Minecraft servers hit with cross-platform DDoS botnet attack

Robert Collins

On Thursday Microsoft reported a cross-platform botnet that can launch DDoS attacks against private Minecraft servers. As the report explained,

The Microsoft Defender for IoT research team recently analyzed a cross-platform botnet that originates from malicious software downloads on Windows devices and succeeds in propagating to a variety of Linux-based devices.

The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices. Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet. The botnet’s spreading mechanism makes it a unique threat, because while the malware can be removed from the infected source PC, it could persist on unmanaged IoT devices in the network and continue to operate as part of the botnet.

Referred to as “MCCrash,” the botnet’s initial infection points were apparently devices infected via the installation of cracking tools meant to procure illegal Windows licenses. Below is a diagram of the botnet’s attack flow via microsoft.com.

A graphic that presents the entire DDoS botnet attack flow from initial infection through a malicious cracking software to the running of DDoS commands from infected devices.


Thus far reported infections have been largely restrained to Russia, Kazakhstan, Uzbekistan, Ukraine, Belarus, Czechia, Italy, India, Indonesia, Nigeria, Cameroon, Mexico, and Columbia, as seen in the map below. The bulk of reported infections have sourced form Russia.

Cross-Platform DDoS Botnet

One of the DDoS commands the botnet is designed to deploy is “ATTACK_MCCRASH,” which is specifically intended to crash Minecraft servers.

This news comes on the heels of a newly found botnet known as GoTrim that breaks into WordPress sites’ admin accounts.

Featured image via thehackernews.com.