Fake Minecraft updates leave thousands of PCs infected

Microsoft researchers have discovered a Windows-Linux botnet taking down Minecraft servers in "very effective" DDoS attacks.

As reported by ArsTechnica(Opens in a new tab), the MCCrash botnet sends a command that completes the username input dialog on a Minecraft server's login page that crashes the server and depletes your resources.

"The use of the env variable triggers the use of the Log4j 2 library, leading to abnormal consumption of system resources (not related to [the] Log4Shell vulnerability), demonstrating a targeted and highly effective DDoS method," they wrote. Microsoft researchers.

The massive reach of the MCCrash botnet

Microsoft also noted that MCCrash has the ability to crash servers running a wide variety of versions of the game's server software.

This is where it gets a bit tricky: MCCrash itself is only hardcoded to target 1.12.2, but the attack technique is enough to bring down servers running 1.7.2 to 1.18, which ArsTechnica estimates to be about the same. half of all running Minecraft services. This day.

The server software patch to version 1.9 renders the botnet technique ineffective, but even without this, Microsoft appreciates that the botnet's impact is limited.

"The wide range of Minecraft servers at risk highlights the impact this malware could have had if it had been specifically coded to affect versions after 1.12.2," the Microsoft researchers wrote.

"The unique ability of this threat to use Internet of Things (IoT) devices that are often unmonitored as part of the botnet greatly increases its impact and reduces its chances of detection."

The most common initial points of infection for MCCcrash are Windows machines that have software installed that purports to activate the operating system with illicit licenses, but which primarily contains malware that subsequently installs a python script that provides botnet logic.

The infected Windows devices then scan the Internet for devices running Linux distributions, such as Debian, Ubuntu, and CentOS, and use the default login credentials to run the same .py script on these new devices, which are then used to launch DDoS attacks in Minecraft. . servers and other devices.

Microsoft has not disclosed the number of devices infected with MCCrash, but ArsTechnica says a geographic breakdown reveals many are located in Russia, echoing the sentiments of Microsoft's Digital Defense Report 2022, which says the Russian-Ukrainian conflict is , in part, due to cybercrime

Share This