“Fractureiser” malware in popular Minecraft mods and modpacks (opens in new tab)

kind of reminds me of the very subtle malware found in a modified version of a bitcoin wallet that would lay low but when you copy-paste a BTC address in the recepient field, the malware replaces the clipboard with their own address in hopes you don't check it twice

But only if the user has a high balance on their own wallet.

At least one person fell for this when they made a small test-transfer which went through but when they entered the higher BTC amount the recipient was replaced. Pretts smart and evil stuff

This is one of the (several) modern trends of computing that I dislike severely. There are lights for all kinds of nonsense but actually useful information, like Wifi status, disk activity, and even POWER ON/OFF are removed for some misdirected sense of minimalism or style.

For a modern OS a some inductor LED for drive activity would just be constantly flashing at different rates. Something is always writing to a log somewhere, just on the OS itself.

To actually be useful more information would need to be carried: different rates (by colour, brightness, or a simple bar of variable length), an indicator per drive if multiple, ...

I find that SSDs have a terrible failure mode too. Everyone thinks they are "fast" so they do all sorts of file operations that would have previously been considered too slow. However, consumer SSDs are only "fast" until they run out of DRAM buffer or SLC cache. Then they slow WAY down, like slower IOPS than my spinning rust disk. That means your busy machine goes from perfectly fine to nearly locked up, because even the OS now thinks file operations are "cheap" enough to block on and rely on in all sorts of hot paths.

Once that buffer or cache runs out, all those mostly extraneous IOPS just pile up, and the SSD will basically never catch up, because the technology fundamentally cannot catch up to a sustained load like that, but the load is sustained because all the software was designed with "SSDs are fast and lots of small writes will be fast" so they just keep growing the queue.

Previously most of the OS would be in memory and only page out if absolutely needed. It feels like modern windows is perfectly willing to page itself out because "SSDs are fast" and have random, pointless file ops everywhere. So if your SSD gets bogged down, now your operating system basically dies too, so good luck killing whatever app(s) are causing the problem

My new-ish Dell XPS laptop actually does make noises; I think from the SSD due to [0]. It can indeed be quite useful for figuring out when something’s not quite right.

[0] https://superuser.com/a/1603734

Guess we have to run promontory [0] at all times to see what's going on

[0] https://learn.microsoft.com/en-us/sysinternals/downloads/pro...

Time to get one of these: https://www.retrokits.de/index.php/hdd-clicker-hdd-sound-sim... ;>)

Also, it checks the entire system for JARs and injects it’s stage0 bootstrap!, that includes maven and gradle caches. Reading this part sent a slight cold shiver down my back. Am infected mod dev could become a new spreader

It's not hard to wait for some other io to occur, then issue a few requests and piggyback on the blink. I assume they're not in a big hurry.

I have cpu, network, memory, and i/o graphs in my desktop panel for this reason.

MATE desktop but I bet there are equivalents everywhere.

What's amazing to me is you have an entire modscene of young or amateur programmers uploading binary code to god-knows-where and this is the first time this sort of thing has happened (that I can recall)

What's the security like on Steam workshop? Or Nexusmods? Gaming and modding is still rife with lots of little "here download my exe from this forum post and give it a run please".

Pretty much every game I play modded ends up with some kind of support framework DLL that tons of other mods build from. I am amazed that that has still not really blown up in our faces here in 2023.

I'm sure people have thought about it, it's just hard, annoying, and asking a lot of mostly unpaid OSS contributors. Many mod developers are high school / college aged.

Sandboxing Java code running in process requires ugly and obscure security APIs and restricts you to having to have a common modding API (Forge). Many mods use bytecode patching and would be broken completely.

The page this post links to is for the prism launcher, a 3rd-party launcher that enables a lot of very useful features such as automatic mod installs. Crucially, it is distributed as a flatpak with sane default permissions, which means that pretty much all linux users are safe (turns out even the ones not using flatpak were safe because they borked their unit file but still).

People thought of sandboxing the stuff, but the people thinking of that and the people making the mods aren't the same people and the people making the mods would rather be able to do things outside a single API.

This severely downplays how much work adversaries put into making sure that despite your best efforts, their payloads will make it through.

I foresee this being a big problem for the Godot game engine as it gains popularity. There's absolutely no sandboxing or "safe mode" or anything when loading extra resource packs, and any resource or scene file can have an embedded script which executes upon loading.

Funnily enough, it would simply never work on a mobile OS — it’s the desktop OSs that are at the optimistic 90s levels of security, still.

The same could be said about NPM, or pip, or crates. The security model is "they will probably find the backdoor before it affects me", and it's unreasonably effective.

What until you learn about javascript and npm

Just play vanilla for now, I guess

I thought it took a hot minute to get mods updated anyway

Maybe this is a dumb suggest, but what about using a VM or second computer?

I’m not a malware expert by any means, but I am pretty sure VMs are extremely hard for malware to escape when it isn’t expecting it.

And VMs take almost no technical skill to set up nowadays.

You could play the game/mods on a burner PC or in a VM and do everything else, such as access your accounts, from a different computer.

Also would be surprised if a commercial AV like Bitdefender doesn’t pick this malware up.

It's one of the biggest games in the world, so I can see the appeal of targeting Minecraft players, especially since a lot of them are children and don't know what's going on. I checked my sons computer for this malware yesterday, and luckily he wasn't infected, but I ran OSForensics on his computer afterwards to see if he did get infected what kind of data an attacker might be able to get, and there was all sorts of PII from myself and my wife having used that computer before at one point or another. I'm sure with such a large install base there's plenty of opportunity to steal lots of valuable info.

Some of the very first reports of log4j were against Minecraft servers. If you go look at the original Github issue in which it was identified, all of the posts prior to anyone understanding its gravity were from Minecraft server operators.

What does that mean?

from TFA: > Until further notice, do not use the official CurseForge launcher, or download anything from CurseForge or the Bukkit plugin repository. While the control server for this malware is currently offline, any download from CurseForge or the Bukkit plugin repository in in the last 2-3 weeks should be treated as potentially malicious. This malware is unlikely to be detected by Windows Defender or similar antimalware products.