MCCrash Botnet Launches DDoS Attacks Against Private Minecraft Servers, Microsoft Warns

Microsoft recently disclosed details of a cross-platform botnet used in an aggressive distributed denial-of-service (DDoS) campaign against private Minecraft servers. The botnet, dubbed MCCrash, uses crafted packets to launch DDoS attacks.

Researchers believe the botnet, tracked as DEV-1028, likely resulted from malicious software downloaded on Windows devices. However, they also noticed a propagating mechanism allowing it to spread on various Linux-based systems.

“The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices,” Microsoft’s security advisory reads. “Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet.”

Company experts discovered that most botnet participants were acquired through the installation of malicious tools that pose as illegal Windows activators. The faux cracking tools comprise additional code that uses PowerShell commands to download and launch a rogue version of svchost.exe.

The executable then launches malicious.py, a Python script that scans for SSH-enabled devices such as Ubuntu, Debian, CentOS or Raspbian, and attempts to propagate through a dictionary attack.

“The botnet’s spreading mechanism makes it a unique threat, because while the malware can be removed from the infected source PC, it could persist on unmanaged IoT devices in the network and continue to operate as part of the botnet,” Microsoft said.

Although the malware was designed to specifically target Minecraft server version 1.12.2, researchers say that all versions between 1.7.2 and 1.18.2 are vulnerable to this attack method. Even worse, the threat’s ability to use IoT devices as part of the botnet decreases its detection rate and substantially increases its viciousness.

Dedicated software such as Bitdefender Ultimate Security can protect you from cyberthreats thanks to its extensive range of features, including:

• 24/7, all-around protection against viruses, Trojans, worms, zero-day exploits, rootkits, ransomware, spyware and other e-threats
• Threat prevention module that detects and blocks suspicious network-level activities such as brute force attacks, sophisticated exploits, and botnet-related URLs
• Behavioral detection technology that thoroughly monitors active apps and takes instant action upon detecting suspicious activity to prevent infections