opticfusion1 / mcantimalware
Anti-Malware for minecraft

Home Page: https://www.spigotmc.org/resources/spigot-anti-malware-detects-over-200-malicious-plugins.64982/

License: GNU General Public License v3.0

Java 100.00%
java antivirus anti-virus antimalware anti-malware bukkit minecraft spigot security protection

Contributors

bytez1337, dependabot[bot], dreamvoid, exeton, ikevoodoo, jansenmarc1998, javahase, lenni0451, mrivanplays, nichtstudiocode, opticfusion1, phoenix616, rackdevelopment, xbrowniecodez, zorro909

mcantimalware's Issues

Specify code license

Although the readme claims that the code of this project is open source, no license with such terms is provided in the readme, the file root or the actual code files. Hence the only license this project is under (besides being proprietary) is GitHub's, which allows simple forking and editing on their platform and nothing more, so not open source at all.

Add support for zipped files

General Troubleshooting

  • I have checked for similar issues.
  • I have updated to the latest version.
  • I have checked the branches or the maintainers' PRs for upcoming features/bug fixes.

Issue

Issue Type

  • Bug Report
  • Feature Request

Description

As far as I'm aware only Skript's scripts file is supported.
This should add support by recursively scanning through every zipped file.

Add better support for Skript and its .sk files


As it stands the only issue open that handles this is #1.
Support should be added by checking the database using the file name.
Example:
If the file name is Example.sk, check the database to see if "Example" is set; if it is, get the list of checksums and check against that, returning true if the checksum exists and otherwise false.

TL;DR: If the file is a .sk file, check the filename (minus the .sk part; Example.sk would be Example) against the database.
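One way the lookup described in this issue could be implemented, written here as an added illustration rather than code from the MCAntiMalware project. It assumes the database is a map from script name (the file name minus .sk) to a set of hex digests, that SHA-256 is the checksum algorithm, and that the sample entry is constructed; the project's real database format is not shown on this page.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Looks up Skript (.sk) files by base name and compares their digest against known-bad hashes. */
public final class SkriptChecksumLookup {

    // Assumed database shape: script name (without .sk) -> set of lowercase SHA-256 hex digests.
    private final Map<String, Set<String>> database;

    public SkriptChecksumLookup(Map<String, Set<String>> database) {
        this.database = database;
    }

    /** Returns "Example" for "Example.sk"; returns null when the file is not a .sk file. */
    public static String scriptName(String fileName) {
        String lower = fileName.toLowerCase(Locale.ROOT);
        if (!lower.endsWith(".sk") || fileName.length() == 3) {
            return null;
        }
        return fileName.substring(0, fileName.length() - 3);
    }

    /** True when the name is in the database AND one of its recorded digests matches the contents. */
    public boolean isKnownMalicious(String fileName, byte[] contents) {
        String name = scriptName(fileName);
        if (name == null) {
            return false; // not a Skript file: this check does not apply
        }
        Set<String> digests = database.getOrDefault(name, Collections.emptySet());
        if (digests.isEmpty()) {
            return false; // name never recorded in the database
        }
        return digests.contains(sha256Hex(contents));
    }

    public boolean isKnownMalicious(Path file) throws IOException {
        return isKnownMalicious(file.getFileName().toString(), Files.readAllBytes(file));
    }

    static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: one database entry for "Example", keyed on the digest of a harmless body.
        byte[] sampleBody = "# constructed sample script body\nbroadcast \"hello\"\n".getBytes(StandardCharsets.UTF_8);
        Map<String, Set<String>> db = new HashMap<>();
        db.put("Example", new HashSet<>(Collections.singletonList(sha256Hex(sampleBody))));
        SkriptChecksumLookup lookup = new SkriptChecksumLookup(db);

        byte[] otherBody = "broadcast \"other\"\n".getBytes(StandardCharsets.UTF_8);
        System.out.println(lookup.isKnownMalicious("Example.sk", sampleBody));  // name and digest both recorded
        System.out.println(lookup.isKnownMalicious("Example.sk", otherBody));   // same name, different contents
        System.out.println(lookup.isKnownMalicious("Other.sk", sampleBody));    // name not in the database
        System.out.println(lookup.isKnownMalicious("Example.jar", sampleBody)); // not a .sk file at all
    }
}
```

Keying the lookup on the file name, as the issue proposes, keeps each comparison cheap but means a renamed copy of a known-bad script is not matched; a stricter variant would compare the digest against every recorded checksum regardless of name.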

Support linux distros better


Certain things break under certain conditions, see #95.
If needed, notifications should be handled in a C language; if that's the case, Windows taskbar notifications should be handled in a C language as well.

Add a skript loader/runner

Adding the ability to load (and possibly) run skripts will allow me to deal with deobfuscating skripts without relying on a website or adding security issues (having the program run while the server is running, since that would FORCE all plugins AND skripts to run, for example).

Skript Force OP Check

  • Feature Request

Description

A Force OP check for Skript; I would implement it if the feature request gets approved.

Repeated Logging/Scanning for a file


For whatever reason scanning breaks on certain plugins: Anti JoinLeave Message.zip
Chances are this is due to mass downloading/checking, however I'm not sure WHAT breaks this specifically.
This specific issue is because certain plugins run through all the checks over and over again, filling the log in the process.

Support Discord Server


How about a support discord server? It would be a better way to help people instead of GitHub.

Optimization and Cleanup


There should be optimization of the entire program where possible. The code should also be cleaned up so it's more efficient, less copy & pasting if possible...etc..etc..etc..

Auto-Updater


Self-explanatory: it should be able to check against Spigot and, if there's a new update, update using Spiget.

VPS/Dedicated Server

(This is essentially a note to self)


A properly set up VPS/dedicated server will allow testing of malicious plugins; this will allow us to see what obfuscated malicious plugins do, as well as (hopefully) safely get a copy of any plugin they download. Very few people should have access to it, however, due to the nature of such a thing.

A VPS/Dedicated server would also allow some automation of the current process of downloading, checking plugins, etc..etc..etc..

Debug message for malicious class path


If showDebugMessages is enabled, any time a plugin is suspected as malicious the path to the class should be printed to console; this will make things easier in the future when it comes to detecting false positives or malicious plugins in general.

IllegalArgumentException 2


Anti JoinLeave Message.zip causes the following error

java.lang.IllegalArgumentException
at org.objectweb.asm.ClassReader.<init>(ClassReader.java:246)
at org.objectweb.asm.ClassReader.<init>(ClassReader.java:166)
at org.objectweb.asm.ClassReader.<init>(ClassReader.java:152)
at org.objectweb.asm.ClassReader.<init>(ClassReader.java:273)
at optic_fusion1.mcantimalware.check.checks.AAC_API.process(AAC_API.java:33)
at optic_fusion1.mcantimalware.check.CheckManager.process(CheckManager.java:105)
at optic_fusion1.mcantimalware.DirectoryWatcherService.processFiles(DirectoryWatcherService.java:124)
at optic_fusion1.mcantimalware.DirectoryWatcherService.access$000(DirectoryWatcherService.java:25)
at optic_fusion1.mcantimalware.DirectoryWatcherService$1.run(DirectoryWatcherService.java:91)
at java.util.TimerThread.mainLoop(Unknown Source)
at java.util.TimerThread.run(Unknown Source)

When decompiling I get:

java.lang.IllegalArgumentException: Argument 'value' must be in the range [1, 18], but value was: 100.
at com.strobel.core.VerifyArgument.inRange(VerifyArgument.java:346)
at com.strobel.assembler.ir.ConstantPool$Tag.fromValue(ConstantPool.java:532)
at com.strobel.assembler.ir.ConstantPool.read(ConstantPool.java:362)
at com.strobel.assembler.metadata.JarTypeLoader.getInternalNameFromClassFile(JarTypeLoader.java:105)
at com.strobel.assembler.metadata.JarTypeLoader.tryLoadType(JarTypeLoader.java:78)
at us.deathmarine.luyten.LuytenTypeLoader.tryLoadType(LuytenTypeLoader.java:25)
at com.strobel.assembler.metadata.MetadataSystem.resolveType(MetadataSystem.java:125)
at com.strobel.assembler.metadata.MetadataSystem.lookupTypeCore(MetadataSystem.java:86)
at com.strobel.assembler.metadata.MetadataResolver.lookupType(MetadataResolver.java:46)
at us.deathmarine.luyten.Model.openEntryByTreePath(Model.java:338)
at us.deathmarine.luyten.Model$TreeListener$1.run(Model.java:266)

Chances are this plugin should just get skipped; the resource on Spigot has the same issue: https://www.spigotmc.org/resources/anti-join-leave-message.5444/

Interaction with Skript


You say that this plugin interacts with Skript, and after looking through the source I can't see any way in which it does. Can you explain how it prevents any malicious Skript code? Thanks!

dynamic (run time) analysis


Not 100% sure how I'd go about doing this; like with most things, the Anti-Malware CAN'T be a plugin due to the security risks.

Update logging, again


Now that there are a lot more checks (28 total) the logs are MUCH larger due to how logging is handled; it would be better if it was something like
file-name: MalwareFound
or something. Example:
Example-Plugin: ExampleMalware, ExampleMalware3, etc..etc..etc..

Add a way to hook into Spigot/Bukkit and the forks


The AntiMalware should be able to hook into spigot/bukkit and its forks WITHOUT creating a plugin in the plugins folder.

False Positive (Force Operator)


Due to how JEssentials handles permissions, certain commands cause false positives.
JEssentials V1.3.4.zip

NightVision+ check no longer needed.

The plugin "NightVision+" was added recently as a PUP, because it cancelled all running tasks.
However, the dev has fixed this in version 2.2, so the check is no longer needed.

I also posted this issue in the malicious hash database repo.

java.lang.ArrayIndexOutOfBoundsException

Certain plugins cause a java.lang.ArrayIndexOutOfBoundsException: 6 exception to be thrown.
This, weirdly, is only for the InvictusPolice and LagSignFixer checks, both for the new malware; the code that causes that exception to be thrown is ClassReader reader = new ClassReader(inputStream);

The attached plugin is one of the plugins that cause this error. It is malicious but it's safe to run on a localhost server since all it is is a force op.
BlockPlugins.zip

IllegalArgumentException


Transporter(281).zip causes a
java.lang.IllegalArgumentException
at org.objectweb.asm.ClassReader.<init>(ClassReader.java:246)
at org.objectweb.asm.ClassReader.<init>(ClassReader.java:166)
at org.objectweb.asm.ClassReader.<init>(ClassReader.java:152)
at org.objectweb.asm.ClassReader.<init>(ClassReader.java:273)
at optic_fusion1.mcantimalware.check.checks.AAC_API.process(AAC_API.java:33)
at optic_fusion1.mcantimalware.check.CheckManager.process(CheckManager.java:105)
at optic_fusion1.mcantimalware.DirectoryWatcherService.processFiles(DirectoryWatcherService.java:124)
at optic_fusion1.mcantimalware.DirectoryWatcherService.access$000(DirectoryWatcherService.java:25)
at optic_fusion1.mcantimalware.DirectoryWatcherService$1.run(DirectoryWatcherService.java:91)
at java.util.TimerThread.mainLoop(Unknown Source)
at java.util.TimerThread.run(Unknown Source)

For any class under resources/client:
java.lang.IllegalStateException: Wrong magic number: numberhere
at com.strobel.assembler.metadata.ClassFileReader.readClass(ClassFileReader.java:338)
at com.strobel.assembler.metadata.MetadataSystem.resolveType(MetadataSystem.java:129)
at com.strobel.assembler.metadata.MetadataSystem.lookupTypeCore(MetadataSystem.java:86)
at com.strobel.assembler.metadata.MetadataResolver.lookupType(MetadataResolver.java:46)
at us.deathmarine.luyten.Model.openEntryByTreePath(Model.java:338)
at us.deathmarine.luyten.Model$TreeListener$1.run(Model.java:266)

Coming up with guidelines

Due to the nature of Minecraft and the modding scene in general there is a need to come up with guidelines to make sure things don't get miscategorized now AND in the future. As of right now this program has THREE main types: PUP (Potentially Unwanted Programs (Plugins in this case)), MALWARE and VIRUS.

Move check info to yml file or custom formatted file


A LOT of code ends up being the same for EVERY check, so it would be a good idea to have the information put in a yml file. It could be similar to:
malwareName:
  type:
  name:
  blacklistedStrings:
  blacklistedMethodNames:
  blacklistedClassPaths:
malwareName:
  etc..etc..etc..

It should try to download from an online database (which I'll host as a GitHub repo). If that fails, then use a database provided in the jar.
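An added sketch, not project code, of how a YAML file in the shape above could be loaded so that adding a check means adding an entry rather than another copy of the same Java. It assumes SnakeYAML on the classpath (org.yaml.snakeyaml.Yaml), the field names from the sketch above, and that the scanner has already extracted the string constants, method names and class paths from a jar; those are supplied here as constructed lists, and the blacklisted values are placeholders rather than real malware signatures.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.yaml.snakeyaml.Yaml;

/** Data-driven malware checks: one YAML entry per malware family instead of one hand-written class. */
public final class YamlCheckLoader {

    /** A single check loaded from YAML. */
    public static final class CheckDefinition {
        final String key, type, name;
        final List<String> strings, methodNames, classPaths;

        CheckDefinition(String key, String type, String name,
                        List<String> strings, List<String> methodNames, List<String> classPaths) {
            this.key = key; this.type = type; this.name = name;
            this.strings = strings; this.methodNames = methodNames; this.classPaths = classPaths;
        }

        /** Returns the blacklisted items present in the extracted data; empty when the check does not fire. */
        public List<String> matches(Collection<String> stringConstants, Collection<String> methods, Collection<String> classes) {
            List<String> hits = new ArrayList<>();
            for (String s : strings) if (stringConstants.contains(s)) hits.add("string:" + s);
            for (String m : methodNames) if (methods.contains(m)) hits.add("method:" + m);
            for (String c : classPaths) if (classes.contains(c)) hits.add("class:" + c);
            return hits;
        }
    }

    /** Parses the YAML document; each top-level key is one check. Missing lists are treated as empty. */
    @SuppressWarnings("unchecked")
    public static List<CheckDefinition> load(String yamlText) {
        Map<String, Object> root = new Yaml().load(yamlText);
        List<CheckDefinition> checks = new ArrayList<>();
        for (Map.Entry<String, Object> e : root.entrySet()) {
            Map<String, Object> body = (Map<String, Object>) e.getValue();
            checks.add(new CheckDefinition(
                    e.getKey(),
                    String.valueOf(body.get("type")),
                    String.valueOf(body.getOrDefault("name", e.getKey())),
                    stringList(body.get("blacklistedStrings")),
                    stringList(body.get("blacklistedMethodNames")),
                    stringList(body.get("blacklistedClassPaths"))));
        }
        return checks;
    }

    @SuppressWarnings("unchecked")
    private static List<String> stringList(Object value) {
        if (value == null) return Collections.emptyList();
        if (!(value instanceof List)) {
            throw new IllegalArgumentException("expected a list, got " + value.getClass().getSimpleName());
        }
        List<String> out = new ArrayList<>();
        for (Object o : (List<Object>) value) out.add(String.valueOf(o));
        return out;
    }

    public static void main(String[] args) {
        // Constructed definitions: every name and blacklisted value here is a placeholder, not a real signature.
        String yaml = String.join("\n",
                "ExampleMalware:",
                "  type: MALWARE",
                "  name: Example Malware",
                "  blacklistedStrings: ['PLACEHOLDER_STRING']",
                "  blacklistedMethodNames: ['placeholderMethod']",
                "  blacklistedClassPaths: ['com/example/placeholder/Loader']",
                "ExamplePup:",
                "  type: PUP",
                "  blacklistedClassPaths: ['com/example/placeholder/Tasks']");
        // Constructed "extracted" data standing in for what a bytecode walk over a jar would produce.
        List<String> strings = Arrays.asList("hello", "PLACEHOLDER_STRING");
        List<String> methods = Arrays.asList("onEnable", "onDisable");
        List<String> classes = Collections.singletonList("com/example/plugin/Main");

        for (CheckDefinition check : load(yaml)) {
            List<String> hits = check.matches(strings, methods, classes);
            System.out.println(check.name + " (" + check.type + "): " + (hits.isEmpty() ? "clean" : hits));
        }
    }
}
```

Because the issue proposes downloading the database from an online repository, the loader should treat the file as untrusted input: with SnakeYAML 1.x, build the parser as new Yaml(new SafeConstructor()) so that a tampered file cannot instantiate arbitrary classes through YAML tags, and verify the download's integrity (a pinned digest or a signature) before loading it.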

Scan directory documentation is incorrect

Issue

Correct statement in the Overview. The scan directory . (dot) is not the directory in which the JAR resides, but the directory from which the command "jar ..." is run.

Description

You can also do --scandirectory . to scan whatever directory the jar is in

should read

You can also do --scandirectory . to scan whatever directory from which the command is run

Disable malicious plugins


Add a feature to disable suspected malicious plugins; all current false positives MUST be fixed before this gets PR'd, otherwise it would do more harm than good.

Current False Positives:
#50
#22

java.lang.NullPointerException: entry


05:27:34 [EXCEPTION] Error
java.lang.NullPointerException: entry
at java.util.zip.ZipFile.getInputStream(Unknown Source)
at java.util.jar.JarFile.getInputStream(Unknown Source)
at optic_fusion1.mcantimalware.check.CheckManager.isInChecksumDatabase(CheckManager.java:69)
at optic_fusion1.mcantimalware.check.CheckManager.process(CheckManager.java:169)
at optic_fusion1.mcantimalware.DirectoryWatcherService.firstRun(DirectoryWatcherService.java:101)
at optic_fusion1.mcantimalware.Main.run(Main.java:128)
at java.lang.Thread.run(Unknown Source)
LocaleLib-1.0.zip

Rescanning sometimes breaks the AntiMalware


For whatever reason re-scanning breaks the AntiMalware and causes things to NOT scan, other than the re-scanning

Unsupported class file major version 8243


SimpleWildPlugin(21643).zip

java.lang.IllegalArgumentException: Unsupported class file major version 8243
at org.objectweb.asm.ClassReader.<init>(ClassReader.java:184)
at org.objectweb.asm.ClassReader.<init>(ClassReader.java:166)
at org.objectweb.asm.ClassReader.<init>(ClassReader.java:152)
at org.objectweb.asm.ClassReader.<init>(ClassReader.java:273)
at optic_fusion1.mcantimalware.check.checks.DailyLootBox.process(DailyLootBox.java:30)
at optic_fusion1.mcantimalware.check.CheckManager.process(CheckManager.java:105)
at optic_fusion1.mcantimalware.DirectoryWatcherService.processFiles(DirectoryWatcherService.java:124)
at optic_fusion1.mcantimalware.DirectoryWatcherService.access$000(DirectoryWatcherService.java:25)
at optic_fusion1.mcantimalware.DirectoryWatcherService$1.run(DirectoryWatcherService.java:91)
at java.util.TimerThread.mainLoop(Unknown Source)
at java.util.TimerThread.run(Unknown Source)

It also seems like it might be always trying to scan it since it repeatedly shows up in the logs

java.lang.IllegalArgumentException: MALFORMED


For some reason the following error can occur:

06:29:39 [SEVERE] Exception in thread "Timer-120213"
06:29:39 [SEVERE] java.lang.IllegalArgumentException: MALFORMED
06:29:39 [SEVERE] at java.util.zip.ZipCoder.toString(Unknown Source)
06:29:39 [SEVERE] at java.util.zip.ZipFile.getZipEntry(Unknown Source)
06:29:39 [SEVERE] at java.util.zip.ZipFile.access$900(Unknown Source)
06:29:39 [SEVERE] at java.util.zip.ZipFile$ZipEntryIterator.next(Unknown Source)
06:29:39 [SEVERE] at java.util.zip.ZipFile$ZipEntryIterator.nextElement(Unknown Source)
06:29:39 [SEVERE] at java.util.zip.ZipFile$ZipEntryIterator.nextElement(Unknown Source)
06:29:39 [SEVERE] at optic_fusion1.mcantimalware.check.checks.AAC_API.process(AAC_API.java:30)
06:29:39 [SEVERE] at optic_fusion1.mcantimalware.check.CheckManager.process(CheckManager.java:100)
06:29:39 [SEVERE] at optic_fusion1.mcantimalware.DirectoryWatcherService.processFiles(DirectoryWatcherService.java:128)
06:29:39 [SEVERE] at optic_fusion1.mcantimalware.DirectoryWatcherService.access$000(DirectoryWatcherService.java:28)
06:29:39 [SEVERE] at optic_fusion1.mcantimalware.DirectoryWatcherService$1.run(DirectoryWatcherService.java:96)
06:29:39 [SEVERE] at java.util.TimerThread.mainLoop(Unknown Source)
06:29:39 [SEVERE] at java.util.TimerThread.run(Unknown Source)

Add support for directories


As far as I'm aware directories aren't supported. This should recursively scan through every directory, scanning zipped/jar files.
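A walker that covers both this request and the earlier "Add support for zipped files" one, and that also isolates the parser failures reported in the IllegalArgumentException, "Unsupported class file major version 8243" and MALFORMED issues above, is shown below as an added example; it is not code from the MCAntiMalware project. It walks a directory tree, descends into .jar/.zip files and into archives nested inside them, reads each entry under a size cap, checks the class-file magic number and major version before handing the bytes to a caller-supplied sink (where the project's ASM-based checks would run), and records every skipped entry instead of letting one bad file abort the scan. The size cap, nesting limit, supported version range and the default plugins directory are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.function.BiConsumer;
import java.util.stream.Stream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/** Walks a directory tree and every (nested) archive in it, handing only sane-looking class files to a sink. */
public final class ArchiveWalker {

    private static final int CLASS_MAGIC = 0xCAFEBABE;     // JVM spec: first four bytes of every class file
    private static final int MIN_MAJOR = 45;               // JDK 1.1
    private static final int MAX_MAJOR = 65;               // Java 21; assumption: raise when newer class files must be scanned
    private static final int MAX_NESTING = 8;              // assumption: archives nested deeper than this are skipped
    private static final long MAX_ENTRY_BYTES = 64L << 20; // assumption: per-entry cap so a zip bomb cannot exhaust memory

    /** Scans every .jar/.zip below root and returns one line per archive or entry that had to be skipped. */
    public static List<String> scanDirectory(Path root, BiConsumer<String, byte[]> sink) throws IOException {
        List<String> skipped = new ArrayList<>();
        try (Stream<Path> paths = Files.walk(root)) {
            for (Path p : (Iterable<Path>) paths::iterator) {
                if (!Files.isRegularFile(p) || !isArchiveName(p.getFileName().toString())) continue;
                try (InputStream in = Files.newInputStream(p)) {
                    scanArchive(p.toString(), in, sink, skipped, 0);
                } catch (IOException e) {
                    skipped.add(p + ": cannot open: " + e.getMessage());
                }
            }
        }
        return skipped;
    }

    static boolean isArchiveName(String name) {
        String lower = name.toLowerCase(Locale.ROOT);
        return lower.endsWith(".jar") || lower.endsWith(".zip");
    }

    /** Iterates one archive; a bad entry is recorded and skipped instead of aborting the whole scan. */
    static void scanArchive(String label, InputStream in, BiConsumer<String, byte[]> sink, List<String> skipped, int depth) {
        if (depth > MAX_NESTING) { skipped.add(label + ": nested too deeply"); return; }
        // ISO-8859-1 decodes any byte sequence; only entries flagged as UTF-8 can still raise ZipCoder's "MALFORMED".
        ZipInputStream zin = new ZipInputStream(in, StandardCharsets.ISO_8859_1);
        try {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                if (entry.isDirectory()) continue;
                String path = label + "!/" + entry.getName();
                try {
                    byte[] data = readEntry(zin);
                    if (isArchiveName(entry.getName())) {
                        scanArchive(path, new ByteArrayInputStream(data), sink, skipped, depth + 1);
                    } else if (entry.getName().toLowerCase(Locale.ROOT).endsWith(".class")) {
                        String problem = classHeaderProblem(data);
                        if (problem != null) skipped.add(path + ": " + problem);
                        else sink.accept(path, data);
                    }
                } catch (IOException | RuntimeException e) {
                    skipped.add(path + ": " + e); // includes a parser's IllegalArgumentException raised inside the sink
                }
            }
        } catch (IOException | IllegalArgumentException e) {
            skipped.add(label + ": unreadable archive: " + e); // the container itself is broken; stop this archive
        }
    }

    static byte[] readEntry(ZipInputStream zin) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        for (int n; (n = zin.read(buf)) != -1; ) {
            if (out.size() + n > MAX_ENTRY_BYTES) throw new IOException("entry exceeds " + MAX_ENTRY_BYTES + " bytes");
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    /** Validates magic number and major version before any parser sees the bytes; null means the header is sane. */
    static String classHeaderProblem(byte[] b) {
        if (b.length < 10) return "truncated class file (" + b.length + " bytes)";
        int magic = ((b[0] & 0xff) << 24) | ((b[1] & 0xff) << 16) | ((b[2] & 0xff) << 8) | (b[3] & 0xff);
        if (magic != CLASS_MAGIC) return String.format("wrong magic number 0x%08x", magic);
        int major = ((b[6] & 0xff) << 8) | (b[7] & 0xff);
        if (major < MIN_MAJOR || major > MAX_MAJOR) return "unsupported class file major version " + major;
        return null;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : "plugins");
        List<String> skipped = scanDirectory(root, (path, bytes) -> System.out.println("scan: " + path));
        skipped.forEach(line -> System.out.println("skipped: " + line));
    }
}
```

Checking the header first turns the 8243 and wrong-magic cases into a logged skip rather than an exception, while the RuntimeException catch around the sink covers what the header check cannot see, such as the out-of-range constant pool tag (100) in the Luyten trace; because each failure is recorded per entry and the walk continues, one broken jar no longer halts the rest of the scan.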

Question before I join this project

Issue Type

  • asking for sample malwares

Description

Hi, I've dived into this repo after searching for something that looks fun and found this,
and I had never heard that there was malware-mod in Minecraft.

Before I raised this issue, I searched for basic information about this topic and found a really awesome article: link

Can you send me a sample of malware-mod if you have one?
I don't have the guts to test on my own Minecraft.

Add support for more Bukkit methods


As of right now all this program supports is Player#setOp;
however, supporting things like Bukkit.dispatchCommand(commandSender, command); and such would be nice. If possible there should be a way to get what command is being dispatched so we can limit the false positives.

Fix an issue related to most strings NOT being deobfuscated correctly

https://github.com/OpticFusion1/MCAntiMalware/blob/master/src/main/java/optic_fusion1/mcantimalware/check/checks/DirectLeaks.java

All but one string passed through that check fail to deobfuscate correctly.
The StringDeobfuscator methods and the containsBlacklistedWord methods work correctly.
Either the StringDeobfuscator methods aren't taking into account certain Unicode, OR the way strings are handled needs to be changed.

This fix should be applied to every check

Error

Issue

When processing "Malicious" Worldguard-bukkit-6.2.2.jar (also a false-positive report), it does this:
Screenshot_13

Well it just does everything fine, until that.

java.lang.IllegalArgumentException: Cannot set to an empty path


For some reason the following error happens: log.log
The plugin this happens to (there are more that have this error, but I assume the cause is the same): PlotSquared#1177.zip

Possible False Positive


Apparently VotingCrates.zip gets detected as a leaked plugin (DirectLeaks check); however, I'm not really 100% sure what's causing it.

Optimize CheckManager class


Due to recent features the CheckManager class has become a mess and/or unoptimized; this should be fixed ASAP.

False Positive (ForceOP)


Certain plugins cause a false positive due to Player#setOp.
This is usually used in the following way:
setOp
dispatchCommand
setOp

The plugin below is an example of this, more plugins with this false positive can be provided as needed
ActionLibOpenSource(47507).zip

Merge a variety of deobfuscators

Adding a variety of deobfuscators to the AntiMalware would be nice, though it would probably require a large rewrite of the deobfuscator.

List of deobfuscators that should be added to the AntiMalware

https://github.com/java-deobfuscator/deobfuscator
https://github.com/ThisTestUser/deobfuscator
https://github.com/ThisTestUser/AntiSmokeFlowObf
https://github.com/ThisTestUser/AntiSmokeObfuscator

Adding these and others will make it MUCH easier to deal with obfuscation for current and possible future checks.

Edit: Merge as required

SpookyAC ForceOP


The attached file contains a force-op. The next update will include a basic check for this malware; however, I'd like to check for certain strings. If someone can add a proper deobfuscator for them, that would be lovely. The force-op path is com/unknownmyname/listener/DataListener
SpookyAC-v1.zip

Notification popup


I'm a lazy fuck; this would simply show a notification popup any time a malicious plugin is found. Java has limitations on this sort of thing, which won't be that huge of an issue; however, if possible JNI or similar should be used so there can be complete support for such a thing.
The above is only for Windows; when it comes to Linux, I have no fucking clue.

SHA-256 digest error for plugin.yml


The plugin.yml itself doesn't really matter; however, for whatever reason I'm not able to hide this exception:

05:02:11 [SEVERE] Exception in thread "Thread-1"
05:02:11 [SEVERE] java.lang.SecurityException: SHA-256 digest error for plugin.yml
05:02:11 [SEVERE] at sun.security.util.ManifestEntryVerifier.verify(Unknown Source)
05:02:11 [SEVERE] at java.util.jar.JarVerifier.processEntry(Unknown Source)
05:02:11 [SEVERE] at java.util.jar.JarVerifier.update(Unknown Source)
05:02:11 [SEVERE] at java.util.jar.JarVerifier$VerifierStream.read(Unknown Source)
05:02:11 [SEVERE] at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)
05:02:11 [SEVERE] at sun.nio.cs.StreamDecoder.implRead(Unknown Source)
05:02:11 [SEVERE] at sun.nio.cs.StreamDecoder.read(Unknown Source)
05:02:11 [SEVERE] at java.io.InputStreamReader.read(Unknown Source)
05:02:11 [SEVERE] at java.io.BufferedReader.fill(Unknown Source)
05:02:11 [SEVERE] at java.io.BufferedReader.readLine(Unknown Source)
05:02:11 [SEVERE] at java.io.BufferedReader.readLine(Unknown Source)
05:02:11 [SEVERE] at optic_fusion1.mcantimalware.configuration.file.FileConfiguration.load(FileConfiguration.java:160)
05:02:11 [SEVERE] at optic_fusion1.mcantimalware.configuration.file.YamlConfiguration.loadConfiguration(YamlConfiguration.java:230)
05:02:11 [SEVERE] at optic_fusion1.mcantimalware.check.CheckManager.isInChecksumDatabase(CheckManager.java:65)
05:02:11 [SEVERE] at optic_fusion1.mcantimalware.check.CheckManager.process(CheckManager.java:150)
05:02:11 [SEVERE] at optic_fusion1.mcantimalware.DirectoryWatcherService.firstRun(DirectoryWatcherService.java:101)
05:02:11 [SEVERE] at optic_fusion1.mcantimalware.Main.run(Main.java:136)
05:02:11 [SEVERE] at java.lang.Thread.run(Unknown Source)

False Positives info & an error interrupting scan

Issue

Issue Type

False Positives & error interrupting scan

Description

I'm quite certain all these plugins are false positives and safe, so I've started this issue report to let you know of the suspected plugins (they were all suspected of being infected with ForceOP(Malware)):

Advanced-Portals-0.0.49-snapshot.jar
https://dev.bukkit.org/projects/advanced-portals/files/2610976/download

AgarthaLib.jar
https://www.spigotmc.org/resources/agarthalib-1-7-x-1-13-x.56940/download?version=254788

craftbook-3.10-SNAPSHOT-dist.jar
http://builds.enginehub.org/job/craftbook/11173/download/craftbook-3.10-SNAPSHOT-dist.jar

Denizen-1.0.4-b722-DEV.jar
https://ci.citizensnpcs.co/job/Denizen_Developmental/722/artifact/target/Denizen-1.0.4-b722-DEV.jar
other builds:
https://ci.citizensnpcs.co/job/Denizen/
https://www.spigotmc.org/resources/denizen.21039/download?version=265799

JupiterCore.jar/MoneyHunters
https://www.spigotmc.org/resources/moneyhunters-1-13.22450/download?version=267471

LuckPerms-Bukkit-4.4.0.jar
https://www.spigotmc.org/resources/luckperms-an-advanced-permissions-plugin.28140/download?version=267214

MythicMobs-4.5.5.jar
https://dev.bukkit.org/projects/mythicmobs/files/2696745/download

Error interrupting scan, was scanning PyrCore at the time:

2019-04-13 20:34:11 [INFO] Checking to see if PyrCore_v6.4.1.jar is infected
2019-04-13 20:34:11 [INFO] Checking if PyrCore_v6.4.1.jar is infected with AAC_API(Malware)
2019-04-13 20:34:11 [INFO] PyrCore_v6.4.1.jar MIGHT not be infected with AAC_API(Malware)
2019-04-13 20:34:11 [INFO] Checking if PyrCore_v6.4.1.jar is infected with AdminAccess(Malware)
2019-04-13 20:34:11 [INFO] PyrCore_v6.4.1.jar MIGHT not be infected with AdminAccess(Malware)
2019-04-13 20:34:11 [INFO] Checking if PyrCore_v6.4.1.jar is infected with AdminTools(Malware)
2019-04-13 20:34:11 [SEVERE] Exception in thread "Thread-1"
2019-04-13 20:34:11 [SEVERE] java.lang.NullPointerException
2019-04-13 20:34:11 [SEVERE] at optic_fusion1.mcantimalware.configuration.file.YamlConfiguration.loadConfiguration(YamlConfiguration.java:223)
2019-04-13 20:34:11 [SEVERE] at optic_fusion1.mcantimalware.check.checks.AdminTools.detect(AdminTools.java:74)
2019-04-13 20:34:11 [SEVERE] at optic_fusion1.mcantimalware.check.checks.AdminTools.process(AdminTools.java:31)
2019-04-13 20:34:11 [SEVERE] at optic_fusion1.mcantimalware.check.CheckManager.process(CheckManager.java:119)
2019-04-13 20:34:11 [SEVERE] at optic_fusion1.mcantimalware.DirectoryWatcherService.firstRun(DirectoryWatcherService.java:101)
2019-04-13 20:34:11 [SEVERE] at optic_fusion1.mcantimalware.Main.run(Main.java:114)
2019-04-13 20:34:11 [SEVERE] at java.lang.Thread.run(Unknown Source)

Update logging V2

General Troubleshooting

  • I have checked for similar issues.
  • I have updated to the latest version.
  • I have checked the branches or the maintainers' PRs for upcoming features/bug fixes.

Issue

Issue Type

  • Bug Report
  • Feature Request

Description

Instead of always logging to one file, the logging should follow a similar format to how Spigot handles logging; all of the code and such can easily be gotten from Spigot itself.

Add a way to stop the AntiMalware from being deleted

General Troubleshooting

  • I have checked for similar issues.
  • I have updated to the latest version.
  • I have checked the branches or the maintainers' PRs for upcoming features/bug fixes.

Issue

Issue Type

  • Bug Report - The jar that causes the bug MUST be provided, otherwise the issue will be closed
  • Feature Request

Description

This should stop the jar from being deleted.

Edit: Should be possible with the SecurityManager or something

Heuristic analysis

General Troubleshooting

  • I have checked for similar issues.
  • I have updated to the latest version.
  • I have checked the branches or the maintainers' PRs for upcoming features/bug fixes.

Issue

Issue Type

  • Bug Report
  • Feature Request

Description

This should be obvious Heuristic_analysis wiki.
I personally don't really have the skill to do this

Support for premium plugins

General Troubleshooting

  • I have checked for similar issues.
  • I have updated to the latest version.
  • I have checked the branches or the maintainers' PRs for upcoming features/bug fixes.

Issue

Issue Type

  • Bug Report
  • Feature Request

Description

Title says it all pretty much.
There should be support for checking premium plugins against the SHA-1 database; the only issue is that the Anti-Piracy has to either be 1. ignored when getting the scanned jar's SHA-1 checksum, or 2. the Anti-Piracy itself has to be completely removed and then re-scanned to get the correct checksum. All within memory (no creating files) if possible.
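As an added example (not code from mcantimalware or from the issue author), the following shows the first option described in this request: hashing a plugin jar entirely in memory while skipping the entries that carry the marketplace's anti-piracy code, so that two downloads of the same premium plugin produce the same SHA-1 for database lookup. The exclusion rule (`name.contains("AntiPiracy")`) and the sample jar contents are constructed placeholders; a real deployment would derive the rule from the anti-piracy class names actually injected by the marketplace.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.TreeMap;
import java.util.function.Predicate;
import java.util.jar.JarEntry;
import java.util.jar.JarInputStream;
import java.util.jar.JarOutputStream;
import java.util.zip.ZipEntry;

/**
 * Added example: SHA-1 over a plugin jar's contents, computed in memory and
 * ignoring entries flagged by an exclusion predicate (the anti-piracy code).
 * Nothing is written to disk.
 */
public final class NormalizedJarDigest {

    /** Hex SHA-1 over the remaining entries of the jar bytes, sorted by entry name. */
    public static String digest(byte[] jarBytes, Predicate<String> excludeEntry)
            throws IOException, NoSuchAlgorithmException {
        // Collect name -> content first so the hash does not depend on the order
        // in which the jar was written; two builds of one plugin can differ there.
        Map<String, byte[]> entries = new TreeMap<>();
        try (JarInputStream in = new JarInputStream(new ByteArrayInputStream(jarBytes))) {
            JarEntry e;
            while ((e = in.getNextJarEntry()) != null) {
                if (e.isDirectory() || excludeEntry.test(e.getName())) {
                    continue; // skip directories and the excluded (anti-piracy) entries
                }
                entries.put(e.getName(), in.readAllBytes());
            }
        }
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        for (Map.Entry<String, byte[]> entry : entries.entrySet()) {
            // Hash the entry name as well as its bytes so a renamed class changes the digest.
            sha1.update(entry.getKey().getBytes(StandardCharsets.UTF_8));
            sha1.update((byte) 0); // separator between name and content
            sha1.update(entry.getValue());
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : sha1.digest()) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** Builds a small jar in memory; used only to construct sample input for the demo. */
    static byte[] buildJar(Map<String, byte[]> files) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (JarOutputStream jar = new JarOutputStream(out)) {
            for (Map.Entry<String, byte[]> f : files.entrySet()) {
                jar.putNextEntry(new ZipEntry(f.getKey()));
                jar.write(f.getValue());
                jar.closeEntry();
            }
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the same plugin with and without an assumed
        // anti-piracy class injected at download time.
        Map<String, byte[]> clean = new TreeMap<>();
        clean.put("plugin.yml", "name: Demo\nversion: 1.0\n".getBytes(StandardCharsets.UTF_8));
        clean.put("demo/Main.class", new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE, 1, 2, 3});

        Map<String, byte[]> withAntiPiracy = new TreeMap<>(clean);
        withAntiPiracy.put("demo/AntiPiracy.class", new byte[] {(byte) 0xCA, (byte) 0xFE, 9, 9, 9});

        // Placeholder exclusion rule (assumption): entry names containing "AntiPiracy".
        Predicate<String> exclude = name -> name.contains("AntiPiracy");

        String a = digest(buildJar(clean), exclude);
        String b = digest(buildJar(withAntiPiracy), exclude);
        System.out.println(a.equals(b) ? "normalized digests match: " + a : "mismatch");
    }
}
```

Because the digest covers entry names and contents rather than the raw jar bytes, it is stable across differing zip timestamps and entry order as well as across the injected anti-piracy entries; the SHA-1 values stored in the database would have to be computed the same way for premium plugins, since they will not equal a plain file hash.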
