50,000 Minecraft users infected with hard drive formatting malware
38 replies
https://www.pcgamesn.com/minecraft/minecraft-skins-malware https://blog.avast.com/minecraft-players-exposed-to-malicious-code-in-modified-skins
Oh boy. I let my little cousin play on my account and he's always downloading a bunch of random-ass skins.
How in the sweet fuck are they putting shit into PNG files of all things? Good thing I make all my skins myself.
Thank fuck I've used the same Minecraft skin for 8 years.
https://files.facepunch.com/forum/upload/58149/608b146a-d385-45f6-b10e-5739aff7079e/image.png You can hide a lot of stuff in image files. The image on the right has all of Shakespeare's works hidden in it; the image on the left is untouched.
I mean, I've heard of that sort of thing before, but I still don't know how it's done entirely. Wouldn't that increase its filesize a really noticeable amount?
Not really. Look at this for example: Minecraft skins are only a few KBs, and it could only be up by a few KBs, but nothing major.
Get the fuck out of my room I'm- reinstalling windows 😢
God it's starting to seem like the only surefire way to not get a virus is to just not be connected to the internet and never connect anything to the computer.
All Source mods had an issue for a while where you could pack whatever the fuck you wanted into a spray. This sort of thing is common.
Remember in 2007 when 4chan had epic sink threads where people posted pictures of cool looking sinks? Those images had zip files of child pornography embedded in them, and "epic sink threads" were a codename for CP sharing threads. It got so bad 4chan implemented a server side script that scans an image for embedded files whenever an image is uploaded. If you have old images resembling things like this you should probably delete them: https://s-media-cache-ak0.pinimg.com/originals/16/3a/40/163a406ffb242c9ef9564c1de2dfd36e.jpg
This isn't actually embedding anything into the PNG though. It's just overlaying an image on top of it in a very specific way that doesn't change the image enough for any normal person to see differences but can be decoded by a filter.
And even if it did affect the filesize substantially, the people they're targeting are too young to understand why that's a red flag.
I'm wondering how the scripts even get executed; by all means the simple act of opening a PNG with an embedded script shouldn't cause the script to run.
Yeah, you can hide data in any format (image, music, etc.), but executing that is a different matter. Really interesting how they did it lol.
Wouldn't you have to actively scan the image for encoded data to get any meaningful code out of it this way?
https://i.imgur.com/G9Lql37.jpg Skin loaded and in-game, absolutely fuck-all happening to the VM
I, too, am extremely curious as to how the flying fuck data dumped at the end of a PNG is being executed in Powershell. I can't even begin to think of how that would happen in any way that isn't the result of a pants-on-head retarded decision on the end of the programmer writing the software that is handling the PNG.
That's exactly what I'm trying to figure out as well. Were they somehow disguising a .png file as an executable or batch file? I can't understand how code is being executed. If it was somehow running from within the .png itself, the entire internet would be infected. So what gives? Side note, my minecraft account has been jacked for like a year now by someone who changed my username, and I have no goddamn idea how they're still getting in. Changed all accounts and passwords related, so they must be getting in with an access key or something somehow. Script kiddy dicks seem to really enjoy messing with Minecraft.
No change with the game running as admin. I even universally allowed unsigned scripts for good measure. None of the articles I've found mention how the payload is executed, at this point I'm thinking it's just the old .png.exe trick (or .png.ps1 in this case)
The fact that you can just embed code into random files and somehow run said code is both terrifying and fascinating to read about. It's also slightly concerning how many games have gaping holes in security to let malware in. I posted a thread about CoD games running on Quake 3 and how you could (supposedly) send malware via altering the packets sent on the P-2-P networking of the matchmaking. Now we have the fact that you can embed malware into images becoming apparent.
If that's the case, this is way less dangerous than I thought it would be. But would easily fool a lot of kids or even adults if they aren't paying attention.
But if it's a matter of tacking the .ps1 extension onto the end of the filename, then wouldn't it mean that it'd: 1.) Show up as .png.ps1 in your testing (since I'm sure you have "Hide Common Extensions" disabled)? 2.) Require victims to explicitly double-click the file to run it? I mean, I guess I can see kids double-clicking the PNG to open it up in Windows Photo Viewer, to see what makes their Minecraft skin look the way it does. I remember doing the same with Quake 2 texture files when I was in middle school. But still. If that really is the case, then I feel like these articles reporting on it (especially like Avast) should explicitly point that out and warn people to not blindly double-click skins they download off the Minecraft site, until the problem is fixed.
The "replace the file extension with another and hope it's hidden" trick doesn't make sense to me. To my understanding to change skin, you upload said skin and tie it to your Minecraft account. If so, it'd require some pants-on-head retarded security that a nine year old designed to allow you to upload a .exe file and try to associate the character's skin with. It'd also require some hi-lariously terrible security to let you upload .exe files directly to Mojang's website for anyone to download, which I'm going to believe that they thought that through, and disallowed it.
"then wouldn't it mean that it'd: 1.) Show up as .png.ps1 in your testing (since I'm sure you have "Hide Common Extensions" disabled)?" Well I downloaded it directly from the URL in the Avast article, which is a link to the skin on the actual Minecraft web servers. Naturally that download only had a .png extension. I'm assuming that whoever originally hosted the skin would have tacked on the other one. "2.) Require victims to explicitly double-click the file to run it?" Yep. This is anecdotal, but having worked in computer repair it wouldn't surprise me at all if 50,000 people infected themselves by double clicking a shady file. Honestly though I don't know at this point. I tried running the file with several different extensions but none of them executed the payload. The PNG data makes the script interpreter throw a shitfit.
The funny thing is, last I checked (a few years ago) it was still possible to upload .jpg files with embedded .rar archives to 4chan. The server side script just scans for a rar file header, and so long as you mangle/remove the header in some way, and the person on the other end adds it back in either manually or with a script, you can still do the same sort of thing.
It's why, despite content creators "hurting" for ad money, I cannot, and will not, disable any ad-blockers on my machine. My machine's security is more important than the .01 cents they get for me looking at a potentially malicious ad. Old room-mate of mine downloaded "King Ralph" (in quotes for an obvious reason) off of Limewire and got infected with ransomware, back when they still didn't have tools to properly remove such things. Had to reformat his entire machine to get it to run again. The first clue should have been that it was a 100~KB .zip file. To an "average user", things like file-size or even extensions mean nothing. It's more likely that whatever site they're downloading the skins from in the first place is running malicious scripts of some sort in the background, if I were to make a guess.
That would've been the most obvious thing to assume, if these skins weren't being downloaded from Minecraft's official website. And if the Official MC site was running malicious scripts, we've got far bigger issues on our hands.
Have you tried going on a multiplayer server? I'm assuming there is a vulnerability in how skins from other players are processed that is allowing the hidden code to be loaded into memory. I'd recommend looking into the source code of Minecraft and seeing how skins are loaded onto the entity; that's probably where the issue lies.
You can now proudly say that to your kids, Minecraft gives computers viruses.