Warrior Gryphon
site owner
Original Poster
#1 Old 6th Nov 2024 at 12:43 AM Last edited by Tashiketh : 15th Nov 2024 at 10:52 AM.
No, MTS is not "compromised" and it's safe to download from here!
Hi All,

Some of you may have seen something like this going around on Discord or Tumblr or wherever:



What has happened was that a malicious actor logged into 2 creators' accounts that have been inactive for a long time, and "updated" the files to contain a specific .ts4script which, when run by the game, created a profapi.dll file, which is a trojan. (See https://www.virustotal.com/gui/file...5e8819d716b394e ). This affected only 4 files that we can see, all of which are now removed from the server.

We removed the files approximately 1.5 hours after they were updated.

This ONLY affected these 4 specific files ONLY for The Sims 4. IT DID NOT AFFECT ANY OTHER DOWNLOADS.

I repeat, the issue affected only 4 files and MTS is NOT compromised.

If you downloaded these mods AFTER 19:53, 5th Nov 2024 (UTC), and BEFORE 21:53, 5th Nov 2024 (UTC), then please remove the files:

https://modthesims.info/d/533172/no...ity-update.html
https://modthesims.info/d/614263/al...heats-back.html
https://modthesims.info/d/589519/ca...ed-6-26-18.html
https://modthesims.info/d/536556/fu...of-1-25-18.html

The filesizes of the nomosaic are:
- 800 bytes. Non-corrupted version.
- 18031 bytes. moxiemason_nomosaic_toddlerupdate.zip. Corrupted version.

If you downloaded MTS_moxiemason_1667773_moxiemason_nomosaic_toddlerupdate.zip and it's 18031 bytes, delete it. If you have a smaller version, it's fine.

NO OTHER FILES HAVE BEEN AFFECTED. IT IS SAFE TO DOWNLOAD OTHER FILES, FROM OTHER GAMES, AND FROM MTS IN GENERAL

If you have heard from other people that MTS is not safe to download from, that's a knee jerk reaction and not grounded in truth whatsoever!

To combat these issues in future, I've implemented the following changes:

- All new logins on an account (from an IP address different from the last successful login) will now send an email titled "New Login Detected" to the email address on that account. (Similar to how Netflix, etc, do that).
- Accounts that have been inactive for more than 3 months and have a new login on them are now automatically locked and cannot be used for some tasks until an email link is confirmed.

Locked accounts can not:
- Reply to threads or downloads.
- Post new threads or downloads
- Edit existing downloads or posts
- Upload files
- View Private Messages
- Change any profile information, including password or email address.

Hopefully this should provide an extra level of security, but minimise the amount of mail spam for otherwise legitimate purposes.

Regarding attack vectors - this issue ONLY affected .ts4scripts (so, The Sims 4), and thus, I'm going to add some automated checking for, and decompiling of, any python files, to check for any odd behaviour.

Edit 11th November: I've finished work on a first version of a TS4Script upload and checker tool. It can be accessed here: https://packagedb.modthesims.info/ts4scripts.php

I've gone ahead and added all the unique TS4Scripts I found here on MTS (inside the attachments). So far there are over 900 results, but you can all add more if you want, including from other sites.

Moving forward, I'll be integrating this TS4Script database directly with the upload process, so that any upload that contains a TS4Script will be checked against the database. If it's not in the database, then it'll automatically add and process it, so that we can check immediately for any issues. (And if found, can send the upload to the queue for further checking).

It's still early days, and I've only added some basic checks. Feel free to let me know any other checks inside python you guys want to see.

Some more details about the malicious actor here - they used a VPN, and attempted to hack into multiple accounts. They were stopped multiple times, but on 2 creator accounts, they logged in (presumably using a password stolen elsewhere), at which point they uploaded these malicious files. To re-iterate, the files were removed after 1.5 hours.



Regards,

Story books are full of fairy tales, of Kings and Queens, and the bluest skies.
53 users say thanks for this. (Who?)
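
The two login rules described in post #1, written out as an added example (not MTS's own code and not part of the original post). The 90-day reading of "3 months", the action names, the second email subject and the choice to lock only when the login also comes from a new IP are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=90)  # "more than 3 months", taken as 90 days here

# Hypothetical action names for the things the post says a locked account cannot do.
DENIED_WHILE_LOCKED = frozenset({
    "reply", "post_thread", "edit_post", "upload_file",
    "view_private_messages", "change_profile",
})


@dataclass
class Account:
    email: str
    last_login_ip: Optional[str] = None
    last_login_at: Optional[datetime] = None
    locked: bool = False


def on_successful_login(acct: Account, ip: str, now: datetime) -> list:
    """Apply both rules to a login that already passed the password check.

    Returns the (recipient, subject) emails to queue; updates acct in place.
    """
    mails = []
    # A first-ever login has no previous IP to compare with (assumption: not "new").
    new_ip = acct.last_login_ip is not None and ip != acct.last_login_ip
    dormant = (acct.last_login_at is not None
               and now - acct.last_login_at > INACTIVITY_LIMIT)
    if new_ip:
        mails.append((acct.email, "New Login Detected"))
        if dormant:
            # A stolen password alone is no longer enough to edit downloads.
            acct.locked = True
            mails.append((acct.email, "Confirm your login"))  # hypothetical subject
    acct.last_login_ip, acct.last_login_at = ip, now
    return mails


def is_allowed(acct: Account, action: str) -> bool:
    """Locked accounts keep read access but lose the listed actions."""
    return not (acct.locked and action in DENIED_WHILE_LOCKED)


def confirm_email_link(acct: Account) -> None:
    """Called when the emailed link is followed; lifts the lock."""
    acct.locked = False
```

Because "change_profile" is denied while locked, someone holding only the password cannot point the confirmation email at a mailbox they control.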
Instructor
#2 Old 6th Nov 2024 at 1:24 AM
Thank you for your quick action and communication on this. It's scary how susceptible Sims 4 mods have become over the years to hidden viruses and telemetry. EA really needs to start cracking down on the game's security when it comes to community content, especially as they continue to become more and more mod-friendly (like affiliating with CurseForge).
Field Researcher
#3 Old 6th Nov 2024 at 1:43 AM
You were incredibly fast, thank you for that. I recently removed one of the files because I forgot there were 4 in total that were downloaded.

Kaleb, kaligi, kali, Valdi :)
Field Researcher
#4 Old 6th Nov 2024 at 2:17 AM
Thank you for being so quick. I'm very careful about downloading any ts4script files but it's scary that this can happen.

Iirc the other incident that affected multiple sites months ago was also due to malicious actors accessing inactive accounts. Maybe it would be good for creators to remember to be extra careful with passwords and maybe delete any accounts they no longer use.
Alchemist
#5 Old 6th Nov 2024 at 2:28 AM
THIS needs to be shared on Tumblr for all the Sims 4 peeps to help stem the wildfire.

I'm an S2 player so I'm not affected, but that doesn't mean I don't care about my fellow Simmers (even if ya playin the wrong game )
Instructor
#6 Old 6th Nov 2024 at 2:47 AM
Quote: Originally posted by noprobllama
Thank you for being so quick. I'm very careful about downloading any ts4script files but it's scary that this can happen.

Iirc the other incident that affected multiple sites months ago was also due to malicious actors accessing inactive accounts. Maybe it would be good for creators to remember to be extra careful with passwords and maybe delete any accounts they no longer use.


The issue a bit less than a year ago primarily involved newly created accounts on multiple sites (some pretending to be inactive creators who hadn't uploaded mods to those sites before) including MTS. The existing creator account that was compromised on TSR happened specifically because that creator was also a member of the team that checked new uploads to decide whether to approve them -- she downloaded the malware mod herself, after it was submitted by a new account there, in order to do exactly that, and her TSR login credentials were among the info stolen as a result of her running the game with it installed.
Mad Poster
#7 Old 6th Nov 2024 at 8:00 AM
Quote: Originally posted by thesammy58
Thank you for your quick action and communication on this. It's scary how susceptible Sims 4 mods have become over the years to hidden viruses and telemetry. EA really needs to start cracking down on the game's security when it comes to community content, especially as they continue to become more and more mod-friendly (like affiliating with CurseForge).


Yeah, when I read the discussion in the MTS Discord I was thinking just why the hell is a game mod able to do this?

I'm secretly a Bulbasaur. | Formerly known as ihatemandatoryregister

Looking for SimWardrobe's mods? | Or Dizzy's? | Faiuwle/rufio's too! | Simlogical Archives | smorbie1's Chris Hatch archives
Virtual gardener
staff: administrator
#8 Old 6th Nov 2024 at 1:24 PM
I posted this on my Tumblr as well, but I figured it's probably good to share some information on how to stay safe when downloading CC. So here are some CC shopping tips from good 'ol Lyralei :p

How to stay safe downloading anything CC related in the future:

Know that this issue is seemingly a big issue in The Sims 4 community! While the other communities are certainly not ruled out to be able to have malware in them, it seems this group of hackers are really focused on The Sims 4 community as a whole.

What files are the issue?

1. ts4script files. Because it's raw python AND TS4 doesn't have great restrictions for script mods in place, these people can modify the python file to create a .dll file on running the game. That's how they get information if they're lucky.

2. .exe files or files that look like another file type but are an .exe file. (or some executable file like a bash script, etc). MTS does check these things before approving, but do be careful when downloading these things from tumblr or github. Make sure to check the comments there instead.

What files CANNOT ever get malware in them?

Simply said: .Package files.

Exception for maybe the .package files that are actually ts4script files, but that's really from the ancient TS4 days.

In other words, your: CasParts, Lots, Cosmetics, Hair, Sims, Recolours, Objects CANNOT have malware in them

The only "kind of" malware we saw back in the days in Package files was the infamous TS3 Doll corruption bug. But that didn't collect your personal information, just corrupted your save/game 😉

What ways can I detect if something is malware at first sight?

1. 99% of script modders, when updating their mods, WILL add WHY they updated their mod in the first place. If you do NOT see any update reasons in the description, it's probably malware.

2. Check the comments! If you're not sure, always check if someone left a comment (or in Tumblr's case, a Reblog).

3. Trust your gut feeling! Does something seem strange? A bit out of place from the usual? Give it a few days before you download the mod.

4. Package files SHOULD NEVER have a way of "installing your content" through an .exe file "For simplicity", because in 99% of the cases, it's malware to trick you. Unless there is an excellent reason for it (and I mean REALLY good reason).

5. More or less a download site related thing: If a download site has a billion buttons saying "Download". Please don't press these. They are most likely Malware too, but definitely shady ads. For those pages, it would be best to leave the item alone, unless you really know what you're doing!

Conclusion

While these discord server announcements mean well, it frustrates me to see that they mention that EVERYTHING is compromised. Whereas in reality, it's only TS4Scripts and .exe files that can do harm.

I know they mean well! And wanting to protect people! But at the same time, it also spreads a sense of misinformation that can harm creators, websites, you name it.

So, instead, I would love to advise them to educate their members instead on what files can be the problem! And how to detect them. The more we get this into the world, the better we will be able to protect one another from downloading bad things!

And of course, websites that share CC, should make an effort to prevent this in the future. I'm happy MTS is doing this at the moment.

Stay safe and happy CC shopping!
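
A first-pass triage of a .ts4script along the lines discussed above, as an added example (not the MTS checker and not part of the original post). A .ts4script is a zip archive of Python files, usually compiled .pyc; the watch lists, size limit and sample inputs below are constructed assumptions.

```python
import importlib.util
import io
import marshal
import re
import zipfile

# Watch lists are heuristic choices for this example, not the MTS checker's rules.
MODULE_RE = re.compile(rb"(?<![A-Za-z0-9_])(ctypes|subprocess|socket|urllib|winreg)")
BINARY_NAME_RE = re.compile(rb"[A-Za-z0-9_\-\\/:. ]{1,80}\.(?:dll|exe|bat|ps1)", re.I)
BINARY_SUFFIXES = (".dll", ".exe", ".bat", ".ps1")
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # skip members that declare more than this


def scan_ts4script(data: bytes) -> list:
    """Return sorted (member, kind, detail) findings for one uploaded file."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [("<archive>", "not-a-zip", "")]
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if name.lower().endswith(BINARY_SUFFIXES):
                findings.add((name, "bundled-binary", ""))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.add((name, "oversized-member", str(info.file_size)))
                continue
            # Module names and string constants are stored as plain bytes in
            # both .py and .pyc, so a byte search needs no unmarshalling and
            # does not depend on which Python version compiled the file.
            blob = zf.read(info)
            for m in MODULE_RE.finditer(blob):
                findings.add((name, "watched-module", m.group(1).decode("ascii")))
            for m in BINARY_NAME_RE.finditer(blob):
                detail = m.group(0).decode("ascii").strip()
                findings.add((name, "binary-filename", detail))
    return sorted(findings)


def build_sample(source: str) -> bytes:
    """Constructed input: a zip holding one .pyc compiled by this interpreter."""
    code = compile(source, "<constructed>", "exec")
    # 16-byte .pyc header: magic number, then flags, mtime and size (zeroed).
    pyc = importlib.util.MAGIC_NUMBER + b"\x00" * 12 + marshal.dumps(code)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample_mod/main.pyc", pyc)
    return buf.getvalue()


# Constructed sources: neither does anything beyond defining names.
SUSPECT_SOURCE = 'import ctypes\nTARGET = "constructed_example.dll"\n'
CLEAN_SOURCE = 'def greet(name):\n    return "hello " + name\n'

if __name__ == "__main__":
    for row in scan_ts4script(build_sample(SUSPECT_SOURCE)):
        print(row)
```

A hit is a reason to send the upload for manual review, not proof of malware: legitimate script mods import some of these modules too.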
Theorist
#9 Old 6th Nov 2024 at 2:57 PM
I actually saw this warning today on Reddit. Is a full PC scan what we have to do?

"If there are no dogs in Heaven, then when I die I want to go where they went." Will Rogers
Warrior Gryphon
site owner
Original Poster
#10 Old 6th Nov 2024 at 4:30 PM
Quote: Originally posted by HCAC
I actually saw this warning today on Reddit. Is a full PC scan what we have to do?


Did you download any of the specific mods listed in the first post? During the times also outlined in the first post? If no, then you're fine.

Obviously it's good to do a PC scan from time to time, but Windows Defender *does* catch this specific trojan .DLL and will quarantine it.

Story books are full of fairy tales, of Kings and Queens, and the bluest skies.
Theorist
#11 Old 6th Nov 2024 at 4:37 PM
Quote: Originally posted by Tashiketh
Did you download any of the specific mods listed in the first post? During the times also outlined in the first post? If no, then you're fine.

Obviously it's good to do a PC scan from time to time, but Windows Defender *does* catch this specific trojan .DLL and will quarantine it.


According to the download history I might have...I deleted the file once I put on my computer and I'm doing a scan. Thanks very much.

"If there are no dogs in Heaven, then when I die I want to go where they went." Will Rogers
Mad Poster
#12 Old 6th Nov 2024 at 8:07 PM
Quote: Originally posted by HCAC
According to the download history I might have...I deleted the file once I put on my computer and I'm doing a scan. Thanks very much.


Unless I'm mistaken, the script itself should be harmless until you run it - it's only then that it creates the malicious DLL file. Still, bad idea to leave it lying around.

I'm secretly a Bulbasaur. | Formerly known as ihatemandatoryregister

Looking for SimWardrobe's mods? | Or Dizzy's? | Faiuwle/rufio's too! | Simlogical Archives | smorbie1's Chris Hatch archives
Test Subject
#13 Old 6th Nov 2024 at 9:10 PM
Glad to see this issue got fixed pretty quickly.
That being said, is it safe to download these mods, or should we wait?
Field Researcher
#14 Old 6th Nov 2024 at 9:42 PM
Which mod was this link regarding: https://modthesims.info/d/533172/no...ity-update.html When I click to see if I did download it, I receive an error that I do not have permission. I was able to view the other links and luckily I had not downloaded them.
Test Subject
#15 Old 6th Nov 2024 at 10:41 PM
The full URL has the text "no-mosaic-censor-mod-for-the-sims-4-toddler-compatibility-update" so that's probably at least a little bit of helpful information...
Mad Poster
#16 Old 7th Nov 2024 at 1:26 AM Last edited by M.M.A.A. : 7th Nov 2024 at 2:02 AM.
Quote: Originally posted by Lyralei
While these discord server announcements mean well, it frustrates me to see that they mention that EVERYTHING is compromised. Whereas in reality, it's only TS4Scripts and .exe files that can do harm.

I know they mean well! And wanting to protect people! But at the same time, it also spreads a sense of misinformation that can harm creators, websites, you name it.


I knew something was off when they said:

"MTS has not been a valid place to download my mods for over 5 years now,..."

The audacity!

Nonetheless, thank you @Tashiketh for your prompt action and response!
Forum Resident
#17 Old 7th Nov 2024 at 3:02 AM
Quote: Originally posted by Lyralei
While these discord server announcements mean well, it frustrates me to see that they mention that EVERYTHING is compromised. Whereas in reality, it's only TS4Scripts and .exe files that can do harm.

I know they mean well! And wanting to protect people! But at the same time, it also spreads a sense of misinformation that can harm creators, websites, you name it.


It definitely disappointed me to see a trusted creator issue a warning with such a blanket statement, without taking any care to mention if they had reported the issue and were waiting back for a response or anything. It's not often a site's owner is around to directly check in with- yet that's what we're lucky to have here! Feels like the TS4 community looks at MTS like it's a total wild west just because they aren't as personally localised here as the older games communities.

Especially as there is a huge demographic for the game who are not tech-confident, virus scares do a huge amount of harm to the community if a rumour starts skittering around. Tumblr posts remaining in the state they were when reblogged, even if the original post gets updated, certainly doesn't help letting these things circulate in smaller communities who miss when these concerns are resolved or misinformed.

Cardinal has been taken by a fey mood!
Mad Poster
#18 Old 7th Nov 2024 at 6:30 AM
Quote: Originally posted by CardinalSims
Especially as there is a huge demographic for the game who are not tech-confident, virus scares do a huge amount of harm to the community if a rumour starts skittering around. Tumblr posts remaining in the state they were when reblogged, even if the original post gets updated, certainly doesn't help letting these things circulate in smaller communities who miss when these concerns are resolved or misinformed.


There's a lot of misinformation about computer security that I've seen, from well-intentioned but not-very-informed people — I once saw a pretty hilarious one about a specific MP4 file being malware because it crashed Discord. No, it was because it was encoded in a way that caused the renderer to choke up and die.

I'm secretly a Bulbasaur. | Formerly known as ihatemandatoryregister

Looking for SimWardrobe's mods? | Or Dizzy's? | Faiuwle/rufio's too! | Simlogical Archives | smorbie1's Chris Hatch archives
Test Subject
#19 Old 7th Nov 2024 at 9:44 AM
Quote: Originally posted by CardinalSims
Feels like the TS4 community looks at MTS like it's a total wild west just because they aren't as personally localised here as the older games communities.


I'm not TS4 (quite the opposite actually--Sims 1!) but I could see that being the reason because it's a similar feeling to the feeling I always got looking at MTS until this year (yes, despite having an account since 2013), except in my case it felt like aliens on the moon and I was no astronaut.

(If I hadn't been into all the Sims 1 beta type info that was getting discussed here, who knows? Maybe I would STILL view this place with trepidation.)
Test Subject
#20 Old 7th Nov 2024 at 11:03 AM
If you downloaded these mods AFTER 19:53, 5th Nov 2024 (UTC), and BEFORE the date of this post, then please remove the files:


So I think I might have downloaded the no mosaic mod in that timespan. Around 21.30 (UTC) I think, I wasn't logged in so don't know exactly. I have deleted them now, done several full scans with zero threats detected. Problem is I did run the game before I knew. Is there a chance it could be "hiding" somewhere? Any other measures I should take? When I search for profapi.dll I have 16 files with that name, scanning those files shows no threats. I am just a bit confused and anxious. What harm can this do to my computer?
Instructor
#21 Old 7th Nov 2024 at 12:55 PM
Interesting. Amusing thought: Modern EA games (not sims, yet) are adding kernel-level anti-cheats. These anti-cheats run, put in simple terms, at the very highest privilege level of your computer. It could well hide its activities and prevent your knowledge of anything it does, now imagine a bad mod/hack for a game that has that level of access.

Thankfully if you play on Linux such things are not a threat, and a game mod creating DLL files will likely only affect that game and not your whole computer.

Shabado... sha..ba..doo..badooo
Mad Poster
#22 Old 7th Nov 2024 at 1:21 PM
Quote: Originally posted by purplewowies
I'm not TS4 (quite the opposite actually--Sims 1!) but I could see that being the reason because it's a similar feeling to the feeling I always got looking at MTS until this year (yes, despite having an account since 2013), except in my case it felt like aliens on the moon and I was no astronaut.

(If I hadn't been into all the Sims 1 beta type info that was getting discussed here, who knows? Maybe I would STILL view this place with trepidation.)


Why did you consider MTS scary?

Quote: Originally posted by iforgot
Interesting. Amusing thought: Modern EA games (not sims, yet) are adding kernel-level anti-cheats. These anti-cheats run, put in simple terms, at the very highest privilege level of your computer. It could well hide its activities and prevent your knowledge of anything it does, now imagine a bad mod/hack for a game that has that level of access.

Thankfully if you play on Linux such things are not a threat, and a game mod creating DLL files will likely only affect that game and not your whole computer.


I can only see an anti cheat being useful for an online game. Otherwise, who cares if you're cheating your ass off.
Warrior Gryphon
site owner
Original Poster
#23 Old 7th Nov 2024 at 2:15 PM
Quote: Originally posted by Linnsane
If you downloaded these mods AFTER 19:53, 5th Nov 2024 (UTC), and BEFORE the date of this post, then please remove the files:


So I think I might have downloaded the no mosaic mod in that timespan. Around 21.30 (UTC) I think, I wasn't logged in so don't know exactly. I have deleted them now, done several full scans with zero threats detected. Problem is I did run the game before I knew. Is there a chance it could be "hiding" somewhere? Any other measures I should take? When I search for profapi.dll I have 16 files with that name, scanning those files shows no threats. I am just a bit confused and anxious. What harm can this do to my computer?


The correct filesize of the zip was around 800 bytes and was called . The larger size was 18031 bytes (for the zip) and was called moxiemason_nomosaic_toddlerupdate.zip. This should help determine which version you got.

Story books are full of fairy tales, of Kings and Queens, and the bluest skies.
Test Subject
#24 Old 7th Nov 2024 at 2:44 PM
Quote: Originally posted by Tashiketh
The correct filesize of the zip was around 800 bytes and was called . The larger size was 18031 bytes (for the zip) and was called moxiemason_nomosaic_toddlerupdate.zip. This should help determine which version you got.


I already deleted everything, but I do think there was something about toddlers in there 😢
Test Subject
#25 Old 7th Nov 2024 at 4:30 PM
I just don't think it was appropriate or responsible of them to scare everyone into thinking all of MTS was compromised.