
Malware spreading through minecraft mods.

Summary

 Malware is spreading through Minecraft mods and has already infected files on CurseForge and possibly other sites as well.

 

Quotes

Quote

Coming from a discord announcement on the Iris Project server "We have reason to believe Curseforge, or at least many accounts on Curseforge, have been hacked and are uploading malicious files containing bot-nets. Luna Pixel Studios, the owner of many big modpacks, is one of the affected accounts."

 

My thoughts

 I am a big fan of modding minecraft and luckily I have not downloaded any mods recently but if I had I would not have noticed the malware until it was too late. I'm a bit surprised that this kind of thing has not happened before as minecraft players are a big target.

 

Sources

 

https://www.bleepingcomputer.com/news/security/new-fractureiser-malware-used-curseforge-minecraft-mods-to-infect-windows-linux/


This has been a growing problem for a while now unfortunately. Curseforge really has to work with the community to resolve these issues, there were people stealing content and rehosting it there as well...

Like watching Anime? Consider joining the unofficial LTT Anime Club Heaven Society~ ^.^

 

 


8 minutes ago, Fred Castellum said:

This has been a growing problem for a while now unfortunately. Curseforge really has to work with the community to resolve these issues, there were people stealing content and rehosting it there as well...

Yeah, there has been malware uploaded on Curseforge before. This time though it spreads from one mod to another on users' computers, and the people making mods are getting infected and thus their mods are getting infected before they upload them to Curseforge, further spreading it. And it had infected some pretty popular mods.


Damn, thank you for this.

 

I was using Better Minecraft just a few months ago, which is on the affected list. The article says it's an issue if you downloaded and ran an affected mod in the last 3 weeks, so I should be okay.

 

I'm currently using a modpack called Life in the Village 3, which doesn't appear to be affected (yet), but we should be careful, using Curseforge with caution for the next little bit. 

 

Lower in the article there's a link to a scanner to check for signs of infection, along with tips to check manually if you prefer that. Anti viruses should be updated soon, I'd imagine. Especially Windows Defender hopefully, given that Microsoft owns Minecraft.


CurseForge has already released a tool that is intended to check for (and attempt to clean) any infection. There are a few known files that have shown up during the first wave, which makes it fairly easy to identify if you've been compromised. The thing these scanners can't (and shouldn't) do is the follow-up if you are infected. Change. your. passwords! (and completely log out and back in on all devices.) Some of the Stage 3 infections have been analyzed and confirmed to be doing things like siphoning credential cookies for things like Discord and Microsoft, as well as silently swapping out cryptocurrency addresses in your clipboard (oh what a shame), and otherwise just hoovering up all the data they can from your browser. If these scanners find any evidence of the virus, it's safe to assume your account logins are compromised. It's also safe to assume if *any* mod is compromised, *all* mods are. It's currently believed that Luna Pixel Studios (the first established infection) likely was infected by a dev looking into a "promising new mod" which was the original infection. This trojan finds some clever spots to hide, including other nearby mods, as well as hunting for jar files elsewhere in the system it can hide in, resulting in it getting uploaded to maven repos, and eventually the entire source stack.

Good news is that triage seems to be going well, and between the majority of the mods being cleaned up, and the Stage 1 server being blacklisted, most of the potential future harm is staved off.
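The post above describes the infection hiding inside other jar files on the same system. As an added example (not part of the original thread, and not CurseForge's scanner), this Python code compares the class entries of a jar against a baseline recorded while the jar was known-good and reports which entries were added, removed or changed. The jar contents and class names are constructed sample data, not real indicators.

```python
import hashlib
import io
import zipfile


def class_digests(jar_bytes):
    """Map each .class entry in a jar (a zip archive) to its SHA-256."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {
            info.filename: hashlib.sha256(jar.read(info)).hexdigest()
            for info in jar.infolist()
            if info.filename.endswith(".class")
        }


def diff_against_baseline(baseline, current):
    """Report class entries added, removed or changed since the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(n for n in shared if baseline[n] != current[n]),
    }


def build_jar(entries):
    """Build a constructed sample jar in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: not real mod contents or real indicators.
CLEAN = build_jar({
    "com/example/mod/Main.class": b"original main",
    "com/example/mod/Util.class": b"original util",
})
TAMPERED = build_jar({
    "com/example/mod/Main.class": b"original main + injected call",
    "com/example/mod/Util.class": b"original util",
    "com/example/mod/Extra.class": b"class that was not shipped",
})

if __name__ == "__main__":
    baseline = class_digests(CLEAN)
    print(diff_against_baseline(baseline, class_digests(TAMPERED)))
```

Hashing per entry rather than per file names the exact class to inspect and ignores changes that only touch archive metadata such as timestamps.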


bleepingcomputer.com has a good report on the issue and a guide on how to detect and remove the infected portions of the mods, although one suggestion is to clean install the OS and change critical passwords and login details, such as bank and crypto. Affects both Linux and Windows.


2 hours ago, the Curseforge twitter said they're in the process of scanning all of their Minecraft projects, with an estimated time to completion of about 12 hours. 


Let's hope they also release the full list of affected mods they found.

Also it seems like cloudflare shot down the subdomain that provided the malware with CnC IPs......


Yeah this is why you don't randomly install stuff from the internet. Minecraft mods have always been problematic in regards to malware.


yeah rip minecraft mods, love the mods, but hated how more unsafe it became and the lack of support for modding.


And this is why it's important to find yourself a tech friend who spends hours researching every mod and painstakingly puts together the entire pack from scratch....

*looks at my own work*

I have too much time on my hands.


Why isn't the code being peer reviewed and signed off by trusted members before being available?


11 hours ago, StDragon said:

Why isn't the code being peer reviewed and signed off by trusted members before being available?

 

I'd expect it to be hard to check every line of code. I believe there was some sort of check before, but this was a new attack. Now that they're aware, they have said they've scanned all the files and taken steps to stop this from happening again. But there will still be some new way to be shady in the future as well, no doubt. It's just a cat and mouse game, like traditional viruses.


19 hours ago, StDragon said:

Why isn't the code being peer reviewed and signed off by trusted members before being available?

For a lot of open source projects, they are, at least on the source code hosting side.  Unfortunately a large portion of mods are not open source, nor do the devs trust anyone else to view or handle their code.  Given that, in the past, this has included some rather popular mods (the Thaumcraft dev was rather secretive for a while there), simply saying "No more closed source mods" would be fairly damaging, and would open the doors for the likes of Modrinth (probably the best contender for CurseForge replacement).

Add on top that "Trusted Members" is fairly meaningless when most people have no idea who even made the most popular mods, and the fact that marking someone as "Trusted" instantly makes them another high profile target, it's gonna be hard to balance this.

Though I would be very happy if the Minecraft Community moved to nothing but open source mods.  I'm always sad when a good mod dies because no one can port it forward.


Curseforge has been absolutely atrocious this last year or so, and while it's useful I don't really have any positive thoughts on it.

So this made me laugh. Screw em

Someone told Luke and Linus at CES 2017 to "Unban the legend known as Jerakl" and that's about all I've got going for me. (It didn't work)

 


  • 2 weeks later...

Wait, so the files uploaded by mod authors aren't automatically scanned for malware? That's ridiculous and a huge oversight for a mod sharing community.

If someone did not use reason to reach their conclusion in the first place, you cannot use reason to convince them otherwise.
