Announcement Malware Announcement

We've seen a lot of reports of a new malware going around Minecraft servers. It seems to be spread by compromised Spigot plugin-author accounts, and is somewhat difficult to detect. We do know that the following exception is caused by it:

Code:
java.net.NoRouteToHostException: No route to host

If you see this in your logs, that server is most likely infected. There are other indicators too - the compromised JAR will have inside of it a file called plugin-config.bin. We do have a one-liner for searching for this in your plugin directories, if you're on a Linux system:

Code:
grep -R "plugin-config.bin" .

If you're on a Windows system you can run this command in your plugins directory:

Code:
findstr /sml /c:"plugin-config.bin" *

Run the above while in your server or plugin directory, and if you get a match, you likely have an infected plugin. If you do not get a match, that is a good thing - you are likely not infected.

@Optic_Fusion1's AntiMalware tool on https://github.com/OpticFusion1/MCAntiMalware has caught onto this malware about a month ago already and catches more variants of it. We highly suggest users run this tool as it contains checks for a lot more malware sources. If this tool reports any malware found, be sure to double check whether it's a false positive or not (known example: ForceOP check falsely triggers on a handful of plugins because of how it's used in plugins).

If you do get a match or think that you are infected, you should delete all of your JAR files and re-download them, as the malware spreads itself to other JARs. You should also immediately reinstall your machine, as this malware is known to install system services outside of Minecraft. It might be more effort, but it is important that infected machines are reinstalled, or else the malware will remain.

If you frequently download plugins from third-party sources e.g. SpigotMC, it's not a bad idea to do routine checks with this tool e.g. once a month or so. Remember to only download reputable plugins from reputable sources & authors.

Keep an eye out, and thanks.
 
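The grep and findstr one-liners in the announcement work because a JAR is a ZIP archive and the names of its entries are stored uncompressed in the archive's central directory. The added script below (example code, not part of the announcement and not the MCAntiMalware tool) does the same check a little more precisely: it opens each JAR and looks for an entry actually named plugin-config.bin, so a plugin that merely contains that string in a stored class file is not reported, and files ending in .jar that are not valid archives are listed separately instead of being silently skipped. The function names scan_dir and jar_has_indicator and the sample plugins tree it builds in a temporary directory are constructed for this demo.

```python
"""Scan a plugins tree for JARs that carry a 'plugin-config.bin' entry.

Added example, not part of the original announcement or of MCAntiMalware.
The indicator name comes from the announcement; the sample JARs built by
build_demo_tree() are constructed for the demo.
"""
import os
import tempfile
import zipfile

INDICATOR = "plugin-config.bin"  # entry name named in the announcement


def jar_has_indicator(path: str) -> bool:
    """True if the JAR/ZIP at `path` contains an entry named INDICATOR at any depth."""
    try:
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                # Compare the bare file name, ignoring any directory prefix
                if name.rsplit("/", 1)[-1] == INDICATOR:
                    return True
    except zipfile.BadZipFile:
        return False
    return False


def scan_dir(root: str):
    """Walk `root` and return (suspicious, unreadable): sorted lists of paths
    relative to `root`, using '/' as separator. 'unreadable' holds files that
    end in .jar but are not valid ZIP archives and should be inspected by hand."""
    suspicious, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".jar"):
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not zipfile.is_zipfile(full):
                unreadable.append(rel)
            elif jar_has_indicator(full):
                suspicious.append(rel)
    return sorted(suspicious), sorted(unreadable)


def _make_jar(path: str, entries: dict) -> None:
    """Write a minimal JAR (a ZIP) with the given name->bytes entries, stored
    uncompressed so the raw bytes are greppable like a real central directory."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_demo_tree() -> str:
    """Create a constructed plugins/ tree: one clean JAR, one carrying the
    indicator entry, one that only mentions the string, and one non-ZIP file."""
    root = tempfile.mkdtemp(prefix="plugins-demo-")
    os.makedirs(os.path.join(root, "plugins", "nested"))
    _make_jar(os.path.join(root, "plugins", "Clean.jar"),
              {"plugin.yml": b"name: Clean\n",
               "com/example/Main.class": b"\xca\xfe\xba\xbe"})
    _make_jar(os.path.join(root, "plugins", "nested", "Suspicious.jar"),
              {"plugin.yml": b"name: Sus\n", "plugin-config.bin": b"\x00" * 16})
    # A scanner-style plugin whose class data contains the string: a raw grep
    # of the file matches this one, the entry-name check does not.
    _make_jar(os.path.join(root, "plugins", "Scanner.jar"),
              {"plugin.yml": b"name: Scanner\n",
               "com/example/Check.class": b"looks for plugin-config.bin inside jars"})
    with open(os.path.join(root, "plugins", "NotAZip.jar"), "wb") as fh:
        fh.write(b"this is not a zip archive")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    bad, unreadable = scan_dir(demo)
    for p in bad:
        print("SUSPICIOUS:", p)
    for p in unreadable:
        print("UNREADABLE (not a valid JAR, inspect manually):", p)
    if not bad:
        print("no JAR contains", INDICATOR)
```

Run it against a real server directory by calling scan_dir("/path/to/server") instead of the demo tree; a non-empty suspicious list means the same thing as a grep match in the announcement, and the reinstall advice above still applies.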
I have little experience with malware, but are there any safety concerns relating to world files, or is this .jar specific?
 
If this is found in your server, reinstall the entire OS. It should not spread to world files as far as I know, so backups of those specifically should be good.
 
Does anyone know what plugins have been infected?
No, because it infects the whole library of plugins when it's run. We might eventually find it, or perhaps an update to the infected plugin has already removed the malware and it's spreading through already-installed plugins. Quite difficult to know!
 
@PurpleWolfMC - Please don't post repeatedly.
1. The malware is known to install system services which give it the ability to do pretty much anything it wants. You don't want it on your computer because it can cause all sorts of havoc potentially after lying dormant for ages and ages.
2. The announcement itself has a linked service for finding corrupted JAR files. It also has two commands, depending on the OS you use to run your server.
 
Will it infect all the jars in my main server directory or all of the jars on my computer? And if the malware is on the computer, can it only turn on when the server is on? Or can it run whenever it wants?
 
I mean, the thing modifies every jar in the server folder in order to inject its payload, which installs the malware to the OS itself. That payload is what downloads the thing to make your machine join the CNC server and do whatever the heck it wants. Every jar in your server folder is borked, and unless you were using a container, your system is probably compromised.
 
If you are infected, you need to reinstall your OS and download all JARs fresh from reputable sources. Geyser is not distributing this malware, but it may be that your Geyser JAR has already been modified by the malware.
 
I did. It still says that it does. I haven't reinstalled my OS, but I did download the jars fresh from the OG source (geysermc.org).
 
Will other things (like other world files and stuff and the server's world file) be infected if you transfer it to an SD card and then add it back to the now reset PC?