Ulisse Wolf

Important Update Regarding Network Addon Mod 48 on ModDB | Potential Security Issue

49 posts in this topic

Posted:

It's so frustrating and stressful that this happened. Although I try to be safe online, this would be so easy to miss. I know I downloaded a copy of NAM 48 back in August which was before the ModDB file was infected. I know I downloaded a copy of NAM Lite in November, but fortunately that file wasn't impacted. I'm pretty sure I did not download an infected copy (but the uncertainty is frustrating.) My virus scan came up clean, so I think I'm in the clear. Still, it is very frightening and I feel for any who were unfortunate enough to be impacted by this attack.

I'm glad that this was discovered and applaud all those who are involved in the investigation of this issue.

  • Like 3

Life is architecture and architecture is the mirror of life. – I.M. Pei

Posted:

I hope that the c**t who did this gets what is coming to them and suffers the fate they rightfully deserve.

I think there is some kind of a coordinated assault in the cyber domain that's been ongoing for weeks now. For example, I notice spam numbers calling on my phone on a daily basis. This was never the case before.


The "SimCity 4" vanilla Opera House is the most evil thing in existence. Avoid.

 

My city journals! *:read:
- SimCity: Tribalism - seven urbanization concepts clashed together
Saving Magnasanti... - the most depressing city in history being revitalized

Also worth checking...
- "TMC's Drawing Board" - my city designs and plans.
 

Posted:

That's what's really frustrating indeed. The number one rule to avoid viruses is to only run stuff from sources that you trust. If you're downloading pirated software and get a virus instead, well you pretty much had that coming, but trusted sources no longer being able to be trusted because they might have been compromised, that requires a whole new mindset.

  • Like 3
  • Sad 2

Visit www.growifier.com for ploppable residentials

Love playing hearts and other card games? Have a look at www.whisthub.com!

Posted:

The rule of thumb is to never run, open, or use ANYTHING you have Downloaded until you have run it through a Virus Scanner. Even if the Download is from the most trusted of sites, scan it first. Any decent Antivirus Software these days comes with the ability to add a scanning option to the right click menu when that Antivirus Software is installed. Download a file, right click on it, run a scan. If the scan comes back as clean then, and only then, can you safely execute and/or use the file. Update your Virus Definitions at least once a day if not several times a day. All files should be Downloaded to a central location such as a "Download" folder. Scan files from there as previously described or via a script. Take no chances. Stay safe out there.

<Steps down off the soapbox> 

  • Like 1
  • Yes 2

Humor is the second most subjective thing on the planet

Brevity is the soul of wit and vulgarity is wit's downfall

Good Night and Good Luck - Read You Soon

Posted:

11 hours ago, Nite Owl said:

until you have run it through a Virus Scanner.

Do modern AVs have realtime protection so malware shouldn't be able to escape and infect the whole system? Even Windows Defender will alert and quarantine you even if you have an instance of some infected files. Not to mention virtually any modern AV (except lightweight ones) has some sort of browser scanning capabilities, like Defender is integrated into every browser, especially Chromium-based, including Edge.

I tried to extract version.cpl on my bro's laptop and oh boy, it's quickly removed by Defender. And after thorough scanning, Defender says there's no malware and I checked Task Manager and nothing's fishy going on. Tho to be noted that the system and definitions are updated. So there's that.

  • Like 1

Posted:

3 minutes ago, Jidan said:

Do modern AVs have realtime protection so malware shouldn't be able to escape and infect the whole system?

Not sure about all AVs out there, but you are certainly right about some. My AV does have real-time protection and it saved my skin once in a while by aborting or instantly deleting downloads.


The "SimCity 4" vanilla Opera House is the most evil thing in existence. Avoid.

 

My city journals! *:read:
- SimCity: Tribalism - seven urbanization concepts clashed together
Saving Magnasanti... - the most depressing city in history being revitalized

Also worth checking...
- "TMC's Drawing Board" - my city designs and plans.
 

Posted:

Yes, Real Time Protection is a thing and a very good thing at that. However, it is not 100% foolproof in the same way that a Virus Scan on a specific file is. Even with Real Time Protection turned on you should still do a Virus Scan on any file you download. Better safe than sorry. Have been using this policy for as long as there has been such a thing as an Internet and have never been infected, not even once.


Humor is the second most subjective thing on the planet

Brevity is the soul of wit and vulgarity is wit's downfall

Good Night and Good Luck - Read You Soon

    Original Poster
    Posted:

    7 minutes ago, MstrFox1982 said:

    Will be getting a clean full version of NAM soon? if so, when? thanks

    https://www.sc4evermore.com/index.php/downloads/download/6-network-addon-mod-NAM/2-network-addon-mod


    Federal Republic of SiculiaFederal Republic of Sonora

       Ain Member  Wiki

    NAM Team - Co-developer of Pedestrian Revolution Mod - Railway Department (Hybrid Railway | HRW Expert) - MTA Member - BAT Creator

    Ulisse Wolf YouTube Channel - Ulisse Wolf Mastodon Profile

    Posted:

    So I've been affected by this trojan directly, but I have not heard any news for several weeks, are there any updates with the malware analysis? Is it the same one from Cities Skylines or not, or does it take more than just crypto, because I'd rather find out my identity is at risk now than in 3 years.

    Posted:

    1 hour ago, ZynYoka said:

    So I've been affected by this trojan directly, but I have not heard any news for several weeks, are there any updates with the malware analysis? Is it the same one from Cities Skylines or not, or does it take more than just crypto, because I'd rather find out my identity is at risk now than in 3 years.

    Nope, I tried to inform Eric Parker, a cybersecurity youtuber, about this. And nope, he doesn't reply to my email despite being detailed. I haven't got to his Discord, but I'm afraid there won't be any answers.

    Suffice to say, there's no further info about this thing. @Kurzov22 hasn't given any new info.

    Posted:

    I have no further updates to give either - I am not knowledgeable when it comes to deep investigation of this sort of thing, sorry.

    • Like 1

    Posted:

    Well stuff happened while I was gone…

    On 11/27/2024 at 1:17 AM, Ulisse Wolf said:

    The mode of attack is very similar to the security incident that occurred in Cities Skylines 2 and so we are thinking that the affected users may be those who have cryptocurrency but we cannot confirm this until fully investigated.

    WTF? Cities Skylines 2 is not really a mainline game but it did get some buzz so I can kind of see why you might want to attack that community.  But the SC4 cryptocurrency community? Does that even exist?! That makes no sense.

    Does anyone still have the modified .bat? I am really curious about what line was dropped in there. I assume it's one or a few lines so maybe someone can DM me a quote of that code? Thanks in advance.

    Also, while I am still here, and this wouldn't have fixed anything, I do want to ask the NAM team, why do you still use .bat? It doesn't really matter for this use case but .cmd is technically newer, faster and more advanced than .bat. From my understanding the only reason you want to use .bat over .cmd is for non-NT based Windows systems and I don't think anyone here is using Windows ME or older (can you even use NAM on 9X based Windows systems? I don't think so…).

    Also a PowerShell script would be nice but I can see how you might not want that due to support issues with execution policies. However, I am willing to possibly write one if you guys want one, it looks simple enough.


    Known as LeonardMT everywhere else

    Posted:

    24 minutes ago, Leo -- said:

    I do want to ask the NAM team, why do you still use .bat?

    I might be able to give a wee bit of insight into this.

    @Tarkus created the original .bat which did a basic automation for the 4 GB patch application. Then I wrote a bunch more steps which added verifications. It's .bat since that's how it started and my weird background is I learned DOS programming long after it was already out of style.

    (Btw, I'm not a NAM team member, but I have contributed a tiny bit to the project.)

    So the main purpose of the file was to install the 4 GB patch and then check that it was actually applied. If there's a better way to accomplish that, I imagine it would be well received.

    • Like 2

    Chance favors the prepared mind. ― Louis Pasteur  
    Remember, a few hours of trial and error can save you several minutes of looking at the README. -- I Am Devloper (on Twitter)

    Clickable ---> The Best of Cori's Posts  (scroll down a wee bit there)    Something fun: MySimtropolis - Invitation to become a SimCity 4 MySim

    Are you new here? Check out the Introduction and Guide to Simtropolis.
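
The check described in the post above, that the 4 GB patch "was actually applied", can also be made by reading the executable's header directly instead of running a bundled script: the patch works by setting the large-address-aware bit in the PE file header. This is an added example, not the NAM project's .bat or anyone's code from this thread; the function names and the sample header are constructed for illustration, and how the NAM script itself performs its verification is not shown on this page.

```python
"""Check whether a Windows executable carries the large-address-aware flag."""
import struct
import sys

IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020  # bit in the COFF Characteristics field
E_LFANEW_OFFSET = 0x3C                   # DOS header field: offset of "PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"             # Machine ... Characteristics (20 bytes)


class NotPEError(ValueError):
    """Raised when the data is not a well-formed PE image header."""


def coff_characteristics(data: bytes) -> int:
    """Return the COFF Characteristics field of a PE image."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        raise NotPEError("missing MZ header")
    (pe_offset,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    coff_start = pe_offset + 4
    if data[pe_offset:coff_start] != b"PE\0\0":
        raise NotPEError("missing PE signature")
    if len(data) < coff_start + struct.calcsize(COFF_HEADER_FMT):
        raise NotPEError("truncated COFF header")
    # Characteristics is the last of the seven COFF header fields.
    return struct.unpack_from(COFF_HEADER_FMT, data, coff_start)[-1]


def is_large_address_aware(data: bytes) -> bool:
    """True if the image is marked as able to use addresses above 2 GB."""
    return bool(coff_characteristics(data) & IMAGE_FILE_LARGE_ADDRESS_AWARE)


def make_sample_header(characteristics: int) -> bytes:
    """Constructed sample input: the smallest header this parser accepts."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    coff = struct.pack(COFF_HEADER_FMT, 0x014C, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Usage: python check_laa.py <path to the game executable>
    with open(sys.argv[1], "rb") as fh:
        header = fh.read(4096)  # the PE header sits near the start of the file
    print("large address aware:", is_large_address_aware(header))
```

The script only reads the file, so it can be run on an executable before and after patching to confirm the flag changed.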

    Posted:

    49 minutes ago, CorinaMarie said:

    So the main purpose of the file was to install the 4 GB patch and then check that it was actually applied. If there's a better way to accomplish that, I imagine it would be well received.

    Well, I am not too familiar with scripting as a whole but just renaming the file extension from .bat to .cmd would make things a picosecond faster. The main difference between .bat and .cmd is that .cmd has better error handling. You can read more about that here. I don't think renaming the .bat to .cmd will break anything.

    Even though I am not too familiar with scripting as a whole, rewriting the script in PowerShell would be a good exercise for me *:)

    Also it's good to see you back on forums *:lol:
      

    • Like 1

    Known as LeonardMT everywhere else

    Posted:

    So I am getting in contact with locknessko, who helped investigate the malware that hit CS2 a bit before we got hit. Who can I put him in contact with here to help out?

    • Like 1

    Posted:

    How do you check what version is currently installed? I tend to delete setup files and folders, so I'm not sure what version I'm currently using.

    I'm fairly sure it's version 47 (which I presume is safe?) but I want to be certain.

    Posted:

     @spacemancraig If you do have your Network Addon Mod installation in place, you'll go to the end of the Highways Menu. Go to the NAM icon that appears there, hover with your cursor to make the LTEXT / tooltip bubble appear. There it says which version and core parameters you chose. If you have NAM 47 or earlier, we encourage you to get NAM 48 and add some of the latest goodies, very worthwhile!     :yes:

    • Thanks 1
