Microsoft researchers have discovered a Windows-Linux botnet taking down Minecraftin “highly efficient” attacks.
As reported by (opens in new tab), the MCCrash botnet sends a command that populates the user name input dialog box in a Minecraft server’s login page that crashes the server by exhausting its resources.
“The usage of the env variable triggers the use of2 library, which causes abnormal consumption of system resources (not related to [the] ), demonstrating a specific and highly efficient DDoS method,” Microsoft researchers wrote.
MCCrash botnet’s massive reach
Microsoft also noted that MCCrash has the ability to crash servers running a wide variety of versions of the game’s server software.
This is where it gets a bit complicated: MCCrash itself is only hardcoded to target version 1.12.2, but the attack technique is enough to take down servers running versions 1.7.2 through 1.18.2, which ArsTechnicato be about half of all Minecraft services running today.
the server software to version 1.9 renders the botnet’s technique ineffective, but even without that, Microsoft is thankful that the impact of the botnet is limited.
“The wide range of at-risk Minecraft servers highlights the impact thiscould have had if it was specifically coded to affect versions beyond 1.12.2,” Microsoft researchers wrote.
“The unique ability of this threat to utilize Internet of Things (IoT) devices that are often not monitored as part of the botnet substantially increases its impact and reduces its chances of being detected.”
The most common initial infection points for MCCcrash aremachines that have installed software that purports to activate the operating system with illicit licenses, but chiefly contains the malware that, on a delay, installs a python script that provides the botnet’s logic.
Infected Windows devices then scan the internet in search of devices runningsuch as Debian, Ubuntu, and CentOS, and use default login credentials to run the same .py script on these new devices, which are then used to launch DDoS attacks on Minecraft servers and other devices.
Microsoft didn’t reveal the number of devices infected by MCCrash, but ArsTechnica claims a geographical breakdown reveals that many are located in Russia, echoing the sentiments of the, which claims that the Russia-Ukraine conflict is being, in part, driven by cybercrime.