MINECRAFT'S DEADLIEST COMPUTER VIRUS
- Published: 25 Jun 2024
- When you download a mod, do you really know what you're downloading? Ideally, the answer is yes, but what if something malicious is hiding inside - and what if the creator of the mod didn't even know something malicious was inside?
CHAPTERS
0:00 - What is a Virus?
3:06 - A Mysterious Mod
7:45 - Inside the Virus
13:46 - The Dangerous Bit
16:58 - Aftermath
CREDITS
- The Fractureiser Mitigation Team (github.com/fractureiser-inves...) for researching and stopping this virus, as well as publishing this info publicly
- @_thomas , nwunder and Angry_Pineapple for proofreading
- Everybody else involved in this investigation
MUSIC (in order of appearance)
On Little Cat Feet - OneShot OST
Resurrections - Celeste OST
Divide By Four Add Seven - C418
Negative Gravity - Foewi
Tides - HOME
DISCLAIMER
Nothing in this video is even remotely close to being malicious, nor does it provide any sort of framework for a potential malicious actor. If you choose to seek out any of the code for this virus, I accept no responsibility for anything that may happen if you run it on your computer and I do not encourage you to seek it out.
LINKS & SOURCES
- Fractureiser Investigation Document: github.com/fractureiser-inves...
- Payload Analysis Document: hackmd.io/5gqXVri5S4ewZcGaCbsJdQ
- SkyRage Extra Reading: ljskatt.no/analysis/updater_c...
- CurseForge Detector & Blog Post: support.curseforge.com/en/sup...
- Minecraft Malware Community: / discord
Apologies for the random repeating parts in like, 2 seconds of the video. Seems like the file got corrupted whilst uploading - just pretend the video is HACKED and EVIL and that it adds to the atmosphere
What do you mean "pretend". It is EVIL. On a serious note, it's pretty much nothing.
Brain aneurysm go brrr
dont upload a minecraft virus video at 3 am!!!
Yeah
yipee heaven fortress updat
that's 10 times worse than just getting ratted and getting your coins stolen in skyblock
10 TIMES BETTER IF I LOSE MY TERM I WILL SOB, WHO CARES ABT MY CRYPTO OR MONEY OR PERSONAL INFO
@@Acoldfox they will probably sell your entire minecraft account, so no more term, no more minecraft, no more pc pretty much
@@Acoldfox would you rather lose a term (replaceable, just takes long time)
or lose your entire minecraft account, lose every single one of your files, its literally getting ratted but it affects much more (most likely non-replaceable)
@@KingTurtle2607 as someone who doesn't have a term, i see this as a win
Although skyblock rats usually also steal all that other info, too; I still have to agree. The way viruses spread is terrifying, both in the digital and physical worlds!
I wanna make a joke comment but I just genuinely can’t stop appreciating the effort you two put into these videos. This feels like a legitimate documentary and it’s something that I feel like would be interesting even to those that have never played Minecraft in their life.
make the joke
It IS a legitimate documentary, but who is Tyler? Is hellcastle schizophrenic?
@@tariksleftnut yes
As a mod developer : A mod running in a sandbox doesn't really at all prevent making mods, as long as you do it well. Example : mods generally never really need to look for files beyond the game's location, so any file outside of that can be made unreachable to the game, without causing any real issue. Only cases where it would be problematic is if a mod needs a shared library to run, although those can just be placed inside of a folder accessible in the sandbox.
Kinda true, but mods (which arent really gonna be played by the public) ie. Instantly shutdown pc when a player dies or things like that won't work in a sandbox.. (other than that i completely agree with your point!)
After seeing this video, I saw your comment and, I completely agree as a mod developer as well.
@@nicky7006 these are edge cases, a good option would be to be able to disable mod-by-mod sandbox, with the sandbox being enabled by default
was one of the people trying to survive through this, i didnt get infected but this was one of the scariest moments of my life, knowing how much i could've lost
i panicked so hard over this i reset my pc anyway. even though i lost most of my files im glad i didnt lose EVERYTHING
@@Nub85204 thats so lucky dude! im happy for you!
Sucks that so many people are getting hacked just for playing games they enjoy. Its been happening a lot with older fps titles such as the old cod games and even some more recent ones like battlefield 5
It's a shame. Only need a few people to ruin it for everyone else 😔
Got a bit of a scare because only a few days before the scare, my friends and I logged into MC for the first time in ~6 months to play modded for the first time and started a world. Luckily we didnt hit a landmine according to Forge's scan, but we still decided to stay off the game til Forge announced it was safe.
better safe than sorry, bro.
As someone who knows a lot about IT security, this was a great video! I loved how you explained everything.
Very fascinating video, thanks for doing what you can to spread awareness that people shouldn't just download random mods without checking! I see it way too often even with people I've told over and over again not to.
i do not like sircow
its our favourite sb creater ❤
wait i swear you had other sb videos
@@dahamvich2789 eh i decided making videos isnt really for me and i only make them rarely now
🍔
This video is great! Love to see a documentary like video on Fractureiser.
Thanks for having the courage to make this video and educate us! I remember being one of many using curseforge when that happened and I had no idea what was going on. This educational yet simple video taught me a lot!
HellCastle and Tyler know more about malware analysis and stuff than i expected
Tyler scripted the entire video
I am so thankful for the premier countdown music because I almost missed the premiere
I loved that you used AE2 to describe this, great video!
the other big problem is, this is also a situation where you can get multiple false positives, there's plenty of legitimate mods that use classloaders, and this virus also tended to push like slightly different code to each other jar file
2:13 the things in the background and the item used to show the infected file are from the mod ae2(applied energistics 2)
I didn't end up using new mods for about two months, and even now I still check every file manually for stuff. I don't use CurseForge anymore because of the way they kinda just don't usually care about normal malware, and only do things when someone big notices which sucks
17:50 currently, im working on a modding api for minecraft, using javascript. since the javascript engine is as sandboxed as it gets, the mod loader can control exactly what the mod can do. the whole mod loader should be done by early january next year
How is the performance
I love JavaScript myself but am concerned about the slowness and bloat of such a high level language
@@Xnoob545 Compared to the JVM? It should be just as fast, since both the JVM and major JS engines use JIT compilation to optimize often-executed "hot" code into faster machine code, based on information about the code that's collected over the time (what branches are more likely, what types are usually used, etc.). Also, JS engines are maintained by folks at Google (for V8), Apple (for JSC), and Mozilla (for SpiderMonkey), so a large amount of effort has been put in to make JS as fast as can be. In the end, JS itself isn't significantly slower than Java, and the only aspect that is likely to be more bloated is file size, since traditional mods are distributed in a literal .zip file containing JVM bytecode, and JS doesn't have such a (standardized and stable) bytecode (V8's bytecode doesn't really count).
What if someone made a mod that spread like malware, but instead of doing harm, it just added a weird mob into all of the packs?
Herobrine. Everyone would think Herobrine is real😂
There's only 2 routes this could go
horror mob
or
skrunkly little scrimbo
on little cat feet is such a good song its so fitting for the background!!
Can we appreciate that this guy used "On Little cat Feet" from OneShot?
You have given the best coverage on this I have seen. Good job.
fr
Fantastic video
Also I heard that OneShot OST :D
ah the 1am content from hellcastle, love it! at least it's a weekend...
POV: waiting for the 1 am piece of content that drops every 2 months
Dang it's 1am here too
6pm for me lol
I think I should sleep more bc I stay up like until 5am and wake up around 10 am
1 am gang
Its funny because ik the people that did this and you really barely scratched the surface, it goes so much deeper and in so many more communities
Not related with the video but you using On Little Cat Feet for background music at the start is awesome
wait, so if it uses that property to tell itself it's already run, could you potentially protect yourself from it by manually setting that property yourself?
The problem here is that programs which modify a lot of exe, jpg, docx, pptx, mp3, mp4 files are being instantly flagged as suspicious by AV companies, but the same principle doesn't apply for jar files.
Very informative video, great job as always!
I like your use of Minecraft mods to explain a virus about Minecraft mods.
Pog Oneshot and Celeste background music
That Oneshot bgm mmmhh *chef kiss*
15:23 this, this right there is why I don't save cookies on very important sites, (and why you shouldn't either) because its basically an open invitation for hackers to steal your login info.
I was so scared at the beginning because I recently downloaded litematica like day before yesterday and thought that I might have gotten infected
Thx for the on time news T_T
(but a real thx for a comprehensive explanation of the code)
That song from celeste is such a banger tho
The best day of the month is when you guys post a video
One of the most common Minecraft viruses will open the terminal app on your windows device.
Dude i am trying to stop my head from going crazy to the celeste Resurrections OST
The big issue of us mod developers is: we are also just he average person, most of the time we too just trust files our friends send us, because why would we read every single bit of code, for the very small chance something is wrong
nah bro it feels like that thing happened weeks ago and curse forge already fixed everything
There is a version of the virus that actually deletes the virus then opens some anti virus webpages and then deletes itself
That's incredible
@@derpyslurp8779 is just someone who changed the code to be that thing, extremely basic coding
Not impressive at all
@@MilesProwerTailsFox it's impressive somebody did that at all lol
@@russianyoutube no, it’s always the first response to a big virus
@@MilesProwerTailsFox🤓🤓🤓
thanks for closure on this
Lets go another insane video incoming
Holy sh*t when i show the topic i knew this would be ur best video yet, at least for me
and i was right
am rlly interested in that stuff and a video of your quality is fire
btw as a guy who does code this code looks mad suspicious to an1 who codes, a guy who doesn't do code wouldn't read it anyways
I owned all of the mod packs, but luckily somehow used them all right before they were malicious.
Great video, almost a shame you don't make skyblock let's plays
0:37 This music... did you play that game?
I Hope you did....
If you did how was it?
Hearing that song confused me, since it's my background music from Wallpaper engine. Spent a couple minutes trying to figure out why it was playing before I realized it came from the video, lul. Really enjoyed the game! :D
hopefully he did, very underrated game
this, is a very informative video, thank you for making it :)
there is, in fact, a way to partially mitigate risks like this, which is running mc in a vm, but that doesn’t completely solve the problem, + it’s not something anybody is going to do
Great video explaining dangers of viruses!
that guy who was the last really trolled us all
love the combination of educational content and humor
Slight correction? Maybe? The community mostly figured out what it was (they found the code and were sending out instructions on how to check your pc for it) far before curseforge did anything..I was there when all hell broke loose and everyone was panicking sending warnings in their servers and everyone was going to curseforges discord server to find out what was up..the panic happened during the night for the curseforge devs so we had to wait a while for them to wake up of which they reposted the info being sent out by others and then worked on the virus checker thing on sight. It was so bizarre to be there during it all 😅one of the mods in their discord server really tried to convince everyone there was no virus and stuff..yea no one exactly bought it and people acted pretty aggressively to their comments.
Though it is true we didn't know at the time how infected curseforge was, or if curseforge itself was compromised..it was pretty scary ngl! We didn't know fully what the virus was programmed to do, where it came from (though we had a decent suspicion it was uploaded and infected people who downloaded it and thus infected those people's modpacks which spread it further), but we did know how to check for it! Crazy the virus stayed active that long without curseforge stomping it out (as you mentioned people had been on the case and were contacting curseforge about it about a week prior to the "massive panic day")..they only acted once it had grown to a massive level and everyone was freaking out.
I had no idea it was that bad! Currently watching what the virus does..I cannot believe it steals that much omg
Thank you i have been wandering clueless around for far too long because i dont know anything about coding/java. Very good explained even a complete brickhead like me understood it, very gud👍
Hellcastle made me think that Tyler would speak this time :)
i cannot overhear the oneshot ost, really good game
I don’t know if it’s just me, but when I look at obfuscated text with something like hello or something I can kinda see the text very slightly. Maybe I’m just seeing things.
Starting off with Oneshot music, nice
This video in short: virus bad connecting to server stealing your entire Computer live
I heard the oneshot music, and instantly recognized it, i freaking love that game!!!!
Thank lord I was on my 1 year minecraft hiatus.
This is the 2nd time a website I frequent being hacked or something along those lines since May first was MyAnimeList on May 11th (I just use the list feature not the reviews) with a hack that overwrote any text with "Let's all Love Lain" (Based on the ending of Serial Experiments Lain)
How I avoided this playing Bugrock and Modded Sims 4 but avoiding CF (Game already had ways to download mods without CF since that was only introduced in Late 2022) on the latter since even though TS4 mods are Python based and are sandboxed (Props to EA for doing that) I wasn't taking any chances with CurseForge and I moved all my Modpacks from launchers so they would not get AutoUpdated to an infected version (Which was a bit overboard since I didn't even touch Java Edition at all during the time) and to added even overboard prep I even ran the Infection detector to be positive I didn't have this
'just realized you used oneshot's ost in some parts of the vid. Did you play the game & if yes, what do you think of it?
Thanks for the info
Which modpack did you play in the Video?
great vid!
i actually nearly downloaded Create: Diesel & Oil generators but im glad i didnt
u know its gonna be a good day when this madlad uploads
edit: i dont think the current situation is good though, but its nice to have an upload from this mans
This music from oneshot made me cry
They should have a system like tmodloader's/terraria's, where its impossible to get a virus and modding is available ingame and not in sketchy websites. And yes i know websites like curseforge arent sketchy, but as proven, it can still contain viruses.
Curseforge honestly doesnt care about anyone (not mod devs or users) they just want you to see more ads. They only do something if it is a virus or it brings negative attention
bc of the most recent virus infection on curseforge im totally scared to even run moded game
This video made me understand how viruses work and made, pretty much a tutorial. there comes my summer online plans !
Damn. As a mod developer they deny my mod for having a somewhat similar checksum or having other jars in my modpacks ZIPs, but they don't catch this.
True lmao
Alright so is Fractureiser gone now for people who has not already got it?
What mods were used for the ingame minecraft computers?
what kind of shaders do you use?
Is that me or there is a bug in the original source code at 7:27 before control obfuscation in 4th line:
if (n=0) {
because n will always be 0 (since n is assigned to 0) and thus that block will never be executed.
"Most mods arent even submitted in human-readable source code" well there's the problem right there. And the other problem is many, many mods' pages just have comments disabled, silencing anyone from speaking up and saying "hey, this is malware trash, do not download".
I'm glad it was caught quickly and didn't do that much damage, but still it shouldn't have been able to happen at all.
ONESHOT MUSIC ON THE BACKGROUND! I CAN HEAR IT FROM ANOTHER UNIVERSE
The oneshot ost slaps
essential sponsor on a vid about malware 🤣
Thanks for the guide👍
i love 11 pm content from hellcastle
i love 6pm content from hellcastle
On Little Cat Feet hits hard
This is the most detailed explanation ive seen on this topic so far! Hats off to you for the amazing video.
19:24 who else thought he was gonna be sponsored by ExpressVPN
you can automatically check for class loader modifications and url loading generaly these aren't used in normal mods still this wouldn't catch hardcoded mods
Nice waited for a new video
i have this virus in my minecraft server, but virus doesnt work, it tries to login a site, but the site doesnt exist so it gives http error, normally i have to remove all of the plugins and redownload it but whatever, im too lazy for it
Its kind of scary how simple the virus is i mean 17 lines of code and although that will vary through programming languages its still small and can easily be run by almost any file as long as it can have code in it
Not really. These 17 lines just download the actual malicious code from a http.
i love how people comment before the video actually is done with the premiere
When I got the notification all I saw for the title was minecraft's dead
when i tried to install the curse forge anti virus and put that on total virus it was a virus how?
Okay so I'm not an expert or anything but can't Curseforge edit mod files? Since the virus always updates itself, if a new version were be to uploaded where it deleted itself, wouldn't it be able to be resolved through that? Sorry if I'm wrong.
I think Curseforge can edit the files but the mods weren’t known as a virus before
The virus being updated on your PC was not something that went through Curseforge. It was being downloaded directly from the C2 server to your PC via the injection code within the infected mods themselves. They simply deleted all the infected mods/modpacks from Curseforge and worked to take down the C2 servers alongside the Fractureiser investigation team.
What is the modpack lol it looks really good
Btw error: the mods infected were not uploaded by a malicious person (probably) rather they didnt know they had been infected.
The virus came from somewhere..it likely started with one malicious person making the virus and putting it into a mod (probably one of the ones pretending to be other popular mods) and from there anyone who downloaded them grew infected which led to it spreading to the modpacks they'd created.
I like how you say three and threat
i am confused if i have download for example the full better mc pack before the virus was created am i safe 2nd is the virus in the full better mc pack
11:19 I'm reading the code and the fact that this is another example of "people forget to make viruses for macos so there are less viruses" has never been so true as right here.