Akamai security researchers accidently took down the KmsdBot cryptomining botnet while analyzing its capabilities.
Earlier this month, Akamai released a report detailing the KmsdBot botnet that infected victims via SSH and weak credentials. The botnet targets both Windows and Linux devices with the goal of deploying mining software and ensnare the compromised hosts into a DDoS botnet. Some of KmsdBot’s victims include gaming and technology companies, as well as luxury car manufacturers.
The researchers modified a recent sample of KmsdBot in order to test various scenarios related to C&C functionality.
“This allowed us to have a controlled environment to play around in — and, as a result, we were able to send the bot our own commands to test its functionality and attack signatures. Interestingly, after one single improperly formatted command, the bot stopped sending commands. It’s not every day you come across a botnet that the threat actors themselves crash their own handiwork,” Akamai vulnerability researcher Larry Cashdollar explained.
While the KmsdBot malware has the command-and-control functionality, the version analyzed by the researchers lacked an error-checking mechanism to verify that the commands are properly formatted, which allowed the expert to deactivate the malware.
More specifically, the crash was caused by a malformed command where the space between the target website and the port was missing, which severed connection between the Go binary running on the infected machine and the C&C server.
The researchers noted that because the bot doesn’t have any functionality for persistence on an infected machine, the only way to recover is to re-infect and rebuild the botnet from scratch.
“It’s not often we get this kind of story in security. In our world of zero-days and burnout, seeing a threat that can be mitigated with the coding equivalent of a typo is a nice story. This botnet has been going after some very large luxury brands and gaming companies, and yet, with one failed command it cannot continue. This is a strong example of the fickle nature of technology and how even the exploiter can be exploited by it,” Cashdollar concluded.
