Microsoft detects Windows/Linux botnet used in DDoS attacks

Microsoft researchers have discovered a hybrid Windows-Linux botnet that uses a highly effective technique to take down Minecraft servers and to perform distributed denial-of-service attacks against other platforms.

Named MCCrash, the botnet infects Windows machines and devices running various Linux distributions and uses them in DDoS attacks. Among the commands accepted by the botnet software is one called ATTACK_MCCRASH. This command fills the username field of a Minecraft server login with ${env:random payload of specific size:-a}. The string drains the server's resources and crashes it.

A packet capture showing the TCP payload used to take down Minecraft servers.

"Use of env triggers the use of the Log4j 2 library, which causes abnormal consumption of system resources (unrelated to the Log4Shell vulnerability), demonstrating a specific and highly effective DDoS method," the Microsoft researchers wrote. "A wide variety of Minecraft server versions may be affected."

Currently, MCCrash is hardcoded to target only Minecraft server software version 1.12.2. However, the attack technique will take down servers running versions 1.7.2 through 1.18.2, which account for about half of all Minecraft servers. If the malware is updated to target all vulnerable versions, its reach could be much wider. A change in Minecraft server version 1.19 prevents the attack from working.
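The resource exhaustion described above starts with a login username that carries Log4j 2 lookup syntax. A simple mitigation and detection measure for server operators who cannot upgrade past 1.18.2 is to validate the username before it reaches any logging call and to record which sources send such names. The following is an added example, not code from the article or from Microsoft; it assumes that legitimate Minecraft account names are 3 to 16 characters of letters, digits and underscore, and the login attempts it processes are constructed samples, not real captures.

```python
import re
from collections import Counter

# Assumption: legitimate Minecraft account names are 3-16 characters of [A-Za-z0-9_].
VALID_NAME = re.compile(r"^[A-Za-z0-9_]{3,16}$")

# Log4j 2 lookup syntax, e.g. ${env:...:-a} as used by the ATTACK_MCCRASH command.
# Any "${" is rejected outright; the regex only extracts the lookup prefix for reporting.
LOOKUP_PREFIX = re.compile(r"\$\{([A-Za-z0-9_]*)")


def classify_login_name(name: str) -> dict:
    """Return a verdict for a login username before it is logged or passed on.

    reason is one of: "ok", "log4j_lookup", "invalid_name".
    """
    if "${" in name:
        m = LOOKUP_PREFIX.search(name)
        prefix = m.group(1) if m else ""
        return {"ok": False, "reason": "log4j_lookup", "prefix": prefix, "length": len(name)}
    if not VALID_NAME.match(name):
        return {"ok": False, "reason": "invalid_name", "prefix": "", "length": len(name)}
    return {"ok": True, "reason": "ok", "prefix": "", "length": len(name)}


def triage_attempts(attempts):
    """Filter a list of (source_ip, username) login attempts.

    Returns (accepted_names, rejected_records, per_source_counts) so the
    rejected records can be forwarded to a SIEM and the sources rate-limited.
    """
    accepted, rejected = [], []
    per_source = Counter()
    for src, name in attempts:
        verdict = classify_login_name(name)
        if verdict["ok"]:
            accepted.append(name)
        else:
            rejected.append({"src": src, **verdict})
            per_source[src] += 1
    return accepted, rejected, per_source


# Constructed sample attempts (not real data): one normal player, one MCCrash-style
# name where the env lookup carries a large padding string, one malformed name.
SAMPLE_ATTEMPTS = [
    ("203.0.113.7", "Steve_42"),
    ("198.51.100.9", "${env:" + "A" * 2048 + ":-a}"),
    ("198.51.100.9", "${env:" + "B" * 4096 + ":-a}"),
    ("203.0.113.8", "x"),
]


if __name__ == "__main__":
    ok, bad, counts = triage_attempts(SAMPLE_ATTEMPTS)
    print("accepted:", ok)
    for rec in bad:
        print(f"rejected {rec['src']}: {rec['reason']} prefix={rec['prefix']!r} len={rec['length']}")
    print("rejections per source:", dict(counts))
```

The check deliberately rejects any name containing "${" rather than only the env prefix, since the article notes the lookup mechanism itself, not a particular variable, is what triggers the abnormal resource consumption.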

"The wide range of at-risk Minecraft servers highlights the impact this malware could have had if it had been specifically coded to affect versions beyond 1.12.2," the Microsoft researchers wrote. "This threat's unique ability to use IoT devices that often remain unattended as part of the botnet greatly increases its impact and reduces its chances of detection."

The first point of infection for MCCrash is Windows machines whose owners have installed software that claims to provide pirated licenses for the Microsoft operating system. Code hidden in the downloaded software surreptitiously infects the device with malware that eventually installs a Python script providing the botnet's main logic. Infected Windows devices then scan the Internet for Debian, Ubuntu, CentOS, and IoT devices that accept SSH connections.

Trojan cracking tools that install MCCrash.

Once such a device is found, MCCrash tries common default credentials to run the same script on the Linux device. The Windows and Linux devices then become part of a botnet that carries out the Minecraft attacks as well as other forms of DDoS. The graph below shows the attack flow.
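The Linux side of the spread described above relies on SSH password guessing with default credentials, which leaves a recognizable trace in sshd logs: a run of failed password attempts from one source followed by an accepted password. The following is an added example, not code from the article or from Microsoft, that scans auth log lines for that pattern; the log lines are constructed samples and the list of commonly defaulted account names is an assumption for illustration.

```python
import re
from collections import defaultdict

# Matches the "Failed password" / "Accepted password" lines sshd writes to auth logs.
SSHD_LINE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

# Assumption for illustration: account names that commonly ship with default passwords
# on the distributions and IoT devices the article names.
DEFAULT_ACCOUNTS = {"root", "admin", "pi", "ubuntu", "user", "support"}


def find_guessed_logins(lines, min_failures=3):
    """Return successful password logins that follow repeated failures from the same source.

    Each hit records the source, the account, how many failures preceded it, and
    whether the account is on the default-credential watchlist.
    """
    failures = defaultdict(int)
    hits = []
    for line in lines:
        m = SSHD_LINE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
        elif failures[src] >= min_failures:
            hits.append({
                "src": src,
                "user": user,
                "failures_before": failures[src],
                "default_account": user in DEFAULT_ACCOUNTS,
            })
    return hits


# Constructed sample log lines (not real data). One scanner guesses its way in as
# "pi" after four failures; a legitimate admin logs in with no prior failures.
SAMPLE_AUTH_LOG = [
    "Dec 15 10:01:02 host sshd[2011]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2",
    "Dec 15 10:01:03 host sshd[2011]: Failed password for root from 198.51.100.23 port 40122 ssh2",
    "Dec 15 10:01:05 host sshd[2012]: Failed password for invalid user ubuntu from 198.51.100.23 port 40130 ssh2",
    "Dec 15 10:01:06 host sshd[2012]: Failed password for pi from 198.51.100.23 port 40130 ssh2",
    "Dec 15 10:01:08 host sshd[2013]: Accepted password for pi from 198.51.100.23 port 40131 ssh2",
    "Dec 15 10:05:44 host sshd[2020]: Accepted password for alice from 203.0.113.5 port 51002 ssh2",
    "Dec 15 10:06:00 host sshd[2021]: pam_unix(sshd:session): session opened for user alice",
]


if __name__ == "__main__":
    for hit in find_guessed_logins(SAMPLE_AUTH_LOG):
        print(hit)
```

The threshold of three prior failures is a starting point for tuning; the more durable fix for the devices the article lists is to disable SSH password authentication in favour of keys, which removes the guessing surface entirely.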

A breakdown of devices infected with MCCrash shows that most of them are located in Russia. Microsoft did not specify the number of infected devices. The company’s researchers said they believe botnet operators are using it to sell DDoS services on criminal forums.
