Microsoft researchers have discovered a hybrid Windows-Linux bonnetnet that uses a very efficient method for downloading. Minecraft servers and perform distributed denial-of-service attacks on other platforms.

Dubbed MCCrash, the botnet targets Windows machines and devices running various Linux distributions for DDoS attacks. It is called one of the commands that the botnet software receives ATTACK_MCCRASH. This command uses the user name in a Minecraft Server login page ${env:random payload of specific size:-a}. The string drains the server’s resources and causes it to crash.

of<em>Minecraft</em> Packet capture showing TCP payload to crash servers.” src=”×50.png” width=”640″ height=” 50″ srcset=” 2x”/><figcaption class=
Expand / A packet capture showing the TCP payload for the crash Minecraft Servants.


” of env It prompts the use of the dynamic Log4j 2 library, which shows unusual consumption of system resources (unrelated to the vulnerability of Log4Shell), a different and very efficient DDoS method,” Microsoft researchers wrote. “Many Minecraft server versions can be affected.”

Currently, MCCrash is hardcoded to target only version 1.12.2 Minecraft Server software. The attack technique, however, takes down half of the world’s servers running versions 1.7.2 through 1.18.2. Minecraft Servants. If the malware is updated to target all vulnerable versions, its reach can be much wider. Improvement in Minecraft Server version 1.19 prevents the attack from running.

“A wide range of risks Minecraft Servers highlight the potential impact this malware could have if it was coded to affect versions older than 1.12.2, Microsoft researchers wrote. “This threat’s unique ability to exploit often unmonitored IoT devices as part of a botnet greatly increases its impact and reduces the likelihood of detection.”

MCCrash’s primary point of infection is Windows machines that have installed software that purports to grant stolen licenses to Microsoft’s OS. Code hidden in the downloaded software secretly infects the device with malware, which ultimately loads, a Python script that provides the botnet’s core logic. Infected Windows devices scan the Internet for Debian, Ubuntu, CentOS, and IoT devices that accept SSH connections.

Trojanized cracking tools that install MCCrash.
Expand / Trojanized cracking tools that install MCCrash.


When detected, MCCrash attempts to run the same script on a Linux device using normal default login credentials. Both Windows and Linux devices are part of the botnet Minecraft Attack as well as other types of DDoSes. The graphic below shows the attack flow.


A breakdown of devices infected by MCCrash shows that most of them are located in Russia. Microsoft did not say how many devices were infected. The company’s researchers believe that botnet operators use DDoS services to sell through criminal platforms.

ودجت أحدث المقالات للصفحة الرئيسية تظهر على الصفحة الرئيسية فقط


Leave a Reply

Your email address will not be published. Required fields are marked *