fractureiser's People

Contributors

3tusk, autumnaurelium, bb010g, byronbytes, coehlrich, col-e, datadalton, dominokorean, emilyploszaj, fansi2020, flipt-al, gltchitm, gptgit, haydenwalker980, honbradev, itzswirlz, janmm14, jaskarth, jimmycushnie, krutonium, leclowndu93150, neonspectra, nitrrine, raybytes, semisol, silverandro, unascribed, vadcx, vazkii, williewillus

fractureiser's Issues

Found capability: Fractureiser has the capability to escape virtual machines

https://github.com/clrxbl/NekoClient/blob/main/dev/neko/nekoclient/api/windows/vmescape/VMEscape.java#L27

This virus can detect and use clipboard exploits to escape certain VMs. Specifically, it will try to escape if one or more of the following is true:

  • Simulated baseboard (motherboard) has its version value start with Hyper-V or VIRTUAL,
  • OR the model returns a value of Virtual Machine
  • OR the GPU reads as Microsoft Remote Display Adapter
  • OR the disk model reads as Microsoft Virtual Disk
  • OR the RAM reads as being manufactured by Microsoft Corporation

Add warnings to the mod player document to avoid attempts to run Minecraft and the infected mod jars through a virtual machine, since it has a good possibility of escaping that VM. Virtual machines are not safe from this.

Do we have a virus signature?

If we have a signature for the virus I am going to start emailing some antivirus companies to see if I can get the virus into a definition update

Is it over?

I know this has been asked already, but is this whole Fractureiser thing over? Is it safe to download Optifine or Sodium?

Mac detection please

I heard this is the place to ask. I can help if needed, not really code-wise, but uhh, I have a Mac which could be useful.

Access Virus Files

I would like to access some of the mod files (for decompilation), but all the mods have been taken down from their host sites. Does anyone have access to any of these?

Windows defender marks overwolf's scanner as dangerous

I've downloaded OW's scanner and used it (thank God, no fractureiser detected, no "Microsoft Edge" folder either),
but then Windows Defender notified me that this scanner is dangerous (Sabsik.FL.B!ml) and deleted it.
I've downloaded it from this thread so I shouldn't worry, right?

Grammar

Rather than "Modded Players" maybe put "Mod Users"

Is a file folder that is just Microsoft safe?

I followed the steps to find out if I'm infected and I only have one folder that is just named Microsoft. There are no other folders having anything to do with Microsoft, is this an issue?

Users.md repeats itself about mod origin warning

Until further notice, exercise extreme caution with Minecraft mod downloads, regardless of origin. While the control server for this malware is currently offline, any download from Curseforge or the Bukkit plugin repository in the last 2-3 weeks should be treated as potentially malicious. Some malware scanners have started adding signatures to their databases, but until this rolls out to all of them, please exercise caution.

At this point we cannot be confident claiming any hosting service is unaffected. Please exercise caution regardless of what site you use. Even Maven repositories may be infected, and this malware goes back months.

Two paragraphs saying the same thing basically.

Permalink: https://github.com/fractureiser-investigation/fractureiser/blob/7559e1b39f326374bb4419403176259504acddd8/docs/users.md

Is Fractureiser still a threat?

Not sure if this is the place for questions, but the Minecraft Reddit is currently privated and I simply just want to know if fractureiser is still something I should be concerned about.

I want to start a Minecraft server for the 1.20 update with a few friends, and we usually use some performance mods (like Sodium). How risky would it be to download these mods? I have searched the internet but I haven't really found a conclusive answer, so I was hoping someone here would be able to clear it up. Thank you!

(Also I am very sorry if this is not the place for questions. If it is not, I would appreciate it if you could direct me to the right place)

Uninstall Java on system

If you only use Minecraft, uninstall Java, so that when you clear the mods the virus can't run on your system.

Are OpenRC systems affected?

Thank you @Vazkii for warning the community about the virus.

Is there any evidence that suggests that systems running OpenRC were affected by these viruses?

PS: I'm a big fan of your work

This has reached GitHub's Ears

Hey everyone, I am part of the GitHub Campus Experts program and I just want to let you know that I have raised this issue to my supervisor, who is forwarding it to his team on GitHub, who can reach out to Microsoft and by extension, probably Mojang.

Let's hope this reaches Mojang's ears soon!
If there is anything the team needs help with from GitHub proper, I can deliver the message to my supervisor.

Good Luck!

point of interest

I was intrigued by the article mentioning that the fractureiser Bukkit account was marked as being last active on Jan 1st 2000, so I went to take a look, and the user page now states:
Member for 22 days and 10 hours Last active Fri, Dec, 31 1999 19:00:00
What does this mean? Who knows! Probably nothing, maybe a surreptitious method of communication, maybe a weird glitch?
In any case, I hope you found this interesting!

old downloaded mods are infected?

Hi, not sure how to say this, but is it possible that mods that I downloaded before the vulnerability are infected?

I'm not sure how the mods work, whether they download some things when you install them or something similar.

Also, is there some way to contribute to the project?

Thank you for your effort 👍

Discord

Make a discord server dedicated to this for discord users to discuss it

I'm Not Infected, Now What? I'm **NOT** Infected, Now What?

Stop spreading misinformation: "I'm Not Infected, Now What?"

"The absolute safest thing you can do at the moment is to not launch Minecraft at all. Yes, even Vanilla.
We do not know 100% everything that's compromised, and there's no way to guarantee any one given installation has not been corrupted by a step of the code we have not found yet."

You kept ignoring my pull requests and ignoring the NOT in every one of my fixes. YOU ARE SAFE WHEN YOU ARE USING VANILLA. I've already opened 2 pull requests on this and you ignore me; you are totally trying to spread misinformation.

Weird folders created in AppData\Roaming... Related to fractureiser?

They seem to be mimicking some kind of file structure (from where, I do not know).

Each folder has a file in it and can have varying names; in my case, there were these files:

  1. unity.psp (inside blue-helmets, 3kb in size, modified on 6/9/2023 at 9:45 PM (I MAY HAVE EDITED IT, I DO NOT REMEMBER), created at 5/31/2023 at 11:03 PM)
  2. work.json (inside ts-modmail, 1kb in size, modified on 5/31/2023 at 11:03 PM, created at 5/31/2023 at 11:03 PM)
  3. rec.lm (inside jun-takahashi, 3kb in size, modified on 5/31/2023 at 11:03 PM, created at 5/31/2023 at 11:03 PM)

rec.lm and unity.psp are ALMOST the same as each other, with a bunch of numbers inside, and the first 293 characters being the EXACT SAME. I do not know what they mean and don't want to show it in case it is something else, like some kind of identifier or something. I will show a snippet of each though.
work.json, however, has a different set of numbers.

rec.lm and unity.psp:
_
6E71FC6E25A4B3 (there are 2738 more numbers)

work.json:
_
60BF812A87CABB (there are 388 more numbers)

I feel like I have deleted them before, but they have reappeared...

Mod verification

Could uninfected mods be copied to a blockchain and each time minecraft is run, the installed mods are checked against the blockchain copies that would be known to be safe since they couldn't be altered?

Potential propagation flaw among Linux systems

From what I've read, and please let me know if I'm mistaken, the malware isn't capable of escalating its privileges to root access. If this is the case, then isolating your MC server instance, its directories, and packages to a single minecraft system user with no other privileges would in fact completely isolate it to only those directories on Linux systems.

This is important to note as one of the primary directories used by the malware in propagating itself is ~/.config/.data, with ~ standing for the user's home directory. Since system users do not have home directories by default, this would effectively end the propagation outright.

And with proper root group permissions set, even if it manages to propagate to jars within the directories controlled by the defined system user, it could never leave those directories, effectively containing the spread.

If this is the case I would advise servers hosted on Linux systems to take the added precaution of setting up a minecraft system user and assigning them control over the directories needed to run Minecraft server instances.

Even if the risk of infection is diminishing any further spread, or even copycats, could be effectively isolated should they use the same method of infection as fractureiser.
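As an added example (not from the fractureiser repo or its docs), here is one way to set up the isolation this post proposes on a systemd-based Linux host. It assumes shadow-utils `useradd`, the account name `minecraft`, the server tree `/srv/minecraft`, and a Java launch line you would adjust to your own server; all of those are my assumptions, not anything the post specifies.

```shell
#!/bin/sh
# Added example, not the fractureiser project's own code.
# Run a Minecraft server as a dedicated system account with no home directory,
# so a payload running from a mod jar has no ~/.config/.data to drop into and
# cannot write outside the server tree. Assumed names: user "minecraft",
# server tree /srv/minecraft (override with MC_USER / MC_ROOT).
set -eu

MC_USER=${MC_USER:-minecraft}
MC_ROOT=${MC_ROOT:-/srv/minecraft}

# A home directory is "safe" for this purpose when it does not exist at all:
# mkdir -p ~/.config/.data then fails for an unprivileged process.
# Returns 0 if safe, 1 if the path is a real, existing directory.
home_is_safe() {
    [ ! -d "$1" ]
}

# Create the account (needs root). --no-create-home plus /nonexistent leaves the
# passwd entry pointing at a directory that is never created; nologin blocks
# interactive use. The server tree is owned by the account, nothing else is.
create_service_user() {
    if ! getent passwd "$MC_USER" >/dev/null; then
        useradd --system --no-create-home --home-dir /nonexistent \
                --shell /usr/sbin/nologin "$MC_USER"
    fi
    install -d -o "$MC_USER" -g "$MC_USER" -m 0750 "$MC_ROOT"
    home=$(getent passwd "$MC_USER" | cut -d: -f6)
    home_is_safe "$home" || { echo "refusing: $MC_USER has a real home dir $home" >&2; return 1; }
}

# systemd unit that confines the process further: no privilege escalation,
# /home hidden, the rest of the filesystem read-only except MC_ROOT.
systemd_unit() {
    cat <<EOF
[Unit]
Description=Minecraft server (unprivileged)
After=network-online.target

[Service]
User=$MC_USER
Group=$MC_USER
WorkingDirectory=$MC_ROOT
ExecStart=/usr/bin/java -Xmx4G -jar $MC_ROOT/server.jar nogui
NoNewPrivileges=true
ProtectHome=yes
ProtectSystem=strict
ReadWritePaths=$MC_ROOT
PrivateTmp=true
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

case "${1:-}" in
    setup) create_service_user ;;
    unit)  systemd_unit ;;   # e.g. ./mcuser.sh unit > /etc/systemd/system/minecraft.service
    "")    ;;                # run without arguments: only define the functions
    *)     echo "usage: $0 setup|unit" >&2; exit 2 ;;
esac
```

The containment boundary is the server tree itself: a payload running as this account can still write anywhere under `/srv/minecraft`, including the mods directory, so keep backups of that tree somewhere the account cannot reach. `ProtectSystem=strict` makes the rest of the filesystem read-only for the service, which is why the jar and world must live under `MC_ROOT`.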

We've locked issues and PRs

We're a small team trying our best to get this all documented and researched so the community can know what's up and what to do.

Constantly fielding good-faith but ultimately unconstructive PRs eats into our limited time and so we have opted to lock the repo.

Please join us on IRC if you would like to discuss things.

Important Question

I found a shortcut in the mentioned file path on my windows system, it had the same name as an installed app, is this definitely the file and what course of action should I take?

Are there any ways to automatically scan for stage 2?

I've manually checked for the Microsoft Edge folder and found nothing, but I am still quite paranoid. Is there any program to automatically scan it like the Overwolf .jar scanner? Or is the only way to check to do it manually? Thank you.

Misinformation in 2023-06-08-meeting regarding Flatpak

The file says the following:

Second, is using a system such as Flatpak, but notably in its default configuration Flatpak and other containerization systems are not sandboxes.

This is not true, and the author at the linked website is twisting the meaning of the word "sandbox" to fit their definition of the word. The Flatpak sandbox is a sandbox, regardless of what permissions you give it. The Flatpak sandbox is also strictly sandboxed in its default configuration, some application maintainers just decide to loosen it as required such that the applications work properly.

Also noting that, in the Prism Launcher Flatpak, the malware is utterly unable to function, even with a potential sandbox escape in device=all. This was not an opt-in sandbox, but opt-out.

Eventually, the hope is for Portals and Flatpak to become expected for application distribution, and for your off-the-shelf application to not require any potential sandbox escapes in order to function properly. But some applications partially disabling the sandbox does not qualify it to not be considered a sandbox.
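To make the permission point concrete, here is an added example (mine, not Flatpak's, Prism Launcher's or this repo's) that audits the `[Context]` grants of an installed app and shows how to tighten them with a per-user override. The app id `org.prismlauncher.PrismLauncher` and the set of grants flagged are assumptions for illustration; which grants a given app actually needs is for its maintainer to say.

```shell
#!/bin/sh
# Added example, not from the fractureiser repo.
# Audit the sandbox grants of a Flatpak app (the "devices=all" case discussed
# above) and tighten them per-user without touching the app's own manifest.
# Assumed app id: org.prismlauncher.PrismLauncher.
set -eu

# Read "key=value;value;" lines as printed by `flatpak info --show-permissions`
# (or `flatpak override --user --show APP`) on stdin and print one line per
# grant that widens the sandbox materially. Exit status 0 means nothing flagged.
audit_flatpak_permissions() {
    findings=0
    while IFS='=' read -r key value; do
        for item in $(printf '%s' "$value" | tr ';' ' '); do
            case "$key:$item" in
                devices:all)
                    echo "devices=all: raw access to every /dev node, not just the GPU"
                    findings=$((findings + 1)) ;;
                filesystems:home*|filesystems:host*)
                    echo "filesystems=$item: your real files are reachable from inside"
                    findings=$((findings + 1)) ;;
                shared:network)
                    echo "shared=network: the app can fetch further payloads (needed for multiplayer)"
                    findings=$((findings + 1)) ;;
            esac
        done
    done
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

APP=${APP:-org.prismlauncher.PrismLauncher}

case "${1:-}" in
    audit)
        flatpak info --show-permissions "$APP" | audit_flatpak_permissions ;;
    tighten)
        # Keep the GPU nodes, drop the rest of /dev, and hide $HOME
        # (the app keeps its own ~/.var/app/$APP data directory regardless).
        flatpak override --user --nodevice=all --device=dri "$APP"
        flatpak override --user --nofilesystem=home "$APP"
        flatpak override --user --show "$APP" ;;
    "") ;;
    *) echo "usage: $0 audit|tighten" >&2; exit 2 ;;
esac
```

Overrides are layered on top of the app's shipped permissions, so `audit` after `tighten` shows the effective result; if the launcher then fails to find a GPU or your instances, the grant you removed was one it genuinely needed, and the right fix is a narrower `--filesystem=` path rather than `home`.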

Add prevention techniques to README

Linux users can theoretically prevent stage 1 from saving stage 2 using filesystem permissions by pre-making the ~/.config/.data directory, making it owned by root, and setting the immutable flag. This can be accomplished with the following commands:

mkdir ~/.config/.data
sudo chown root:root ~/.config/.data
sudo chattr +i ~/.config/.data

(Edit: found a better way to prevent the directory from being deleted)
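As an added example that is not part of the repo's own scripts, the following combines two Linux-side asks from this issue list: the automated check for the stage-2 directory requested in "Are there any ways to automatically scan for stage 2?" and the root-owned immutable decoy from this post. It assumes GNU coreutils `stat` and e2fsprogs `chattr`/`lsattr` on a filesystem that honours the immutable attribute, and it only covers the `~/.config/.data` path the documents name for Linux; the Windows "Microsoft Edge" folder is not handled here.

```shell
#!/bin/sh
# Added example, not the fractureiser project's own tooling.
# Audit and harden the Linux stage-2 drop location $HOME/.config/.data.
# Assumes GNU stat (coreutils) and chattr/lsattr (e2fsprogs).
set -eu

# Classify "$1/.config/.data". Prints exactly one word:
#   absent      nothing at that path
#   decoy       an empty directory owned by root (the pre-made blocker)
#   suspicious  anything else: user-owned, non-empty, a symlink, or not a directory
stage2_status() {
    dir="$1/.config/.data"
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        echo absent
        return 0
    fi
    if [ -d "$dir" ] && [ ! -L "$dir" ] \
       && [ "$(stat -c %u "$dir")" -eq 0 ] \
       && [ -z "$(ls -A "$dir")" ]; then
        echo decoy
        return 0
    fi
    echo suspicious
}

# Show what a suspicious hit contains without executing or deleting anything;
# sizes and hashes are what you want when comparing notes with other users.
stage2_report() {
    dir="$1/.config/.data"
    stat -c '%A %U %y %n' "$dir"
    lsattr -d "$dir" 2>/dev/null || true
    ls -la "$dir"
    find "$dir" -type f -exec sha256sum {} +
}

# Pre-create the directory as a root-owned, immutable, empty directory so a
# stage-1 payload running as the user can neither write into it nor remove it.
make_decoy() {
    home="$1"
    dir="$home/.config/.data"
    case "$(stage2_status "$home")" in
        decoy)      echo "already hardened: $dir"; return 0 ;;
        suspicious) echo "refusing: $dir exists and is not a decoy, inspect it first" >&2; return 1 ;;
    esac
    mkdir -p "$home/.config"
    sudo mkdir "$dir"        # created by root, so root-owned
    sudo chmod 0555 "$dir"   # nobody but root may create entries inside
    sudo chattr +i "$dir"    # and root must clear +i before it can be removed
    [ "$(stage2_status "$home")" = decoy ]
}

case "${1:-}" in
    status) stage2_status "${2:-$HOME}" ;;
    report) stage2_report "${2:-$HOME}" ;;
    harden) make_decoy "${2:-$HOME}" ;;
    "")     ;;   # run without arguments: only define the functions
    *)      echo "usage: $0 status|report|harden [home]" >&2; exit 2 ;;
esac
```

The immutable flag protects that one inode, not its parent: a process with write access to `$HOME` could in principle rename `~/.config` aside and create a fresh `.config/.data`, so the decoy raises the bar rather than closing the path, and `status` is the part worth running on a schedule. Clear the flag with `sudo chattr -i` before trying to remove the decoy.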

Translations

Message from @williewillus on how to format and work properly on translations:

Replicate the main tree under lang/zh_cn (e.g.) and note in some way which commit or date at which it was last updated from English. No external services. No branches. Just send PRs under a subfolder and get someone else who knows the language (and can show it) to review. Thanks

Original issue:
As you have probably seen, there are quite some forks dedicated to translation.

Doing so is a very good idea so the information can be spread easier but centralising all the traffic to this repository seems better.

But for that we need to agree on a convention on how to name our file and what the file tree will look like.

It seems to ransom our network

Another person in our network used CurseForge, likely getting infected. Now it's on another computer through the network, and it seems like it is trying to ransom it. Maybe you will find evidence for that, but furthermore, if you find the private key generator for the encryption in the file, you could dismantle the effectiveness of the attack!

Edit: It might be that fractureiser isn't the reason for the problem, so there is no certainty that it actually ransoms. Still something to look out for.
