  • DONT UPDATE AMDex3.msi Bound To Honorbuddy.exe

    Discussion in 'Honorbuddy Support' started by amdex3, Jul 16, 2013.

    Thread Status:
    Not open for further replies.
    1. amdex3

      amdex3 New Member

      Joined:
      Jul 16, 2013
      Messages:
      3
      Likes Received:
      0
      Trophy Points:
      0
      AMDex3.msi trojan

      it's my guess honorbuddy's update server has been hacked and a trojan has been bound to the honorbuddy.exe, don't update


      i just downloaded the update zip from this url

      http://updates.buddyauth.com/GetNewest?filter=Honorbuddy

      when i opened up the 232 KB Honorbuddy.exe a 16 KB file was put into the following directory

      C:\Windows\Installer

      this file is called AMDEx3.msi and it is a trojan my av caught it

      after this had happened the Honorbuddy.exe was changed to the file size of 6.37 MB

      you can reproduce this over and over by deleting the AMDex.msi and unzipping a fresh copy of the honor buddy and running the honorbuddy exe, each time the honorbuddy will change file size from 232 KB to 6.37 MB so it will only happen once each time you unzip the update

      this file is coming from the honorbuddy team, for what reason i have no idea, but you yourself can watch it happen

      1: dl honorbuddy zip from http://updates.buddyauth.com/GetNewest?filter=Honorbuddy

      2: open the following directory C:\Windows\Installer it is hidden so you can copy paste "C:\Windows\Installer" into the top of the window to see it

      3: run the honorbuddy exe in the freshly extracted zip and watch the file show up

      going to format now, thank you hb
       
    2. Tony

      Tony "The Bee" Staff Member Moderator

      Joined:
      Jan 15, 2010
      Messages:
      128,834
      Likes Received:
      571
      Trophy Points:
      113
      for those who updated to 639 (which is the problematic build) delete it and scan your machine
       
    3. handnavi

      handnavi Well-Known Member Buddy Store Developer

      Joined:
      Jan 15, 2010
      Messages:
      2,489
      Likes Received:
      59
      Trophy Points:
      48
      Really? Again? :D
      Don't know if it's funny or sad. ...
       
    4. Tony

      Tony "The Bee" Staff Member Moderator

      Joined:
      Jan 15, 2010
      Messages:
      128,834
      Likes Received:
      571
      Trophy Points:
      113

      well you know how it goes, it's like cat and mouse

      i am not laughing at all tho :(
       
    5. Wizper

      Wizper Member

      Joined:
      Mar 1, 2013
      Messages:
      100
      Likes Received:
      0
      Trophy Points:
      16
      Tony
      is 638 build safe? as i have not updated this morning. I don't use antivirus program, i did not find the trojan exe tho so i think i'm safe.
       
    6. Rhainland

      Rhainland New Member

      Joined:
      Nov 17, 2010
      Messages:
      75
      Likes Received:
      0
      Trophy Points:
      0
      A game of cat and mouse? The fact that your build server has been compromised what, 4 times now? Is just absolutely ridiculous. It's not at all acceptable, how can anyone trust you guys with all of this crap?
       
    7. Tony

      Tony "The Bee" Staff Member Moderator

      Joined:
      Jan 15, 2010
      Messages:
      128,834
      Likes Received:
      571
      Trophy Points:
      113
      it's not the build server, so it's better to stay low if you don't know what we are talking about :)
       
    8. Tony

      Tony "The Bee" Staff Member Moderator

      Joined:
      Jan 15, 2010
      Messages:
      128,834
      Likes Received:
      571
      Trophy Points:
      113

      yes, you are safe :)
       
    9. chinajade

      chinajade Well-Known Member Moderator Buddy Core Dev

      Joined:
      Jul 20, 2010
      Messages:
      17,540
      Likes Received:
      172
      Trophy Points:
      63
      Hi, Wizper,

      You should always answer this question for yourself. You can upload any questionable file to VirusTotal to make an informed decision from its report.


      Imho, not running some form of virus protection on a Windoze box is very dangerous. There are a number of free and effective AV packages available. Here is a good place to start conducting your research if you decide you're in the market for AV:



      cheers,
      chinajade
       
    10. Rhainland

      Rhainland New Member

      Joined:
      Nov 17, 2010
      Messages:
      75
      Likes Received:
      0
      Trophy Points:
      0
      No, no it's not. I cannot believe how you guys behave toward your customers. You have infected them several times, the fact you guys even call your releases "safe" is hilarious. Each and every time, a community member needs to come here to tell YOU that your software is infected, and at times it even takes several attempts because threads are just closed with "nah we safe"

      Seriously, you were compromised, a compromised build was delivered through your update server, this is not just a "simple" task, the fact you guys can continue to get compromised is just so damn sad.
       
    11. Tony

      Tony "The Bee" Staff Member Moderator

      Joined:
      Jan 15, 2010
      Messages:
      128,834
      Likes Received:
      571
      Trophy Points:
      113

      if you think you have the knowledge to keep us safe, i am waiting your suggestions at tony@honorbuddy.com

      words are easy...

      no one is happy when something like that happens


      so waiting your suggestions as a developer
       
    12. xeroes

      xeroes New Member

      Joined:
      May 4, 2011
      Messages:
      16
      Likes Received:
      0
      Trophy Points:
      0
      /agree
       
    13. Tony

      Tony "The Bee" Staff Member Moderator

      Joined:
      Jan 15, 2010
      Messages:
      128,834
      Likes Received:
      571
      Trophy Points:
      113

      waiting your suggestions as well then
       
    14. bloodmarks

      bloodmarks New Member

      Joined:
      Jan 31, 2013
      Messages:
      268
      Likes Received:
      0
      Trophy Points:
      0
      Tony it's not a job for developer to do vulnerability testing and prevention, it is a job for professional
      company i work for employs i believe 4 or 5 people that test our servers all the time and follow security exploits, make sure server software and routers are updated ...

      It can be hard for small company to have resources for something like that so I guess you could rent managed server with some company offering protection from things like this instead of doing your own vulnerability testing
       
    15. Rhainland

      Rhainland New Member

      Joined:
      Nov 17, 2010
      Messages:
      75
      Likes Received:
      0
      Trophy Points:
      0
      Normally i would not have a problem attempting to help you guys, in fact, i have tried in the past.

      Remember when you guys did ryftomate? I was so kind to show your developers how easy it was to detect when you were blatantly injecting .net into the process, i even wrote code simulating how to detect it and spoke with hawker how to prevent it.

      What happened? Nothing, you guys gave no craps, you rewrote the hook without changing the most OBVIOUS thing. Which makes me reach the conclusion, that you guys don't really care. The communication between the team and the customers has gotten so bad it's insane.

      Last time you guys were infected, it took me almost 2 hours convincing you in a thread that you WERE in fact infected. It took nearly 24 hours for the "team" to realise it fully and actually make a thread about it. It's been infected times before then, and no word from the team, other than you telling people to scan their PCs. On top of that, we see the team outright lying to the community with the last updates to Blizzard's detection system.

      What happened? I've been here for over 2 years, and the team is not at all as i remember it, you guys don't seem engaged whatsoever.
       
    16. bloodmarks

      bloodmarks New Member

      Joined:
      Jan 31, 2013
      Messages:
      268
      Likes Received:
      0
      Trophy Points:
      0
      actually there is something that can help a little at least for automatic update:
      - sign your EXE with private key and embed public key in EXE itself
      - when EXE checks update, after downloading update it checks whether the public key it has matches the exe2 it just downloaded or not, and warns user/HB company if it's not matching signature

      you can also have multiple signatures "accepted" for each developer so if you see that one of private keys leaked you know who needs security training
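
The update check suggested in the post above, as an added Go example that is not part of the original thread and is not Honorbuddy's code: the updater carries a pinned set of public keys, one per developer, and refuses any download whose detached signature verifies under none of them. Ed25519, the `dev-a`/`dev-b` labels, the seeds and the payload bytes are assumptions constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// TrustedKeys maps a developer label to the public key pinned in the updater.
type TrustedKeys map[string]ed25519.PublicKey

var ErrUntrusted = errors.New("update signature matches no pinned key")

// VerifyUpdate returns the label of the pinned key that signed update, or
// ErrUntrusted. Call it before the download is unpacked or executed.
func VerifyUpdate(keys TrustedKeys, update, sig []byte) (string, error) {
	if len(sig) != ed25519.SignatureSize {
		return "", ErrUntrusted
	}
	for name, pub := range keys {
		if ed25519.Verify(pub, update, sig) {
			return name, nil
		}
	}
	return "", ErrUntrusted
}

// demoKey derives a constructed key pair from a fixed seed byte (demo only).
func demoKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// runDemo checks a genuine, a modified and an unpinned-key update (constructed).
func runDemo() (signer string, tamperedErr, unknownErr error) {
	pubA, privA := demoKey(1)
	pubB, _ := demoKey(2)
	_, privX := demoKey(3) // key pair that is not in the pinned set
	keys := TrustedKeys{"dev-a": pubA, "dev-b": pubB}
	update := []byte("constructed update payload")
	sig := ed25519.Sign(privA, update)
	signer, _ = VerifyUpdate(keys, update, sig)
	_, tamperedErr = VerifyUpdate(keys, append(update, "+extra"...), sig)
	_, unknownErr = VerifyUpdate(keys, update, ed25519.Sign(privX, update))
	return
}

func main() { fmt.Println(runDemo()) }
```

The returned label is what lets the vendor tell which developer key produced a given build, as the post proposes; the check only helps if the private keys are kept off the server that hosts the downloads.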
       
    17. deusx

      deusx Member

      Joined:
      Feb 1, 2010
      Messages:
      206
      Likes Received:
      5
      Trophy Points:
      18
      Tony u are getting us all wrong.
      Fact is the product is infected. How it came to be and why is not user's concern. I for one saw my Panda AV going nuts and went straight to HB forums to see what is going on. Found like 7-8 threads of people asking about it and no official statement/release.
      Then you come here and enter immature arguments with users:
      This was FIRST OFFICIAL POST i could find on the subject. No announcement of what is going on, not even warning to other people not to update (other than warnings from random people that i would ignore if it didn't happen to myself as well)...
      Not professional at all. I for one don't have problem with whatever happened that led to the issue. I am having problem how you are handling it. If users (including me) are being dicks on forums it is because they are users, it is not their JOB to be professional and helpful. Yours on the other hand, is
       
    18. crimsonrogue

      crimsonrogue New Member

      Joined:
      Nov 10, 2012
      Messages:
      5
      Likes Received:
      0
      Trophy Points:
      0
      Microsoft has gotten hacked several times.. even their update. The US Government has also been hacked several times, including the IRS. Furthermore, financial institutions and mainstream corporations have been compromised. All this and yet we bicker about a 'mishap' compromise from a program built to 'cheat' in online games. Not much of a comparison to the previous. I find most of the comments here ill-mannered.
       
    19. ginuwine12

      ginuwine12 New Member

      Joined:
      Feb 12, 2013
      Messages:
      621
      Likes Received:
      6
      Trophy Points:
      0
      from now on i will never ever update through the autoupdatepop till this gets good fixed like bloodmarks said
       
    20. Cisem

      Cisem Member

      Joined:
      Dec 31, 2012
      Messages:
      252
      Likes Received:
      1
      Trophy Points:
      18
      I was about to make a thread and ask if this "news" shouldn't be on the first page so everyone can see it..
       