Microsoft uncovers DDoS campaign targeting Minecraft servers

Windows and Linux users are at risk, Microsoft warns

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Microsoftresearchers have discovered a Windows-Linux botnet taking downMinecraft serversin “highly efficient”DDoSattacks.

As reported byArsTechnica, the MCCrash botnet sends a command that populates the user name input dialog box in aMinecraftserver’s login page that crashes the server by exhausting its resources.

“The usage of the env variable triggers the use ofLog4j2 library, which causes abnormal consumption of system resources (not related to [the]Log4Shell vulnerability), demonstrating a specific and highly efficient DDoS method,” Microsoft researchers wrote.

MCCrash botnet’s massive reach

Microsoft also noted that MCCrash has the ability to crash servers running a wide variety of versions of the game’s server software.

This is where it gets a bit complicated: MCCrash itself is only hardcoded to target version 1.12.2, but the attack technique is enough to take down servers running versions 1.7.2 through 1.18.2, whichArsTechnicaestimatesto be about half of all Minecraft services running today.

Patchingthe server software to version 1.9 renders the botnet’s technique ineffective, but even without that, Microsoft is thankful that the impact of the botnet is limited.

“The wide range of at-risk Minecraft servers highlights the impact thismalwarecould have had if it was specifically coded to affect versions beyond 1.12.2,” Microsoft researchers wrote.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“The unique ability of this threat to utilize Internet of Things (IoT) devices that are often not monitored as part of the botnet substantially increases its impact and reduces its chances of being detected.”

The most common initial infection points for MCCcrash areWindowsmachines that have installed software that purports to activate theoperating systemwith illicit licenses, but chiefly contains the malware that, on a delay, installs a python script that provides the botnet’s logic.

Here’s our list of the best endpoint protection right now>Minecraft server hit with record-breaking DDoS attack>A new dangerous malware is turning Windows and Linux devices into DDoS tools

Infected Windows devices then scan the internet in search of devices runningLinux distrossuch as Debian, Ubuntu, and CentOS, and use default login credentials to run the same .py script on these new devices, which are then used to launch DDoS attacks on Minecraft servers and other devices.

Microsoft didn’t reveal the number of devices infected by MCCrash, butArsTechnicaclaims a geographical breakdown reveals that many are located in Russia, echoing the sentiments of theMicrosoft Digital Defence Report for 2022, which claims that the Russia-Ukraine conflict is being, in part, driven by cybercrime.

Luke Hughes holds the role of Staff Writer at TechRadar Pro, producing news, features and deals content across topics ranging from computing to cloud services, cybersecurity, data privacy and business software.

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

Washington state court systems taken offline following cyberattack

Your doctor may have an AI assistant taking notes during your next Zoom call