Cyber attacks have been on the rise over the past few years, and this includes attacks against the Minecraft server community. Infected plugins and mods have become significantly more common, with even a few instances of malware on more reputable sites. Malware can wreak havoc on your server, and even potentially put your data at risk. Knowing this, how can you recognize the signs of malware, how can you prevent installing malware in the first place, and what should you do in the worst case where your server ends up infected?
How do I know if I’m infected?
As all malware is different, there’s no definitive way to check that you’re infected, but there are a few signs to look out for.
Increasing plugin file sizes
Malware usually hides itself inside your existing plugin jar files to make it harder to detect. Since the injected code takes up space, an infected plugin jar is often noticeably larger than the copy you originally downloaded, so comparing file sizes against a known-good copy (or the size shown on the official download page) is a cheap first check.
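One way to make that size check systematic is to record the size and SHA-256 of every jar on the server while you know it is clean, and re-check against that record later. The script below is an added example and is not code from the article or from any of the projects it mentions; it assumes you keep the baseline JSON somewhere the server process cannot write to (for instance a directory outside the server folder), and the file names in it are illustrative.

```python
"""Baseline the jar files on a server and report anything that changed later.

Added example, not part of the original article. The reasoning it implements:
an infected jar grows or changes, so keeping size and SHA-256 for every jar
and re-checking lets you notice a modified plugin before you notice the lag.
"""
import hashlib
import json
from pathlib import Path


def jar_inventory(root):
    """Return {relative_path: {"size": bytes, "sha256": hex}} for every .jar under root.

    rglob descends into dot-directories such as plugins/.paper-remapped as well.
    """
    root = Path(root)
    inventory = {}
    for jar in sorted(root.rglob("*.jar")):
        if not jar.is_file():
            continue
        digest = hashlib.sha256(jar.read_bytes()).hexdigest()
        inventory[jar.relative_to(root).as_posix()] = {
            "size": jar.stat().st_size,
            "sha256": digest,
        }
    return inventory


def compare_inventories(baseline, current):
    """Classify jars as added, removed, or changed since the baseline.

    A changed jar is reported with its size delta, because a jar that grew
    without you updating it is the classic symptom the article describes.
    The hash is the stronger signal: a rewrite that keeps the size identical
    still changes the digest.
    """
    report = {"added": [], "removed": [], "changed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        elif baseline[path]["sha256"] != current[path]["sha256"]:
            report["changed"].append(
                (path, current[path]["size"] - baseline[path]["size"])
            )
    return report


def save_baseline(root, baseline_file):
    """Write the current inventory to baseline_file (assumed to live outside the server dir)."""
    Path(baseline_file).write_text(json.dumps(jar_inventory(root), indent=2))


def check_against_baseline(root, baseline_file):
    """Re-scan root and diff it against a previously saved baseline."""
    baseline = json.loads(Path(baseline_file).read_text())
    return compare_inventories(baseline, jar_inventory(root))


if __name__ == "__main__":
    import sys
    # Usage (names are illustrative):
    #   python jarcheck.py baseline <server_dir> <baseline.json>
    #   python jarcheck.py check    <server_dir> <baseline.json>
    mode, server_dir, baseline_file = sys.argv[1:4]
    if mode == "baseline":
        save_baseline(server_dir, baseline_file)
        print(f"Recorded {len(jar_inventory(server_dir))} jars to {baseline_file}")
    else:
        report = check_against_baseline(server_dir, baseline_file)
        for path, delta in report["changed"]:
            print(f"CHANGED {path} ({delta:+d} bytes)")
        for path in report["added"]:
            print(f"ADDED   {path}")
        for path in report["removed"]:
            print(f"REMOVED {path}")
        if not any(report.values()):
            print("No jar changes since baseline")
```

A deliberate plugin update also changes the hash, so re-run the baseline step right after you update something yourself; any change you did not make is the one to investigate.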
Increased resource usage
Some forms of malware do malicious tasks, such as crypto mining or logging and reporting activity to a remote server. As these tasks take up server resources, if you’ve suddenly seen an increase in lag or lower tick rates, this might indicate a malware infection. It’s also worth noting though that malware is only one of the many reasons resource usage can increase, with a vast majority just being due to benign player activity on the server. While this can be a sign, it’s not evidence of a malware infection by itself.
Strange errors
Malware infections can surface as a wide range of strange errors, usually from systems that were never built to find malware but that incidentally notice something odd. Paper’s plugin remapping system, for example, can’t handle many of the obfuscation techniques Minecraft malware typically uses, so an infected jar can fail with errors during the remap process.
Similarly, WorldEdit and WorldGuard contain systems to detect when other plugins incorrectly contain parts of WorldEdit or WorldGuard, as this can cause instability. This system also incidentally triggers with many forms of Minecraft malware. If you’re suddenly getting big errors that a plugin is including parts of WorldEdit or WorldGuard that you didn’t see before, this is a good indicator you have malware.
Another error that might indicate malware is a “zip file closed” error. These have many possible causes, most of them harmless, but malware is one of them.
Antivirus Software
While antivirus or antimalware software is generally a good way to detect malware, it is not reliable for Minecraft malware. Not only does it almost never detect actual Minecraft malware, it is also prone to false positives on entirely innocent plugin jar files. A virus alert is a reasonable prompt to double-check that the file really came from an official source, but more often than not the alert is a false positive and, once you’ve confirmed the source, safe to ignore.
How can I avoid infection?
While the possibility of malware can be scary, there are many ways you can keep yourself safer.
Only use official downloads
The main way to avoid malware is to only ever obtain software from official sources, meaning the location you download from is the place the developers themselves upload to. For example, if a plugin is only published on Modrinth, a copy uploaded to the Spigot website by someone else is unofficial and a bad idea to use. Reuploads by unofficial sources can be modified in ways you wouldn’t expect and are therefore a common vector for malware. One of the most common sources of malware is pirated plugin sites that reupload paid plugins for free.
It's also important to ensure you only get your server software from official sources. As Spigot can only be officially obtained from Spigot’s BuildTools system, numerous sites have popped up that offer direct Spigot jar file downloads. As these are all unofficial reuploads, these can possibly be a source of malware. While some sites or reuploads might be safe, this is difficult to verify and it’s better to not take the risk.
A good way to verify a source is to check whether the plugin or software has an official website or repository and follow its own download links. It’s safest to use whatever the developers themselves link to.
Try to avoid unknown plugins, or newly uploaded plugins
Even if you only download from reputable websites, there have been a few cases of malware from these sources in the past. These cases have usually been newly uploaded plugins from non-established developers. If you want to be safe, it’s likely a better idea to use more well-known plugins from more reputable developers, than brand new plugins from new developers.
While a vast majority of new plugin developers are not doing anything malicious, it can be a good idea to wait at least a few weeks or longer before using brand new plugins as malware is usually discovered fairly quickly if present.
What do I do if I have it?
In general, malware is fairly annoying to properly get rid of. Most Minecraft malware tries to spread itself to other jar files on your server, and if you’re running multiple servers on the same machine that can access each other at the file level, even to jar files on other servers. Due to this, the only way to be sure you’ve removed it is to do the following.
Removing malware
The first step to remove malware is to delete every single jar file that it might have access to. This includes plugin jar files, the server software jar file, and potentially all the jar files on other servers on the same machine that it might have had access to. If you’re using Paper there might also be jars in folders such as cache, versions, and the .paper-remapped directory in the plugins folder. Every single jar file you find should be removed, because any of them could contain malware. If you’re not sure whether everything is gone, search the whole server directory for jar files (make sure the search includes hidden folders, since .paper-remapped is a dot-directory); ideally, you’ll find none.
Once every single jar file has been removed, you should re-download everything you want from official sources, and then start your server. It’s very important to not start your server midway through the process and to ensure that all jar files are removed before downloading new ones, because if any of the files currently on the server contain malware, they can spread it to the newly downloaded jar files.
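The removal procedure above can be scripted so that no jar is missed and the “nothing left” check is done before you download fresh copies. This is an added example, not tooling from the article or from Paper; it walks every directory you pass it (so jars under cache, versions, plugins/.paper-remapped, and any other folder are all found), defaults to a dry run, and reports what is left afterwards. The script name and flag are illustrative.

```python
"""Find, list, and delete every jar under one or more server directories.

Added example, not the article's own tooling. Implements the clean-up step:
remove every jar the malware could have touched, confirm none remain, and only
then re-download from official sources. The walk is generic, so jars in Paper's
cache, versions, and plugins/.paper-remapped directories are found along with
everything else; pass several roots to cover multiple servers on one machine.
"""
from pathlib import Path


def find_jars(*roots):
    """Return every .jar file under the given roots, hidden directories included."""
    found = []
    for root in roots:
        root = Path(root)
        found.extend(p for p in root.rglob("*.jar") if p.is_file())
    return sorted(found)


def remove_jars(*roots, dry_run=True):
    """Delete all jars under roots; with dry_run=True only list them.

    Returns the list of paths that were (or would be) deleted. Call find_jars()
    again afterwards and expect an empty list before downloading anything new,
    because a single leftover infected jar can re-infect the fresh copies.
    """
    jars = find_jars(*roots)
    if not dry_run:
        for jar in jars:
            jar.unlink()
    return jars


if __name__ == "__main__":
    import sys
    # Usage (illustrative): python purge_jars.py [--delete] <server_dir> [<other_server_dir> ...]
    args = sys.argv[1:]
    delete = "--delete" in args
    roots = [a for a in args if a != "--delete"]
    for jar in remove_jars(*roots, dry_run=not delete):
        print(("deleted " if delete else "would delete ") + str(jar))
    if delete:
        leftover = find_jars(*roots)
        print(f"{len(leftover)} jar files remain; re-download only when this is 0")
    else:
        print("dry run only; pass --delete to remove the files listed above")
```

Run it with the server stopped, check the dry-run listing covers every server that shares the machine, and only then pass the delete flag.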
Conclusion
Malware can be scary, annoying to remove, and extremely disruptive. It’s important to be aware of what it can look like and how to avoid getting it, as well as how to remove it for a worst case scenario.
About the Author
Hi, I'm Maddy Miller, a Senior Software Engineer at Clipchamp at Microsoft. In my spare time I love writing articles, and I also develop the Minecraft mods WorldEdit, WorldGuard, and CraftBook. My opinions are my own and do not represent those of my employer in any capacity.