Garry’s Mod LUA Malware

A new piece of malware targeting Garry's Mod servers and clients has been identified within the last 3 hours (around 1:00AM GMT, 19th April 2014). The malware runs as a Lua script that downloads files to clients and uploads the script to the server, which lets it spread to further clients.


The purpose of the malware is not completely known at this stage. However, it has been identified to steal the server's RCon password if it is stored in the server's config file, and to spam messages through Steam to your friends list when you join an infected server. An update to patch this should be made available tomorrow in an update to the game. There could be other underlying functions of this malware that have not been identified as of yet. I will keep this post updated as more news becomes available. You can find the post on the FacePunch forums here: http://facepunch.com/showthread.php?t=1386818

Garry’s Mod Clients:

You can check whether you are infected by looking in your Garry's Mod installation for the following files. They will be located in your SteamApps folder under Common\Garrys Mod (please note that some of these files may be hidden, so enable showing hidden files in Explorer before checking):

garrysmod/engine_win32.dll
garrysmod/download/engine_win32.dll
garrysmod/bin/game_shader_generic_engine.dll
garrysmod/materials/cooltexture.vtf

These files can be deleted safely. So far it has been confirmed that game_shader_generic_engine.dll and cooltexture.vtf are the main infection vector, but the other two are files that should not be present in a standard Garry's Mod install either.

Please be aware that joining an infected server will cause you to become infected again.

For Server Owners:

Your server config should have the following variables set:

sv_allowdownload 0 // Stop clients downloading files directly from the server; FastDL (sv_downloadurl) will still be functional
sv_allowupload 0 // Stop clients uploading files directly to the server

rcon_password "" // Alternatively, move your RCon password out of the config file and define it in your server's startup command line (+rcon_password ...)

The following files will be present on an infected server (Please note that some of these files may be hidden):

garrysmod/engine_win32.dll
garrysmod/download/engine_win32.dll
garrysmod/lua/autorun/server/default.lua
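The client and server file lists above, together with the server config settings, can be checked mechanically. The following is an added example (not code from the original post or from Garry's Mod) that scans an install root for the indicator files listed above and parses a server.cfg for the three ConVars. It assumes the install root is the folder that contains the garrysmod directory, that the config lives at garrysmod/cfg/server.cfg (the engine's default location), and it builds a constructed, clearly fake "infected" install in a temporary directory for demonstration; nothing it writes is the real malware.

```python
"""Audit a Garry's Mod install for the April 2014 Lua malware indicators.

Added example for this post, not the project's own code. Paths come from the
post; the server.cfg location and the demo install are assumptions.
"""
import os
import re
import tempfile

# Indicator paths from the post, relative to the install root
# (SteamApps/common/GarrysMod). os.path.exists finds hidden files too.
CLIENT_IOC_FILES = (
    "garrysmod/engine_win32.dll",
    "garrysmod/download/engine_win32.dll",
    "garrysmod/bin/game_shader_generic_engine.dll",
    "garrysmod/materials/cooltexture.vtf",
)
SERVER_IOC_FILES = (
    "garrysmod/engine_win32.dll",
    "garrysmod/download/engine_win32.dll",
    "garrysmod/lua/autorun/server/default.lua",
)

# ConVar values the post tells server owners to set.
REQUIRED_CVARS = {"sv_allowdownload": "0", "sv_allowupload": "0"}

# One cfg line: convar name, then an optional quoted or bare value.
_CVAR_LINE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(?:"([^"]*)"|(\S+))?')


def _strip_comment(line):
    """Drop a // comment, but not a // inside quotes (e.g. sv_downloadurl)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "/" and not in_quote and line.startswith("//", i):
            return line[:i]
    return line


def parse_server_cfg(text):
    """Return {convar_name: value} for a Source-engine style cfg file."""
    cvars = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        m = _CVAR_LINE.match(line)
        if not m:
            continue
        value = m.group(2) if m.group(2) is not None else (m.group(3) or "")
        cvars[m.group(1).lower()] = value
    return cvars


def audit_server_cfg(text):
    """Return human-readable findings for the settings the post recommends."""
    cvars = parse_server_cfg(text)
    findings = []
    for name, wanted in REQUIRED_CVARS.items():
        actual = cvars.get(name)
        if actual is None:
            findings.append(f"{name} not set; set it explicitly to {wanted}")
        elif actual != wanted:
            findings.append(f"{name} is {actual!r}, should be {wanted}")
    if cvars.get("rcon_password"):  # non-empty password stored in the file
        findings.append("rcon_password is stored in the cfg; clear it and pass "
                        "+rcon_password on the startup command line instead")
    return findings


def find_indicator_files(install_root, indicator_paths):
    """Return the indicator paths that exist under install_root."""
    return [p for p in indicator_paths
            if os.path.exists(os.path.join(install_root, *p.split("/")))]


def audit_install(install_root, server=False):
    """Check IOC files and, for servers, garrysmod/cfg/server.cfg (assumed path)."""
    indicators = SERVER_IOC_FILES if server else CLIENT_IOC_FILES
    report = {"files": find_indicator_files(install_root, indicators), "cfg": []}
    cfg_path = os.path.join(install_root, "garrysmod", "cfg", "server.cfg")
    if server and os.path.exists(cfg_path):
        with open(cfg_path, encoding="utf-8", errors="replace") as fh:
            report["cfg"] = audit_server_cfg(fh.read())
    return report


# Constructed sample config with the weak settings; not from any real server.
CONSTRUCTED_SERVER_CFG = '''\
hostname "Example Server"   // constructed sample, not a real server
sv_downloadurl "http://fastdl.example.invalid/gmod/"
sv_allowdownload 1
rcon_password "hunter2"
// sv_allowupload is deliberately missing
'''


def build_constructed_install(root):
    """Lay down a fake 'infected' server install (placeholder files only)."""
    for rel in ("garrysmod/lua/autorun/server/default.lua",
                "garrysmod/download/engine_win32.dll"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("-- placeholder for the demo, not the real file\n")
    cfg = os.path.join(root, "garrysmod", "cfg", "server.cfg")
    os.makedirs(os.path.dirname(cfg), exist_ok=True)
    with open(cfg, "w") as fh:
        fh.write(CONSTRUCTED_SERVER_CFG)
    return root


def run_demo():
    """Audit the constructed install in a temp dir and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_install(build_constructed_install(tmp), server=True)


if __name__ == "__main__":
    result = run_demo()
    for f in result["files"]:
        print("indicator file present:", f)
    for f in result["cfg"]:
        print("config issue:", f)
```

To audit a real server, call audit_install with the actual install root and server=True (or server=False on a client); the comment stripper deliberately leaves a // inside quotes alone so that an sv_downloadurl value is not truncated.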


Update as of 5:30AM 19th April 2014 GMT

It has now been identified that servers with !!! (three exclamation marks) in the server name / title are likely to be infected with the malware and should be avoided. This is yet to be confirmed officially, but so far it is the general consensus.

Also, deleting the files listed above may not be a complete fix at this stage. If you have been infected, be aware that you may still be infected after following those steps.

Update as of 6:21AM 19th April 2014 GMT

Garry has confirmed that he is aware of the issue and that a fix is in production which should be available within a few hours.

It currently does not appear to be destructive in nature: it spams Steam and server chats while attempting to play music and render an image on the client's screen. The attack also does not appear to affect Linux or Mac servers, or servers without the RCon password in the config file.

Update 7:00AM 19th April 2014 GMT

An update has now been pushed out to Garry’s Mod to fix the issue. Steam should automatically download this now.

Official post available now at:
http://www.garrysmod.com/2014/04/19/exploit-fix-released/