(Update) New malicious code causes certain Minecraft players to be at risk of malware


Minecraft players might find themselves at risk for a malware that's spreading. According to Avast, 50,000 accounts have fallen victim to a malicious code which infects your computer and reformats users' hard drives. Supposedly, this malware isn't complex at all, but the issue is that people were able to upload this virus via Minecraft skins, and onto the official Minecraft site, where many people go to in order to download skins for their characters. With a 75 million playerbase, there's a multitude of users that could be potentially affected, although only younger users are more likely to download skins, therefore leaving them the most susceptible to downloading the malware. There's a handful of specific skins, such as the ones above, that have the malware script attached, but it would be the safer option to not download any skins at this time. Claims are being made that if an affected user joins a host that you're on, it can also affect you as well and put you at risk, though this is unverified.

Affected users that wound up downloading an infected skin began receiving unusual messages in their inbox on the Mojang site, such as,

“You Are Nailed, Buy A New Computer This Is A Piece Of Sh*t”
“You have maxed your internet usage for a lifetime”
“Your a** got glued”

There's also a variant that can affect "tourstart.exe" on your computer, which causes massive performance issues to your PC, especially on startup. Avast claims that they've protected over 15,000 threats by removing the harmful software, or preventing it from downloading. At the time of writing, the issue has not been resolved, but Mojang is currently working to address this problem.

:arrow: Source

Edit: The official Minecraft site has responded to the problem and has fixed this issue.

This is now resolved, but we wanted to explain what happened and the measures we’ve put in place to protect our community.

Any Minecraft: Java Edition player can upload their own custom skin in the widely-used PNG file format to our webservice at minecraft.net and this will then appear on their character in-game. PNG files can contain things other than an image, such as metadata, which includes information on what tool created it, when it was made, who made it, etc. This meant that PNG files could be created containing code in this inert part of the skin file. However, this code would not be run or read by the game itself.

While your antivirus software might detect this code and alert you to its presence, the code would not be able to run by itself. Additionally, even if you found the code within the file and chose to run it, your antivirus software should detect and block the attempt.

To further protect our players, however, we deployed an update that strips out all the information from uploaded skin files other than the actual image data itself.

Supposedly, the claims by Avast were false, and that code hidden in the skins couldn't actually be executed, according to Minecraft developers. Regardless, any potential for such a problem to occur with the Java version has been fixed.
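
The sanitisation described in the Mojang statement above (keeping only the image data of an uploaded skin), sketched as an added example that is not part of the original post or Mojang's code: it walks the PNG chunk structure, verifies each CRC, and rebuilds the file from rendering chunks only. The `KEEP` set, the function names and the sample file are assumptions constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunks needed to render the pixels. tRNS is ancillary but carries
# transparency, which skins rely on (assumption: keep it).
KEEP = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS"}


def make_chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(png):
    """Return ([(type, data), ...], trailing_bytes); raise ValueError if malformed."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos < len(png):
        if pos + 12 > len(png):
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError("chunk length runs past end of file")
        data = png[pos + 8:end]
        (crc,) = struct.unpack(">I", png[end:end + 4])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("bad CRC in %r chunk" % ctype)
        chunks.append((ctype, data))
        pos = end + 4
        if ctype == b"IEND":
            # Anything after IEND is not part of the image at all.
            return chunks, png[pos:]
    raise ValueError("missing IEND chunk")


def sanitize_png(png):
    """Rebuild the file from rendering chunks only.

    Returns (clean_bytes, dropped), where dropped lists what was removed.
    """
    chunks, trailing = parse_chunks(png)
    if not chunks or chunks[0][0] != b"IHDR":
        raise ValueError("first chunk is not IHDR")
    out, dropped = [PNG_SIGNATURE], []
    for ctype, data in chunks:
        if ctype in KEEP:
            out.append(make_chunk(ctype, data))
        else:
            dropped.append("%s (%d bytes)" % (ctype.decode("latin-1"), len(data)))
    if trailing:
        dropped.append("trailing data (%d bytes)" % len(trailing))
    return b"".join(out), dropped


def build_sample():
    """Constructed sample: 1x1 grayscale PNG with a tEXt chunk and trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")  # filter byte + one gray pixel
    text = b"Comment\x00constructed placeholder script text"
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"tEXt", text)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"") + b"EXTRA")


if __name__ == "__main__":
    clean, dropped = sanitize_png(build_sample())
    print("dropped:", dropped)
    print("remaining chunks:", [t.decode() for t, _ in parse_chunks(clean)[0]])
```

Dropping chunks leaves the pixel data untouched; a service that wants a stronger guarantee can decode the image and re-encode it instead.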
 

kuwanger

Depends on what OS they're running and whether it's an optional update or not. Windows Defender has been known to be relatively weak though, don't know if things have improved as the last test I looked at was a while ago and IIRC the updates are delivered via windows updates.

Yea, last I read as well it's not really the best as far as completeness and updates by Windows update, hence my once a month comment.

It could still be useful depending at what stage of infection like those in the OP, 'common sense' would likely say to most people that the official site would be trustworthy.

Trust != Secure, is the thing. That's been proven to be true countless times. I mean, how many AV software have been shown to be exploitable?

As I said, AVs aren't perfect and I know how they work, they're a tool and in this case I can see it being useful to some, particularly while news spreads and before patches are released.

I don't really disagree, but I don't think most people do understand how AV works, so they tend to depend on AV way more than what it can deliver.

I've dealt with people in the past who unknowingly gave me malware infected portable HDDs which my AV detected, so I can say first hand they do have their uses and it detected it before I even opened explorer.

While I've had similar circumstances, I've had way more false positives. Meanwhile, at least in one instance Windows Defender entirely missed malware that wiped a MBR--the official site of a popular program was hijacked and the software replaced and in Windows most software still goes unsigned. Thankfully it was a VM I was toying with. I don't presume other AV would have necessarily detected it.

I just find it weird that people think they should do nothing to try and protect themselves, particularly in this day and age.

While I don't disagree that people should do something to protect themselves, AV software tends to act like guards patrolling the border of some fortress that still has the drawbridge down. Sure, the guards at the guardhouse may be able to filter out known malware or try to detect malicious behavior, but a sufficiently motivated adversary can just set up their own fortress with guards and keep tweaking their malware until the guards let it in. Like I said, I see AV as best for blocking known stuff, and so Windows Defender would be enough if it merely had a more complete database.

BTW, there have been other online game based malware scares IIRC, one involved the Source engine before an update was released.

Of course. Quake too. That's why I said, it's really not a question of if online games are exploitable. By the time your AV software is updated to combat an actual threat, odds are good that either (1) you're already infected or (2) you've heard the news and can just avoid the game until there's a fix. You might get lucky and the malware writers were stupid and didn't test if AV software would already catch it so the AV software doesn't need a virus update, but that's wishful thinking in my view.

I'm not trying to diss AV software or anything. Like I keep saying, a good virus database to scan "new" files for old threats isn't a bad thing. It's just not clear to me that 99% of the processing power AV software uses is really meaningful at actual protection.
 

tech3475

Yea, last I read as well it's not really the best as far as completeness and updates by Windows update, hence my once a month comment.

Trust != Secure, is the thing. That's been proven to be true countless times. I mean, how many AV software have been shown to be exploitable?

I don't really disagree, but I don't think most people do understand how AV works, so they tend to depend on AV way more than what it can deliver.

While I've had similar circumstances, I've had way more false positives. Meanwhile, at least in one instance Windows Defender entirely missed malware that wiped a MBR--the official site of a popular program was hijacked and the software replaced and in Windows most software still goes unsigned. Thankfully it was a VM I was toying with. I don't presume other AV would have necessarily detected it.

While I don't disagree that people should do something to protect themselves, AV software tends to act like guards patrolling the border of some fortress that still has the drawbridge down. Sure, the guards at the guardhouse may be able to filter out known malware or try to detect malicious behavior, but a sufficiently motivated adversary can just set up their own fortress with guards and keep tweaking their malware until the guards let it in. Like I said, I see AV as best for blocking known stuff, and so Windows Defender would be enough if it merely had a more complete database.

Of course. Quake too. That's why I said, it's really not a question of if online games are exploitable. By the time your AV software is updated to combat an actual threat, odds are good that either (1) you're already infected or (2) you've heard the news and can just avoid the game until there's a fix. You might get lucky and the malware writers were stupid and didn't test if AV software would already catch it so the AV software doesn't need a virus update, but that's wishful thinking in my view.

I'm not trying to diss AV software or anything. Like I keep saying, a good virus database to scan "new" files for old threats isn't a bad thing. It's just not clear to me that 99% of the processing power AV software uses is really meaningful at actual protection.

As of writing I know the BBC doesn't have it on their website and that's how I know some 'casual' people will get their tech news. So in this case the AVs are beating at least some outlets.

I know that trust != secure (just look at ccleaner) and again I know AVs aren't perfect and have flaws, but chances are most people on the street would think that as it's an official Minecraft site, it's trustworthy AND secure even though it's user generated content.

There's a reason iOS is a good target for malware when it can happen, such as the xcode based one a while back.

I've regularly dealt with people who are better with an AV than without, would have certainly saved me a lot of time in the past; and with a game popular with kids and casuals, I think something is better than nothing until something is done by MS and potentially inhibit the infection to some extent.

Again I'm not saying it is the be all and end all, it's just something which I think would help in certain instances in the general market.
 

Valery0p

Can anyone check out the skin linked from avast? So we can end theorizing:
Sorry for begging you @Flaflo , but it uses a similar method to the one that you know?

Because I've read that this may just be a script+image that you have to rename the extension, run and give it administrator privileges to work...

IMPORTANT EDIT: Mojang confirmed that the skins are completely harmless, for you and for anyone playing online, since the script text is included in the... Photo Metadata :[ so the code will never be executed.
This seems to be only a false positive on the string detection heuristics used by Avast as a marketing tactic...
@Chary please update the article.
 

Foxi4

The C version of Minecraft is lesser than the Java version.

No mods.
No cross compatibility.
No Linux support.
Looks wrong.
Controls wrong.
etc..
All of these things sound like advantages to me. Jokes aside, lack of support is pretty apparent, but C is by far the superior choice for coding.
 

Foxi4

If it originally used C it would not be what it is, the ease of modifications helped it out from what I see.

Plus it is why I learned Java.
It was originally made in Java because Notch is a hack, fraud and one-hit wonder. There's thousands of games coded in C/C++ with full mod support, the language is not a barrier, Microsoft being lazy with their IP is.
 

Joom

So what do you suggest people do then?
What happened here was unfortunate, but again, it could have been avoided if Mojang sanitized images upon upload. An AV wouldn't protect against this regardless unless it detected already known heuristics. What I recommend for the adults that still play Minecraft is to stop and get a better hobby. For the children, their parents should already be monitoring their online activity heavily, and this little mishap is entirely on them.

Sorry for begging you @Flaflo , but it uses a similar method to the one that you know?

Because I've read that this may just be a script+image that you have to rename the extension, run and give it administrator privileges to work...

IMPORTANT EDIT: Mojang confirmed that the skins are completely harmless, for you and for anyone playing online, since the script text is included in the... Photo Metadata :[ so the code will never be executed.
This seems to be only a false positive on the string detection heuristics used by Avast as a marketing tactic...
@Chary please update the article.
Thanks for further proving what I said about Avast being garbage. Also, the Unicode mirror character wouldn't work in this situation as it doesn't actually change the extension of the file (which is what you're referring to). This technique purely only works for direct social engineering.

Anyone else think of a time it was dangerous to go online with a game?
When Ember was selling his private DLL injection that allowed anyone to take over any CS Source server by injecting themselves as an admin into the server. Those were fun times.

--------------------- MERGED ---------------------------

I will be waiting for a more in-depth analysis that actually shows what's going on.
Here you go.
https://gbatemp.net/threads/new-mal...at-risk-of-malware.501410/page-4#post-7924208
 

Chary

This seems to be only a false positive on the string detection heuristics used by Avast as a marketing tactic...
@Chary please update the article.
Updated the thread! Just so you know for next time, tagging people in an edit doesn't alert them, but the report was forwarded to me. Thanks.
 

MFDC12

All of these things sound like advantages to me. Jokes aside, lack of support is pretty apparent, but C is by far the superior choice for coding.

Came on as a software developer (professionally, recreational) and just wanted to say there is a phrase "the right tool for the right job", and there are countless reasons why sometimes c is going to be a viable or good choice for doing something.
 

tech3475

What happened here was unfortunate, but again, it could have been avoided if Mojang sanitized images upon upload. An AV wouldn't protect against this regardless unless it detected already known heuristics. What I recommend for the adults that still play Minecraft is to stop and get a better hobby. For the children, their parents should already be monitoring their online activity heavily, and this little mishap is entirely on them.

With the update saying any code couldn't be executed through the game, the situation is moot anyway.

That said, I will point out that if this was a real issue (i.e. in game execution), 'being a better parent' wouldn't have done anything if the parent wasn't aware of the situation in the first place and unless every hypothetical upload was 'randomised'/altered known heuristics would still have potentially been useful.

Don't forget 'normal' people may be very ignorant in certain areas, I've dealt with people who have fallen victim to malware and nearly fell for otherwise obvious scams.
 

Maximilious

Supposedly, the claims by Avast were false, and that code hidden in the skins couldn't actually be executed, according to Minecraft developers. Regardless, any potential for such a problem to occur with the Java version has been fixed.

Once I saw Avast reported this issue I immediately cringed. If anyone uses Avast, do yourself a favor - Uninstall it and install Immunet instead. Free AV powered by Cisco Advanced Malware Protection and ClamAV.
 

gudenau

So, I was right. :-P
 
Deleted User

That'll teach everyone to play this cancerous game :rofl2:
 

Flaflo

Sorry for begging you @Flaflo , but it uses a similar method to the one that you know?

Because I've read that this may just be a script+image that you have to rename the extension, run and give it administrator privileges to work...

IMPORTANT EDIT: Mojang confirmed that the skins are completely harmless, for you and for anyone playing online, since the script text is included in the... Photo Metadata :[ so the code will never be executed.
This seems to be only a false positive on the string detection heuristics used by Avast as a marketing tactic...
@Chary please update the article.
OK, so as far as I can tell it is the one Garkolym released a while ago, which is completely harmless, as Mojang confirmed, but 1.7.2 is attackable, as is a specific version of 1.8.
Furthermore, there is another exploit which works on versions up to 1.12 that can execute code remotely.
POC of that Exploit:
 

Foxi4

Came on as a software developer (professionally, recreational) and just wanted to say there is a phrase "the right tool for the right job", and there are countless reasons why sometimes c is going to be a viable or good choice for doing something.
The only reasons for using Java *ever* is easy portability since it runs on a VM, ease of coding due to rich libraries and the possibility of embedding your software online, but even that advantage is diminishing with the advent of C# and .NET. I can't think of a single instance when a video game would ever benefit from being coded in Java unless it's explicitly coded with the intention of running on mobiles or as a portable game across various platforms, most ambitious titles always lean towards C since it allows them to run much closer to the metal. Of course it's a matter of preference, both languages have the same roots, really, but personally if I can avoid a VM, I always will, even if it only gives me a small percentage of a performance boost. Sure, Java makes debugging easier since you're debugging for a fixed environment, but it just doesn't sit well with me. Programming is becoming increasingly separated from the hardware and I personally see that as a huge negative.
 

Flaflo

The only reasons for using Java *ever* is easy portability since it runs on a VM, ease of coding due to rich libraries and the possibility of embedding your software online, but even that advantage is diminishing with the advent of C# and .NET. I can't think of a single instance when a video game would ever benefit from being coded in Java unless it's explicitly coded with the intention of running on mobiles or as a portable game across various platforms, most ambitious titles always lean towards C since it allows them to run much closer to the metal. Of course it's a matter of preference, both languages have the same roots, really, but personally if I can avoid a VM, I always will, even if it only gives me a small percentage of a performance boost. Sure, Java makes debugging easier since you're debugging for a fixed environment, but it just doesn't sit well with me. Programming is becoming increasingly separated from the hardware and I personally see that as a huge negative.
There are many cases where a VM can be better than being directly "on the metal". It's not a huge negative that managed programming languages like Java have become so popular. Managed languages are a very good thing; if you want to know their benefits, I would recommend you read some articles. These languages have the same right to exist as C or C++.
 

Foxi4

There are many cases where a VM can be better than being directly "on the metal". It's not a huge negative that managed programming languages like Java have become so popular. Managed languages are a very good thing; if you want to know their benefits, I would recommend you read some articles. These languages have the same right to exist as C or C++.
Of course they do, as long as they're fit for purpose, I acknowledged as much.
 
