Microsoft uncovers DDoS campaign targeting Minecraft servers

Microsoft researchers have discovered a Windows-Linux botnet taking down Minecraft servers in “highly efficient” DDoS attacks.

As reported by ArsTechnica, the MCCrash botnet sends a command that populates the user name input dialog box in a Minecraft server’s login page that crashes the server by exhausting its resources.

“The usage of the env variable triggers the use of Log4j 2 library, which causes abnormal consumption of system resources (not related to [the] Log4Shell vulnerability), demonstrating a specific and highly efficient DDoS method,” Microsoft researchers wrote.

MCCrash botnet’s massive reach

Microsoft also noted that MCCrash has the ability to crash servers running a wide variety of versions of the game’s server software.

This is where it gets a bit complicated: MCCrash itself is only hardcoded to target version 1.12.2, but the attack technique is enough to take down servers running versions 1.7.2 through 1.18.2, which ArsTechnica estimates to be about half of all Minecraft services running today. 

Patching the server software to version 1.9 renders the botnet’s technique ineffective, but even without that, Microsoft is thankful that the impact of the botnet is limited.

“The wide range of at-risk Minecraft servers highlights the impact this malware could have had if it was specifically coded to affect versions beyond 1.12.2,” Microsoft researchers wrote. 

“The unique ability of this threat to utilize Internet of Things (IoT) devices that are often not monitored as part of the botnet substantially increases its impact and reduces its chances of being detected.”

The most common initial infection points for MCCcrash are Windows machines that have installed software that purports to activate the operating system with illicit licenses, but chiefly contains the malware that, on a delay, installs a python script that provides the botnet’s logic.

Infected Windows devices then scan the internet in search of devices running Linux distros such as Debian, Ubuntu, and CentOS, and use default login credentials to run the same .py script on these new devices, which are then used to launch DDoS attacks on Minecraft servers and other devices.

Microsoft didn’t reveal the number of devices infected by MCCrash, but ArsTechnica claims a geographical breakdown reveals that many are located in Russia, echoing the sentiments of the Microsoft Digital Defence Report for 2022, which claims that the Russia-Ukraine conflict is being, in part, driven by cybercrime.



Comments