Author Topic: Potential Malware at Gensokyo.org  (Read 23400 times)

helvetica

  • Arcade Maid
  • *
  • United Federation
Potential Malware at Gensokyo.org
« on: October 26, 2014, 08:19:59 PM »
User cr0gon has sent word that Gensokyo.org has recently begun triggering malware warnings as well as receiving a trojan warning from the Ten Desires English patch download. We will try to look further into the issue but until then it is suggested to stay away from Gensokyo.org, especially any patches or other content hosted by them. We are also wordfiltering any links to Gensokyo.org as a precautionary measure.

Another source for English patches for Touhou games can be found at https://thpatch.net/

Source: https://www.shrinemaiden.org/forum/index.php/topic,17555.0.html


Twitter: @hipsterfont | Discord: helvetica#0573 | LINE: hipsterfont

He thought that on that same day he was to take the city of Priam, but he little knew what was in the mind of Jove, who had many another hard-fought fight in store alike for Danaans and Trojans."


Re: Potential Malware at Gensokyo.org
« Reply #1 on: October 26, 2014, 09:50:21 PM »
We are also wordfiltering any links to Gensokyo.org as a precautionary measure.
Will the High Scores sub-board be affected by this? A fair majority of replays are linked via the gensokyo.org uploader, and having all of them suddenly wordfiltered would feel like a major hindrance to the scoreboards. Do you have a fix in mind, in case the replays uploaded via replays.gensokyo.org aren't safe?

Kilgamayan

  • True
  • *
  • The Real Treasure Is You
    • Let's Play Super Marisa World
Re: Potential Malware at Gensokyo.org
« Reply #2 on: October 26, 2014, 10:29:11 PM »
If Gensokyo.org fixes itself and the links all work again at some point, removing the word filter will fix everything. If not, you'll probably have to find a new host for replays.
[22:40:12] <Drake> "guys i donwloaded esod but its not workan"
[22:40:21] <Drake> REPORTED
[22:40:25] <NaturallyOccurringChoja> PROBATED
[22:40:30] <Drake> ORGASM
[22:40:32] <NaturallyOccurringChoja> FUCK YEAH

[22:28:39] <Edible> Mafia would be a much easier game if we were playing "spot the asshole"

helvetica

  • Arcade Maid
  • *
  • United Federation
Re: Potential Malware at Gensokyo.org
« Reply #3 on: October 26, 2014, 10:56:19 PM »
Will the High Scores sub-board be affected by this? A fair majority of replays are linked via the gensokyo.org uploader, and having all of them suddenly wordfiltered would feel like a major hindrance to the scoreboards. Do you have a fix in mind, in case the replays uploaded via replays.gensokyo.org aren't safe?
As it stands now, until we can get in contact with the Gensokyo.org admins and figure out the situation, I would not access anything from the site, especially anything you download and run locally. I unfortunately have no fix available except in the absolute worst-case scenario of mirroring the content and sanitizing it by hand if the situation is not resolved by the administrative staff there.




Tengukami

  • Breaking news. Any season.
  • *
  • I said, with a posed look.
Re: Potential Malware at Gensokyo.org
« Reply #4 on: October 27, 2014, 01:08:25 AM »
Looks like they're working on it. Maybe Nietz can clue us in more here. Hope they get matters resolved soon.

I like their replay system. Worst case scenario would be some incredibly patient person making a similar website, and then everyone can re-upload all their replays there, provided they still have them \o/

"Human history and growth are both linked closely to strife. Without conflict, humanity would have no impetus for growth. When humans are satisfied with their present condition, they may as well give up on life."

Re: Potential Malware at Gensokyo.org
« Reply #5 on: October 27, 2014, 03:39:35 AM »
It looks like they got hacked :(

Confirmed safe on Android smartphone. Haven't seen any APK droppers. Windows users beware.

You can download replays with your phone and transfer via USB or Bluetooth. For the truly paranoid, use virustotal.

Nietz

  • NEETz
  • *
  • Normal Person
Re: Potential Malware at Gensokyo.org
« Reply #6 on: October 27, 2014, 08:15:22 AM »
Well, damn. This is news for me, actually. I've checked and Avast still rates the site as safe, and I've seen no sign of malicious files in the server archive for doujinshi files (which is the only one I have access to).
But I've been trying to contact Halbarad/Yukari-sama (the admin) for over a year now regarding several problems with the site, but he's given no sign of life.
Since I don't have admin privileges myself, there's not much more I can do at the moment, except keep trying to contact him.  :(
« Last Edit: October 27, 2014, 09:51:18 AM by Nietz »

CyberAngel

  • Retired
Re: Potential Malware at Gensokyo.org
« Reply #7 on: October 27, 2014, 09:12:31 AM »
My NOD doesn't say anything. Neither about the site, nor about the patch exe. You should take Norton's information with a grain whole ton of salt; it's notorious for its false positives.

Actually I'm vaguely aware of how the patch works, and the process CAN be mistaken for how trojans work. The catch is that thpatch works exactly the same, and triggered antiviruses as well.

Shimatora

  • I'm not clumsy...
  • Really...!
Re: Potential Malware at Gensokyo.org
« Reply #8 on: October 27, 2014, 10:47:06 AM »
My NOD doesn't say anything. Neither about the site, nor about the patch exe. You should take Norton's information with a grain whole ton of salt; it's notorious for its false positives.

Actually I'm vaguely aware of how the patch works, and the process CAN be mistaken for how trojans work. The catch is that thpatch works exactly the same, and triggered antiviruses as well.

It's very possible it's a false positive, yes - it probably wouldn't be an issue if the admin wasn't MIA and could deal with it as soon as the positives from Norton came up. But considering we have no way of knowing whether or not it's a false positive, it warrants at least some wariness.

Visit #sokumaidens on irc.ppirc.net for discussion and matchmaking for a wide variety of fighting games!
Feel free to message me if you need anything!

Tengukami

  • Breaking news. Any season.
  • *
  • I said, with a posed look.
Re: Potential Malware at Gensokyo.org
« Reply #9 on: October 27, 2014, 01:39:15 PM »
I'm wondering if the site itself getting these red flags isn't the result of someone reporting it as malicious to Google or something. I've seen it happen to a couple sites before anyway.

"Human history and growth are both linked closely to strife. Without conflict, humanity would have no impetus for growth. When humans are satisfied with their present condition, they may as well give up on life."

Re: Potential Malware at Gensokyo.org
« Reply #10 on: October 27, 2014, 01:57:08 PM »
This sounds like just another case of Norton being crap, but the Ten Desires patch has been tagged as possible malware by multiple antivirus programs for a while now. Some of them, like Avast, have since removed the tag.
« Last Edit: October 27, 2014, 02:21:11 PM by Not Bigode »

helvetica

  • Arcade Maid
  • *
  • United Federation
Re: Potential Malware at Gensokyo.org
« Reply #11 on: October 27, 2014, 07:43:07 PM »
I just tend to take these things rather seriously. I very briefly poked around a bit and I don't see anything malicious but until I can get word with Halbarad that it's ok I'd still be very cautious.




Re: Potential Malware at Gensokyo.org
« Reply #12 on: October 28, 2014, 09:33:06 AM »
Regarding this Yukari-sama person, a group of people I belonged to attempted to contact them in order to get some moderators hired for the replay archive, so as to correctly tag cheated replays (since such a function exists on the site, but it's unused due to lack of staff). However, it's been close to three years since then, and we haven't heard a single word from them.

They've either fallen off the face of the Internet, or are very picky about what they read and reply to.

Re: Potential Malware at Gensokyo.org
« Reply #13 on: October 28, 2014, 11:23:40 AM »
I didn't get it. If no one has access to the admin panel, who did a recovery from backup, and how?
Would be glad to get help with Touhou Doumeiju ~ Mystical Power Plant Translation Project spellcard comments' translation.

Serela

  • Moon Tiara Magic
  • VIA PIZZA SLINGING
Re: Potential Malware at Gensokyo.org
« Reply #14 on: October 28, 2014, 12:25:15 PM »
I didn't get it. If no one has access to the admin panel, who did a recovery from backup, and how?
If they needed to do something like that it was probably a big enough event for the admins to care, but otherwise they don't?
<mauvecow> see this is how evil works in reality, it just wears you down with bureaucracy until you don't care anymore

MaronaPossessed

  • I am free to dream of my own dream
  • and so I shall dream

cuc

  • *
  • Probably won't respond 'til this mess is sorted o?
Re: Potential Malware at Gensokyo.org
« Reply #16 on: October 31, 2014, 12:50:09 AM »
Regarding this Yukari-sama person, a group of people I belonged to attempted to contact them in order to get some moderators hired for the replay archive, so as to correctly tag cheated replays (since such a function exists on the site, but it's unused due to lack of staff). However, it's been close to three years since then, and we haven't heard a single word from them.

They've either fallen off the face of the Internet, or are very picky about what they read and reply to.
FYI, more than one year ago, I had a talk with Yukari-sama simply by speaking to them in the Gensokyo.org IRC channel. It sounded like they have removed themselves from many of the responsibilities of the site.

I'm not even sure if the Gensokyo.org channel still exists now.
Touhou Fantasy News: twitter

Re: Potential Malware at Gensokyo.org
« Reply #17 on: October 31, 2014, 02:48:31 AM »
Their forums have been down for well over a year now. Despite their "we're trying to fix this and will be back real soon" message, it doesn't seem like anyone's taking care of it. With what others are saying, I think it's safe to say the site's been largely abandoned by its administrator at this point...

On the other hand, the site's still up so someone's probably still paying the bills. That, or the site somehow managed to slip between the cracks and is getting a free ride. =)

MaronaPossessed

  • I am free to dream of my own dream
  • and so I shall dream
Re: Potential Malware at Gensokyo.org
« Reply #18 on: November 03, 2014, 01:10:33 PM »
Their forums have been down for well over a year now. Despite their "we're trying to fix this and will be back real soon" message, it doesn't seem like anyone's taking care of it.

I used to go to their forums instead of this place. It was really quiet over there. That's probably why they didn't fix it; what's the point of fixing a quiet forum when there's this place that is crowded and has a ton of resources?

Maiden Synnae ミ☆

  • Wizard Maiden
  • ★☆★☆★☆★☆★☆★☆
Re: Potential Malware at Gensokyo.org
« Reply #19 on: November 03, 2014, 03:21:23 PM »
Worst case scenario would be some incredibly patient person making a similar website, and then everyone can re-upload all their replays there, provided they still have them \o/

That would be the best solution. The only problem is finding the incredibly patient person. :V

I don't upload my replays there (well, I did upload only one or maybe two sometime ago, but they're old and I no longer do this stuff). But I do care and feel sorry about the players who want to upload their stuff there while the site is completely covered with dust and spider webs.

I don't know exactly how things are there, but from what I read here, the admins will probably never bother with fixing/touching the site again. So, perhaps it'd be best to create a new one to serve as a host for replays. (Similar to what happened between touhou wikia/touhou wiki). This may prove as a difficult task, though...  :(

Sweetness and love~ ♥

Nietz

  • NEETz
  • *
  • Normal Person
Re: Potential Malware at Gensokyo.org
« Reply #20 on: November 04, 2014, 01:10:44 PM »
Regarding the admin situation: while I understand Hal might not be interested in getting too involved with Gensokyo.org anymore (which he's in no way obliged to do, after all), he still seems to be willing to arrange for the site's hosting, so I assume he still cares about it.
It still would definitely make things a lot easier if he contacted me to arrange for at least some limited admin powers to deal with stuff like this.

MaronaPossessed

  • I am free to dream of my own dream
  • and so I shall dream
Re: Potential Malware at Gensokyo.org
« Reply #21 on: November 04, 2014, 01:29:59 PM »
I wouldn't jump to conclusions about this. Who knows: it could be just False Detections by Norton for this website. Now for something like the Ten Desires patch (according to virus total), it is something to look at.

Not all antivirus and antimalware programs are perfect.

(Even Avast went apeshit once on my computer with official windows files with live detection o-o )

CyberAngel

  • Retired
Re: Potential Malware at Gensokyo.org
« Reply #22 on: November 04, 2014, 03:05:47 PM »
Since nobody seems to try drawing any conclusions from the information we already have, I've looked over the reports myself.

First, the file report MaronaPossessed gave. Only a few antiviruses detected something. As I said, I know how the patch works, and it does so by hacking the needed data into the original files. A bit of a dirty method, but it obviously works. Now, the data it hacks in isn't malicious, or else many more antiviruses would flag it. Looking into more detailed information, I found that Symantec (aka Norton) puts it at the lowest threat level, which means there's nothing outright malicious, but it's just not a well-known program. Which is understandable in this case.

As for the site warning in that Touhou Projects thread, it doesn't have any details, but it's just caution-level, which could be caused by the patch, which triggers only a low-level alarm. (That's why you put packages and not bare executables up for download, dammit!) If there's an actual threat from the site, the Safe Web system doesn't hesitate to put an actual warning level on it, and that's not the case here.

Bottom line, this looks like a false alarm. I'm not a dedicated IT security specialist, but it's easy to see if a site is hacked with malicious goals. I'll be able to tell if that happens to a site I used, so if anything serious actually happens, you can expect me to come running here screaming about it at once.

That said, the idea about a new replay uploader is still a sound one. This one still works just fine, but it stopped being supported back in TD times (it takes spellcard practice as stage practice runs, and doesn't understand Overdrive difficulty), so if anything happens to the database, odds are there won't be anyone to restore a backup either.

MaronaPossessed

  • I am free to dream of my own dream
  • and so I shall dream
Re: Potential Malware at Gensokyo.org
« Reply #23 on: November 04, 2014, 05:44:30 PM »
Since nobody seems to try drawing any conclusions from the information we already have, I've looked over the reports myself.

First, the file report MaronaPossessed gave. Only a few antiviruses detected something. As I said, I know how the patch works, and it does so by hacking the needed data into the original files. A bit of a dirty method, but it obviously works. Now, the data it hacks in isn't malicious, or else many more antiviruses would flag it. Looking into more detailed information, I found that Symantec (aka Norton) puts it at the lowest threat level, which means there's nothing outright malicious, but it's just not a well-known program. Which is understandable in this case.

As for the site warning in that Touhou Projects thread, it doesn't have any details, but it's just caution-level, which could be caused by the patch, which triggers only a low-level alarm. (That's why you put packages and not bare executables up for download, dammit!) If there's an actual threat from the site, the Safe Web system doesn't hesitate to put an actual warning level on it, and that's not the case here.

Bottom line, this looks like a false alarm. I'm not a dedicated IT security specialist, but it's easy to see if a site is hacked with malicious goals. I'll be able to tell if that happens to a site I used, so if anything serious actually happens, you can expect me to come running here screaming about it at once.

That said, the idea about a new replay uploader is still a sound one. This one still works just fine, but it stopped being supported back in TD times (it takes spellcard practice as stage practice runs, and doesn't understand Overdrive difficulty), so if anything happens to the database, odds are there won't be anyone to restore a backup either.
I totally agree with everything you said right there. Symantec has a thing with reporting low-profile files too :P

Re: Potential Malware at Gensokyo.org
« Reply #24 on: November 04, 2014, 06:15:13 PM »
Ok, I decided to overcome my laziness and compare files. I found an English patch archive I got about one year ago and compared md5 sums with those which are on gensokyo.org right now.
All 8 patches have the same checksum except for Th10.5 (because I had an older patch version, so I can't verify it). It means one of these:

  • Patches were already reverted to proper ones when I downloaded them from gensokyo.org for testing
  • Website was hacked quite long ago (at least, one year)
  • Nothing actually happened, just some security/protection system decided that it doesn't want to be friendly to those translation patches anymore

CyberAngel

  • Retired
Re: Potential Malware at Gensokyo.org
« Reply #25 on: November 04, 2014, 07:03:39 PM »
I dug into the file report details a bit more, and guess what, it's the same file that was submitted to the system three years ago, back when it was created, so it looks like it hasn't changed at all. Confirmed to be as safe as when it was new.

MaronaPossessed

  • I am free to dream of my own dream
  • and so I shall dream
Re: Potential Malware at Gensokyo.org
« Reply #26 on: November 04, 2014, 11:16:30 PM »
I dug into the file report details a bit more, and guess what, it's the same file that was submitted to the system three years ago, back when it was created, so it looks like it hasn't changed at all. Confirmed to be as safe as when it was new.
Basically I just downloaded the Ten Desires patch and resubmitted to Virus Total, then let it do another scan. Definitions change over time.

Lloyd Dunamis

  • aka Amanie
Re: Potential Malware at Gensokyo.org
« Reply #27 on: November 05, 2014, 01:37:01 AM »
Would go with what C.Angel has said. =w=
As I personally analyzed the files, I say the patchers do nothing but patch the game it's meant to patch.

I would like to get back to the report of the reporting user though. The ones flagged are only the files/patchers and not the site's webpages & such, fortunately, so there is unlikely to be any "hacking" involved. I'd also like to ask what AV cr0gon is using, and what the specific trojan detections were (screenshots, maybe), since he was the one who reported it & such.
I checked the site itself just to make sure though: no suspicious things or scripts found.

Looking at the names of the detections over on VirusTotal... yeah, they sound generic. It's also likely that these detections are aggressive/heuristic by nature, so they're prone to false positives.

Calling it False Positive over here, too. =w=

/me ish working in a security company, and I am late orz...
2010.1212 <Sakana> The only time wasted is the time in which you really do nothing at all, not even enjoying yourself
You may send me suspicious files that could be infected/a trojan, and I'll try analyzing it for you. :3 -Mo?ware, your personal Anti-Malware Engineer

CyberAngel

  • Retired
Re: Potential Malware at Gensokyo.org
« Reply #28 on: November 05, 2014, 08:19:08 AM »
Basically I just downloaded the Ten Desires patch and resubmitted to Virus Total, then let it do another scan. Definitions change over time.

VirusTotal identifies files by hashsums, not by names or anything else (it actually shows a set of names the file was submitted as), so since it gave you a report for the file that was first submitted almost on the exact date the patch was released, it's safe to say it's the exact same file without any changes.

Anyway, nice to have a specialist on board! *salutes Lloyd*
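The two checks the thread relies on, comparing today's downloads against md5 sums recorded from year-old copies (Reply #24) and treating an identical hash as proof of an identical file (the post above), as an added Python example that is not code from the thread or from either site. The filenames, file contents and the md5sum-style manifest format ("<hex>  <filename>") are constructed for the example.

```python
"""Compare downloaded files against a saved checksum manifest.

Added example, not from the forum thread. Given a manifest written when the
files were first fetched, every file is classified as unchanged, changed,
missing (listed but not on disk) or unlisted (on disk but not in the list).
"""
import hashlib
import os
import tempfile
from typing import Dict

HEX = set("0123456789abcdef")


def file_digest(path: str, algo: str = "md5") -> str:
    """Stream a file through hashlib; returns lowercase hex. md5 is what the
    thread compared; for a fresh baseline prefer sha256, since md5 collisions
    are practical for an attacker who controls both files."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str, digest_len: int = 32) -> Dict[str, str]:
    """Parse md5sum-style lines ('<hex>  <name>' or '<hex> *<name>') into
    {name: hex}. Blank lines and '#' comments are skipped; anything else
    malformed raises instead of being silently dropped."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != digest_len or not set(parts[0].lower()) <= HEX:
            raise ValueError(f"malformed manifest line: {line!r}")
        out[parts[1].lstrip("*")] = parts[0].lower()
    return out


def compare_tree(directory: str, manifest: Dict[str, str], algo: str = "md5") -> Dict[str, str]:
    """Return {filename: status}. A 'changed' verdict only says the bytes
    differ; as with Th10.5 in the thread, a newer patch version looks the same
    as a tampered file, so record the version alongside the hash."""
    present = set(os.listdir(directory))
    result: Dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in present:
            result[name] = "missing"
            continue
        actual = file_digest(os.path.join(directory, name), algo)
        result[name] = "unchanged" if actual == expected else "changed"
    for name in sorted(present - set(manifest)):
        result[name] = "unlisted"
    return result


def demo() -> Dict[str, str]:
    """Constructed data: fake 'patch archives' on disk plus a manifest taken
    from older copies, where th10.5 was a different version at the time."""
    on_disk = {"th13e.zip": b"TD patch v1.0c", "th12e.zip": b"UFO patch",
               "th10.5e.zip": b"SWR patch v1.06", "readme.txt": b"notes"}
    baseline = {"th13e.zip": on_disk["th13e.zip"], "th12e.zip": on_disk["th12e.zip"],
                "th10.5e.zip": b"SWR patch v1.03", "th11e.zip": b"SA patch"}
    manifest_text = "# constructed baseline\n" + "\n".join(
        f"{hashlib.md5(data).hexdigest()}  {name}" for name, data in baseline.items())
    with tempfile.TemporaryDirectory() as d:
        for name, data in on_disk.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return compare_tree(d, parse_manifest(manifest_text))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:<9} {name}")
```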

Lloyd Dunamis

  • aka Amanie
Re: Potential Malware at Gensokyo.org
« Reply #29 on: November 05, 2014, 10:32:54 AM »
VirusTotal defines files by hashsums, not names or anything else (it actually shows a set of names the file was submitted as), [...]

Anyway, nice to have a specialist on board! *salutes Lloyd*
I think MaronaPossessed mentioned definitions as in the virus definitions. Like, an AV may see the file as normal today, then flag it (or, more often, a portion of the file) as malicious/suspicious the next day.
In the 10D English patcher's case, Symantec seems to have flagged, unflagged, then flagged the file numerous times, most likely because of changes in their generic/heuristic detections:
  • 2014-06-24 : WS.Reputation.1
  • 2014-08-05 : ---
  • 2014-08-31 : WS.Reputation.1
  • 2014-09-20 : ---
  • 2014-09-28 : Trojan.Gen.2
Source: VirusTotal Intelligence

I'm not too keen on explanations, but aah... I'll try my best to explain stuff.

I'm holding up on this one statement, because it might either clear everyone of their suspicion of Gensokyo.org's patch (and thus the site itself, hopefully), or cause more panic. :ohdear:
« Last Edit: November 05, 2014, 03:35:47 PM by Lloyd Dunamis »