
New Minecraft password-stealing trojan

Published March 1st, 2013 at 4:46 PM EDT , modified March 1st, 2013 at 4:46 PM EDT

Minecraft has been targeted by malware before (see Cross-platform malware Jacksbot found in the wild), and with Minecraft and Minecraft modifications continuing to be popular, it’s no surprise that it has happened again. Intego announced today the discovery of a new trojan that it has named Minesteal.

This new trojan comes as a Java archive named Minecraft Hack Kit.jar (a double-clickable Java application, not a browser applet), which promises to give the user all kinds of powerful in-game capabilities on Minecraft servers. In reality, however, when opened it contacts Dropbox and downloads a second .jar named mainInstaller.jar. That one, in turn, downloads two more: minesender.jar and SecCorrect.jar.

The malware is installed inside a folder called SysJar, which is placed in the user’s LaunchAgents folder (~/Library/LaunchAgents) and made invisible. Three .plist files, also made invisible, are added to the same LaunchAgents folder; each is a launchd job that runs one of the three downloaded .jar files every time the user logs in.
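The persistence described above lends itself to a quick triage check. The following is an added example, not code from the original post or from Intego: it builds a throwaway LaunchAgents folder shaped like that description and scans it for invisible launchd jobs that run .jar payloads stored inside LaunchAgents. The file names, labels and paths in it are assumptions, since the post does not list them, and dot prefixes stand in for the Finder invisible flag so the sample also runs on Linux; the scanner itself checks both the dot prefix and the macOS UF_HIDDEN flag.

```python
"""Scan a LaunchAgents folder for the persistence pattern described above:
invisible .plist jobs that launch .jar payloads stored inside LaunchAgents.
Added example, not code from the original post or from Intego; plist
contents and file names below are constructed to match the description."""
import os
import plistlib
import stat
import tempfile
from pathlib import Path


def is_hidden(path: Path) -> bool:
    """Dot-prefixed name, or the macOS UF_HIDDEN flag (what the Finder
    calls 'invisible'). st_flags does not exist on Linux, so getattr()
    keeps the check portable."""
    if path.name.startswith("."):
        return True
    return bool(getattr(path.lstat(), "st_flags", 0) & stat.UF_HIDDEN)


def program_arguments(job: dict) -> list:
    """launchd jobs may specify Program, ProgramArguments, or both."""
    args = [str(a) for a in job.get("ProgramArguments", [])]
    if isinstance(job.get("Program"), str):
        args.insert(0, job["Program"])
    return args


def inspect_agent(plist_path: Path, agents_dir: Path) -> list:
    """Return the suspicious traits of one launch agent (empty list if clean)."""
    reasons = []
    if is_hidden(plist_path):
        reasons.append("hidden plist")
    try:
        with open(plist_path, "rb") as f:
            job = plistlib.load(f)
    except Exception:
        return reasons + ["unparseable plist"]
    args = program_arguments(job)
    if any(a.lower().endswith(".jar") for a in args):
        reasons.append("launches a .jar at login")
    for a in args:
        p = Path(a)
        if not p.is_absolute():
            continue
        if agents_dir in p.resolve().parents:
            # LaunchAgents should hold job definitions, not the programs they run.
            reasons.append("payload stored inside LaunchAgents: " + a)
        if p.exists() and any(is_hidden(x) for x in (p, *p.parents)):
            reasons.append("payload under a hidden path: " + a)
    if job.get("RunAtLoad") and reasons:
        reasons.append("RunAtLoad set")
    return reasons


def scan_launch_agents(agents_dir) -> dict:
    """Map every .plist in agents_dir (hidden ones included) to its findings."""
    agents_dir = Path(agents_dir).resolve()
    results = {}
    for name in sorted(os.listdir(agents_dir)):
        if name.endswith(".plist"):
            results[name] = inspect_agent(agents_dir / name, agents_dir)
    return results


def demo() -> dict:
    """Build a throwaway LaunchAgents folder with one benign job and one job
    shaped like the post's description, then scan it. Dot prefixes stand in
    for the Finder invisible flag, which cannot be set on non-macOS systems."""
    with tempfile.TemporaryDirectory() as tmp:
        agents = Path(tmp)
        payload_dir = agents / ".SysJar"          # hidden folder, as described
        payload_dir.mkdir()
        jar = payload_dir / "minesender.jar"
        jar.write_bytes(b"PK\x03\x04")            # placeholder bytes, not real code

        benign = {"Label": "com.example.backup",  # hypothetical benign agent
                  "ProgramArguments": ["/usr/local/bin/backup", "--quiet"],
                  "RunAtLoad": True}
        with open(agents / "com.example.backup.plist", "wb") as f:
            plistlib.dump(benign, f)

        suspicious = {"Label": "com.sysjar.minesender",  # hypothetical label
                      "ProgramArguments": ["/usr/bin/java", "-jar", str(jar)],
                      "RunAtLoad": True, "KeepAlive": True}
        with open(agents / ".com.sysjar.minesender.plist", "wb") as f:
            plistlib.dump(suspicious, f)

        return scan_launch_agents(agents)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or "clean")
```

On a real Mac, call scan_launch_agents() on ~/Library/LaunchAgents (and, for good measure, /Library/LaunchAgents and /Library/LaunchDaemons); a job that is both hidden and runs a .jar living next to its own plist is exactly the combination a legitimate installer has no reason to produce.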

According to Intego’s analysis, these processes currently serve to steal Minecraft passwords, but they include self-update capabilities. This means that the malware author could add other nasty features at some point in the future.

It’s important to note that Gatekeeper (a feature of Mac OS X 10.8 that, at its default setting, blocks downloaded applications that are unsigned or not from an identified developer) will block this app from running. Further, if the user opts for a one-time exemption to allow Minecraft Hack Kit.jar to open, the downloaded mainInstaller.jar will still be blocked when the first stage tries to launch it. The only way this malware can install properly is if Gatekeeper has been set to allow applications from anywhere, which is effectively disabling it.

Only users who play Minecraft and aren’t careful about what they download are likely to ever see this. Further, this is a trojan, not another Java exploit, so even if you play Minecraft and like to download mods, you still cannot be infected with this malware unless you purposefully download and open it.


5 Comments

  • aalien says:

    “Further, if the user opts for a one-time exemption to allow the Minecraft Hack Kit.jar applet to open, the mainInstaller.jar applet will still be prevented from opening once it has been downloaded. The only way this malware can install properly is through complete disabling of Gatekeeper.”

    Interesting feature of Gatekeeper… 🙂

    But —> Java, java, java, again! 🙁 They definitely should figure out a new substitute…

    It’s a good thing I don’t have Java and don’t play games… I’d rather make music! 😀

    • Thomas says:

      Well, keep in mind that this could have very well been done in a variety of other ways. There’s nothing special about Java in this case, except that Minecraft is written in Java, so Minecraft users are accustomed to downloading mods in the form of Java applets. No vulnerabilities are required, but that also means the user has to purposefully download and install the applet. It can’t install by itself!

      • Ezekiel says:

        It should be noted that Mojang (makers of Minecraft) are changing the login system, and the password will no longer be stored locally. Instead they are switching to a session ID system, so although login will be possible, account changing will be out the door, and login won’t even be possible after an amount of time.

  • Someone says:

    And people ask me why I don’t play Minecraft…

  • Daniel Stan says:

    I think at this moment that in the last few weeks we have been witnesses to a full-fledged cyber attack on companies based in the USA and the rest of the world, but mainly in the USA. Right now Evernote announced that it was hacked; what’s happening? Are we in the middle of a cybernetic war? And if we are, I’m only seeing the bad guys winning.
