1 December 2022

Security researchers unintentionally crash KmsdBot botnet

Akamai security researchers accidentally took down the KmsdBot cryptomining and DDoS botnet while analyzing its capabilities.

In November, Akamai released a report detailing the KmsdBot botnet, which infects victims over SSH by logging in with weak credentials. The botnet targets both Windows and Linux devices with the goal of deploying mining software and ensnaring the compromised hosts in a DDoS botnet. KmsdBot's victims include gaming and technology companies, as well as luxury car manufacturers.

The researchers modified a recent sample of KmsdBot in order to test various scenarios related to C&C functionality.

“This allowed us to have a controlled environment to play around in — and, as a result, we were able to send the bot our own commands to test its functionality and attack signatures. Interestingly, after one single improperly formatted command, the bot stopped sending commands. It’s not every day you come across a botnet that the threat actors themselves crash their own handiwork,” Akamai vulnerability researcher Larry Cashdollar explained.

The KmsdBot malware does have command-and-control functionality, but the version the researchers analyzed performed no error checking on incoming commands to verify that they were properly formatted. A single malformed command was therefore enough to take the bot down.

More specifically, the crash was triggered by a command in which the space between the target website and the port number was missing. Instead of rejecting the malformed input, the Go binary running on the infected machine crashed, which severed its connection to the C&C server.
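The failure mode described above, as an added illustration in Go (the bot's language) that is not Akamai's code or the malware's own: a command handler that indexes whitespace-split fields without checking how many it received panics when one space is missing, while a handler that validates the field count, port and duration simply rejects the command. The `!attack <host> <port> <seconds>` syntax, the sample commands and the function names are assumptions for the example, not KmsdBot's real command format.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// AttackCmd is the parsed form of a hypothetical C&C instruction
// "!attack <host> <port> <seconds>". KmsdBot's real command syntax
// is not reproduced here; this format is assumed for illustration.
type AttackCmd struct {
	Host    string
	Port    int
	Seconds int
}

// uncheckedParse mimics a bot that trusts its operator: it indexes the
// split fields without checking how many it got. A command with a
// missing space between host and port shifts every later field left,
// so the final index falls off the end of the slice and Go panics.
func uncheckedParse(cmd string) AttackCmd {
	f := strings.Fields(cmd)
	port, _ := strconv.Atoi(f[2])
	secs, _ := strconv.Atoi(f[3]) // index out of range when a field is missing
	return AttackCmd{Host: f[1], Port: port, Seconds: secs}
}

// crashes reports whether uncheckedParse panics on cmd. An unrecovered
// panic in the real bot kills the process and drops its C&C connection;
// here it is recovered only so the outcome can be observed.
func crashes(cmd string) (crashed bool) {
	defer func() {
		if r := recover(); r != nil {
			crashed = true
		}
	}()
	uncheckedParse(cmd)
	return false
}

var errMalformed = errors.New("malformed attack command")

// checkedParse is the hardened version: it validates the field count,
// host, port range and duration and returns an error instead of panicking.
func checkedParse(cmd string) (AttackCmd, error) {
	f := strings.Fields(cmd)
	if len(f) != 4 || f[0] != "!attack" {
		return AttackCmd{}, fmt.Errorf("%w: expected 4 fields, got %d", errMalformed, len(f))
	}
	host := f[1]
	if host == "" || strings.ContainsAny(host, "/:") {
		return AttackCmd{}, fmt.Errorf("%w: bad host %q", errMalformed, host)
	}
	port, err := strconv.Atoi(f[2])
	if err != nil || port < 1 || port > 65535 {
		return AttackCmd{}, fmt.Errorf("%w: bad port %q", errMalformed, f[2])
	}
	secs, err := strconv.Atoi(f[3])
	if err != nil || secs <= 0 {
		return AttackCmd{}, fmt.Errorf("%w: bad duration %q", errMalformed, f[3])
	}
	return AttackCmd{Host: host, Port: port, Seconds: secs}, nil
}

func main() {
	// Constructed sample commands: a well-formed one and one whose
	// space between host and port is missing, as in the Akamai report.
	good := "!attack www.example.com 443 30"
	bad := "!attack www.example.com443 30"
	for _, c := range []string{good, bad} {
		fmt.Printf("%-34q unchecked parser crashes: %v\n", c, crashes(c))
		if parsed, err := checkedParse(c); err != nil {
			fmt.Printf("%-34q checked parser: rejected (%v)\n", c, err)
		} else {
			fmt.Printf("%-34q checked parser: %+v\n", c, parsed)
		}
	}
}
```

Note that the unchecked parser does not fail on the glued host field itself; it happily treats `www.example.com443` as the host and `30` as the port, and only dies when it reaches for the fourth field that no longer exists. That is why a parser must check the shape of the whole command before using any part of it.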

The researchers noted that because the bot has no persistence mechanism on an infected machine, the operators' only way to recover is to re-infect hosts and rebuild the botnet from scratch.

“It’s not often we get this kind of story in security. In our world of zero-days and burnout, seeing a threat that can be mitigated with the coding equivalent of a typo is a nice story. This botnet has been going after some very large luxury brands and gaming companies, and yet, with one failed command it cannot continue. This is a strong example of the fickle nature of technology and how even the exploiter can be exploited by it,” Cashdollar concluded.
