MINECRAFT'S DEADLIEST COMPUTER VIRUS

Captions
Good morning. The following video contains details about highly illegal practices that carry heavy fines and several years' worth of prison time, and is entirely for educational purposes. Attempting to reproduce anything described in this video will likely cause you to get into a lot of legal trouble and also just makes you a genuinely terrible person. Oh, also, if you want to have this cat on my head, since a lot of you asked in the last video, you can buy it from the Essential shop, which is a very good Minecraft client that you should use. Also use code HellCastle if you buy gems from Hypixel. OK, I'm done with the disclaimer. Tyler, you can take the video from here.

If you've been around the Skyblock community or watched one of our videos before, you're probably familiar with the fact that Minecraft mods can contain malware. It's really common and honestly pretty easy to add malware to an existing Minecraft mod or create an entirely fake mod, for reasons I'll get into later. But everything we've ever spoken about before has required a malicious person to manually trick other people into downloading a mod. This means that we've only ever talked about a type of malware known as a trojan horse, where a program pretending to be one thing really contains something else more malicious. In this video we're going to talk about a virus. The word "virus" is often used to mean malware, when in reality a virus refers to a worse kind of malware that is capable of self-replication, which makes it so much more dangerous than a typical trojan. When somebody downloads a file containing a virus, the virus will scan other files on the user's computer and attempt to add itself into as many programs as possible before executing whatever malicious code is contained within the virus. This does two things. First, if the original file is detected as a virus and then removed, it has already been copied to every file possible on the system and is not really removed. But most importantly, because it has infected a bunch of other files, if an infected user shares a file somewhere for someone else to download, they will have unknowingly spread the virus to somebody else, ready for that person to repeat the cycle to multiple people too, just like how a real virus spreads from person to person.

The reason we don't see many computer viruses in modern times is because of the danger they carry. Because the internet makes viruses spread so much faster than they ever did in the days of physical data transfers across networks, there are thousands of people whose job is to detect new viruses and reverse engineer them to discover how they work. As soon as their function is understood, this information can be given to antivirus companies and operating system companies in order to add them to detection lists and stop them from running on any computer. However, in small communities like the Minecraft modding community, viruses have the potential to spread very far whilst avoiding detection, because there isn't really anybody constantly watching the modded space for virus infections. And this is where our story starts: the Minecraft modding community, more specifically the Bukkit modding site owned by CurseForge. The Bukkit site has been a well-known site for sharing plugins for Minecraft servers since 2011, because it allows developers to upload, update and manage their server plugins for all versions of Minecraft so that their players can easily download and use them, and many server hosting providers also provide tools to download plugins directly from sites like Bukkit.

In May of 2023, a user by the name of fractureiser uploaded a plugin called Haven Elytra to the Bukkit website. It was a very simple plugin advertising the ability to basically wear an elytra with a chestplate at the same time, a feature that is really nice to have when playing casual survival Minecraft. Whether or not this plugin actually worked is not known, but what is known is that this mod contained a virus. In fact, 36 Bukkit plugins, 15 Forge mods and 3 modpacks were uploaded by various throwaway single-use accounts, all containing the same exact virus. Some of these mods were simple things like anti-chat-report that people seek out all the time, and others were just plain fake versions of real existing mods, like Dungeon Apps pretending to be Dungeon Z. Some of these mods dated back to April 2023. It was weeks after uploading before any of these plugins were discovered to be malicious. The first person to identify malicious behavior was a user called d3sl on June 1st 2023, who began investigating the virus privately, writing full reports to antivirus companies and CurseForge themselves in the hope of getting things sorted quickly and quietly without tipping off the attacker that they had been found. It wasn't until the very early hours of June 6 that a separate team began publicly investigating the virus, which at this point was still actively a threat. This team of investigators found the virus separately in an undocumented update to the Better Minecraft modpack. However, Better Minecraft was not one of the three throwaway modpacks but is actually a very well-known and popular modpack, meaning that the virus had somehow made its way into this modpack, and in fact had actually made its way into various other mods and modpacks across the CurseForge site. Most of these were found to be mods owned by Luna Pixel Studios, a well-known mod-making studio. A few of their mods were found to contain the virus, and there was no sign of any mod update to replace them with the infected versions, leading many people to reasonably believe that CurseForge had been hacked in some way and the hackers had access to the website and the ability to upload whatever files they wanted. In reality this was not the case, but the community did not know this at the time. Someone who worked for Luna Pixel had unknowingly downloaded an infected mod days earlier, which both infected some mods they uploaded and also gave the virus creator access to the Luna Pixel account. But we'll get to what this virus actually does to its victims in a bit.

Word of a potential CurseForge hack quickly reached CurseForge itself, who put out the following statement about it, confirming that they were not hacked but didn't really know what was happening, because researchers were still trying to figure out what the virus did and how it spread. CurseForge would work on developing detection tools for the virus with the help of some researchers, releasing a simple detection tool on the same day and then a more advanced one a little later. CurseForge also promised to scan their entire website with these tools to make sure that there were no lingering infections, which, to their credit, they did. It's honestly pretty great of CurseForge to do this, because none of this was really their fault and they just happened to be the target to distribute the virus.

As investigation continued, the functions of the virus slowly became clearer as investigators ran it on their computers and attempted to read the code, documenting everything as they went. Doing this took a long time, as the code was obfuscated, essentially a process where the code is modified in such a way that it runs exactly the same as normal but is basically unreadable to a human. But this was only a minor roadblock, and analysis found that the virus had four main steps that ran when infected, and it all started with this. On screen now is the 17 lines of code present in all infected files. Yes, just 17 lines is all a virus needs to infect a computer. I'll do my best to explain all of the technical details of this virus in a way that's easy to understand, but I'll leave a link to my source and very detailed explanations in the description too. This code looks very confusing, and this is intentional. All of these numbers are actually the decimal numbers of the binary representation of letters and numbers, surrounded by code that turns them back into strings of text. By making this confusing, the average person will just assume that all code looks like this and that they don't understand it, so it's probably nothing to worry about. If we clean this code up, though, it actually looks more like this. Here we can see that this code actually creates a new piece of code called Utility that uses a feature of Java known as a URL class loader. A URL class loader allows Java to download and run code received from a URL, which has many legitimate uses, but in this case the URL class loader connects to an HTTP IP that starts with 85, with the path /dl. This IP address connects to a server known as a command and control center that does two things. First, it sends a whole lot of virus code to the impacted computer, and second, the infected computer uses the newly downloaded code to send this string of random numbers back to the server. It's believed that these random numbers are a way for the virus creator to track the methods of infection, as this random string is different depending on which original infected mod was downloaded. The reason all of this is done through a server is so that the virus creator can make changes to their virus over time, and also so that the file size does not change much when infected, so as not to create suspicion.

Anyway, the downloaded code first checks for a system property called neko.run. A system property is just a small data storage usually used for settings, but this virus uses it to store an indicator for whether the system is already infected or not. If it exists, the code immediately stops running, and if it doesn't exist then a property named neko.run is added to indicate the system is infected. This is just a way of the virus not running multiple times on the same system if there are, like, a hundred infected mods in a modpack or something, as this would cause noticeable lag or seem suspicious to antivirus software, and ideally this virus wants to stay as hidden as possible. If the system isn't already infected, the virus attempts to connect to the IP that starts with 85 again, although this time the IP directly and not a URL ending in /dl. If for some reason the server does go down and can't be connected to, or the virus receives no response from the server, it attempts to connect to a different URL, https://files-8ie.pages.dev/ip. This is a Cloudflare domain, essentially a domain that the owner can use to change the IP it leads to whenever they want. The point of this is that if that first server is taken down, the creator of the virus can create a backup server, which will be connected to through the Cloudflare domain to continue operations, and if that backup is taken down, another server can be set up and redirected to through the domain, essentially infinitely. Once a connection to the control center is established, one of two things happens. If the infected computer runs Linux, a file named lib.jar is downloaded and hidden, and it attempts to make this file run every time the computer starts up. If the infected computer runs Windows, a folder is created in the program's directory called "Microsoft Edge " with a space (the real Microsoft Edge folder does not have a space), and this folder contains a file called libWebGL64.jar. This file is then also set to run every time the computer starts up. Due to a bug in the code, the Linux version of the file does not actually run on startup, but it still runs immediately after infection.

Back to the investigation team: it didn't take too long for them to make some progress. Just three hours after the public investigation started, the server hosted at the IP that starts with 85 was taken down by its server provider following an abuse report, temporarily stopping the virus from infecting any new computers. However, the files-8ie.pages.dev Cloudflare page remained up, leaving the creator time to swap to a new server and update the code spread through new infections to connect to this new IP, which eventually came up 9 hours after the original server was taken down. However, just 15 minutes after being set up, the Cloudflare domain was also taken down after being reported. The new server remained active for a further 5 hours before its host was also taken down. This meant that within 14 hours of discovery the virus no longer had a server to connect to and was unable to infect any new users, and it remains in a dead, dormant state to this day.

But back when the servers were active, the third step of the virus was very simple. First it connects to the command center for a third time. The server tells the infected computer what the newest version of the final step of the virus is. If the infected computer has an older version of the virus, or just hasn't downloaded it before, it asks the server to download it, creating the new file or replacing the old version with the new version. Then the program waits 5 seconds before running it again, never finishing. This ensures the virus is always up to date on an infected computer and can be changed to do different things whenever wanted. This final part of the virus is known as the payload and is basically where all of the actual bad stuff happens to you and your computer. Pretty much everything before this was just a way of getting around antivirus programs and allowing the virus to be updated over time. One of the main things this payload does is self-replicate. It scans the user's entire computer for any .jar files and then checks their contents to see if they are a BungeeCord server plugin, Fabric mod, Forge mod, Spigot plugin or the Minecraft client itself. If the files match the criteria, the original 17 lines of code are injected to run in the place where the mod's code starts being run in the mod. For all other .jar files, the code is set to run in the main method, which is the generic place that .jar files start their execution. This means that in theory this virus had the capacity to completely escape the Minecraft community altogether and cause a much, much bigger problem.

All good viruses have to steal your personal data, and just like all good viruses, this stage barely works on Linux or Mac computers, as most of its code is hard-coded for Windows devices. The virus attempts to steal your username, PC specs, IP address, Microsoft login information, Minecraft login information (specifically targeting the official launcher, LabyMod, Prism, Feather Client and PolyMC), Discord login tokens, all of the information from your Discord account including billing information, which can be used to prove ownership of an account to Discord support, saved login data from all of the browsers on screen now, and finally your cryptocurrency wallet if you use Exodus. In other words, probably everything you could possibly care about on your computer will be stolen. After all of your personal data has been stolen, the virus is still not finished. Whenever a cryptocurrency address is copied and detected in the user's clipboard, it is instead replaced with a cryptocurrency address owned by the virus creator. As if that's not bad enough, in fact the computers remain permanently connected to the C&C server, through which the server can take partial control of the infected computers to create a botnet designed to DDoS targets and allow basically any command to be executed remotely on the computer, effectively granting full control to the creator if they really wanted it. The payload was actually swapped out before the second C&C server was taken down to a different virus called Skyrage, a virus that spread very limitedly in 2022, but I won't be talking about that that much in this video. By doing that, the creator intended to keep the infection spreading as both of the servers for the initial virus were dead. Because all of the servers are dead, the virus can no longer spread or run and so is effectively dead and harmless to this day, and had been dead barely 14 hours after the public investigation began. Even so, it's recommended to scan your systems using CurseForge's tool to make sure that you are not infected, as having a random virus dropper floating around in your files is not a great idea.

Finally, we need to talk about how this even happened and if this has ever happened before. The short answer is that it has happened before and it's probably going to happen again. The thing about Minecraft modding is that it doesn't run in a sandbox, which essentially means that Minecraft mods run as completely normal code on your computer and therefore can do literally anything a normal program can do. This is great, actually; it allows us to make mods that do all sorts of stuff, at the cost of the risk of malware. It would be totally possible to make a modding API that only accepts certain actions and commands, a bit like what Minecraft Bedrock has for its add-ons, but that would be extremely limiting to mod creators and a lot of work for whoever has to maintain it, and honestly the risk isn't that bad as long as people use common sense in what they're downloading. There's also a lot of criticism of CurseForge for not properly screening their mods. This is totally fair, but given that they receive thousands of mods and can't really expect some employee to read all of the code and manually check all of it for anything suspicious, it's basically impossible to keep on top of. As a result, there isn't really anything more they can do other than make some automated antivirus systems that screen mods, and even then antivirus is usually only good at detecting threats that have already been identified in other systems; it wouldn't help against new attacks like this. This also isn't the first virus to target Minecraft modding. A virus named Skyrage spread around in 2022 targeting Spigot plugins, but was fairly quickly identified and warnings were sent out. It's actually possible that the people behind Skyrage were also responsible for fractureiser, as a later version of the fractureiser virus had its payload replaced with the same one used in the Skyrage virus, but that goes beyond the scope of this video, so I'll leave a link to somewhere you can read more about it in the description.

No matter what, the amount of coverage this virus has gotten on the internet, and the fact that this could be incredibly effective if done correctly, will definitely inspire copycat attacks. I wouldn't be surprised if we see more viruses like this popping up, especially in the Skyblock community where malware is already extremely rampant. If you want to protect yourself from things like this in the future, the only advice I can give you is not to download mods from anywhere other than their original source. You never really know if someone, even a well-intentioned friend who sends you a mod, has been unknowingly infected with something, and at this point it honestly isn't worth the risk. We just need to hope that mod developers hopefully know what they are doing and downloading and are way less likely to become infected than the average person. Anyway, I hope this hasn't deterred anyone from Minecraft modding or using CurseForge. In the end, the virus was found to have been downloaded only around 6,000 times from CurseForge, and probably not many times from secondary infections spread from infected users. Generally, modded Minecraft is really fun and safe, and as long as you aren't downloading from dodgy websites you're gonna be okay. But thanks to all of the volunteer researchers who helped us make this video, who put hours into researching and documenting this virus simply because they are passionate about keeping this community safe. See ya, and have a nice day.
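The video describes two things a defender can look for: jar files whose classes use `URLClassLoader` to pull code from the command-and-control host, and the persistence files the stage-1 dropper leaves behind (`lib.jar` hidden on Linux, `libWebGL64.jar` inside a folder named `Microsoft Edge ` with a trailing space on Windows). The script below is an added example, not code from the video, from CurseForge or from the volunteer researchers. It reads the constant pool of each `.class` file in a jar (string literals, class names and method descriptors all live there) and flags a class only when it both references `java/net/URLClassLoader` and contains a known indicator string; either signal on its own is common in legitimate mods. Assumptions: the C2 IP is a placeholder because the video only says it "starts with 85"; the Linux directory `~/.config/.data` and the Windows base directory `%LOCALAPPDATA%` are assumptions, since the video only says the Linux file is "hidden" and the Windows folder is "in the program's directory"; `neko.run` is the system property the captions render as "necro dot run". A stager that rebuilds its strings from number lists, as the video shows, will not match a plain string scan, so treat this as a first pass, not a replacement for CurseForge's tools.

```python
"""Defensive scanner for the artefacts the video describes (added example)."""
import io
import os
import struct
import zipfile

INDICATORS = (
    "files-8ie.pages.dev",  # Cloudflare fallback domain named in the video
    "neko.run",             # system property used as the "already infected" marker
    "85.0.0.0/dl",          # PLACEHOLDER for the "/dl" C2 URL; the real IP is not on the page
)
LOADER = "java/net/URLClassLoader"

# Byte width of each fixed-size constant-pool entry, keyed by tag (JVM spec 4.4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool_strings(class_bytes):
    """Return every CONSTANT_Utf8 entry of a .class file, or [] if the bytes
    are not a class file.  Stops early on a malformed or truncated pool."""
    if len(class_bytes) < 10 or class_bytes[:4] != b"\xca\xfe\xba\xbe":
        return []
    count = struct.unpack(">H", class_bytes[8:10])[0]
    pos, idx, out = 10, 1, []
    while idx < count and pos + 1 <= len(class_bytes):
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by modified-UTF-8 bytes
            if pos + 2 > len(class_bytes):
                break
            length = struct.unpack(">H", class_bytes[pos:pos + 2])[0]
            out.append(class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            break  # unknown tag: do not guess at the layout
        idx += 2 if tag in (5, 6) else 1  # long and double occupy two pool slots
    return out


def scan_jar(jar_source):
    """Scan a jar given as a path or raw bytes.  Returns {class_name: [indicator
    strings]} for classes that reference URLClassLoader AND carry an indicator."""
    if isinstance(jar_source, (bytes, bytearray)):
        data = bytes(jar_source)
    else:
        with open(jar_source, "rb") as fh:
            data = fh.read()
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            strings = constant_pool_strings(jar.read(name))
            hits = [s for s in strings if any(ind in s for ind in INDICATORS)]
            if hits and LOADER in strings:
                findings[name] = hits
    return findings


def persistence_artifacts(home, edge_parent_dir):
    """Return the stage-1 persistence paths from the video that exist on disk.
    Note the trailing space in "Microsoft Edge ": the genuine folder has none."""
    candidates = [
        os.path.join(home, ".config", ".data", "lib.jar"),                 # Linux (directory assumed)
        os.path.join(edge_parent_dir, "Microsoft Edge ", "libWebGL64.jar"),  # Windows
    ]
    return [p for p in candidates if os.path.isfile(p)]


def make_class(utf8_entries):
    """Constructed: a minimal class file whose constant pool holds only Utf8 entries."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in utf8_entries)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(utf8_entries) + 1) + pool


def sample_jar():
    """Constructed jar: one benign class and one that mimics the stager's signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/Benign.class", make_class(["java/lang/Object", "hello"]))
        jar.writestr("com/example/Utility.class",
                     make_class([LOADER, "https://files-8ie.pages.dev/ip"]))
    return buf.getvalue()


if __name__ == "__main__":
    print("jar findings:", scan_jar(sample_jar()))
    # %LOCALAPPDATA% as the Windows base directory is an assumption (see lead-in).
    print("persistence:", persistence_artifacts(os.path.expanduser("~"),
                                                os.environ.get("LOCALAPPDATA", "")))
```

Run it as-is to see the constructed sample flagged; point `scan_jar` at each jar in a `mods/` or `plugins/` folder to sweep a real install. The benign class is skipped even though it is in the same jar, and a class that only uses `URLClassLoader` without an indicator (a legitimate plugin updater, say) is skipped too.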
Info
Channel: HellCastle & Tylerrrr
Views: 157,653
Keywords: hypixel, skyblock, hypixel skyblock, hellcastlebtw, furryeboy, hellcastle, Tylerrrr, tylerwith4rs, malware investigation, computer virus, fractureiser, curseforge virus, bukkit virus, nekoClient, nekoclient virus
Id: hU4-BjrqR_U
Length: 20min 44sec (1244 seconds)
Published: Sat Jun 24 2023