1 December 2022

Security researchers unintentionally crash KmsdBot botnet


Akamai security researchers accidentally took down the KmsdBot cryptomining and DDoS botnet while analyzing its capabilities.

Last month, Akamai released a report detailing the KmsdBot botnet, which infects victims over SSH by brute-forcing weak login credentials. The botnet targets both Windows and Linux devices, deploying cryptomining software on compromised hosts and enlisting them in a DDoS botnet. KmsdBot's victims include gaming and technology companies as well as luxury car manufacturers.

The researchers modified a recent sample of KmsdBot so that it would talk to a C&C server under their control, in order to test various scenarios related to its C&C functionality.

“This allowed us to have a controlled environment to play around in — and, as a result, we were able to send the bot our own commands to test its functionality and attack signatures. Interestingly, after one single improperly formatted command, the bot stopped sending commands. It’s not every day you come across a botnet that the threat actors themselves crash their own handiwork,” Akamai vulnerability researcher Larry Cashdollar explained.

While KmsdBot has command-and-control functionality, the version analyzed by the researchers lacked any error checking to verify that incoming commands are properly formatted, which is what allowed the researchers to knock the malware offline.

More specifically, the crash was triggered by a malformed attack command in which the space between the target website and the port number was missing. The Go binary running on the infected machine did not validate the command before parsing it, so it crashed, severing the connection between the bot and the C&C server.
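The failure mode described above, as an added illustration that is not KmsdBot's code or Akamai's analysis: a hypothetical Go C&C command parser that indexes whitespace-split tokens by fixed position, shown next to a hardened version that checks the token count and validates each field before use. The command layout (`<name> <host> <port> <path> <seconds>`) and both sample commands are constructed for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Command is the parsed form of a space-delimited C2 instruction.
// The field layout is an assumption for this example, not KmsdBot's real format.
type Command struct {
	Name    string
	Target  string
	Port    int
	Path    string
	Seconds int
}

// Constructed sample commands: the second is the first with the space between
// host and port dropped, so it is one token short.
const (
	WellFormed = "attack example.com 443 / 30"
	Malformed  = "attack example.com443 / 30"
)

// naiveParse indexes the split tokens by fixed position and never checks how
// many tokens it actually got. One token short means f[4] is past the end of
// the slice: a runtime "index out of range" panic that kills the process
// unless something recovers it.
func naiveParse(line string) Command {
	f := strings.Fields(line)
	port, _ := strconv.Atoi(f[2]) // parse error silently ignored
	secs, _ := strconv.Atoi(f[4])
	return Command{Name: f[0], Target: f[1], Port: port, Path: f[3], Seconds: secs}
}

// runNaive wraps naiveParse so the panic can be observed as an error; a bot
// with no recover would simply exit here and drop its C2 connection.
func runNaive(line string) (cmd Command, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("bot would have crashed: %v", r)
		}
	}()
	return naiveParse(line), nil
}

// parseCommand is the hardened form: token count first, then each field is
// validated, and a malformed command yields an error instead of a panic.
func parseCommand(line string) (Command, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Command{}, fmt.Errorf("expected 5 fields, got %d", len(f))
	}
	if f[1] == "" || strings.ContainsAny(f[1], "/:") {
		return Command{}, fmt.Errorf("bad target host %q", f[1])
	}
	port, err := strconv.Atoi(f[2])
	if err != nil || port < 1 || port > 65535 {
		return Command{}, fmt.Errorf("bad port %q", f[2])
	}
	if !strings.HasPrefix(f[3], "/") {
		return Command{}, fmt.Errorf("bad path %q", f[3])
	}
	secs, err := strconv.Atoi(f[4])
	if err != nil || secs <= 0 {
		return Command{}, fmt.Errorf("bad duration %q", f[4])
	}
	return Command{Name: f[0], Target: f[1], Port: port, Path: f[3], Seconds: secs}, nil
}

func main() {
	for _, line := range []string{WellFormed, Malformed} {
		if _, err := runNaive(line); err != nil {
			fmt.Printf("naive  %q: %v\n", line, err)
		} else {
			fmt.Printf("naive  %q: ok\n", line)
		}
		if cmd, err := parseCommand(line); err != nil {
			fmt.Printf("strict %q: rejected (%v)\n", line, err)
		} else {
			fmt.Printf("strict %q: %+v\n", line, cmd)
		}
	}
}
```

Running it shows the naive parser surviving the well-formed command and panicking on the malformed one, while the strict parser rejects the malformed command with an error and keeps running. The count check alone is not enough: a command with the right number of tokens but fields in the wrong order still has to fail the per-field validation rather than be acted on.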

The researchers noted that because the bot has no persistence mechanism on an infected machine, the only way for its operators to recover is to re-infect hosts and rebuild the botnet from scratch.

“It’s not often we get this kind of story in security. In our world of zero-days and burnout, seeing a threat that can be mitigated with the coding equivalent of a typo is a nice story. This botnet has been going after some very large luxury brands and gaming companies, and yet, with one failed command it cannot continue. This is a strong example of the fickle nature of technology and how even the exploiter can be exploited by it,” Cashdollar concluded.
