Got a question-

I was using Poser 8 (with SR-3 installed) when all of a sudden it bombed out to Windows with an error saying-

Fatal Error in Runtime
Poser will exit now, cannot find file ./Runtime/ui/roomTabs.xml

So I go about rooting around the Poser 8 install to try and find said file when I find that most of the system files in Poser 8 have simply disappeared.  The executable itself and some files in the Poser 8 folder are still there, but everything else (including stuff in the P8 libraries) are gone. 

Anyone else ever experience this?

That's never happened to me or anyone I've heard of - sounds a bit like you just had a hard drive hardware fault.

Well... I'm in the middle of doing a chkdsk on the drive in question, so I hope that isn't the case.  

Got a status report-

It turned out that it wasn't a hard drive giving me trouble but rather a problematic Poser item I had installed in my Runtimes.  More specifically, something called "V4WetCreator" is the item in question- it's a texture package that uses Python code to initialize changes to textures.  This would be fine, except for that what it actually does is go through and delete all files and folders in your Poser Runtime until you're left with the "Fatal Runtime Error" pop-up.  

And I know it's the problem because I got curious and tried it again after reinstalling Poser.  

So please- be very weary of "V4WetCreator". 

Holy crap, where did you obtain that?

Not sure, as it was a little while ago.  I'm fairly sure I didn't get it here, though. 

The only thing I DO know is it'll definitely ruin your day.  Like I said, I ended up doing the Matlock thing and tried for a second attempt at using it after a reinstall- it totally went through and borked my Poser 8 install.

The GOOD news is that-

• it won't go after any other Runtime libraries you might have connected to Poser 8
• it won't go after any UI preferences you may have set up
• and it won't tinker with your registry and screw with any registration codes you may have present there. 

But that's all small potatoes compared to what it DOES do, which isn't pretty.  

I found a file called "V4WET.ZIP" and looking at the script in that, it has the hallmarks one of Herman's little bombs.

As the download date is nearly a couple years ago, I have no idea where it was came from, but it's certainly not legitimate.

Herman the guy who regularly defaced Renderotica until they got rid of him permanently?

Quote - Herman the guy who regularly defaced Renderotica until they got rid of him permanently?

Yes, him.

The "bad" code in this case was hidden away in someone else's script, so somewhat less obvious than the other attempts.

Huh.  What a peon.

So V4WET.ZIP is the file, is it?  I'll go through my archive of stuff and see if I can find it. 

And yeah- that Hermann dude was causing some major trouble and trolling a couple of sites.  He had also been banned from RaunchyMinds (where I Moderate) for assaulting other members as well.  I kind of figured he had something to do with the spreading of that malicious code.

Thanks for the heads up with that ZIP file, nruddock.  

 Herman's little bombs? Sounds like it's something commonly known, yet I've never heard about that before? What is that? Just so I can be sure to steer clear of it.

BB did a demo a few months ago of a prop that incorporated a python script-you loaded the prop and it ran a script.  His was benign, but I do worry that someone could incorporate one that wasn't...... 

@Trekkie-

"V4WetCreator" was a kind of MAT pose thing that put a "wet" sheen on V4, like what would happen if you went out swimming or something similar.  It was supposed to go over whatever normal textures you already had over your figure and was even had differing levels of wetness including a setting called "Drenched".  The original author of the MAT pose was someone going by the name "Mackie Messer" and it (according to the readme file I found) was copyrighted in 2008.  

If that ZIP file is still out there in the wild, then it should be avoided at all costs. 

Attached Link: http://www.renderosity.com/mod/forumpro/showthread.php?thread_id=2749924

The others got zapped fairly quickly here and at Rotica.

Best advice is if a freebie contains a script, it needs checking unless you're really sure you trust the author.

 Gah! I know that things can contain scripts (PhilC used it a few years ago for one of his easter eggs where he embedded the script inside the OBJ) but I hadn't heard of anyone actually using it maliciously. Brr.. And for said person.. I knew he was a jerk but not that he was an all-out criminal. Writing virus and other malicious code to deliberately destroy someone's computer IS a crime in most countries. In Germany, too.

What an arse. Thankfully I don't think I have the V4Wet. Good thing now I rarely use those wimmen ;)

Well.., I raised the alarm some months ago, but they didn't like me so I shut up my mouth...

Oi, that is nasty! Must check if I have it among all the freebies I've yet to install. I did pick up a few from Rotica and something to make Vicky/Mike look like they've been swimming without tons of postwork would certainly have tempted me.Good thing I didn't use/need it right away.

Is it only Poser 8 this thing's been nuking? If so, good thing I also haven't upgraded yet.

Good grief, I wish these people would get a life and leave others alone!

Funny I was thinking a few days ago wondering if you can do such a nasty trick with python scripts.  Thankfully I didn't grab this "V4 Wet" script, but again I don't hardly use Poser (I'm a DS user but have Poser for comparing and making DS mats for characters and such).

Say, can you look at these pythons in a script editor (such as Notepad++)?  I'd like to find how you can find such bad calls like this.  Would be good for others to learn this as well for their safety.

...wolfie

You might be able to read it - if it's a plain old .py file. But I demonstrated how easy it is to hide the script in anything - JPG files, PNG thumbnails, readme.txt files. Anything can be a Python script. In the demo I did, I mildly encrypted the script so that even if you looked at it, you'd have no idea what it says.

Damn, that's not good, baggins!  I wonder if antiviruses can catch that?  Or if these companies are even aware of python scripts.  I think I've heard something about jpg images, but thought that was a bunch of bull lol.  Now I know.

BTW good to finally meet you, have heard about you quite a few times.

...wolfie

Technically, antivirus programs don't look for nasty stuff in general, but specifically for viruses and worms. A virus is a program that spreads itself to other programs, usually through some action involving the user. A worm spreads itself to other computers without any help from humans. The business of hiding destructive scripts in add-on products for Poser is not a virus or worm. It doesn't spread itself. You volunteer to install it yourself, as part of something you think you want. The only copy you end up with is what you explicitly installed. Technically it's a Trojan Horse. While most viruses are presented as Trojan Horses, not all Trojan Horses are viruses or worms.

Meanwhile, it is malware. And there are plenty of anti-malware programs, but this particular one would not rise to the level of awareness that would cause the malware authors to handle it.

That explains, guess I'm throwing words together (virus, trojans, malware) carelessly lol.  Actually I thought malwares install itself on your computer to force advertisements or something, but I guess it just "takes a malware" to do that.

Would be nice if we can somehow tell our malware programs to look for something particular in python scripts, sorta like the K9 cop showing his dog... "See this?  Take a smell, good boy, now search!" hehe :D

Sorta sounds stupid probably, just wish there was a way to keep people from getting this garbage.

...wolfie

The only real way to protect against this sort of thing would be to radically change the way Poser Python is setup, a sandbox coupled with the notion of trusted scripts like Jasc did for PaintShopPro, but the weak link is always going to be the end user.

Any script that is able to read, modify and write a file can create a virus that can reproduce, multiply and spread, just modify a system or user file.
If a script is able to call and execute another program it also can modify the Windows registry, just issue a procedure call to regedit.exe with parameter the keys data and Windows will do this task.

Quote - Oi, that is nasty! Must check if I have it among all the freebies I've yet to install. I did pick up a few from Rotica and something to make Vicky/Mike look like they've been swimming without tons of postwork would certainly have tempted me.Good thing I didn't use/need it right away.

Is it only Poser 8 this thing's been nuking? If so, good thing I also haven't upgraded yet.

It would appear that the malicious script will attack whatever is the dominant version of Poser you're using.  In my case, I just happened to P8 installed, which essentially put it on the proverbial chopping block as far as that script was concerned.  Since Poser 7 also makes use of Python code, it'd be quite logical to think that it could be a target as well.  

And yes- Smith Micro needs to change how it works with Python code so that it operates in a shell or "sandbox".  Either that, or they should adopt a whole other language all-together... one that doesn't make direct access to memory and -as such- results in decreased security. 

The ability of Poser to read and write files allows scripts that modify existing files which can be very useful for removing morphs, adding erc and that sort of thing. The downside is obviously that it enables a malicious script to delete files.

If files o missing the first place to check is the trash bin of windows, to see if they are there and recoverable.

The deleted files totally bypassed the Recycle Bin, making them pretty much unrecoverable, short of using file-searching recovery software (and even THAT was a crapshoot as I found out).  

Quote - The deleted files totally bypassed the Recycle Bin, making them pretty much unrecoverable, short of using file-searching recovery software (and even THAT was a crapshoot as I found out).  

Well, you have my word, I'll never download a python from anyone unknown, only from trusted people like Netherworks and D3D.  That crap's scary lol.

...wolfie

Just to be clear, the point of my demonstration is that if your attitude (rightly so) is to distrust scripts, then you must distrust EVERY freebie. It is trivial to hide a script in a hat, or a character, or a chair.

True to that, and that went through my mind.  I don't download much freebies anyways, just simply too busy and already getting lots of stuff for the work I do (by trusted friends of course LOL!) anyways.

I would say "I'm glad I use only DS" (which don't read pythons), but I do have to use Poser for the projects I do, and I use the pythons I already have quite often.

...wolfie

Quote - I would say "I'm glad I use only DS" (which don't read pythons) ...

Well the situation w.r.t. D|S is potentially even worse than for Poser because all the presets are scripts and can be supplied in a binary format or encrypted (which pretty much prevents something subtle being detected).

hi there,
i have just noticed this thread and this is something that kind of shocks me. worse enough that something like this accidently could happen because of a programming bug (which would be a total nightmare), but doing it on purpose....

speaking of it... how can one make sure (as a python script creator) that the scripts one ships are actually 100% harmless? i regularly scan my scripts for functions I suspect to be dangerous in general, e.g. like any kind of 'write', 'delete' etc.?. if someone out here on rendo has an idea which other functions could be harmful, please drop me a sitemail, I would love to find out I am not using those at all >_<

should one digitally sign all files one ships? but I wonder if there is a standard way for "trusted" products, e.g. here on rendo? I think I never downloaded a product that required a public key of the author to be usable >_<

cheers,
col

Reputation, mainly, just like regular software.  Digital signage is only as trustworthy as who it came from, I don't think it's a real solution, it just gives users a false sense of complacency.  Basically if you don't trust it totally, then maybe you shouldn't run it.

repitation I agree. I would not look at stuff by ockham , Philc, nruddock, cage and several others.

I do look at stuff using sys and shutil libraries in python because those are the system and high level file handling stuff.

you can look for code like walk, dir and so on that list folder contents.

.pyc files make me nervous, those are the compiled python that you cant read.

yes. but pyc still contains the used symbols as plain strings, so I think you should find "shutil" in a .pyc just like in a .py

What if you wrote a little function in to do poor man's decryption on the commands before executing them ;)

i'd rather die ;)

You could do a text search for 'python' to see if a script is called where one shouldn't be, but beyond that, it's "Be Careful Out There"...