Microsoft researchers have discovered a hybrid Windows-Linux botnet that performs distributed denial of service attacks on other platforms.
Both Windows machines and devices running various distributions of Linux can be used in a distributed denial of service (DDoS) attack. One of the commands accepted by the botnet software is ATTACK_MCCRASH. This command populates the user name in the login page with a string that causes the server to crash.
Microsoft researchers wrote that the use of the env variable triggered the use of the Log4j 2 library, which caused abnormal consumption of system resources, and that this is not related to the Log4Shell vulnerability. There is a wide range of versions of the game.
Only one version of the Minecraft server software is hardcoded as the target. Half of the world's Minecraft servers will be taken down by the attack technique. If the software is updated to target all vulnerable versions, its reach could be much larger. The attack can't work because of a modification in the server version.
Microsoft researchers wrote that the wide range of at-risk Minecraft servers highlights the impact this malware could have had. The ability of this threat to use Internet of Things devices that are not monitored increases its impact and reduces its chances of being detected.
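A defensive check for the crash technique described above, as an added example that is not from Microsoft's report or from any Minecraft server code: it triages login names for Log4j 2 lookup syntax before they reach a logger. It assumes the "env variable" refers to Log4j 2's `${env:...}` lookup form and that legitimate names are 3 to 16 letters, digits or underscores; the function names and sample data are hypothetical.

```python
import re
from collections import Counter

# Assumption: legitimate names are 3-16 characters of letters, digits, underscore.
VALID_NAME = re.compile(r"[A-Za-z0-9_]{3,16}")
# Log4j 2 lookup syntax is "${prefix:...}", for example ${env:NAME}.
LOOKUP = re.compile(r"\$\{\s*([A-Za-z]+)\s*:")

def classify(name):
    """Return 'ok', 'lookup:<prefix>' or 'invalid' for one login name."""
    match = LOOKUP.search(name)
    if match:
        return "lookup:" + match.group(1).lower()
    if VALID_NAME.fullmatch(name):
        return "ok"
    return "invalid"  # allowlist failure also catches obfuscated lookups

def triage(attempts):
    """attempts: iterable of (source_ip, username) pairs.
    Returns (flagged, per_source); flagged holds (ip, verdict, name_length)."""
    flagged = []
    per_source = Counter()
    for src, name in attempts:
        verdict = classify(name)
        if verdict != "ok":
            flagged.append((src, verdict, len(name)))
            per_source[src] += 1
    return flagged, per_source

def safe_for_log(name, limit=32):
    """Neutralise a name before logging: drop non-printables, break '${', truncate."""
    cleaned = "".join(ch for ch in name if ch.isprintable())
    return cleaned.replace("${", "$ {")[:limit]

# Constructed sample data: documentation IP ranges and placeholder names.
SAMPLE = [
    ("198.51.100.7", "Steve_01"),
    ("203.0.113.9", "${env:PLACEHOLDER}"),
    ("203.0.113.9", "${ENV:PLACEHOLDER:-a}"),
    ("192.0.2.44", "ab"),
]

if __name__ == "__main__":
    flagged, per_source = triage(SAMPLE)
    for src, verdict, length in flagged:
        print(f"{src} {verdict} len={length}")
    print(per_source.most_common())
```

Rejecting any name that fails the allowlist, rather than matching known lookup prefixes only, also covers nested or obfuscated lookups that the regular expression would miss.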
There are Windows machines that have installed software that pretends to give licenses for the Microsoft OS. The main logic for the botnet is provided by a Python script that is hidden in the software. The Windows devices search the Internet for devices that accept SSH connections.
The same malicious.py script can be run on the Linux device when MCCrash logs in with common default login credentials. The Windows and Linux devices then form part of a network of computers that performs various types of attacks. There is a graphic showing the attack flow.
Most of the devices are located in Russia. Microsoft didn't specify how many devices were affected. The researchers said they think the operators use the botnet to sell their services.