Homebrew Discussion PSA: SuperLan might be a virus

  • Thread starter: LUCKASS
  • Views: 11,515
  • Replies: 63
  • Likes: 1

LUCKASS

Edit, 10/12/2018 @ 10:50AM (dd/mm/yyyy):
Analysis for the "client-b" (SHA256: 41251978b0f7f49a895725b39a75639fd4e5a55386d64fb9c54ffd965e793da3)
Analysis for the "client" (SHA256: c304b194c4be0a6808e18a159b32faaec0ffd970fce117104633feb8a1ec18cd)
It's quite a bad ratio in my opinion for the "client-b" (too many hits to be a false positive).
Presumably - and that's just a wild guess - the "client-b" seems to be compressed, whereas "client" isn't.
And since this is a method viruses use to obfuscate themselves from being identified by a checksum, client-b is caught in the heuristic engines of various antivirus software because it simply utilizes similar methods to real viruses.

While I would rather assume it's a false positive, I'd still stay clear of the tool and I recommend everyone to do the same.

To be sure, just use the regular SwitchLanPlay, it does the exact same thing.

It's maybe a false positive, it's maybe a virus.
I just wanted to share this with the community.


This is not from me, I just took the Reddit one.

https://cdn.discordapp.com/attachments/490143667038715906/516704618617634819/Super_Lan_Play_Exposed_1.html

And here, a chat with community influencer Cubuss, giving us more info

https://i.imgur.com/1ghJnbW.jpg
 
Last edited by LUCKASS,
Reactions: Spacetime (Like)
Honestly, after Cubuss going around saying that there were Smash brickers with no proof and just spouting nonsense, I'd take this with a grain of salt for now.

--------------------- MERGED ---------------------------

I also find it convenient that he is making these accusations shortly after he makes a thread for his own switch lan play website.
 
> Honestly, after Cubuss going around saying that there were Smash brickers with no proof and just spouting nonsense, I'd take this with a grain of salt for now.
>
> --------------------- MERGED ---------------------------
>
> I also find it convenient that he is making these accusations shortly after he makes a thread for his own switch lan play website.

It's maybe not a thing, I just wanted to share this with the community.
I checked myself and nothing showed up.
 
> It's maybe not a thing, I just wanted to share this with the community.
> I checked myself and nothing showed up.
Obfuscation would make false positives appear depending on how they do it

I understand the concern, but people (not you) should really look at things deeper than just making accusations. Just because something isn't open source doesn't mean it's a virus. If that's the case, then the dev of ChoiDajureNX (however you spell it) has infected most of the community.

It's good to be wary but it's not good to just aim to shoot people down without looking into things first.

Again, this isn't aimed towards you. I just don't understand why the Switch community just seems to want to cut each other down and act like children.
 
> This is not from me, I just took the Reddit one.
> It's maybe not something, I checked myself just now and nothing: https://www.virustotal.com/fr/file/...14c9bb5b57cf070e26288b4e/analysis/1543296895/
> I just wanted to share this with the community.
>
> https://cdn.discordapp.com/attachments/490143667038715906/516704618617634819/Super_Lan_Play_Exposed_1.html
>
> And here, a chat with community influencer Cubuss, giving us more info
>
> https://i.imgur.com/1ghJnbW.jpg
Sounds like the guy has a virus on his PC and it infected the download and he didn't realize.
 
False positives are very much a thing. When you obfuscate code, it's common for it to get flagged as virus/malware because viruses and malware also use obfuscation. Just throw it in http://virustotal.com. If you get under 4-5 results, it's likely a false positive. If you get 5+, maybe it could be. If you get 10+, it probably is. Claiming that something is a virus simply because the author won't release the source code is obnoxious, and that person should never be in charge of anything.

If we could stop the intense worship of projects just for being open source, that would be great.
I don't think this post could ever get enough likes to express how much I resonate with it.
 
Last edited by Miqote,
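As an added example (mine, not code from the thread or from any tool discussed in it), here are the two triage steps the posts above describe, in Python: hashing the file so it can be looked up on VirusTotal, a byte-entropy check for the "compressed/packed" condition LUCKASS suspects trips heuristic engines, and Miqote's rule of thumb for reading a hit count. The 7.2 bits-per-byte cut-off and the decision to resolve "under 4-5" at 5 are my assumptions; the two SHA256 values are the ones quoted in the opening post; the sample blobs and hit counts are constructed.

```python
import hashlib
import math
from collections import Counter

# The two SHA256 values quoted in the opening post of this thread (page values, not constructed).
KNOWN_HASHES = {
    "41251978b0f7f49a895725b39a75639fd4e5a55386d64fb9c54ffd965e793da3": "client-b (the build with many VirusTotal hits)",
    "c304b194c4be0a6808e18a159b32faaec0ffd970fce117104633feb8a1ec18cd": "client (the build with few hits)",
}


def sha256_of(data: bytes) -> str:
    """Hex SHA256 of a file's bytes, the value you paste into VirusTotal's search box."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.2) -> bool:
    """Packing/compression heuristic: compressed payloads approach 8 bits per byte.

    The 7.2 cut-off is an assumption for this demo, not a published constant, and a
    real PE check would measure entropy per section rather than over the whole file.
    """
    return shannon_entropy(data) >= threshold


def classify_detections(hits: int) -> str:
    """Miqote's rule of thumb from the thread, with the 'under 4-5' boundary set at 5."""
    if hits < 5:
        return "likely false positive"
    if hits < 10:
        return "possibly malicious, investigate further"
    return "probably malicious"


def triage(data: bytes, vt_hits: int) -> dict:
    """Combine hash lookup, packing heuristic and detection count into one report."""
    digest = sha256_of(data)
    return {
        "sha256": digest,
        "known_as": KNOWN_HASHES.get(digest, "not one of the hashes quoted in the thread"),
        "entropy_bits_per_byte": round(shannon_entropy(data), 2),
        "packed_heuristic": looks_packed(data),
        "detection_verdict": classify_detections(vt_hits),
    }


if __name__ == "__main__":
    # Constructed stand-ins: a repetitive text blob and a high-entropy blob.
    # The hit counts 2 and 12 are made up for the demo.
    plain = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 50
    packed = b"MZ" + bytes(range(256)) * 16
    for name, blob, hits in (("plain", plain, 2), ("packed", packed, 12)):
        print(name, triage(blob, hits))
```

Run it against a real download by reading the file's bytes and passing the VirusTotal hit count you observed; the entropy figure tells you whether a high count is plausibly the packer being flagged rather than the payload.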
I would say this is a false positive. It's very much as @Miqote says: the code is just obfuscated so it's a bit harder to reverse engineer.

Kaspersky however is a big AV software, so I would take notice. But if Eset and Bitdefender would also detect it, then I would start to worry.
 
First, you do not know how we have programmed it. Second, the only thing Cubus does is say that it is closed code, and since it is closed code it is a virus. Third, the code is closed and obfuscated so that people do not copy it.
I show the code without problem, but with my conditions, and my conditions are that we connect to my PC by TeamViewer or similar.
 
Kaspersky put the file in quarantine as soon as I tried to launch it or finished downloading the file.
I dunno if it's a false positive, I'm also not sure about it being a virus, but I made an exception for it and it never ran, even with Kaspersky disabled, so I just prefer to trust my AV for now and wait to see whether we can see through this whole mess before doing anything too dangerous.
 
Reactions: LUCKASS (Like)
> False positives are very much a thing. When you obfuscate code, it's common for it to get flagged as virus/malware because viruses and malware also use obfuscation. Just throw it in http://virustotal.com. If you get under 4-5 results, it's likely a false positive. If you get 5+, maybe it could be. If you get 10+, it probably is. Claiming that something is a virus simply because the author won't release the source code is obnoxious, and that person should never be in charge of anything.
Basically this. HOWEVER, the "developer"'s response is shitty enough that no one should ever trust anything they write ever again.

Specifically, this line:
"Basically I'm so lucky that the md5 of my program matches that of a virus"

That shows that they have no clue what they're doing.

In addition, the fact that they felt the need to obfuscate what's merely a shitty GUI frontend to an open-source tool shows that they're trying to hide something.
 
Last edited by GerbilSoft,
The version that is available to download; I leave a link:
https://github.com/D3fau4/Super-Lan-Play/raw/master/Super-lan-play-client.exe

It is analyzed with VirusTotal:
https://www.virustotal.com/en/file/...ca1a16af4aa39f7e61770b3b/analysis/1543417057/

And this update, 2.0.7, does not contain obfuscation; this way, all those who want to unpack the .exe are invited to, if they want the source code, but we will not release the source code, even less with this type of publication.

I also want to thank you for making these types of posts, because this way they make SLP more known. Thank you.
 
I took a quick look at the "new" version, and while it doesn't look like it's malicious, I found the following issues:

  • Some image resources are loaded from GitHub instead of being included in the executable. I don't see a reason for this, and it just wastes bandwidth.
  • Calling netsh.exe to add firewall rules instead of using NetFwTypeLib.
  • Installing npcap by downloading from nmap.org and running it silently without informing the user.
  • Using Discord for authentication without telling the user exactly why they're being prompted to authenticate with Discord.
  • Using a plaintext HTTP request to some service to "validate" IP addresses. (should be https!) Said service also doesn't have a domain name; the IP address is hardcoded.
  • Finally: Your service has a "ban" function based on the user's public IP address (which I assume is what the previous HTTP request is for). This ban function is entirely client-based and does not affect the use of lan-play.exe on your server if run manually.

After all this, it seems all the program does is download lan-play.exe from spacemeox2's GitHub repository and run it with a custom server hostname specified as the relay server.

I highly suggest you rethink what you're doing here, because this seems like a waste of time.
 
Last edited by GerbilSoft,
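Added example, not GerbilSoft's or the SLP project's code: a quick string-indicator pass a defender could run over a downloaded binary to surface the behaviours listed above (firewall rules added via netsh, the npcap installer fetched from nmap.org, a plaintext HTTP request to a hardcoded IP, Discord OAuth login) before deciding whether to trust it. The regexes are my assumptions about how those behaviours appear as string literals; the sample bytes are constructed, 192.0.2.10 is a documentation address rather than the service the thread refers to, and the npcap file name is a placeholder. It also extracts UTF-16LE runs, since .NET binaries store their literals that way and a plain ASCII strings pass misses them.

```python
import re

# Indicator patterns for the behaviours GerbilSoft listed. The regexes are my
# assumptions about how each behaviour shows up as a string literal in a binary.
INDICATORS = [
    ("firewall rule added via netsh", re.compile(rb"netsh(?:\.exe)?\s+advfirewall", re.I)),
    ("npcap installer fetched from nmap.org", re.compile(rb"nmap\.org/npcap", re.I)),
    ("plaintext HTTP to a hardcoded IP", re.compile(rb"http://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/|$)")),
    ("Discord OAuth login", re.compile(rb"discord(?:app)?\.com/api/oauth2", re.I)),
]

# Printable runs of at least 6 characters, as ASCII and as UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(data: bytes) -> list:
    """Return printable string runs from raw bytes; UTF-16LE runs are re-encoded as ASCII bytes."""
    found = [m.group() for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le").encode("ascii") for m in UTF16_RUN.finditer(data)]
    return found


def scan(data: bytes) -> dict:
    """Map each indicator name to the list of extracted strings that triggered it."""
    hits = {}
    for s in extract_strings(data):
        for name, pattern in INDICATORS:
            if pattern.search(s):
                hits.setdefault(name, []).append(s.decode("ascii"))
    return hits


# Constructed stand-in for a binary: filler bytes around four literals, two of them UTF-16LE.
# 192.0.2.10 is a documentation address; the npcap file name is a placeholder.
SEP = b"\xff" * 8
SAMPLE = (
    b"MZ" + b"\x00" * 16
    + b"netsh.exe advfirewall firewall add rule name=SLP dir=in action=allow\x00" + SEP
    + "http://192.0.2.10/validate?ip=".encode("utf-16-le") + b"\x00\x00" + SEP
    + b"https://nmap.org/npcap/EXAMPLE-installer.exe\x00" + SEP
    + "https://discordapp.com/api/oauth2/authorize".encode("utf-16-le") + b"\x00\x00" + SEP
    + b"unrelated filler text\x00"
)

if __name__ == "__main__":
    for name, strings in scan(SAMPLE).items():
        print(f"{name}: {strings}")
```

Point `scan()` at the bytes of a real download and treat each hit as a question to answer (why does a LAN-play front end need to add firewall rules, fetch an installer, or talk unencrypted to a bare IP?) rather than as proof of malice; it is a prompt for the manual review GerbilSoft describes, not a replacement for it.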
> I also want to thank you for making these types of posts, because this way they make SLP more known. Thank you.
Not sure about it being a very good advertisement.

Anyway, I've tested this version and Malwarebytes and Kaspersky said it's clean, so I guess it's ok; I don't see why I shouldn't use it.
 
> I took a quick look at the "new" version, and found the following issues:
>
>   • Some image resources are loaded from GitHub instead of being included in the executable. I don't see a reason for this, and it just wastes bandwidth.
>   • Calling netsh.exe to add firewall rules instead of using NetFwTypeLib.
>   • Installing npcap by downloading from nmap.org and running it silently without informing the user.
>   • Using Discord for authentication without telling the user exactly why they're being prompted to authenticate with Discord.
>   • Using a plaintext HTTP request to some service to "validate" IP addresses. (should be https!) Said service also doesn't have a domain name; the IP address is hardcoded.
>   • Finally: Your service has a "ban" function based on the user's public IP address. This ban function is entirely client-based and does not affect the use of lan-play.exe on your server if run manually.
>
> After all this, it seems all the program does is download lan-play.exe from spacemeox2's GitHub repository and run it with a custom server hostname specified as the relay server.
>
> I highly suggest you rethink what you're doing here, because this seems like a waste of time.

I will leave an answer to each point, but nobody is obliged to use SLP; simply, if they do not like it or do not care, do not use it and use the other servers, no problem.

  • The only thing that is loaded from GitHub is the language file.
  • Thanks for the info. But we will take it into account in future updates, so the user has to do it himself.
  • npcap cannot be installed in silent mode; that is only available for Npcap OEM versions. We only do the installation with checked options so that the user only has to press Install in the installer and it's ready. More information: https://nmap.org/npcap/guide/npcap-users-guide.html
  • It has a login system that uses Discord, just as other services use the Facebook API to log in to applications containing user registration. And this is done to have control of the users who access the server, so that in this way someone who uses cheats can be banned. This is basic; it is not necessary to explain it.
  • We have no need to do it differently; it was done for other reasons that are not relevant to the subject. Remember that it is a free service and only developed in hobby time.
  • The server is the one that has the IP blocking, not the client. The client only validates whether you registered your IP, for reasons such as it having changed, etc. It tells you that you must log in to the lanboard in order to grant access to the server, since blocking is done by firewall to block access to anyone who does not sign up for the lanboard. If you use the client lan-play.exe, to still be able to access the server and connect, if you did not register the IP to the server, you must log in through the LanBoard web.
 
These hits on virustotal seem to be all heuristic. Not saying it is 100% safe but it seems fine to me.
 