'm not sure what to make of. None of them are real-time, and none are good enough on their own.

Explanation

I'm not artistic, so it really isn't possible for me to develop my own models, meshes and such, and I think people who say those who use the toolbox are lazy and get what they deserve are apparently unaware that not everyone is a master craftsman when it comes to CG.

Roblox Studio's Toolbox is jam-packed with assets, which is great, except many of them contain malware.

Beyond this point is mostly a rant. Feel free to ignore, unless you're going to tell me to contact Roblox Customer Service or go to the Roblox DevForum.

You may ask why I don't post this on the DevForum. I've been there since April and, despite 7 hours of reading and over 1k likes, I still have not become a "regular". I asked customer service about this, but they gave me the run-around, referring me back to the rules to become a regular (which are deliberately vague) and generally being eager to get rid of me as fast as possible without actually helping.

You may ask why I didn't ask Roblox for help. Having asked both the Appeals team (which had given me a 3-day IP ban and permanently suspended my unlisted, >private< game that is still in development because, they stated, I'd added an "inappropriate model" from the toolbox - a model that I didn't modify, and then rejected my appeal without any valid reason) and Customer Service, which gave me the run-around and did their very best not to help me, and to get rid of me as rapidly as possible, I'm trying to learn how to protect myself. In short, Roblox apparently refuses to take any real steps to deal with the plethora of malware, and help pages DO NOTHING to teach developers how to find malware. I've learned more on my own - which isn't nearly enough.

If I sound irritated, it's because I am. They have some of the worst customer support I've ever encountered in the 36 years of my adult life, and I've got many years of experience in that field, including tech support.

The Roblox tutorial pages have this to say when they introduce the toolbox:

> Anyone can upload an item to the Toolbox, so make sure your game still works after adding an item before settling on it. To learn how to inspect a model before inserting it, see [Item Inspection][1].

The linked page is woefully inadequate, and the page that Customer Support referred me to is, too. [What Is This Infected Model On My Place? help article.][2]

[1]: https://developer.roblox.com/en-us/resources/studio/Toolbox#item-inspection
[2]: https://en.help.roblox.com/hc/articles/203312920

GAM II
  • your post basically violates every single content guideline of this community. please read [ask] and take the [tour]. even after having trudged through all of your text I still don't know what you're actually asking for. I'm also not sure why you think it necessary to rant about the Roblox Customer Service and DevForum. This community is all about programming problems and their best solutions. No offense, but your personal issues with third parties are of no interest. If you have such bad experience with their support why not simply play/program something else? – Piglet Oct 07 '21 at 06:48
  • `help pages DO NOTHING to teach developers how to find malware` Because you can't. If you execute code, there isn't really anything to do to prevent malicious code. Even the best antimalware would fail at some point. I'm not 100% familiar with Roblox but if you just avoid scripts in general and manually check the few you actually need you are always on the safe side. Raw meshes for example can not be infected. – Luke100000 Oct 07 '21 at 07:10
  • GAM II, I would recommend [Venom](https://devforum.roblox.com/t/venom-intercept-malicious-scripts/375845) as a model sanitizer when working with Toolbox. It was written by a former Roblox employee and screens all assets and it provides a list of Scripts that come with any asset. – Kylaaa Oct 07 '21 at 07:36
  • Piglet, thank you for your input. With respect, my question was stated in the title, with follow-up questions being the first part of my post, so I'm not really sure how you didn't know. To make it easier, I have added the title into the body and emphasized the whole lot. And, I've hidden the stuff about Roblox with >!. – GAM II Oct 07 '21 at 13:10
  • Luke100000 Thank you. Actually, you can find malware. I have. I taught myself basic malware detection many years ago and, although I cannot detect sophisticated malware, basic stuff is easy. I know that antimalware is not 100%. However, my problem is that some malware-makers change the class of the object to hide that there's a malware script. Some models come with dozens of scripts embedded in them, not including the reclassed ones. Other than meshes, what else is safe from reclassing malware? – GAM II Oct 07 '21 at 13:13
  • Kylaaa thank you. Actually, Venom was one of the first ones I looked at. Does it have the ability to identify scripts that have been reclassed? Given that Venom does not sanitize, nor does it identify malware, I only rarely use it. Complex models can contain a huge number of scripts. Can you answer the questions I stated at the start of my post, please? – GAM II Oct 07 '21 at 13:17
  • Luke10000 To explain, I could not have evaluated any of those plug-ins if I didn't have the ability to detect most, if not all, of the malware manually. I looked for tips on DevForum and learned about common tricks used in malware, such as obfuscation, teleport, getfenv(), spread, etc. I looked at scripts in models I got off the toolbox and used CTRL-SHIFT-F so I'd have a fair idea of what would be detected. I'm not sure if they still offer it, but BleepingComputer.com used to teach malware detection, if you're interested. – GAM II Oct 07 '21 at 13:45
  • @Luke10000 Please see the responses I left above. I forgot to preface your name with @ then. – GAM II Oct 07 '21 at 22:40
  • @Piglet Please see the responses I left above. I forgot to preface your name with @ then. – GAM II Oct 07 '21 at 22:40

1 Answer

When it comes to things that can execute code, the answer is Scripts and LocalScripts.

Some things to know: Scripts are only active in a few locations. According to the docs:

> The instant that the following conditions are met, a Script's Lua code is run in a new thread:

Similarly for LocalScripts:

> A LocalScript will only run Lua code if it is a descendant of one of the following objects:

This doesn't apply for Edit Mode, just when you are testing it in Play Mode.

The thing is, a Script instance can be inserted into the hierarchy of anything. Audio, Meshes, Decals, etc. none of these things execute code on their own, but they are often Trojan Horses for delivering Scripts into the Workspace. And because the Toolbox inserts things into the Workspace by default, it creates the avenue for exploits that you're describing in your question.

This is why I recommended the Venom plugin by pa00, because it allows you to strip out any and all Scripts that might come with an asset. It is an easy counter measure for when you are only looking for simple things. This suggestion falls apart once you start looking for more complicated assets like vehicles, Tools, and guns, where interactions have to be scripted, but it's a starting point.

Kylaaa
  • What you've explained is my basic understanding, although there are other places that scripts can run, such as the CoreGUI, and I think there are others. I assume by "backpack" you mean the StarterPack folder? – GAM II Oct 07 '21 at 22:38
  • What I'm asking about are two things. 1) The (possible?) ability to reclass something in order to hide the fact that there's a script in it. Perhaps Elttob's "[Reclass](https://web.roblox.com/library/2867765019/Reclass-free-intelligent-class-conversion)" does this (no matter what Elttob's intent was in making the plugin)? If it does, does Venom detect such reclassified scripts? If not, how can I? Not enough space...(cont'd) – GAM II Oct 07 '21 at 22:51
  • (cont'd) 2) There are 3 types of scripts: Scripts, LocalScripts and ModuleScripts, right? There is also the parent class of all scripts:LuaSourceContainer. According to Sub_zeeroz's [article](https://devforum.roblox.com/t/clearing-your-game-of-malicious-scripts-plugins-and-backdoors/511830), it is important to search for that parent. Does Venom only search for the 3 types of scripts, or does it search for the parent type, too? – GAM II Oct 07 '21 at 22:51
  • Scripts and LocalScripts that you create do not run in CoreScripts unless you have manually overridden the setting in Studio settings. From my tests, the Reclass plugin only allows you to swap instances that have similar properties. So you cannot convert a Script or LocalScript to an Audio instance or anything else. A player's Backpack is the actual container for Tools in-game. StarterPack is a bucket you can place Tools in so that they are copied to a Player's Backpack when they spawn. And the Venom plugin catches all 3 LuaSourceContainer classes and disables them until manually approved. – Kylaaa Oct 07 '21 at 23:28
  • Thank you, it seems like you've answered my questions. If, in the future, you discover anything different, I hope you'll tell me. It's a great relief to know this, since I saw mention of infected welds and such, and I saw things that had a "BodyColor" icon, but were named something like "tree joint" but, when I deleted them, nothing changed AFAIK. This has been a great source of frustration for me. I agree - Venom isn't appropriate for complex models with many scripts. – GAM II Oct 08 '21 at 00:25
  • @GAMII, someone on the DevForums has written up a list of different viruses they have come across : https://devforum.roblox.com/t/angels-studio-virus-masterlist-protect-your-games/1492632 – Kylaaa Oct 19 '21 at 21:40