Game with malware: Detective Nari

A topic by ñ̴̥o̴t̶͎h̵ï̸̘n̷̩ģ̸̥ ̵̳ẗó̶̡ ̴̫͔ś̷̗e̶ė created May 09, 2025 Views: 671 Replies: 11
(+1)

Hello, I made a post on my itch.io blog almost a year ago now about a game that contains malware and also sent an email to support@itch.io but no one has responded... to this day.

Game link: https://lapma.itch.io/detectivenari

Original post: https://itch.io/blog/668415/game-with-malware-detective-nari

Moderator

Support doesn't reply to tickets of that nature, unless more information is needed. You can try to do what the rules of this category say. In the future, it's better to use the little report link in the footer of each project page.

Oh, I see now. The font is too small, I didn't see this the first time.

(+1)

https://www.virustotal.com/gui/file/5b489c671f8d52d5a33e95e27b8dc4b3de0690589756...

Look at this report. As a hint, it is not malware, but it triggers 59/72 scanners. It is an interpreter for old adventure games.

What both reports have in common is that the scanners do not agree on what it is and alert on a lot of generic things. Look for the keywords gen and heu. If one of those files were a clear-cut known virus, I would assume the trigger messages would be more specific and would agree more. That is actually quite a strong hint that it might not be malware after all. Think about it. Malware spreaders can use scanners too. If your average scanner would flag it, why bother spreading it?

I have seen about a thousand malware and other bad projects on Itch. And that number is not an overstatement. The project in question does not fit the usual patterns. I feel like I have seen just about everything, including malware that does not trigger at all and malware that was signed. The usual malware triggers a dozen or so, or less. Obvious malware would have been caught by Itch's scanners. They do scan files.

Now, to be clear, that is not proof of anything. It could still be malware. What I am saying is that positive triggers, or the lack thereof, are not enough. Consider the circumstances and context. There are some game engines and compiling methods that will trigger. Godot is notorious for that, and Ren'Py, but also some RPG Maker versions and other engines. Which is a very bad situation for indie game developers. Asking the developer if something is a virus is of little use. A criminal will lie and give the same answer as an honest dev. And there is always the possibility of an infected developer computer unknowingly uploading an infected version.

You can try to verify the developer, instead of the file. If the developer is on several socials and they link to each other, that is usually a good indicator that the account owner is not an impostor. I have seen such impostors, complete with links to the socials of the original. I've even seen original and fake side by side on Itch.

tl;dr: if you sent a report and nothing happened, support did not agree with your finding. Either because they were busy and have not worked on your report yet, or because they have reasons to not agree.
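A small script that applies the consensus check described above, written for this thread as an added example (not the poster's code): it counts how many VirusTotal-style labels are generic or heuristic and whether the remaining engines agree on a family name. The keyword lists and the two sample reports are constructed, not real scan output.

```python
import re
from collections import Counter

# Markers of a generic/heuristic verdict rather than a named family, built around the
# thread's hint ("look for gen and heu"); these word lists are assumptions of this example.
GENERIC_PREFIXES = ("gen", "heu")
GENERIC_WORDS = {"suspicious", "malicious", "ml", "ai", "score", "unsafe"}
# Classification words that are not family names and must not count as agreement.
NOISE = {"trojan", "win", "win32", "w32", "win64", "pe", "exe", "file", "malware",
         "virus", "variant", "of", "agent", "application"}

def tokens(label):
    # Split 'Trojan.Win32.Emotet.abc' or 'Malicious (score 85)' into lowercase parts.
    return [t for t in re.split(r"[.:/!\-_@ ()]+", label.lower()) if t]

def is_generic(label):
    return any(t.startswith(GENERIC_PREFIXES) or t in GENERIC_WORDS for t in tokens(label))

def family_of(label):
    """First token that looks like a family name, or None for generic labels."""
    if is_generic(label):
        return None
    for t in tokens(label):
        if t not in NOISE and not t.isdigit() and len(t) > 2:
            return t
    return None

def assess(verdicts):
    """verdicts: {engine: label, or None for clean}. Returns counts plus a plain verdict."""
    detected = {e: l for e, l in verdicts.items() if l}
    n = len(detected)
    generic = sum(1 for l in detected.values() if is_generic(l))
    fams = Counter(f for f in map(family_of, detected.values()) if f)
    top, votes = fams.most_common(1)[0] if fams else (None, 0)
    summary = {"engines": len(verdicts), "detections": n, "generic": generic,
               "top_family": top, "family_votes": votes}
    if n == 0:
        summary["verdict"] = "clean on all engines (not proof of safety)"
    elif votes / n >= 0.5:
        summary["verdict"] = "engines agree on a named family: strong signal"
    elif generic / n >= 0.5:
        summary["verdict"] = "mostly generic/heuristic hits: weak signal, judge by context"
    else:
        summary["verdict"] = "named but conflicting families: inconclusive"
    return summary

# Constructed sample reports (not real VirusTotal output); None means the engine saw nothing.
INTERPRETER = {"A": "Gen:Variant.Ursu.123", "B": "Heur.AdvML.B", "C": "Malicious (score 85)",
               "D": "Trojan.Generic.8811", "E": "W32/Suspicious_Gen", "F": None,
               "G": "HEUR:Trojan.Win32.Generic", "H": None}
KNOWN_TROJAN = {"A": "Trojan.Win32.Emotet.abc", "B": "Win.Trojan.Emotet-9876", "C": "Emotet!1a2b",
                "D": "Trojan:Win32/Emotet.A", "E": "W32/Emotet.gen", "F": "Gen:Variant.Emotet.4",
                "G": None, "H": "Trojan.Emotet"}
```

Running `assess(INTERPRETER)` gives six detections that are all generic with no family name, while `assess(KNOWN_TROJAN)` shows five of seven engines naming the same family.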

(6 edits)

Yes, but I have run this game and it downloaded malware onto my PC, so I had to reinstall Windows. What did I need to do so you would believe me? Not to mention the executable is disguising itself as "Ashampoo Snap", look at my original post. But apparently that's not enough... FYI, RPG Maker games usually don't trigger any virus detection: see, let's say, https://www.virustotal.com/gui/file/2d6b0707bff7f7bea6bc5e223c17c45e2795b510623e... results for this game https://brunnhyld.itch.io/thrifted

Dev's twitter is empty: https://x.com/lapma

And I cannot open his site on my pc: https://yeolom.com/lapma

I can also try to run it on VM and then upload a video on yt if that's still not enough...

(+1)

VirusTotal also runs these in virtual machines. That game does connect to a "suspicious" URL. Which is a false positive, if you dig around. But even with that connection, both VMs that ran the game zip do not report it as a malicious app. Jujubox has 0 findings and Zenbox some minor noise, including that suspicious URL. You will find threads about Malwarebytes from around 2023 where they removed that. And the file is from 2021 and is not detected by my Malwarebytes.

Curiously, the single exe report looks vastly different. It also did not disguise itself as Ashampoo Snap on my system. It had regular info.

But it will get removed by my Windows Defender... so there is that. Its finding is a heuristic, but it does do that even if you only upload it to VirusTotal. I would imagine an actual virus that was out in the wild for 3+ years would not get a heuristic, but a specific positive.

But again, that is not proof of anything. The VirusTotal VMs practically never report the actual malware that I try. And I know it was malware because of context. For example, seeing the original zip at a credible source and the fake file on Itch, and the fake file is a bit larger with the same version numbering.

And even legit devs with good intentions could unknowingly spread software that damages a system or even is infected. So better be on the safe side.

As for RPG Maker and false positives, yes, there are such. I have seen such for practically every common game engine.

If you look for game devs complaining about this, you will find this and similar. No need to try out random RPG Maker games. https://forums.malwarebytes.com/topic/282043-game-executable-detected-as-false-p...

Now what does all this leave us at? After reading here https://itch.io/post/5809139 I kinda know why you do not find current socials; the Itch activity is about 3 months old and the suspicious game you found is about 4 years old. Anyone actually interested in that game should try the browser versions that are on those developer accounts. I would not trust that game developer with exe files. Not so much because I fear an intentional virus, but because of sloppy developer machines, "clever" code obfuscation and whatnot. Not that I even could play it on my system, even if I wanted to, as Defender quarantines it promptly.

(+1)

To clarify, I mostly talk about the general case. A positive or a negative is not enough to be sure either way.

In this specific case, I do not think the developer uploaded a virus intentionally, but I am half and half on whether the file might be compromised anyway. Professional malware uploaders act differently in my experience. They would also promote their virus more and not upload several other games years later. And browser games at that.

The casual Windows gamer should be safe from this one. Not only is your virus warning still there, Windows Defender's heuristic currently quarantines that game.

(1 edit)

Totally not a malware at all, sir! 🫡

"The casual Windows gamer" can say goodbye to his Windows installation.

Let me guess, "Ashampoo Snap" is not enough evidence, right?

(+1)

When I opened that exe's info it did not say Ashampoo. And a few seconds later Windows Defender removed the file.

For what it's worth, I shall also report this game. I found the hidden exe file that is the real game. There are two exe files in that folder. One is a hidden plus system file, the RPG Maker file, and the other a known legit exe: https://www.virustotal.com/gui/file/487bd28f3d0b43ed9827ba519d6d113c4f31059bd62b...

It is sad that all those scanners do not agree on what malware exactly it is, since it is several years old.
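An added example (not from any of the thread's participants) of the check the post above describes: list executables in a game folder that carry the hidden or system attribute, flag folders where a visible and a hidden executable sit side by side, and hash the flagged files for a VirusTotal lookup. The attribute bits are the documented Windows values; the sample folder listing is constructed.

```python
import hashlib
import os

# Windows file attribute bits (documented constants). A hidden+system file stays out of a
# default Explorer view even when "show hidden files" is on.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1"}

def flag_entries(entries):
    """entries: iterable of (path, attribute_bits). Returns findings for hidden/system
    executables and for folders holding a visible and a hidden executable together."""
    per_dir = {}
    findings = []
    for path, attrs in entries:
        if os.path.splitext(path)[1].lower() not in EXEC_EXT:
            continue
        hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN)
        system = bool(attrs & FILE_ATTRIBUTE_SYSTEM)
        per_dir.setdefault(os.path.dirname(path), []).append(hidden or system)
        if hidden or system:
            findings.append({"path": path, "hidden": hidden, "system": system,
                             "reason": "executable with hidden/system attribute"})
    for folder, flags in per_dir.items():
        if any(flags) and not all(flags):
            findings.append({"path": folder, "reason": "visible and hidden executables side by side"})
    return findings

def sha256_of(path):
    """SHA-256 of a file, the value to paste into a VirusTotal search."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_dir(root):
    """Walk a real folder. st_file_attributes exists only on Windows; elsewhere every
    file counts as visible, so the side-by-side check is only meaningful on Windows."""
    entries = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            entries.append((p, getattr(os.stat(p), "st_file_attributes", 0)))
    findings = flag_entries(entries)
    for f in findings:
        if os.path.isfile(f["path"]):
            f["sha256"] = sha256_of(f["path"])
    return findings

# Constructed sample listing (path, attribute bits) of a game folder for a quick self-check.
SAMPLE = [("game/Game.exe", 0x20), ("game/www/data.json", 0x20),
          ("game/engine.exe", FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
          ("game/readme.txt", FILE_ATTRIBUTE_HIDDEN)]
```

`flag_entries(SAMPLE)` reports the hidden+system `engine.exe` and the folder that holds it next to the visible `Game.exe`; a hidden text file is not reported because only executables are checked.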

(4 edits) (+1)

>Not as much that I fear an intentional virus, but because of sloppy developer machines

Yeah, I thought about that but it doesn't change anything: malware is still malware. And I don't want anyone else to stumble upon this game randomly and get this.

But I must admit it acts a bit differently this time: the VirusTotal results for this archive also are not the same as they were previously. Maybe the author tried to maintain the executable a little to make it not that obvious? Or he tried to get rid of some malicious software from his PC, if it was not intentional.

It also might be removed by Windows Defender, but why put anyone at risk at this point? This is getting ridiculous...

(1 edit) (+1)

I also have an old game that support does not seem to believe is suspicious. I am half convinced the DDoS attacks are from criminal groups trying to divert the attention of staff, so they have less time to do good work on reports for suspicious games. That they do not react to reports on obvious malware for over a week is not really helpful to their users.

This case here might actually be an infected developer's machine. Maybe they used an illegitimate version of RPG Maker that was infected.

I think they might have closed the remote server that this malware was connecting to. The alternative would be that the malware detected it was running in a VM and behaved orderly because of that. There are VM scanners, tactics to avoid detection in that VM, detection of such avoidance, and so on back and forth.

This topic has been auto-archived and can no longer be posted in because there haven't been any posts in a while.