
NMM bug fix release and download hacking problems fixed


Dark0ne


Every minute the Nexus keeps serving files is potentially another downloader who gets their computer boned. The ethical thing to do is to shut down all downloading right this instant until the security hole is fixed. Of course this will drive some people to the Steam Workshop, but it is not the downloader's problem that the Nexus has gotten pwned and the downloader should not suffer because the Nexus doesn't want to lose traffic. Who knows, WOT et al may blacklist the Nexus altogether if enough reports come in.


I'm typing this on my work laptop. I read about the infection after I logged in. I hope I haven't been had already. Because if the Nexus lets its downloads get compromised that easily, how about their banners? The Workshop may not care about copyrights but at least they don't serve viruses.


  • Replies 336

@Dark0ne: thank you for your post and the efforts to get the virus destroyed, HOWEVER you should maybe change the title of your post "download hacking problems fixed" ASAP, as the problem is still in existence. People may not read the comments section and have their system infected otherwise. And yes, I know it's night at your place, and that's why I mean as soon as possible.

Edited by berlinsmiles

In response to post #7640888.

Contrary to popular belief we do actually sleep, just like the rest of you.

Now we're awake and aware of the facts the San Jose server (the only compromised server) is offline while we fully explore how access is being gained to the server despite fully locking it down from the original attack vector. Obviously, now, we know s/he's left a backdoor to gain access again, which we couldn't find yesterday.

In response to post #7640461. #7640524, #7640600, #7640904 are all replies on the same post.

This is something similar to what was happening to me with Mediafire over Christmas: if I tried a 3rd d/l within 10 minutes I'd be redirected to another webpage which didn't look like it belonged to Mediafire, but wanting the d/l I did eventually click the link, and I had my computer locked by the same type of virus as Dark0ne describes. I believe this type of virus is called ransomware; google it for plenty of information.

I spent a very long time with my AV company discussing the virus and they've said there is very little they can do about them unless they've come across a similar piece of code before that will flag suspicion. They are all playing a constant catch-up game with the criminals. This type of malware exploits Java and Flash, which are well known to be extremely vulnerable to attack; always keep them up to date. Make sure your Java settings do not allow any temp files to be stored. I'd suggest you clean your computer with a deep-clean AV; make sure it checks all files, rootkit and hidden. Clean out all your temp files before running the scan and delete all internet history and cookies. If it still does this redirection, get the AV company/professional to remotely clean your PC.

In my case both my laptop and desktop were clean, but the problem persisted, and Mediafire found nothing after sweeping their servers. I learnt to be more careful than I thought I was; at least I was savvy enough to know it was a virus in the first place and not pay the ransom. I won't be clicking links like that at 2am under the influence of alcohol again.

Good luck.

I got Nexus_Downloader.exe right now while downloading one of my mods, from Salt Lake 2; I tried selecting the same server again but it started a normal download. I shut down ClamAV just to see what that thing does: when run, it sends you to some FBI page saying you need to pay $300 to get your computer unlocked. It is designed to keep opening the FBI page each time you close the browser, adds itself to auto-start programs, and you can't access any other web page except the FBI one.

However, since I ran it through Wine on an account that isn't root, it couldn't function right due to not having root privileges, so it didn't make any changes whatsoever to my PC. And when I got directed to the FBI page, Linux closed all external ports and blocked the page scripts from being executed, which means it tried to establish a connection to my PC.


Anyway, started ClamAV, removed it, scanned the registry, everything is intact. If any Windows user has executed it, the only cure would be running Malwarebytes and scanning the PC, if you're able to get Malwarebytes.


And the bogus FBI page looks nice, I might use it as my desktop background :)

