Microsoft researchers have discovered a hybrid Windows-Linux botnet that uses a highly effective technique to take down Minecraft servers and to perform distributed denial-of-service attacks on other platforms.
Named MCCrash, the botnet infects Windows machines and devices running various Linux distributions for use in DDoS attacks. Among the commands accepted by the botnet software is one called ATTACK_MCCRASH. This command fills in the username field of a Minecraft server login with ${env:random payload of specific size:-a}. The string drains the server's resources and crashes it.
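As an added illustration, not code from the article or from Microsoft, the following defender-side check reads vanilla-server log lines and flags login names that carry the ${...} lookup syntax described above, or that fall outside the 3-16 character [A-Za-z0-9_] form of a legitimate Minecraft username. The log lines, player names and IP addresses are constructed samples; the two log formats matched are the vanilla "logged in" and "UUID of player" lines.

```python
import re

# Vanilla Minecraft usernames are 3-16 characters from [A-Za-z0-9_].
NAME_CHARS = re.compile(r"[A-Za-z0-9_]+")
MAX_NAME_LEN = 16

# Two vanilla-server log lines that carry a player name (formats as emitted by the server):
# "[HH:MM:SS] [Server thread/INFO]: Steve[/192.0.2.5:54321] logged in with entity id ..."
# "[HH:MM:SS] [User Authenticator #1/INFO]: UUID of player Steve is ..."
LOGIN_LINE = re.compile(r"\]: (?P<name>.+?)\[/(?P<ip>[\d.]+):\d+\] logged in")
UUID_LINE = re.compile(r"\]: UUID of player (?P<name>.+?) is ")

# Constructed sample log; the second line mimics the oversized ${env:...:-a} login described above.
SAMPLE_LOG = [
    "[12:00:01] [Server thread/INFO]: Steve[/192.0.2.5:54321] logged in with entity id 12 at (0.5, 64.0, 0.5)",
    "[12:00:02] [User Authenticator #1/INFO]: UUID of player ${env:" + "A" * 40
    + ":-a} is 00000000-0000-0000-0000-000000000000",
    "[12:00:03] [Server thread/INFO]: Alex[/198.51.100.7:40000] logged in with entity id 13 at (1.5, 64.0, 1.5)",
    "[12:00:04] [Server thread/INFO]: This_name_is_way_too_long_for_mc[/203.0.113.9:1234] logged in with entity id 14 at (0.0, 64.0, 0.0)",
]


def classify_username(name: str) -> list[str]:
    """Return the reasons a login name looks hostile; an empty list means it looks normal."""
    reasons = []
    if "${" in name:                      # ${...} lookup syntax has no place in a player name
        reasons.append("lookup-syntax")
    if len(name) > MAX_NAME_LEN:          # padded payloads are far longer than any real name
        reasons.append("oversized")
    if not NAME_CHARS.fullmatch(name):    # anything outside [A-Za-z0-9_] is not a vanilla name
        reasons.append("invalid-charset")
    return reasons


def scan_log(lines):
    """Return (name, source_ip_or_None, reasons) for every flagged login in a server log."""
    hits = []
    for line in lines:
        m = LOGIN_LINE.search(line)
        ip = m.group("ip") if m else None   # the UUID line carries no address
        if m is None:
            m = UUID_LINE.search(line)
        if m is None:
            continue
        reasons = classify_username(m.group("name"))
        if reasons:
            hits.append((m.group("name"), ip, reasons))
    return hits


if __name__ == "__main__":
    for name, ip, reasons in scan_log(SAMPLE_LOG):
        print(f"flagged login from {ip or 'unknown'}: {name[:24]!r} -> {', '.join(reasons)}")
```

Run against a live server log, the same check can feed an alert or a firewall rule keyed on the source address, which is the fix a defender applies while the server is patched.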
“The wide range of people at risk in Minecraft highlights the impact this malware could have had if it had been specifically coded to affect versions beyond 1.12.2,” the Microsoft researchers wrote. “This threat’s unique ability to use IoT devices that often remain unattended as part of the botnet greatly increases its impact and reduces its chances of detection.”
The first point of infection for MCCrash is Windows machines on which users have installed software that claims to provide pirated licenses for the Microsoft operating system. Code hidden in the downloaded software surreptitiously infects the device with malware that eventually installs malware.py, a Python script that provides the botnet’s main logic. Infected Windows devices then scan the Internet for Debian, Ubuntu, CentOS, and IoT devices that accept SSH connections.
Once such a device is found, MCCrash tries default credentials in an attempt to run the same malware.py script on the Linux device. Windows and Linux devices then become part of a botnet that executes Minecraft attacks as well as other forms of DDoS. The diagram below shows the attack flow.
A breakdown of devices infected with MCCrash shows that most of them are located in Russia. Microsoft did not specify the number of infected devices. The company’s researchers said they believe botnet operators are using it to sell DDoS services on criminal forums.