DONT UPDATE AMDex3.msi Bound To Honorbuddy.exe

[amdex3]

AMDex3.msi trojan

its my guess honorbuddys update server has been hacked and a trojan has been binded to the honorbuddy.exe dont update


i just downloaded the update zip from this url

http://updates.buddyauth.com/GetNewest?filter=Honorbuddy

when i opened up the 232 KB Honorbuddy.exe a 16 KB file was put into the following directory

C:\Windows\Installer

this file is called AMDEx3.msi and it is a trojan my av caught it

after this had happened the Honorbuddy.exe was changed to the file size of 6.37 MB

you can reproduce this over and over by deleting the AMDex.msi and unzipping a fresh copy of the honor buddy and running the honorbuddy exe, each time the honorbuddy will change file size from 232 KB to 6.37 MB so it will only happen once each time you unzip the update

this file is comming from the honorbuddy team for what reason i have no idea but you your self can watch it happen

1: dl honorbuddy zip from http://updates.buddyauth.com/GetNewest?filter=Honorbuddy

2: open the following directory C:\Windows\Installer it is hidden so you can copy paste "C:\Windows\Installer" into the top of the window to see it

3: run the honorbuddy exe in the freshly extracted zip and watch the file show up

going to format now thankyou hb

 

[Tony]

for those who updated to 639 (which is the problematic build) delete it and scan your machine

 

[handnavi]

Really? Again?
Dont know if its funny or sad. ...

 

[Tony]

Really? Again?
Dont know if its funny or sad. ...

well you know how it goes,its like cat and mouse

i am not laughing at all tho

 

[Wizper]

Tony
is 638 build safe? as i have not updated this morning. I don't use antivirus program, i did not find the trojan exe tho so i think im safe.

 

[Rhainland]

well you know how it goes,its like cat and mouse

i am not laughing at all tho

A game of cat an mouse? The fact that your build server has been compromised what, 4 times now? Is just absolutely ridiculous. It's not at all acceptable, how can anyone trust you guys with all of this crap?

 

[Tony]

A game of cat an mouse? The fact that your build server has been compromised what, 4 times now? Is just absolutely ridiculous. It's not at all acceptable, how can anyone trust you guys with all of this crap?

its not the build server,so its better to stay low if you dont know what we are talking about

 

[Tony]

Tony
is 638 build safe? as i have not updated this morning. I don't use antivirus program, i did not find the trojan exe tho so i think im safe.

yes,you are safe

 

[chinajade]

Tony
is 638 build safe? as i have not updated this morning. I don't use antivirus program, i did not find the trojan exe tho so i think im safe.

Hi, Wizper,

You should always answer this question for yourself. You can upload any questionable file to VirusTotal to make an informed decision from its report.


Imho, not running some form of virus protection on a Windoze box is very dangerous. There are a number of free and effective AV packages available. Here is a good place to start conducting your research if you decide you're in the market for AV:

AV-TEST - The Independent IT-Security Institute: Home User​

cheers,
chinajade

 

[Rhainland]

its not the build server,so its better to stay low if you dont know what we are talking about

No, no it's not. I cannot believe how you guys behave toward your customers. You have infected them several times, the fact you guys even call your releases "safe" is hilarious. Each and every time, a community member needs to come here to tell YOU that your software is infected, and at times it even takes several attempts because threads are just closed with "nah we safe"

Seriously, you were compromised, a compromised build was delivered through your update server, this is not just a "simple" task, the fact you guys can continue to get compromised is just so damn sad.

 

[Tony]

No, no it's not. I cannot believe how you guys behave toward your customers. You have infected them several times, the fact you guys even call your releases "safe" is hilarious. Each and every time, a community member needs to come here to tell YOU that your software is infected, and at times it even takes several attempts because threads are just closed with "nah we safe"

Seriously, you were compromised, a compromised build was delivered through your update server, this is not just a "simple" task, the fact you guys can continue to get compromised is just so damn sad.

if you think you have the knowledge to keep us safe,i am waiting your suggestions at [email protected]

words are easy...

no one is happy when something like that happens


so waiting your suggestions as a developer

 

[xeroes]

No, no it's not. I cannot believe how you guys behave toward your customers. You have infected them several times, the fact you guys even call your releases "safe" is hilarious. Each and every time, a community member needs to come here to tell YOU that your software is infected, and at times it even takes several attempts because threads are just closed with "nah we safe"

Seriously, you were compromised, a compromised build was delivered through your update server, this is not just a "simple" task, the fact you guys can continue to get compromised is just so damn sad.

/agree

 

[Tony]

/agree

waiting your suggestions as well then

 

[bloodmarks]

so waiting your suggestions as a developer

Tony its not a job for developer to do vulnerability testing and prevention, it is a job for professional
company i work for employs i believe 4 or 5 people that test our servers all the time and follow security exploits, make sure server software and routers are updated ...

It can be hard for small company to have resources for something like that so I guess you could rent managed server with some company offering protection from things like this instead of doing your own vulnerability testing

 

[Rhainland]

if you think you have the knowledge to keep us safe,i am waiting your suggestions at [email protected]

words are easy...

no one is happy when something like that happens


so waiting your suggestions as a developer

Normally i would not have a problem attempting to help you guys, in fact, i have tried in the past.

Remember when you guys did ryftomate? I was so kind to show your developers how easy it was to detect when you were blatantly injecting .net into the process, i even wrote code simulating how to detect it and spoke with hawker how to prevent it.

What happened? Nothing, you guys gave no craps, you rewrote the hook without changing the most OBVIOUS thing. Which makes me reach the conclusion, that you guys don't really care. The communication between the team and the customers has gotten so bad its insane.

Last time you guys were infected, it took me almost 2 hours convincing you in a thread that you WERE in fact infected. It took nearly 24 hours for the "team" to realise it fully and actually make a thread about it. It's been infected times before then, and no word from the team, other then you telling people to scan their PCs. On top of that, we see the team outright lying to the community with the last updates to Blizzards detection system.

What happened? I've been here for over 2 years, and the team is not at all as i remember it, you guys don't seem engaged whatsoever.

 

[bloodmarks]

its not a job for developer

actually there is something that can help a little atleast for automatic update:
- sign your EXE with private key and embed bublic key in EXE itself
- when EXE checks update after downloading update it checks is public key it has matching exe2 it just downloaded or not and warns user/HB company if its not matching signature

you can also have multiple signatures "accepted" for each developer so if you see that one of private keys leaked you know who needs security training

 

[deusx]

Tony u are getting us all wrong.
Fact is the product is infected. How it came to be and why is not user's concern. I for one saw my Panda AV going nuts and went straight to HB forums to see what is going on. Found like 7-8 threads of people asking about it and no official statement/release
Then you come here and enter immature arguments with users:

so waiting your suggestions as a developer

This was FIRST OFFICIAL POST i could find on the subject. No announcement of what is going on, not even warning to other people not to update (other than warnings from random people that i would ignore if it didn't happen to myself aswell)...
Not professional at all. I for one don't have problem with whatever happened that led to the issue. I am having problem how you are handling it. If users (including me) are being dicks on forums it is because they are users, it is not their JOB to be professional and helpful. Yours on the other hand, is

 

[crimsonrogue]

Microsoft has gotten hacked several times.. even their update. The US Government has also been hacked several times, including the IRS. Furthermore, financial institutions and mainstream corporations have been compromised. All this and yet we bicker about a 'mishap' compromise from a program built to 'cheat' in online games. Not much of a comparison to the previous. I find most of the comments here ill-mannered.

 

[ginuwine12]

from now i will never ever update throw the autoupdatepop till this get good fixed like bloodmarks said

 

[Cisem]

Tony u are getting us all wrong.
Fact is the product is infected. How it came to be and why is not user's concern. I for one saw my Panda AV going nuts and went straight to HB forums to see what is going on. Found like 7-8 threads of people asking about it and no official statement/release
Then you come here and enter immature arguments with users:

This was FIRST OFFICIAL POST i could find on the subject. No announcement of what is going on, not even warning to other people not to update (other than warnings from random people that i would ignore if it didn't happen to myself aswell)...
Not professional at all. I for one don't have problem with whatever happened that led to the issue. I am having problem how you are handling it. If users (including me) are being dicks on forums it is because they are users, it is not their JOB to be professional and helpful. Yours on the other hand, is

I was about to making a thread and ask if this "news" shoulnt be on the first page so everyone can see it..