Thousands of Minecraft players attempting to download game mods might have received a nasty surprise in the form of malware designed to reformat their hard drives.
The code in question was spotted by security firm Avast, which reported that it was embedded in files for custom Minecraft skins. Specifically, these skins:
If you’re not a Minecraft player or you’ve only used the default game thus far, skins redesign the player character’s avatar. The market for Minecraft skins is vast, with thousands of fan-made skins across dozens of websites.
Once downloaded, the malware could “reformat hard-drives and delete backup data and system programs.” To add insult to injury, some of the afflicted users could get charming messages such as, “You Are Nailed, Buy A New Computer This Is A Piece Of Sh*t,” “You have maxed your internet usage for a lifetime,” or “Your ass got glued.”
Avast estimates the number of infected computers to be about 50,000. Compared with Minecraft’s userbase of roughly 74 million players, that might seem like a small number, but it’s still higher than it should be. Avast speculates the likely target for the attack might be Minecraft’s millions of underage users, who might not have the wariness of tech-savvy adults.
Most alarming, the skins in question were on the official Minecraft site, meaning the unwary might have been duped into thinking they were somehow okayed by Microsoft or the developers. Mojang is currently working on a fix.
According to Kotaku, Microsoft has removed the infected skins from the site.
Update 4/19: A Microsoft spokesperson told TNW:
We have addressed this issue and put additional measures in place to protect our community. We encourage players to report any suspicious activity to feedback.minecraft.net
Additionally, Mojang addressed the issue, explaining how it was protecting the community from a repeat:
Any Minecraft: Java Edition player can upload their own custom skin in the widely-used PNG file format to our webservice at minecraft.net and this will then appear on their character in-game. PNG files can contain things other than an image, such as metadata, which includes information on what tool created it, when it was made, who made it, etc. This meant that PNG files could be created containing code in this inert part of the skin file. However, this code would not be run or read by the game itself. …To further protect our players, however, we deployed an update that strips out all the information from uploaded skin files other than the actual image data itself.
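The mitigation Mojang describes, keeping only the image data from an uploaded PNG, can be implemented as a chunk-level sanitiser. The following is an added example written for this page, not Mojang's own code: it walks the PNG chunk list, checks lengths and CRCs, and rebuilds the file from the chunks needed to render it (IHDR, PLTE, tRNS, IDAT, IEND), discarding tEXt and every other ancillary chunk; the sample image is constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunks needed to render the image; tEXt, zTXt, iTXt, eXIf and private chunks are dropped.
KEEP_CHUNKS = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}

def _chunk(ctype, payload):
    # Serialise one chunk: length, type, payload, CRC32 over type + payload.
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
def iter_chunks(data):
    """Yield (type, payload) per chunk, checking length bounds and CRCs."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("chunk length exceeds file size")
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, payload
        pos = end + 4
        if ctype == b"IEND":
            break  # bytes after IEND are trailing junk and are never copied

def strip_png_metadata(data):
    """Rebuild the PNG from image-bearing chunks only, discarding all metadata."""
    return PNG_SIGNATURE + b"".join(
        _chunk(t, p) for t, p in iter_chunks(data) if t in KEEP_CHUNKS)

def is_well_formed_png(data):
    """Reject malformed uploads outright rather than trying to repair them."""
    try:
        list(iter_chunks(data))
        return True
    except ValueError:
        return False
# Constructed sample: 1x1 RGB image plus a tEXt chunk carrying a non-image payload.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
IDAT = zlib.compress(b"\x00\xff\x00\x00")              # filter byte 0 + one red pixel
SAMPLE_PNG = (PNG_SIGNATURE + _chunk(b"IHDR", IHDR)
              + _chunk(b"tEXt", b"Comment\x00<constructed non-image payload>")
              + _chunk(b"IDAT", IDAT) + _chunk(b"IEND", b""))
```

Run `strip_png_metadata(SAMPLE_PNG)` to get a file that decodes to the same pixel but no longer carries the text chunk; an upload pipeline would apply `is_well_formed_png` first and reject anything that fails.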