Hello everyone, I was one of the unfortunate ones to download the "updated" version of American Roads on the 18th of April, however the malware execution was patched as of the 0.35 version of the game. Still, I'm changing all of my passwords as I'm writing this post. What I want to talk about in this post is how the situation was conveyed to the community. This wasn't a mod that was just uploaded and had 10 downloads, it was a mod that has been released in repo since 2017 with 2m+ downloads. There was no announcement in game, no announcement in Discord, nothing. The only way someone would know about the malware is if someone was actively watching the mod's thread, saw someone talking about it on Discord, saw a post on Reddit, watched the video made by Eric Parker (which was released only yesterday as of making this post), or saw the other post "This is unacceptable", which is basically why I made this post. You want to know how I discovered that a mod that I had downloaded had malware? Just a gut feeling, literally. If I hadn't been in a malware incident like that earlier or just simply decided to check the mod discussion on a whim, I probably still wouldn't know about the malware. This isn't how things like that should be handled, you inform us that all mods from repo are manually checked and should be safe. I don't have a problem with that, we all make mistakes. What I do have a problem with is how we are informed, there should be a Discord announcement, a blog post, not people realising that they may have malware because they got recommended a YouTube video. Not everyone uses Reddit or Discord, many people just download mods from repo and expect everything to be safe. A great example of how a malware situation was handled was the June 2023 infected mods incident on CurseForge, there was an announcement on Discord, there was a blog post, heck they even gave you instructions to check if you were infected. But with this?
We got told that the malware has been fixed on the mod's discussion, and that's that. If you really want to know if you are infected, you need to go to the Lemonyte blog post, and search for the "Indicators of compromise", which let me be clear with you, most non-native speakers wouldn't know what that would mean. I will say this once more, just because the malware was fixed doesn't justify that we weren't informed. (I'm sorry for my bad English sometimes, it's my second language and I'm still learning it)
Honestly I play daily and am on Reddit and whatnot and this is the first I'm hearing of it. It should have AT LEAST been in the change log that it fixed a potential security risk with American Roads.
To be honest, seeing weird script files in set off an alarm in me too. Turns out that I had upgraded to 0.35 before I updated my mods, so I was technically safe. Only found out about it after a post (which got accidentally deleted) that the map was infected, why would you ban the author of a mod, especially when you notice weird stuff in the files. They do a check before every update. When it came to my map having a texture related issue, they sent me a screenshot of the problem and told me to reupload after fixing it. I can confirm, at least from my experience, that they do drive around the maps to spot potential issues. Don't know about the files though, my theory is that they looked through the files of American Roads and just went like: Yup, these scripts and odd .c_css file are 100% normal. They definitely needn't have stayed that silent about it since it could cause a lot of damage, the malware was very serious about its intentions and it got away scot-free for a short while. 0.35 did one of the required steps forward by updating the CEF the game was running so it got accidentally (or maybe intentionally) patched. This whole incident should teach us that we should probably check every mod we have downloaded, and maybe that Patreon banners are kinda evil.
There has to be more done in an era like this to make damn sure that safety is a top priority and that there are experts on call to actually deal with these mods being uploaded. THEY NEED TO DO SOMETHING MORE ABOUT THIS TO PERMANENTLY PREVENT THIS SORT OF SITUATION IN THE FUTURE AND PRESENT.
Ok ... I'm PISSED off. I know it's a single case incident but the fact that there is a lack of oversight.. And a lack of security around something that's a growing platform.... It's a recipe for disaster and it cannot be understated that this is dangerous. Yes each individual is responsible for keeping their own system safe BUT THE OFFICIAL mods need every line of code scanned through and a program that will help speed the process up (no AI). I'm paranoid about driving on some places now because of this incident.
I already explained that they check mods. The problem is that more and more mods come out and having to check five 6000-line files is just not possible, even if AI were used. If you really fear updating your map mods or downloading them, unzip them, put them in the 0.35/levels folder and check them yourself. I tend to edit most of my map mods by adding my own props. I would have done the same with AmRo if it wasn't for laziness. Also, babbling on about this incident won't do anything, everyone needs to learn the lesson that an outdated, glorified web browser is not immune to exploits (Surprising, I know).
i'm just annoyed because the entire world wants to implode politically and i'm trying to have a SLIVER of my peace of mind intact. help me maintain my innocence and just ... pat me on the back for givin a dang or something. if it wasn't for all the pay to "get away with abuse power" in both discord moderation, irl governments, and even in the communities on here I wouldn't be so upset. fact is less crap would happen if moderators did their job right and no i'm not saying it'd drop off a cliff in terms of exploiters but they would be more tame..... if there are vulnerabilities, those take top priority. quality of life comes third aside from keeping things up to date and then so on and so forth. I am glad they caught it pretty fast but jeez talk about a horrible year and it's what 5 months in!? this year is just insanity above redline at the least. if any staff are seeing this or community leaders, HELP ME TACKLE the pay to win abuse of power in communities you own. don't let people bribe you to get away with crud via patreon or whatever. treat everyone the same and stop making it acceptable to bully and break down other people
They did update the CEF in 0.35, the issue is that porting things like the BeamNG.UI to a newer version takes a lot of work, similar reason why GIMP is on GTK 3 now and not on GTK 4, which has been out since 2021.
I'm pretty lucky because I was tempted by this mod on several different occasions but decided against downloading it. There haven't been any mod updates approved to the repository in the past days so I'm guessing they're fixing it but it has been handled in the worst way possible from the very start to right now.
Agreed on the sentiment here. This is extremely disappointing. The malicious version released on April 1st, but the 0.35 patch which fixed this exploit released on April 2nd. It's quite possible some users were affected by simply launching the game on April 1st - especially given that mod auto-updates are enabled by default. Additionally, BeamNG's built-in usage statistics mean that the developers were aware some users remained on 0.34 after the fact, thus were more likely to have been affected by this incident. As someone who has ~500 mods, but is also an adult with a busy life - I tend to stay 1 patch behind. It's possible to do this by disabling auto-updates in Steam and launching BeamNG by launching the executable directly. For example, I'll only update my game to 0.35 (as well as all my mods) when 0.36 shows signs of release (quite often, this is shortly after multiple teasers get posted). This ensures that all mods have had plenty of time to be updated by their (often equally busy) authors. Meaning I can be confident that my limited gaming time won't be ruined by any incompatible, outdated or broken mods. This practice is hardly a niche use-case. That is why I'm shocked that there was no announcement on the website, forums, Discord or Steam community hub. I'm not even concerned that it made it onto the repository. Even that is a rock bottom expectation. Ideally, an announcement should've been displayed in-game. Usage statistics will reveal how many users launched the game on April 1st - why not push a warning to those users? I really hope the BeamNG team already have or are working on a mechanism that allows this. The sky-high reputation of the official repository further necessitates an announcement. There are likely users who either don't suspect anything or dismissed anything suspicious because they have always blindly trusted the repository.
Despite the above, the idea that this was deliberately swept under the rug to save face (especially after the Disney situation) could still be described as wild speculation - but was the end result really any different? Anyways, someone made a brilliant writeup of how the malware worked. I don't think I'm allowed to link it here, but you can search "lemonyte beamng malware". I only discovered this situation (12 days later!) because Eric Parker made a video about that blog post. Side note: I did notice a Reddit comment from an official BeamNG dev mentioning that these were "older, unsupported versions or unofficial copies". Regarding this, I just want to preemptively address a potential accusation. The user is not at fault for staying a patch behind for the reasons I described above. A BeamNG version is released every few months. This is hardly irresponsible. The real problem lies in the fact the browser engine embedded into BeamNG was not updated across 6 years of game patches.
shame on all the damn staff aware of said issue who kept silent. EVERY STAFF MEMBER COULD BE SUED BECAUSE THERE ARE LAWS AROUND 'SEE SOMETHING. SAY SOMETHING' IN SOME REGIONS OF THE PLANET. --- Post updated --- PEOPLE HAVE TO PAY ABOUT 1K FOR A DECENT DEVICE TO RUN THIS GAME... LET THAT SINK IN STAFF. YOU'RE IN TROUBLE OVER THIS FOR NOT SPEAKING UP. DON'T MAKE THAT MISTAKE AGAIN! THAT'S MANY THOUSANDS OF DOLLARS BLOWN OUT OF PEOPLE'S POCKETS TO GET THEIR PC REPLACED IF A MOD BREAKS IT AND BEAM STAFF STAY SILENT AND TRY TO SKATE PAST TRANSPARENCY!!!! THE LACK OF PEOPLE TALKING ABOUT IT IS AN OUTRAGE
I am interested: who will sue them? It is absolutely your right to buy or not to buy a 1k device to run BeamNG, if you want to run the game on an old box with Windows 7 - do that, you can choose older versions through Steam. Please, remember: if you don't like something, don't use it - it is so god damn simple!
this cost thing is just flat-out not true btw. decent hardware is about the cheapest it's ever been (aside from GPUs), so a tower that can actually run beam with satisfactory med-high settings performance at >60fps is like not even $700, and being realistic probably more like $400-500 second hand to actually meet stated min requirements. also gonna point out there is nothing it can do from within the modified chromium instance BeamNG uses for its GUI that would actually damage hardware, so this is at best fearmongering nonsense by the technically illiterate. i don't think it's realistically feasible to expect the <6 people who are currently on repo approval duty to manually comb through file structure of the thousands of mods (and automation cars) that get uploaded every day WITH the knowledge of how lua and malware could work though, so it's just nature of shit being on the internet, apply common sense n all that and you'll be fine, especially with the automation repo spam that is just auto approved and not even checked due to sheer volume of it lmao. no one (successfully), cause it's basically the user's fault for downloading the infected files in the first place, they have no legal foothold whatsoever, especially with repo upload rules explicitly forbidding malicious files in writing since it was introduced like 10 years ago nearly
Indeed, there are too many Automation cars that bring nothing new to the table. This is why I like considering them more like art pieces, they aren't very useful but still need creativity to be made. I read the EULA a while ago and §11 is all about user generated content, it is your responsibility for the files you upload and the mods may take it (or you) down or modify it if it goes against the rules. (Also: yes, I am a boring person, I read legal documents before accepting them)
My iGPU doesn't even support Vulkan, but the game runs smooth and drivers are way better because the game won't crash if I crash too hard or have AI, for some reason it did that on Windows.