New Minecraft password-stealing trojan
Published March 1st, 2013 at 4:46 PM EST, modified March 1st, 2013 at 4:46 PM EST
Minecraft has been targeted by malware before (see Cross-platform malware Jacksbot found in the wild), and with Minecraft and Minecraft modifications continuing to be popular, it’s no surprise that it has happened again. Intego announced today the discovery of a new trojan that it has named Minesteal.
This new trojan comes in the form of a Java applet named Minecraft Hack Kit.jar, which promises to give the user all kinds of powerful in-game capabilities on Minecraft servers. In reality, however, the applet contacts Dropbox and downloads another Java applet named mainInstaller.jar. This applet, in turn, downloads another two applets, minesender.jar and SecCorrect.jar.
The malware is installed inside a folder called SysJar, which is placed in the user LaunchAgents folder and made invisible. Three .plist files, also made invisible, are added to the LaunchAgents folder; they launch the three downloaded .jar files at startup.
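A defender-side check for the persistence layout described above, added here as an example that is not code from Intego or the original article: it flags hidden entries, a SysJar folder, and launchd .plist jobs that start .jar files inside a LaunchAgents directory. The hiding methods it tests for (dot-prefixed name, UF_HIDDEN flag), the `~/Library/LaunchAgents` location, and the sample plist names are assumptions.

```python
import plistlib
import stat
import tempfile
from pathlib import Path

SUSPECT_DIR = "SysJar"  # folder name given in the article

def is_hidden(path):
    # Assumption: "invisible" means a dot-prefixed name or the macOS UF_HIDDEN flag.
    flags = getattr(path.lstat(), "st_flags", 0)  # st_flags exists only on macOS/BSD
    return path.name.startswith(".") or bool(flags & stat.UF_HIDDEN)

def jar_targets(plist_path):
    # Return the .jar arguments a launchd job would run; [] if the plist is unusable.
    try:
        job = plistlib.loads(plist_path.read_bytes())
        args = list(job.get("ProgramArguments", []))
    except Exception:  # unreadable, malformed, or unexpected structure
        return []
    return [a for a in args if isinstance(a, str) and a.lower().endswith(".jar")]

def audit(launch_agents):
    # Map each suspicious entry name to the reasons it was flagged.
    root = Path(launch_agents)
    findings = {}
    for entry in sorted(root.iterdir()) if root.is_dir() else []:
        reasons = []
        if is_hidden(entry):
            reasons.append("hidden")
        if entry.is_dir() and entry.name.lstrip(".") == SUSPECT_DIR:
            reasons.append("SysJar folder")
        if entry.is_file() and entry.suffix == ".plist" and jar_targets(entry):
            reasons.append("launches .jar")
        if reasons:
            findings[entry.name] = reasons
    return findings

def demo():
    # Constructed sample tree; names other than SysJar and minesender.jar are made up.
    root = Path(tempfile.mkdtemp())
    (root / ".SysJar").mkdir()
    job = {"Label": "example.hidden", "RunAtLoad": True,
           "ProgramArguments": ["/usr/bin/java", "-jar", str(root / ".SysJar/minesender.jar")]}
    (root / ".example.hidden.plist").write_bytes(plistlib.dumps(job))
    ok = {"Label": "example.benign", "ProgramArguments": ["/usr/bin/true"]}
    (root / "example.benign.plist").write_bytes(plistlib.dumps(ok))
    return audit(root)

if __name__ == "__main__":
    print(audit(Path.home() / "Library" / "LaunchAgents"))
```

Legitimate software can also ship launch agents that start Java programs, so a "launches .jar" finding on a visible plist is a prompt to review the job, while the combination of hidden and .jar-launching entries matches the behaviour described here.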
According to Intego’s analysis, these processes currently serve to steal Minecraft passwords, but they include self-update capabilities. This means that the malware author could add other nasty features at some point in the future.
It’s important to note that Gatekeeper – a feature of Mac OS X 10.8 that prevents applications from unknown developers from opening – will block this app from running. Further, if the user opts for a one-time exemption to allow the Minecraft Hack Kit.jar applet to open, the mainInstaller.jar applet will still be prevented from opening once it has been downloaded. The malware can install properly only if Gatekeeper is disabled completely.
Only users who play Minecraft and aren’t careful about what they download are likely to ever see this. Further, this is a trojan, not another Java exploit, so even if you play Minecraft and like to download mods, you still cannot be infected with this malware unless you purposefully download and open it.