https://github.com/aravind-manoj/minecraft-server-botnet

A new DDOS Botnet built using Minecraft Servers with Malicious Plugins.

# Minecraft-Server-Botnet

**A new DDOS Botnet built using Minecraft Servers with Malicious Plugins**

## Overview

**Malicious Minecraft plugins have been discovered spreading rapidly across Minecraft servers. Disguised as legitimate .jar files, these plugins launch DDoS attacks and, once installed, inject malicious code into other plugins.**

## Analysis

- **Behavior:** Once installed, the malware quickly turns the Minecraft server into part of a botnet. It begins flooding specific IP addresses with excessive traffic, degrading the targeted server. At the same time, it compromises the integrity of the host server by modifying existing plugins, either replacing them entirely or injecting malicious code into them.

- **Propagation:** The malware does not stay on one server. When server owners share their plugins with others, they unknowingly share the malware as well, so it spreads to further servers and causes more damage.

- **Impact:** The consequences are significant. The malware not only degrades the performance of the infected Minecraft server but also undermines the stability of other servers by flooding them with traffic. In addition, the infected server's unwitting participation in DDoS attacks can expose its owner to legal consequences.

# DEMO

**The malicious plugin (.jar file) is designed to send traffic to HTTP port 80 of the target IP, so here we use Wireshark to identify HTTP traffic originating from the malicious file. It is strongly advised not to conduct this test on your personal computer; use a virtual machine instead to avoid any potential damage to your system.**

### Setup Test Environment

1) Install [Java](https://docs.papermc.io/paper/getting-started) and [Wireshark](https://www.wireshark.org/download.html).
2) Download and install [PaperMC](https://papermc.io/downloads/paper) or another Minecraft server version.
3) Run `java -jar papermc.jar`.
4) Accept the EULA.

**Now the test environment is ready.**

### STEP 1: Run without any plugins

No HTTP traffic is detected by Wireshark when no plugins are installed.

https://github.com/aravind-manoj/Minecraft-Server-Botnet/assets/136658800/52b6925e-ea34-477a-9272-c0a98a10fc7e

### STEP 2: Install plugins from verified source

When plugins are installed from legitimate sources such as SpigotMC, Wireshark detects no HTTP traffic.

https://github.com/aravind-manoj/Minecraft-Server-Botnet/assets/136658800/22c1c97c-fecf-4711-b626-e52853bdadbd

### STEP 3: Install malicious plugin

When the malicious plugin is installed, Wireshark starts detecting HTTP traffic originating from the server. In this demonstration, LuckPerms and Clearlag also get infected with malicious code, and both of their file hashes change.

https://github.com/aravind-manoj/Minecraft-Server-Botnet/assets/136658800/c618502b-65f9-4512-a877-b4249ba17784

### STEP 4: Remove malicious plugin

Wireshark still detects HTTP traffic even after the malicious plugin and its dependencies are removed, because LuckPerms and Clearlag are now infected and carry out the attack on behalf of the original malicious file.

https://github.com/aravind-manoj/Minecraft-Server-Botnet/assets/136658800/4f77e0bb-fa12-4645-9945-cebac416114b
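As an added example that is not part of the original report, the Wireshark observation from the four steps above expressed as a detection rule over flow records: a game server has no reason to open HTTP connections on its own, so any SYN it sends to port 80 is worth a look, and a burst of them to one destination is the flood signature. The server address, the field layout and the sample records are constructed for the demo.

```python
from collections import defaultdict

SERVER_IP = "192.168.1.20"      # assumed address of the test server
ALLOWED_HTTP_HOSTS = set()      # hosts the server may legitimately fetch from

# Constructed records shaped like a `tshark -T fields -e frame.time_relative
# -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -E separator=,` export
# (SYN column assumed as 1/0); not taken from the report's capture.
SAMPLE = """\
0.10,192.168.1.50,192.168.1.20,25565,1
0.15,192.168.1.20,192.168.1.50,55012,0
1.01,192.168.1.20,203.0.113.9,80,1
1.02,192.168.1.20,203.0.113.9,80,1
1.03,192.168.1.20,203.0.113.9,80,1
1.04,192.168.1.20,203.0.113.9,80,1
1.05,192.168.1.20,203.0.113.9,80,1
2.30,192.168.1.20,198.51.100.7,443,1
"""

def parse(text):
    # Yield (time, src, dst, dport, syn) tuples; skip lines without a TCP port.
    for line in text.splitlines():
        t, src, dst, dport, syn = line.split(",")
        if dport:
            yield float(t), src, dst, int(dport), syn == "1"

def outbound_http_syns(records, server_ip=SERVER_IP, allow=ALLOWED_HTTP_HOSTS):
    # Count connections the server itself opens to port 80, per destination
    # per one-second bucket. Normal game traffic (clients -> 25565) is ignored.
    buckets = defaultdict(int)
    for t, src, dst, dport, syn in records:
        if src == server_ip and dport == 80 and syn and dst not in allow:
            buckets[(dst, int(t))] += 1
    return dict(buckets)

def alerts(records, rate=3):
    # Flag destinations hit with >= `rate` SYNs in one second (flood pattern),
    # and list every HTTP destination so a low-rate beacon is not missed either.
    counts = outbound_http_syns(records)
    flood = sorted({dst for (dst, _), n in counts.items() if n >= rate})
    contacted = sorted({dst for (dst, _) in counts})
    return {"flood_targets": flood, "http_destinations": contacted}

if __name__ == "__main__":
    print(alerts(parse(SAMPLE)))
```

On a real server the same rule applies to a live `tshark` export; any non-empty `http_destinations` from a plain game server deserves investigation, not just the flood case.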

# Changes in File Hashes

![hashes](https://github.com/aravind-manoj/Minecraft-Server-Botnet/assets/136658800/20aef5f5-3a18-40f2-ab54-e1d487d415fe)

### Original File Hash

**LuckPerms-Bukkit-5.4.117.jar**: `39b7156ae34094e6e8f7e42e067daced246e7d9a4034ab6cca0fc1d7a6275dc0`

**Clearlag.jar**: `7187dade49f7622ef6adae7ca28b15eed82321d7aef25668bba98c39e6648835`

### Infected File Hash

**LuckPerms-Bukkit-5.4.117.jar**: `b5be160485ae762eeeb16c77b9c3ededebf13a86d0fc3fc71393e7ef8d862f77`

**Clearlag.jar**: `9aceca57e98ebd1eb6b035b573aaecfb376392a2d840f7e2f35bb77c39d79af8`
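As an added example (not part of the original report), the hash comparison above turned into a repeatable baseline-and-verify check for a server's `plugins/` directory: record SHA-256 hashes right after installing plugins from verified sources, then re-check so that a jar rewritten on disk by another plugin shows up as `modified`. The manifest file name and the sample jar contents are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path):
    # Stream the jar through SHA-256 so large plugins need not fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(plugins_dir):
    # Map every .jar directly under plugins_dir to its SHA-256.
    return {n: sha256_file(os.path.join(plugins_dir, n))
            for n in sorted(os.listdir(plugins_dir)) if n.endswith(".jar")}

def save_baseline(plugins_dir, manifest_path):
    # Record hashes right after installing plugins from verified sources.
    with open(manifest_path, "w") as f:
        json.dump(snapshot(plugins_dir), f, indent=2)

def verify(plugins_dir, manifest_path):
    # 'modified' is the report's signal: a jar whose hash changed with no update applied.
    with open(manifest_path) as f:
        base = json.load(f)
    cur = snapshot(plugins_dir)
    return {
        "modified": sorted(n for n in base if n in cur and cur[n] != base[n]),
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
    }

def demo():
    # Constructed scenario: baseline two jars, then tamper one and drop a new one.
    d = tempfile.mkdtemp()
    for n in ("LuckPerms-Bukkit-5.4.117.jar", "Clearlag.jar"):
        with open(os.path.join(d, n), "wb") as f:
            f.write(b"PK\x03\x04 clean plugin bytes: " + n.encode())
    manifest = os.path.join(d, "plugins.sha256.json")   # assumed manifest name
    save_baseline(d, manifest)
    with open(os.path.join(d, "Clearlag.jar"), "ab") as f:
        f.write(b"// injected bytes")      # stands in for the code injection
    with open(os.path.join(d, "Vault.jar"), "wb") as f:
        f.write(b"PK\x03\x04 new jar")     # stands in for an unexpected jar
    return verify(d, manifest)

if __name__ == "__main__":
    print(demo())
```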

# Packet Sample

![packet](https://github.com/aravind-manoj/Minecraft-Server-Botnet/assets/136658800/a90b1976-19cf-40a4-b14a-83b763cc3f44)

# Finally

**LuckPerms and Clearlag, both installed from verified sources, have now been infected with malicious code by Vault.jar, which is itself an infected plugin, and both can now replicate their malicious behavior into other plugins running on the same server.**

### Solution:

**To the best of my knowledge, there isn't any solution to tackle this malware. However, if there is one, please let me know.**

# Author

This report has been generated by me. And if there is any mistake, please let me know.