Staff account compromise. What's happened and an apology.
Today we were alerted to a malicious change to SkyUI, one of the most popular files on the Nexus network, at around about 12.30pm GMT. Within 20 minutes the file was removed and we got to work investigating how the file was added and who removed the original SkyUI file and replaced it with a malicious executable (thank you to those people who reported the file and were clever enough not to install it!).
Following on from that we noticed some strange actions coming from one of the staff member accounts here and, while I have not been able to get in contact with the staff member yet, we can conclude that the staff member's account has been compromised and this was how the "hacker" was able to remove files and upload new ones in their place. As part of their job the moderation team need to be able to access and edit the file pages on the site. If an unsavoury miscreant gains access to one of those accounts they can, potentially, do quite a bit of damage. Unfortunately that was the case today.
We were able to quickly identify and remove access to the account, however, a few more files were changed by the "hacker" before we could trace things. These files, on top of SkyUI for Skyrim, were:
ApacheiSkyHair for Skyrim
Fallout 3 Redesigned - Formerly Project Beauty for Fallout 3
Project Nevada for Fallout New Vegas
Oblivion Character Overhaul version 2 for Oblivion
It's clear the "hacker" was going for some of the most popular files for each of the main games the Nexus supports to gain maximum exposure.
It's important to note that staff members do not have access to any personal details (they can't even see your email address) including any Premium Member details and we do not store any credit card information so that's not an issue at all. This was not a traditional "hacking". Our servers themselves weren't compromised (indeed, we think we've got things locked up pretty damn tight right now to the point where you need to be on a specific IP address before you can even gain access to the server terminals and think about user accounts and passwords). Unfortunately the computer of one of the staff members was compromised and this is the result.
Things have been tidied up and the threat has been removed. If you downloaded one of the compromised files listed above and ran it between the hours of 12pm and 2.30pm today then please run a full virus sweep of your system. If you did not download any of those files in that time then this breach will not have affected you. We've contacted each of the owners of the files listed above. For them, unfortunately, because their main files were removed they will need to be reuploaded and the stats will have been reset for those specific files. It's important to note that deleting an uploaded file does not reset or clear the main file's stats. It's just unfortunate that the stats for those specifically uploaded files will be lost. I'll have a word with the main database admin to see if we can't get the majority of stats for those files restored, with a bit of loss due to having to roll-back a day or two. If you're the owner of one of those files please send me a PM so we can look into that with you.
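The post says the attacker swapped data-only mod files for a malicious executable and that the only recourse for people who ran it is a virus sweep. A cheaper check happens before anything is run: inspect the downloaded archive for runnable members and compare its hash against one the mod author published. The script below is an added example written for this post; it is not Nexus Mods code and not part of any mod manager. It assumes the download is a zip, that a mod like the ones listed ships data files (.esp, .bsa, .txt and similar) and never a Windows executable, and that a release hash is available out of band; the archives it scans are constructed inline.

```python
"""Defensive pre-install check for a downloaded mod archive.

Added example for the Nexus staff-account compromise post; not Nexus code.
Assumptions (constructed): archives are zips, a data-only mod never ships a
Windows executable, and the author publishes a SHA-256 for each release.
"""
import hashlib
import io
import zipfile
from typing import Dict, List, Optional

# Extensions Windows will execute directly. A mod made of game data files has
# no legitimate reason to contain any of them.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi", ".ps1",
}


def suspicious_entries(zip_bytes: bytes) -> List[str]:
    """Return archive members that look like runnable payloads.

    Flags plain executable extensions and "double extension" names such as
    readme.txt.exe, which rely on Explorer hiding the final extension.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1].lower()   # strip any folder prefix
            parts = base.split(".")
            if len(parts) < 2:                        # directory entry or no extension
                continue
            if "." + parts[-1] in EXECUTABLE_EXTENSIONS:
                reason = "double extension" if len(parts) > 2 else "executable"
                flagged.append(f"{name} ({reason})")
    return flagged


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the whole archive, the value an author would publish."""
    return hashlib.sha256(data).hexdigest()


def check_download(zip_bytes: bytes, expected_sha256: Optional[str] = None) -> Dict[str, object]:
    """Combine the hash comparison and the member scan into one verdict.

    hash_ok is None when no published hash was supplied; a download is only
    considered safe to install when nothing is flagged and the hash did not
    actively mismatch.
    """
    result: Dict[str, object] = {
        "hash": sha256_hex(zip_bytes),
        "hash_ok": None,
        "flagged": suspicious_entries(zip_bytes),
    }
    if expected_sha256 is not None:
        result["hash_ok"] = result["hash"] == expected_sha256.lower()
    result["safe_to_install"] = not result["flagged"] and result["hash_ok"] is not False
    return result


def build_sample_archive(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name -> content mapping (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: what a genuine data-only mod looks like, and what a
# swapped-in payload looks like. Contents are placeholders, not real mod data.
CLEAN_ARCHIVE = build_sample_archive({
    "SkyUI.esp": b"TES4 placeholder plugin",
    "SkyUI.bsa": b"BSA placeholder archive",
    "SkyUI_readme.txt": b"Install with your mod manager.",
})
TAMPERED_ARCHIVE = build_sample_archive({
    "SkyUI.esp": b"TES4 placeholder plugin",
    "SkyUI_Installer.exe": b"MZ placeholder executable",
    "readme.txt.exe": b"MZ placeholder executable",
})

if __name__ == "__main__":
    published = sha256_hex(CLEAN_ARCHIVE)      # stands in for the author's posted hash
    print("clean   :", check_download(CLEAN_ARCHIVE, published))
    print("tampered:", check_download(TAMPERED_ARCHIVE, published))
```

The hash comparison only helps if the expected value comes from somewhere the attacker could not edit with the same stolen moderator account; a hash shown on the file page itself would have been replaced along with the file, so it belongs in the author's own channels or a signed release note.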
I apologise personally for what has happened because, at the end of the day, the buck stops with me. I am highly protective of the staff here who have individually volunteered thousands of hours of their time, some of them for many years, to keep this network of sites clean and tidy. Unfortunately these things happen and I will obviously have a word with all the staff here to remind them all of best internet practices to maintain account security.
On an unrelated note I've had a few reports from German users saying that one of the ads on the rotation is sending them to a fake java updater page. This seems to be localised to only German locations, which makes it tough for me to diagnose, but I have been in contact with the advertising supply chain to try and get to the bottom of this and hopefully the issue will be resolved shortly.
Not just German users, I am also receiving the same redirect from one of the ads to that fake java updater page. I'm a US user and unfortunately I haven't pinpointed the source.
Also, for those who download, please make sure your virus protection is up to date. Obviously people have shown they have little regard for others' property, but that doesn't mean we can't do our part to protect ourselves.
Good luck to Dark0ne and the staff at nexus on trying to keep the site clean and safe.
best of luck,
No reason to use anti-virus/malware whatsoever. It's for people who can't sustain self-control when faced with the chance to download music.mp3.exe.
Any executable you download simply open it up in Ollydbg and you'll know 99% of the time if it's malware or not if it's pulling some shady system calls (keyboard hooks are a dead giveaway).
As for web attack vectors, just disable JavaScript in your browser and keep a whitelist of trusted sites you'll allow it to run on. You should do the same for Silverlight and Flash too (not sure about Shockwave, I don't keep updated with ALL CVEs).
I personally use combofix, SOME malwarebytes (haven't needed it for a while), adblock, noscript, and flash block.
There are some Russian sites that will give you some crazy FBI virus... that was a NIGHTMARE.
Seriously, though. People actually download music.mp3.exe
I also suggest that if it says "download with manager/accelerator" that you uncheck that EVERY TIME. almost ALWAYS a virus.
Plus, if your search engine is something like conduit/gamewrangler (my mother's chromebook's first "virus")/some crazy European site, then combofix is probably a good option. Also, check your control panel for things like "search protect".
other than that, don't download things like playpickle (for surveys, game currency, etc.)
don't click the big green flashing low res download button (that even says ilivid on the bottom in small print!)
Always look for the crappy ye olde internet download button that changes when you put your mouse over it and it's grey with small text.
so many things to do to protect yourself,
and yet, people still depend on anti-virus to keep them out of trouble.
waste of space, ram, bandwidth, and money.
(Note on the FBI one, sometimes all you have to do is take your computer off the IP address and reset it to get rid of that one. Happened to me when downloading a ROM, I reset the router to give it a new IP and wam blam kazam all fixed up. Only problem is remember to reset your WAP or other Internet "Sign In" password 'cause you will lose it.)
For those who are not sure, here is the official tutorial on how to use it. http://www.bleepingcomputer.com/combofix/how-to-use-combofix
And note that it specifically says:
You have been warned, so please do not blame combofix if you do not follow this advice.
As for the suggested virus scans, I prescribe combofix. It's free and it pretty much fixes everything virus-related. (Win7 and below only)
I just wonder, with all the people using mod organizer daily, why the hacker didn't make the skyui file a newer version, so that when a person opened up the manager, that it would say that there is an update available for that mod, and when they updated, then they would download the virus, even if they already had skyui before the hack and weren't going to download it unless it were an update?