Minecraft players might find themselves at risk for a malware that's spreading. According to Avast, 50,000 accounts have fallen victim to a malicious code which infects your computer and reformats users' hard drives. Supposedly, this malware isn't complex at all, but the issue is that people were able to upload this virus via Minecraft skins, and onto the official Minecraft site, where many people go to in order to download skins for their characters. With a 75 million playerbase, there's a multitude of users that could be potentially affected, although only younger users are more likely to download skins, therefore leaving them the most susceptible to downloading the malware. There's a handful of specific skins, such as the ones above, that have the malware script attached, but it would be the safer option to not download any skins at this time. Claims are being made that if an affected user joins a host that you're on, it can also affect you as well and put you at risk, though this is unverified.

Affected users that wound up downloading an infected skin began receiving unusual messages in their inbox on the Mojang site, such as,

“You Are Nailed, Buy A New Computer This Is A Piece Of Sh*t”
“You have maxed your internet usage for a lifetime”
“Your a** got glued”

There's also a variant that can affect "tourstart.exe" on your computer, which causes massive performance issues to your PC, especially on startup. Avast claims that they've protected over 15,000 threats by removing the harmful software, or preventing it from downloading. At the time of writing, the issue has not been resolved, but Mojang is currently working to address this problem.

Source

Edit: The Minecraft official Site has responded to the problem and have fixed this issue.

This is now resolved, but we wanted to explain what happened and the measures we’ve put in place to protect our community.

Any Minecraft: Java Edition player can upload their own custom skin in the widely-used PNG file format to our webservice at minecraft.net and this will then appear on their character in-game. PNG files can contain things other than an image, such as metadata, which includes information on what tool created it, when it was made, who made it, etc. This meant that PNG files could be created containing code in this inert part of the skin file. However, this code would not be run or read by the game itself.

While your antivirus software might detect this code and alert you to its presence, the code would not be able to run by itself. Additionally, even if you found the code within the file and chose to run it, your antivirus software should detect and block the attempt.

To further protect our players, however, we deployed an update that strips out all the information from uploaded skin files other than the actual image data itself.

Supposedly, the claims by Avast were false, and that code hidden in the skins couldn't actually be executed, according to Minecraft developers. Regardless, any potential for such a problem to occur with the Java version has been fixed.

 

[Mnecraft368]

Minecraft just turned dark :/
Well its a good e-safety lesson for the kids that play it

Though deleting hard drives is gonna cause alot of problems for many of them as they might not know what to do and their parents might not be very "computer-knowledgable"

 

[Taffy]

beautiful

starbound is better anyways.

...Eh. It's still a worrying thing, I hope it gets sorted out.


...Really makes you think. Somebody had nothing better to do than make a virus that'll make millions of young kids (and adults) freak out.......actually I can't wait to see that happen. Popcorn time.

 

[AxlSt00pid]

How great...
Remind me why some people care to do these kind of malware?

 

[Chary]

How great...
Remind me why some people care to do these kind of malware?

Some people just want to watch the world burn?

 

[Taffy]

How great...
Remind me why some people care to do these kind of malware?

Well, people get bored. And boredom is boring. So people piss off other people and do things like that.

Aside from geting to watch kids go ballistic, I *GUESS* it'll make the owners of the computers angry. But still, popcorn time

 

[Mnecraft368]

They could just want to see some kids raging about it on youtube
Also, is this affecting the Bedrock (Windows 10, PE, Xbox) or Java (PC) versions of the game. I'm guessing the PC version but I wanna make sure if I ever decide to play for a while (not that I download skins, I made my own)

 

[Deleted User]

nice
i wonder how much mcafee is gonna make off 12 year olds using their moms card

 

[jimmyj]

Oh well

--------------------- MERGED ---------------------------

nice
i wonder how much mcafee is gonna make off 12 year olds using their moms card

Yeah lol

--------------------- MERGED ---------------------------

How does the virus even execute? Isn't a skin just a png file?

 

[Sonic Angel Knight]

Minecraft came installed with windows 10, time to uninstall a game i never played.

 

[The Real Jdbye]

This is creepypasta come to life. Never seen malware going through a game and specifically targeting players of that game before, but I guess it had to happen sooner or later.

Oh well

--------------------- MERGED ---------------------------


Yeah lol

--------------------- MERGED ---------------------------

How does the virus even execute? Isn't a skin just a png file?

There's probably an flaw in the png code Minecraft uses, then all they need to do is carefully craft the file so it causes code execution to jump to a part of the png file that contains their payload. And from there the possibilities are endless.

 

[Mnecraft368]

There's probably an flaw in the png code Minecraft uses, then all they need to do is carefully craft the file so it causes code execution to jump to a part of the png file that contains their payload. And from there the possibilities are endless.

They could bait lots of people by saying "Download this skin and you get free hacks in all servers", then it does give them the hacks but as soon as they finish playing they find out that only Minecraft is installed, and re-opening it wipes the remainder of the hard drive.
I should try that...jk

 

[souler92]

you can fuse a png and exe file into 1 file. then when the extension png is there, it opens the image, when extension .exe, bat or whatsoever the payload is, it loads up

probably they found a way for minecraft to execute the malicious malware

 

[gudenau]

I am guessing this is just the inferior C based versions, since this should not do anything on the real version.

 

[nl255]

Oh well

--------------------- MERGED ---------------------------


Yeah lol

--------------------- MERGED ---------------------------

How does the virus even execute? Isn't a skin just a png file?

Seriously? You are here on gbatemp, a console hacking site, and don't understand that there is no such thing as a harmless file and that almost any file type can be used to execute arbitrary code.

Remember, Soundhax is/was just an AAC audio file yet gave full access to the 3DS including it's arm9 security chip thus allowing the installation of full blown custom firmware. That's right, full blown custom firmware just by playing a "harmless" music file.

--------------------- MERGED ---------------------------

you can fuse a png and exe file into 1 file. then when the extension png is there, it opens the image, when extension .exe, bat or whatsoever the payload is, it loads up

probably they found a way for minecraft to execute the malicious malware

Or the png file itself contains the malware. After all if you can get full blown custom firmware on a system just by playing a "harmless" sound file then why not? It's not like Microsoft is known for good security.

 

[Flaflo]

I knew about this exploit about more than a year, its kinda shocking that it took so long for other to notice.
Btw this exploit does only run on windows because the code is appended on the png file with a special format that is only interpreted by windows.
Dont gonna explain more detail because as of now this exploit is not fixed.

--------------------- MERGED ---------------------------

I am guessing this is just the inferior C based versions, since this should not do anything on the real version.

Nope this applies to the java version of minecraft

 

[Yepi69]

It's not like Java is super secure, it was only a matter of time.
It's no wonder that browsers discontinued it, I'm sticking with the Windows 10 version so far and downloaded a couple of skins this week.
So far so good

 

[Flaflo]

you can fuse a png and exe file into 1 file. then when the extension png is there, it opens the image, when extension .exe, bat or whatsoever the payload is, it loads up

probably they found a way for minecraft to execute the malicious malware

well its kinda like this but its not .exe code appended to the png file. also as of i know this does not apply to all minecraft versions. i tested it on 1.7.9 up to 1.8.X

 

[Mnecraft368]

Nope this applies to the java version of minecraft

Thought so. I would highly doubt that Bedrock would see this issue.

 

[Flaflo]

It's not like Java is super secure, it was only a matter of time.
It's no wonder that browsers discontinued it, I'm sticking with the Windows 10 version so far and downloaded a couple of skins this week.
So far so good

Its not Java fault on failing with security but its mojang that has done many things wrong