(Update) New malicious code causes certain Minecraft players to be at risk of malware


Minecraft players might find themselves at risk for a malware that's spreading. According to Avast, 50,000 accounts have fallen victim to a malicious code which infects your computer and reformats users' hard drives. Supposedly, this malware isn't complex at all, but the issue is that people were able to upload this virus via Minecraft skins, and onto the official Minecraft site, where many people go to in order to download skins for their characters. With a 75 million playerbase, there's a multitude of users that could be potentially affected, although only younger users are more likely to download skins, therefore leaving them the most susceptible to downloading the malware. There's a handful of specific skins, such as the ones above, that have the malware script attached, but it would be the safer option to not download any skins at this time. Claims are being made that if an affected user joins a host that you're on, it can also affect you as well and put you at risk, though this is unverified.

Affected users that wound up downloading an infected skin began receiving unusual messages in their inbox on the Mojang site, such as,

“You Are Nailed, Buy A New Computer This Is A Piece Of Sh*t”
“You have maxed your internet usage for a lifetime”
“Your a** got glued”

There's also a variant that can affect "tourstart.exe" on your computer, which causes massive performance issues to your PC, especially on startup. Avast claims that they've protected over 15,000 threats by removing the harmful software, or preventing it from downloading. At the time of writing, the issue has not been resolved, but Mojang is currently working to address this problem.

Edit: The official Minecraft site has responded to the problem and has fixed this issue.

This is now resolved, but we wanted to explain what happened and the measures we’ve put in place to protect our community.

Any Minecraft: Java Edition player can upload their own custom skin in the widely-used PNG file format to our webservice at minecraft.net and this will then appear on their character in-game. PNG files can contain things other than an image, such as metadata, which includes information on what tool created it, when it was made, who made it, etc. This meant that PNG files could be created containing code in this inert part of the skin file. However, this code would not be run or read by the game itself.

While your antivirus software might detect this code and alert you to its presence, the code would not be able to run by itself. Additionally, even if you found the code within the file and chose to run it, your antivirus software should detect and block the attempt.

To further protect our players, however, we deployed an update that strips out all the information from uploaded skin files other than the actual image data itself.

Supposedly, the claims by Avast were false, and the code hidden in the skins couldn't actually be executed, according to Minecraft developers. Regardless, any potential for such a problem to occur with the Java version has been fixed.
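
The stripping step Mojang describes, as an added example that is not part of the original post and not Mojang's code: a PNG sanitizer that keeps only the chunks needed to decode the image and discards metadata chunks and any bytes appended after IEND. The chunk whitelist, the function names and the sample file are assumptions constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunks needed to decode the pixels; all other chunks (tEXt, iTXt, zTXt, eXIf, ...) are dropped.
KEEP = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}

def make_chunk(ctype, data=b""):
    """Serialize one chunk: 4-byte length, type, data, CRC-32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def sanitize_png(blob):
    """Return (clean_bytes, dropped): whitelisted chunks only, nothing after IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    out, dropped, pos, ctype = [PNG_SIG], [], len(PNG_SIG), b""
    while pos < len(blob) and ctype != b"IEND":
        if pos + 12 > len(blob):
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype, end = blob[pos + 4:pos + 8], pos + 12 + length
        if end > len(blob):
            raise ValueError("chunk length runs past end of file")
        data = blob[pos + 8:end - 4]
        if struct.unpack(">I", blob[end - 4:end])[0] != zlib.crc32(ctype + data):
            raise ValueError("bad CRC in %r chunk" % ctype)
        if ctype in KEEP:
            out.append(blob[pos:end])
        else:
            dropped.append(ctype.decode("latin-1"))
        pos = end
    if ctype != b"IEND":
        raise ValueError("missing IEND chunk")
    if pos < len(blob):  # bytes appended after the end of the image
        dropped.append("trailing data (%d bytes)" % (len(blob) - pos))
    return b"".join(out), dropped

# Constructed sample: 1x1 RGBA image with a text chunk and bytes appended after IEND.
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0))
IDAT = make_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00\xff"))
IEND = make_chunk(b"IEND")
SAMPLE = (PNG_SIG + IHDR + make_chunk(b"tEXt", b"Comment\x00constructed metadata")
          + IDAT + IEND + b"constructed appended bytes")

if __name__ == "__main__":
    clean, dropped = sanitize_png(SAMPLE)
    print(dropped, len(SAMPLE), "->", len(clean))
```

Decoding the pixels and re-encoding a fresh PNG on the server is a stricter variant of the same idea, since it also discards anything hidden inside otherwise valid chunks.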
 

Yepi69

I guess this also affects Linux since Java has direct unsupervised access to your computers hard drive the minute you boot the game.
The Bedrock version only has access to one folder in which you need to take ownership to modify it, something Windows itself is finicky with.

--------------------- MERGED ---------------------------

It's not Java's fault for failing with security, but it's Mojang that has done many things wrong
You're right, they should kill the Java version outright.
 

Flaflo

I guess this also affects Linux since Java has direct unsupervised access to your computers hard drive the minute you boot the game.
The Bedrock version only has access to one folder in which you need to take ownership to modify it, something Windows itself is finicky with.

--------------------- MERGED ---------------------------


You're right, they should kill the Java version outright.
I don't think using Java for this game is a bad thing, but they should really get rid of the 2 versions going side by side.
Also, the method I am used to can't work on Linux because Linux does not handle such kinds of files by default, and the code that is used here is VBScript, which I think is also not supported by Linux by default.
 

HamBone41801

This is creepypasta come to life. Never seen malware going through a game and specifically targeting players of that game before, but I guess it had to happen sooner or later.

There's probably a flaw in the png code Minecraft uses, then all they need to do is carefully craft the file so it causes code execution to jump to a part of the png file that contains their payload. And from there the possibilities are endless.
lmfao. some fucker weaponized minecraft.
 

osaka35

I'm guessing the only reason they still have the Java version running is the inability to port saves over. If they figure out a way to convert the saves, they could totally get rid of the Java version.
 

Flaflo

I'm guessing the only reason they still have the Java version running is the inability to port saves over. If they figure out a way to convert the saves, they could totally get rid of the Java version.
I don't think that's the problem. Minecraft's save format is openly documented. That's why there exist so many tools for editing your saves (NBTEdit, MCEdit, WorldPaint...)
 

osaka35

I don't think that's the problem. Minecraft's save format is openly documented. That's why there exist so many tools for editing your saves (NBTEdit, MCEdit, WorldPaint...)
You'd think so, but there's no way to transfer from one to the other easily. You'd just have to edit a save in the non-java version to match your save from the java version. Unless there's been a tool released in the past year or so I'm unaware of (which, please let this be the case lol)
 

gudenau

I have known about this exploit for more than a year; it's kind of shocking that it took so long for others to notice.
By the way, this exploit only runs on Windows because the code is appended to the png file in a special format that is only interpreted by Windows.
I'm not going to explain in more detail because as of now this exploit is not fixed.

--------------------- MERGED ---------------------------


Nope, this applies to the Java version of Minecraft

How does it? From what I remember of poking around in the code there is no way that you could get code execution from a skin.
 

Mnecraft368

Sorry for the poor kids. But maybe this game will die from this... please... kill it... end its suffering...
While some aspects of the game (kids) I don't like, playing on a multiplayer server is somewhat fun for me as I don't really play any online games. But if it does die I wouldn't be too upset (apart from all the money I spent on it)
 

Lumince

While some aspects of the game (kids) I don't like, playing on a multiplayer server is somewhat fun for me as I don't really play any online games. But if it does die I wouldn't be too upset (apart from all the money I spent on it)
It died for me when the EULA crap happened. Then Microsoft bought it and it became even worse. Servers that I loved shut down because of these changes. I loved it 1.5 and below. That's as far as I remember playing it and actually enjoying it. I spent money on servers, hosting and perks. Sad that it had to die in my eyes.
 

VinsCool

Minecraft ransomware when? You have to play minecraft for 43648 hours to get your files back.
Jesus if this happens, I'd be damned.
I'd rather pay big money.
 

Flaflo

How does it? From what I remember of poking around in the code there is no way that you could get code execution from a skin.
Well, as we discovered this vulnerability in 1.7.2, as I remember it was easy, but this way got patched some minor versions later. But somehow it was still possible in some specific 1.8 versions, but here I am not too sure because I am not the one who discovered the execution in 1.8
 
