Microsoft discovers Windows/Linux botnet used in DDoS attacks

[Image: cartoon of a desktop computer attacked by viruses. Credit: Aurich Lawson/Ars Technica]

Microsoft researchers have discovered a hybrid Windows-Linux botnet that uses a highly effective technique to shut down Minecraft servers and perform distributed denial-of-service attacks on other platforms.

Dubbed MCCrash, the botnet infects Windows machines and devices running various Linux distributions for use in DDoS attacks. Among the commands accepted by the botnet software is one called ATTACK_MCCRASH. This command populates the username in a Minecraft server login page with ${env:random payload of specific size:-a}. The resulting chain of lookups drains the server's resources and crashes it.

[Image: a packet capture showing the TCP payload used to crash Minecraft servers. Credit: Microsoft]

"The use of the env variable triggers the use of the Log4j 2 library, which causes an abnormal consumption of system resources (not related to the Log4Shell vulnerability), demonstrating a specific and very effective," the Microsoft researchers wrote. "A wide range of Minecraft server versions may be affected."

Currently, MCCrash is hard-coded to only target Minecraft server software version 1.12.2. The attack technique, however, will take down servers running versions 1.7.2 through 1.18.2, which run about half of the world's Minecraft servers. If the malware is updated to target all vulnerable versions, its reach could be much wider. A change in version 1.19 of the Minecraft server prevents the attack from working.
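A defender-side check built from the details above, added here as an example and not code from Microsoft's report or the Ars article: it flags Minecraft Login Start usernames that carry Log4j 2 lookup syntax (the `${env:...:-a}` pattern) or exceed the 16-character limit of a legitimate Minecraft name, and it tests whether a server version falls in the 1.7.2 to 1.18.2 range Microsoft reports as affected. The 3-16 character, letters/digits/underscore username rule and the sample usernames are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Log4j 2 lookup syntax is ${prefix:...}; MCCrash fills the username with ${env:<payload>:-a}.
LOOKUP_RE = re.compile(r"\$\{[A-Za-z]+:")
# Assumption: legitimate Minecraft usernames are 3-16 chars of letters, digits and underscore.
VALID_NAME_RE = re.compile(r"^[A-Za-z0-9_]{3,16}$")
MAX_NAME_LEN = 16

# Version range Microsoft reports as affected; 1.19 changed the server so the attack fails.
AFFECTED_MIN = (1, 7, 2)
AFFECTED_MAX = (1, 18, 2)


@dataclass
class Finding:
    username: str
    suspicious: bool
    reasons: list = field(default_factory=list)


def inspect_login_username(username: str) -> Finding:
    """Return a Finding describing why a login username looks like MCCrash-style abuse."""
    reasons = []
    if LOOKUP_RE.search(username):
        reasons.append("log4j_lookup_syntax")        # ${env:...} style interpolation
    if len(username) > MAX_NAME_LEN:
        reasons.append(f"oversized_username:{len(username)}")
    if not reasons and not VALID_NAME_RE.match(username):
        reasons.append("invalid_charset")            # not a name a real client would send
    return Finding(username, bool(reasons), reasons)


def parse_version(version: str) -> tuple:
    """'1.12.2' -> (1, 12, 2); '1.19' -> (1, 19, 0)."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def server_version_affected(version: str) -> bool:
    """True when the server version lies in the affected 1.7.2 .. 1.18.2 range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Constructed sample usernames as they might appear in captured Login Start packets.
SAMPLE_LOGINS = ["Steve_01", "${env:" + "A" * 40 + ":-a}", "x" * 20]

if __name__ == "__main__":
    for name in SAMPLE_LOGINS:
        f = inspect_login_username(name)
        print(f"{'ALERT ' if f.suspicious else 'ok    '} {name[:24]!r} {f.reasons}")
    print("1.12.2 affected:", server_version_affected("1.12.2"))
```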


"The wide array of at-risk Minecraft servers highlights the impact this malware could have had had it been specifically coded to affect versions beyond 1.12.2," the Microsoft researchers wrote. "This threat's unique ability to use IoT devices that often go unmonitored as part of the botnet greatly increases its impact and reduces its chances of detection."

The initial point of infection for MCCrash is Windows machines that have installed software claiming to give pirated licenses for the Microsoft operating system. The code hidden in the downloaded software surreptitiously infects the device with malware that eventually installs malware.py, a Python script that provides the main logic for the botnet. Infected Windows devices then scan the Internet for Debian, Ubuntu, CentOS, and IoT devices that accept SSH connections.
