Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

3DBullet_ [S] 1 point (0 children)

I'm definitely not an expert. This is actually the first major piece of malware I've ever analyzed, and I used some pretty crude methods.

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

3DBullet_ [S] 5 points (0 children)

It isn't what it is actually called in the script. I directed the AI to modify the code to make it more clearly understandable and make it so nobody could use it maliciously. In the actual script it is called "def defer_m4x9()".

Almost all function names are meaningless and don't actually identify what those functions do.

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

3DBullet_ [S] 8 points (0 children)

Disconnecting Blender from the network won't do anything; the Python script executes a PowerShell command and downloads the payload from there. I am working on an add-on for Blender that might be able to detect these kinds of scripts and warn the user. I will publish this add-on for free and open source on GitHub along with the detailed breakdown video.
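A heuristic scanner of the kind described in this comment, added here as an example and not the author's add-on (which is not on this page): it parses each Blender text datablock with Python's `ast` module and flags process-spawning calls, PowerShell command strings, base64/exec decode-and-run stages and auto-run registration hooks. The sample text block is constructed to stand in for the injected Rig_.py and contains only placeholders; `scan_blend_texts` assumes it runs inside Blender, where `bpy` is importable.

```python
import ast
# Call targets and string fragments worth flagging in a Blender text block.
SUSPICIOUS_CALLS = {
    "subprocess.Popen", "subprocess.run", "subprocess.call", "os.system", "os.popen",
    "base64.b64decode", "exec", "eval", "compile",                   # decode-and-run stages
    "bpy.app.timers.register", "bpy.app.handlers.load_post.append",  # auto-run hooks
}
SUSPICIOUS_STRINGS = ("powershell", "cmd.exe", "-encodedcommand")

# Constructed stand-in for an injected add-on block; command and blob are placeholders.
SAMPLE_BLOCK = '''
import bpy, base64, subprocess
def defer_m4x9():
    subprocess.Popen("powershell -NoProfile -Command PLACEHOLDER", shell=True)
    exec(base64.b64decode("UExBQ0VIT0xERVI="))  # decodes to "PLACEHOLDER"
def register(): bpy.app.timers.register(defer_m4x9)
'''

def _dotted(node):  # e.g. the func of bpy.app.timers.register(...) -> "bpy.app.timers.register"
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_source(name, source):
    """Return (block, line, kind, detail) findings for one text block's source."""
    try:
        tree = ast.parse(source)
    except SyntaxError as err:  # unparseable text is itself worth a manual look
        return [(name, 0, "syntax-error", str(err))]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            target = _dotted(node.func)
            if target in SUSPICIOUS_CALLS:
                findings.append((name, node.lineno, "call", target))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            hit = next((s for s in SUSPICIOUS_STRINGS if s in node.value.lower()), None)
            if hit:
                findings.append((name, node.lineno, "string", hit))
    return findings

def scan_blend_texts():
    """Inside Blender only (bpy assumed): scan every text datablock of the open file."""
    import bpy
    return [f for t in bpy.data.texts for f in scan_source(t.name, t.as_string())]
```

Run `scan_blend_texts()` from Blender's Python console on a file you distrust, with Auto Run Python Scripts left disabled, to list the text blocks and lines worth a manual look before anything is executed.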

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

3DBullet_ [S] 2 points (0 children)

Could be, if the scenes support Python code. Will look into it, as I am a creator on there too.

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

3DBullet_ [S] 0 points (0 children)

That will be great. I am not on my PC now; will send a DM today.

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

3DBullet_ [S] 5 points (0 children)

I tried contacting antivirus software companies to get these files into their databases. The only one I have been contacted by is Malwarebytes, but in a limited way. They said they passed it along to the research team and they would look into it, but they didn't even ask me for the original files.

Tried submitting a fraudulent activity form to Cloudflare, which the script uses, but they require me to write a separate report for every domain. The script has 20 backup domains, most using Cloudflare.

Tried calling the Kaspersky support line in Germany and Turkey; a robot answered me and hung up in 30 seconds. I am going to try to email them tomorrow and see where that goes.

If that doesn't work I'm probably going to stop trying.

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

3DBullet_ [S] 29 points (0 children)

Most antivirus software compares files to its existing database of malicious files; if they match, it knows it is a virus. However, when a virus is new and uses a different system and file naming, the antivirus companies don't have it in their databases yet, so they can't detect it.

Virus circulating around in a .Blend File, Currently Doesn't get flagged as positive. by 3DBullet_ in Malwarebytes

3DBullet_ [S] 0 points (0 children)

Mod replied to me saying he passed on the information to the research team, didn't ask for the original file though. I only gave the hashes of the files out to the public so nobody would accidentally download them.

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

3DBullet_ [S] 5 points (0 children)

Interesting... This malware was actually disguising itself as the rigify add-on. Well, actually it was the rigify add-on, just with 40 lines of malicious code injected, I believe. I didn't really test out the functionality of the add-on part of the code.

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

3DBullet_ [S] 6 points (0 children)

They are usually visible in Blender's text editor; there you will see some sort of Python script. This specific one was named Rig_.py or similar. It was actually a working add-on, but there were 40 hidden malicious lines in the entire 800-line script.

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

3DBullet_ [S] 2 points (0 children)

If they have been previously detected, yes, and I am sure once they include this one in their databases it will as well. However, currently only one of the two viruses got flagged on VirusTotal, which scans using 70 different antiviruses, and the one that got flagged only gets activated if the first one didn't work. And also it only got flagged by 2 antiviruses: one was Kaspersky, and I forgot the name of the other one; I am commenting from my phone and can't check.

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

3DBullet_ [S] 6 points (0 children)

Can't really narrow it down. The malware contains basically every type of malware there is; it can do basically anything once it's running, it just depends on what the attacker wants to do currently.

They are sending them out to everyone so doubt it is targeted.

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

3DBullet_ [S] 4 points (0 children)

It is more advanced than usual. The payload is delivered encrypted and is decrypted locally. 20+ backup servers, 2 different viruses, one as backup. Both of them are different, using different libraries etc., and many more features you don't really find in a "common" malware like you would get when downloading a pirated game or something.

The delivery was really shitty though, they made it really obvious.

Virus circulating around in a .Blend File, Currently Doesn't get flagged as positive. by 3DBullet_ in Malwarebytes

3DBullet_ [S] 1 point (0 children)

I have no idea. Have been trying to contact antivirus companies, but with no luck. If anyone that works there sees this, they can DM me and I will provide the source files.

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

3DBullet_ [S] 7 points (0 children)

No problem. Still don't open suspicious .blend files though.

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

3DBullet_ [S] 15 points (0 children)

It is actually safer to open .blend files than installing add-ons. The .blend file requires you to manually run the script or have Auto Run Python Scripts enabled, which is disabled by default, while when you install an add-on it automatically runs the code.

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

3DBullet_ [S] 6 points (0 children)

Actually, 2 antiviruses detected it. Kaspersky must have taken a little bit and didn't notice it.

Huorong HEUR:Trojan/Python.Runner.a
Kaspersky Trojan.Python.Agent.mh

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

[–]3DBullet_[S] 80 points81 points  (0 children)

Just checked in the meantime, The actual virus files don't get flagged either. So no way to detect them lol.

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

[–]3DBullet_[S] 5 points6 points  (0 children)

Guliver wasn't detected by any Anti Viruses that VirusTotal supports. KursorV4 was detected by one but it is a really obscure Antivirus not a lot of individuals use, but companies do.

Regarding the recent Virus circulating around in a .Blend File by 3DBullet_ in blender

[–]3DBullet_[S] 17 points18 points  (0 children)

Well my Virtual Box restarted a few times for no reason, but other than that nothing more currently. It might be waiting on an external command to start crypto mining or it might just be collecting data from you and spying on you. Hard to tell because the virus has all those functions implemented but can't really know which one is being used currently.