A new DDOS Botnet built using Minecraft Servers with Malicious Plugins
Malicious Minecraft Plugins have been discovered spreading rapidly across Minecraft servers. Disguised as legitimate .jar files, these plugins initiate DDoS attacks and infect other plugins with malicious code upon installation.
- Behavior: Once installed, the malware quickly turns the Minecraft server into part of a botnet. It begins flooding specific IP addresses with excessive traffic, hampering the functionality of the targeted server. At the same time, it compromises the integrity of the host server by modifying the plugins already installed, either replacing them entirely or injecting malicious code into them.
- Propagation: This malware doesn't stay on one server. When server owners share their plugins with others, they unknowingly share the malware as well, so it can spread to more servers and cause even more trouble.
- Impact: The consequences of this infection are significant. It not only impairs the performance of the infected Minecraft server but also undermines the stability of other servers by flooding them with traffic. Additionally, the infected server's unwitting participation in DDoS attacks can expose its owner to legal consequences.
The malicious plugin (.jar file) is designed to send traffic to HTTP port 80 of the target IP, so Wireshark is used here to identify HTTP traffic originating from the malicious file. It is strongly advised not to conduct this test on your personal computer. Instead, please use a virtual machine environment to avoid any potential damage to your system.
- Install Java and Wireshark.
- Download and install PaperMC or another Minecraft server version.
- Run java -jar papermc.jar.
- Accept the EULA.
Now the test environment is ready.
With no plugins installed, Wireshark detects no HTTP traffic.
STEP.1.mp4
When plugins are installed from legitimate sources such as SpigotMC, Wireshark still detects no HTTP traffic.
STEP.2.mp4
When the malicious plugin is installed, Wireshark starts detecting HTTP traffic originating from the server. In this demonstration, LuckPerms and Clearlag also get infected with malicious code: both of their file hashes change.
STEP.3.mp4
Wireshark still detects HTTP traffic even after the malicious plugin and its dependencies are removed. This is because LuckPerms and Clearlag are now infected with malicious code and carry out the attack on behalf of the original malicious file.
STEP.4.mp4
SHA-256 hashes of the two plugins, the first pair before and the second pair after the malicious plugin was installed:
LuckPerms-Bukkit-5.4.117.jar: 39b7156ae34094e6e8f7e42e067daced246e7d9a4034ab6cca0fc1d7a6275dc0
Clearlag.jar: 7187dade49f7622ef6adae7ca28b15eed82321d7aef25668bba98c39e6648835
LuckPerms-Bukkit-5.4.117.jar: b5be160485ae762eeeb16c77b9c3ededebf13a86d0fc3fc71393e7ef8d862f77
Clearlag.jar: 9aceca57e98ebd1eb6b035b573aaecfb376392a2d840f7e2f35bb77c39d79af8
LuckPerms and Clearlag, both installed from verified sources, have been infected with malicious code by Vault.jar, which is itself an infected plugin; both can now replicate their malicious behavior into other plugins running on the same server.
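The hash changes above are the one reliable indicator the report gives, so a defender can turn them into a routine check. The following is an added example, not code from the report or from any of the plugins named: it records SHA-256 hashes of every jar in a Spigot/Paper plugins/ directory as a baseline right after a trusted install, and later reports jars that were modified, added or removed. The plugins/ path, baseline.json file and jar contents in demo() are constructed for illustration.

```python
# Added example, not code from the report: baseline-and-compare integrity check
# for a Spigot/Paper plugins/ directory, catching hash changes like those above.
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream, jars can be large
            h.update(chunk)
    return h.hexdigest()

def hash_plugins(plugins_dir) -> dict:
    """Map each .jar directly inside plugins_dir to its SHA-256 hex digest."""
    return {p.name: sha256_file(p) for p in sorted(Path(plugins_dir).glob("*.jar"))}

def save_baseline(plugins_dir, baseline_file) -> dict:
    """Hash the plugins right after a trusted install and persist them as JSON."""
    baseline = hash_plugins(plugins_dir)
    Path(baseline_file).write_text(json.dumps(baseline, indent=2))
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Classify jars against the baseline; three empty lists means nothing changed."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }

def check(plugins_dir, baseline_file) -> dict:
    """Re-hash the plugins and report drift from the saved baseline."""
    return compare(json.loads(Path(baseline_file).read_text()), hash_plugins(plugins_dir))

def demo() -> dict:
    """Constructed scenario: trusted baseline, then one jar tampered and one dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins, baseline = Path(tmp) / "plugins", Path(tmp) / "baseline.json"
        plugins.mkdir()
        (plugins / "LuckPerms-Bukkit-5.4.117.jar").write_bytes(b"clean luckperms")  # placeholder bytes
        (plugins / "Clearlag.jar").write_bytes(b"clean clearlag")
        save_baseline(plugins, baseline)
        (plugins / "Clearlag.jar").write_bytes(b"clean clearlag + injected code")  # simulated tampering
        (plugins / "Vault.jar").write_bytes(b"untrusted drop-in")
        return check(plugins, baseline)

if __name__ == "__main__":
    print(demo())  # {'modified': ['Clearlag.jar'], 'added': ['Vault.jar'], 'missing': []}
```

Run save_baseline once after installing plugins from trusted sources and check on a schedule; any "modified" entry for a plugin you did not update yourself is the same symptom the report observed on LuckPerms and Clearlag.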
To the best of my knowledge, there isn't any solution to tackle this malware. However, if there is one, please let me know.
This report has been written by me, and if there is any mistake, please let me know.