Are Obfuscated VisuStella Plugins Malware?

VisuStella plugins are the most popular examples of obfuscated plugins.

Using obfuscated plugins puts game developers at risk, according to a member of the official RPG Maker forums.

In a thread discussing the encrypted VisuStella plugins, Faherya wrote a post pointing out a big problem with them:

1) If you don’t know what’s there, your data and your machine are at risk.
2) If you ignored the first point, you are exposing the machines of the people to whom you plan to distribute the project. And if there is a problem, the responsibility is yours. From virus infections or data leaks, it will be left to you judicially.
3) It is not feasible to carry out tests to find out if the script is doing what it says to do in the best way. Closed source cannot be audited and, consequently, optimized.

The above was posted on August 22, 2020. Unfortunately, further discussion wasn’t allowed. RPG Maker Web staff member and VisuStella team member Archeia closed the thread without giving anyone the chance to address the concerns raised by Faherya.

Obfuscated plugins hide their source code, which means that game developers using them don’t know exactly what the code does. It could be doing anything, from opening up the doors for more elaborate malware, to mining cryptocurrencies in the background, gathering usage statistics or even searching the computer for personal files or data to send to some server somewhere.

To be fair, the obfuscated plugins aren’t likely to be doing any of that, but if they do, and the players of games that use those plugins find out, they are going to blame whoever made the game, not the authors of plugins used in the game.

Even if the plugin authors themselves don’t put malware into their obfuscated plugins, someone could add obfuscated malicious code to one of these plugins and distribute the edited, evil version — and no one would know, because it’s all obfuscated.
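One way to catch a swapped-in copy, as an added example that is not part of the original article: record a SHA-256 digest of every plugin file when it is downloaded from the plugin author's own site, then re-check the folder before each build. The function names, the sample file names and the temporary folder are assumptions made for the illustration.

```javascript
// Added example: pin SHA-256 digests of plugin files and flag any that change later.
const crypto = require("crypto");
const fs = require("fs");
const os = require("os");
const path = require("path");

function sha256File(file) {
  return crypto.createHash("sha256").update(fs.readFileSync(file)).digest("hex");
}

// Build {fileName: digest} for every .js file in pluginDir.
function buildManifest(pluginDir) {
  const manifest = {};
  for (const name of fs.readdirSync(pluginDir).sort()) {
    if (name.endsWith(".js")) manifest[name] = sha256File(path.join(pluginDir, name));
  }
  return manifest;
}

// Compare the folder as it is now with the pinned manifest.
function auditPlugins(pluginDir, pinned) {
  const current = buildManifest(pluginDir);
  const report = { modified: [], unpinned: [], missing: [] };
  for (const [name, digest] of Object.entries(current)) {
    if (!(name in pinned)) report.unpinned.push(name);        // file nobody vetted
    else if (pinned[name] !== digest) report.modified.push(name); // content changed
  }
  for (const name of Object.keys(pinned)) {
    if (!(name in current)) report.missing.push(name);
  }
  return report;
}

// Constructed demo: stand-in "obfuscated" files in a temporary folder.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "plugins-"));
  fs.writeFileSync(path.join(dir, "Core.js"), "var _0x1a=['a'];/* constructed */");
  fs.writeFileSync(path.join(dir, "Battle.js"), "var _0x2b=['b'];/* constructed */");
  const pinned = buildManifest(dir); // taken right after the trusted download
  // Later: one file is replaced by an edited copy and an extra file appears.
  fs.appendFileSync(path.join(dir, "Battle.js"), ";(function(){})();");
  fs.writeFileSync(path.join(dir, "Extra.js"), "var _0x3c=[];");
  const report = auditPlugins(dir, pinned);
  fs.rmSync(dir, { recursive: true, force: true });
  return report;
}

console.log(demo());
```

A clean report only shows that the files are byte-for-byte the ones that were pinned; it says nothing about what the pinned code itself does.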

If any problem arises, players are going to blame the author of the game.

Do you think the risk is worth it?


14 Comments

Esthersaurus

Bullshit article.

If things have malware, it being obfuscated or open source doesn’t matter. Your malware detector would be ringing bells the moment it enters the computer.

And cryptomining? Really? FFS Cryptomining requires hours upon hours of a computer being on. Getting people to play RPG Maker games is a challenge by itself. Having them play a session over an hour is an even bigger challenge. Cumulative hours spent doesn’t matter here because that’s not how block chains work.

Want proof that Visustella isn’t putting trojans or stealing data? Download their plugins, put them into your game, test play and press F12 to open up the node js debugger. Go to the network tab and see if anything is even connecting online. If there is, it would be constantly active.

This post is just made by another butthurt user.

Agreed, it’s a huge stretch to call obfuscated code Malware and is very easily debunked using the network tab in the console.
It is articles like these that make VS seem like a bad group of people when they’re just not, yes they obfuscate their code but that is by no means an evil action, and they’ve mentioned multiple times it’s to prevent theft, many people have understood this since day 1.

Malware detectors don’t detect all malware, which is one of the reasons why new malware is developed.

People found malicious code in Github repositories, and even the NPM package manager was used by malicious actors to spread malware to NodeJS developers.

Obfuscated plugins can also be used in the same way. No one claimed VisuStella is doing that, but denying that obfuscated plugins could be successfully used to spread malicious code is just denying reality.

Then there’s the problem of third party actors adding obfuscated malware to obfuscated plugins and spreading the malicious version.

These things do happen in the world outside RPG Maker, and obfuscated plugins are a great way for it to happen in the RPG Maker world too.

Malicious npm package opens backdoors on programmers’ computers

The above proves that malicious code (JavaScript in this case) can indeed be distributed undetected by malware detection software. Note that it was a security researcher from Sonatype who discovered and analysed the package, and not automatic detection software.

The npm docs even have a section on reporting malware people find in packages.

Here’s another source for you to read: Malicious NPM packages target Amazon, Slack with new dependency attacks

As for Github, here’s one: Github uncovers malicious ‘Octopus Scanner’ targeting developers

These are just a few real world examples of malicious code not being detected by anti-malware software.

When you close a conversation… it will still happen, just somewhere else.
I see this article as simply reopening the conversation. And thank you for that.

I will not speak on the technicality of malware. (I am not knowledgeable.) Only that… my browser warns me quite often when I download plugins. That it can potentially be harmful to my computer. (And I’ve downloaded thousands.)

If obfuscation becomes a trend, and there is risk of malware, then perhaps users need to be conscious where they are downloading their plugins from. And often peek at their network tab in console, while initially testing them.

Fishtail

Yeah, and mine warns me every time I download an RPG Maker game. Doesn’t mean it’s right, just that there’s always a possibility of danger when downloading certain extension types.

I think I’ll trust a tried and true group like Visustella over random people who seem to think that they have any knowledge on the subject when they obviously don’t.

TheBananaJob

You make a good point about someone adding to code, which is why getting it from the source, which has a history in the community and has built trust over a decade of providing quality content for people to use, is always best.

Fearmongering is above you, my dude. Seriously. You’d have a point if you were talking about random Joe who released a plugin from who knows where, but with an established group who have a name and reputation, it’s a dumb point to make. It’d be non-beneficial to them to ruin their name in the community over something that all naysayers who poke through their code like the vultures they are (and don’t pretend that there aren’t people who have found ways to unobfuscate the code illegally, looking to ‘borrow’) would have found easily enough.

Rumour and lies aren’t a pretty look for you and your friends, buddy.

What rumors and what lies? What fear mongering? The article raises awareness about a security threat posed by obfuscated code.

No. What your article points out is targeting a single plugin maker based off a very broad and limited understanding on how malware works throwing unfounded accusations and providing zero proof to back them up. If you want your article to be a serious article then try doing it based on the actual problem and not just targeting a single creator.

On top of that, you said she closed it without giving anyone a chance to address it? She clearly stated the reason as to why it was closed and then linked the reason as to why it was closed. Once again, please read the entire post before throwing accusations. Next time, just make your article based on malware in obfuscation and don’t target someone who is clearly not doing it and is clearly just doing their job as a moderator of the website.

If you’re messing with plugins then you should know how to read JavaScript. If it’s obfuscated and you feel uneasy about it, then simply don’t buy it. But anti-malware has false positives all the time, same with a browser. Every user that still stands by that and doesn’t understand what a false positive is by now is just ignorant. And the fact you’re messing with plugins without knowing what you’re doing makes you doubly ignorant.

As a disclaimer, although I was a member of the team of devs hired to port some of the YEP library to VS, I’m not employed by VisuStella and am not an official employee thereof.

…this is not the smoking gun you seem to think it is, and the flimsiness of the argument becomes apparent once you simplify it and extrapolate to other situations. Take someone who doesn’t know a word of JavaScript: if they download a plugin that contains malware, and their firewall/virus scan picks up something malicious, they’re not going to have any more of a clue where it came from than someone using a hypothetically-infected obfuscated plugin. Obfuscation is not in any way connected to ability for a virus scanner to pick up malware, and to imply that it is is to take advantage of those who don’t realise this and take a problem that can exist in anything regardless of obfuscation and lay it at obfuscation’s door as a way of saying it’s a bad thing.

Who said anything about a smoking gun?

The article raises awareness about a real threat posed by obfuscated code. Malware detection software can’t detect all malware, and obfuscated code makes it much harder for people to detect it.

Do you disagree with the statement “malware detection can’t detect all malware”? Do you disagree with the statement “obfuscated code makes it much harder for people to detect malware”?

Obfuscated code slows down a game’s performance, anyone who is not stupid will use MV instead

Fishtail

No, it doesn’t. If you’re finding game performance issues it’s probably because you’ve added a lot of bad implementation of plugins, not the plugins themselves. Please stop spreading lies.

VaroClaw

I’m sorry, but if you want to be taken seriously, PLEASE write an article that talks about malware in obfuscation and not malware in obfuscation on a specific plug-in developer.

We have known these devs for more than 10 years, we have downloaded their plug-ins time and time again and NO ONE (and I can bet on it) NO ONE has ever had a problem.

I don’t know what your beef with VS is and I don’t really care. They develop for the community mostly, and mostly, the community supports them 100%.

So, a quick answer to Are Obfuscated VisuStella Plugins Malware?: Fucking no.
