Maya .ma used to launch a virus!

Geordie Martinez

unread,

Sep 23, 2020, 6:32:39 PM9/23/20

to Python Programming for Autodesk Maya

Hey all,

I have been haxored.

I recently opened a file from our studio in china and this malicious code (screencap only attached) was in there. it modified my userSetup.py so when I launched the next maya session it ran all this code. I have no idea what this is.

Has anyone seen this crap before?

virus_or_some_shit.jpg

Geordie Martinez

unread,

Sep 23, 2020, 6:34:30 PM9/23/20

to Python Programming for Autodesk Maya

Chad Vernon, why do you teach people to do these things? :)

Geordie Martinez

unread,

Sep 23, 2020, 6:38:31 PM9/23/20

to Python Programming for Autodesk Maya

Looks like there is something on TechArtists.

http://discourse.techart.online/t/another-maya-malware-in-the-wild/12970

Justin Israel

unread,

Sep 23, 2020, 6:45:21 PM9/23/20

to python_in...@googlegroups.com

On Thu, Sep 24, 2020 at 10:38 AM Geordie Martinez <geordie...@gmail.com> wrote:

Looks like there is something on TechArtists.

http://discourse.techart.online/t/another-maya-malware-in-the-wild/12970

You beat me to posting that link. Seems like the actual code itself is not malicious, as it was intended by some other company to try and detect actual virus behaviour. But the whole idea of script jobs running at file import is super dangerous. You would really need to trust the source of your scene files or rely on the file security scanning to detect threads.

On Wednesday, September 23, 2020 at 3:34:30 PM UTC-7 Geordie Martinez wrote:
Chad Vernon, why do you teach people to do these things? :)

On Wednesday, September 23, 2020 at 3:32:39 PM UTC-7 Geordie Martinez wrote:
Hey all,

I have been haxored.

I recently opened a file from our studio in china and this malicious code (screencap only attached) was in there. it modified my userSetup.py so when I launched the next maya session it ran all this code. I have no idea what this is.

Has anyone seen this crap before?

--
You received this message because you are subscribed to the Google Groups "Python Programming for Autodesk Maya" group.
To unsubscribe from this group and stop receiving emails from it, send an email to python_inside_m...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/python_inside_maya/774e865f-88d1-4b16-8690-0c7bd8ce380en%40googlegroups.com.

Geordie Martinez

unread,

Sep 23, 2020, 6:58:48 PM9/23/20

to Python Programming for Autodesk Maya

Whew! But also, holy crap. Maya files could easily turn into attack vectors.
This bit of code was repeated in the file about 940+ times.

Justin Israel

unread,

Sep 23, 2020, 7:20:12 PM9/23/20

to python_in...@googlegroups.com

On Thu, Sep 24, 2020 at 10:58 AM Geordie Martinez <geordie...@gmail.com> wrote:

Whew! But also, holy crap. Maya files could easily turn into attack vectors.
This bit of code was repeated in the file about 940+ times.

Probably why this exists now:
https://knowledge.autodesk.com/support/maya/troubleshooting/caas/simplecontent/content/maya-security-tool-faq.html

To view this discussion on the web visit https://groups.google.com/d/msgid/python_inside_maya/f2542116-c986-4465-9fcf-831a67d1f3d3n%40googlegroups.com.

vince touache

unread,

Sep 24, 2020, 8:57:01 AM9/24/20

to Python Programming for Autodesk Maya

as a temporary solution, I guess you can still uncheck the "execute script jobs" when you open an untrustworthy file

Geordie Martinez

unread,

Sep 24, 2020, 1:41:01 PM9/24/20

to Python Programming for Autodesk Maya

the security tool is out of date and didn’t work.
I just ran this and it culled the nodes:

import maya.cmds as cmds
unknownNodes=cmds.ls(type = "unknown")
unknownNodes+=cmds.ls(type = "unknownDag")
unknownNodes+=cmds.ls(type = "script")
for item in unknownNodes:
    if cmds.objExists(item):
        print item
        cmds.lockNode(item, lock=False)
        cmds.delete(item)

Reply all

Reply to author

Forward