Malware

Botnet self-terminates thanks to typo

Akamai Security Research wrote that the KmsdBot botnet crashed almost entirely thanks to a missing error check.

Francis Scialabba


Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

Aaaand it’s gone. Akamai researchers recently saw an entire botnet destroy itself after its operators accidentally input a command missing a space.

Akamai Security Research wrote in early November that it had detected a new Golang-based malware, which it called KmsdBot, and that this malware infected machines via SSH connections with weak credentials and had varied targets, “including the gaming industry, technology industry, and luxury car manufacturers.” While its primary purpose appeared to be DDoS attacks via UDP, TCP, HTTP POST, and GET commands, KmsdBot also functioned as a cryptocurrency miner.

Security researchers at Akamai modified KmsdBot code to respond to its own commands rather than those of its operators for testing purposes. However, at the end of the month, they noticed their sample bot crashed after receiving a malformed command directing it to attack bitcoin.com.

“The guys running the botnet crashed it by accident,” Akamai’s principal security intelligence response engineer, Larry Cashdollar, told Dark Reading. “They sent in a command that was missing a space between the target URL and port number.”

The specific command, according to Akamai’s blog post (note the lack of a space after the URL):

!bigdata www.bitcoin.com443 / 30 3 3 100 

Akamai’s team concluded the bot did not have error-checking capabilities, causing the Go binary to crash with an “index out of range” error. In their report, they wrote this likely terminated the entire botnet, adding that since “the bot doesn’t have any functionality for persistence on an infected machine, the only way to recover is to re-infect and rebuild the botnet from scratch.”
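The failure Akamai describes is a generic Go pitfall: splitting a command line on whitespace and indexing the resulting slice at fixed positions without first checking its length. The following is an added illustration written for this article, not KmsdBot's code or Akamai's; the eight-field layout (name, host, port, path, four numeric arguments) is an assumption inferred from the quoted command. The parser only parses and returns a struct; the unchecked version panics on the article's malformed line, the checked version rejects it with an error and keeps running.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Command holds the fields parsed from a space-separated line of the assumed form
// "!bigdata <host> <port> <path> <n1> <n2> <n3> <n4>" (layout is an assumption).
type Command struct {
	Name string
	Host string
	Port int
	Path string
	Args []int
}

// ErrMalformed is returned by parseChecked for any line that does not fit the layout.
var ErrMalformed = errors.New("malformed command")

// parseUnchecked trusts the operator: it indexes fixed positions of the split line
// without checking how many fields exist. A line with one field too few (the host
// and port run together) panics with "index out of range", the crash the article describes.
func parseUnchecked(line string) Command {
	f := strings.Fields(line)
	port, _ := strconv.Atoi(f[2]) // conversion error silently ignored
	args := make([]int, 0, 4)
	for i := 4; i < 8; i++ { // f[7] does not exist on a seven-field line
		n, _ := strconv.Atoi(f[i])
		args = append(args, n)
	}
	return Command{Name: f[0], Host: f[1], Port: port, Path: f[3], Args: args}
}

// parseChecked validates field count, port range and numeric arguments before use,
// so a typo from the operator yields an error instead of terminating the process.
func parseChecked(line string) (Command, error) {
	f := strings.Fields(line)
	if len(f) != 8 {
		return Command{}, fmt.Errorf("%w: want 8 fields, got %d", ErrMalformed, len(f))
	}
	port, err := strconv.Atoi(f[2])
	if err != nil || port < 1 || port > 65535 {
		return Command{}, fmt.Errorf("%w: bad port %q", ErrMalformed, f[2])
	}
	args := make([]int, 0, 4)
	for _, s := range f[4:] {
		n, err := strconv.Atoi(s)
		if err != nil {
			return Command{}, fmt.Errorf("%w: bad numeric argument %q", ErrMalformed, s)
		}
		args = append(args, n)
	}
	return Command{Name: f[0], Host: f[1], Port: port, Path: f[3], Args: args}, nil
}

// recoverPanic runs parseUnchecked and returns the panic message (empty if none),
// so the crash can be demonstrated without killing the demo process.
func recoverPanic(line string) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	parseUnchecked(line)
	return ""
}

func main() {
	// The malformed line quoted in the article (space missing between host and port)
	// and a well-formed counterpart constructed for comparison.
	bad := "!bigdata www.bitcoin.com443 / 30 3 3 100"
	good := "!bigdata www.bitcoin.com 443 / 30 3 3 100"

	fmt.Println("unchecked parser on malformed line:", recoverPanic(bad))
	if _, err := parseChecked(bad); err != nil {
		fmt.Println("checked parser on malformed line:", err)
	}
	cmd, err := parseChecked(good)
	fmt.Printf("checked parser on well-formed line: %+v (err=%v)\n", cmd, err)
}
```

The checked parser is what a defender would expect from any network-facing command handler: reject input that does not match the expected shape and log it, rather than letting a panic take down the process. Seen from the other side, the same missing check is why a single mistyped operator command could stop the botnet's activity across every infected host at once.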

Detectable signs of KmsdBot virtually ceased entirely after the incident, Cashdollar told Dark Reading, although there were signs its presumably very embarrassed operators were trying to rebuild the botnet.

Last month, researchers at Netskope ran into a similar situation involving the notorious BlackCat ransomware group. An attacker who had breached a corporate network and begun deploying malware misspelled the name of the “wevtutil” command-line binary, effectively forgetting to clear system logs that allowed Netskope to gain an unusually detailed look into the tactics and methods used by the group.

Rather than relying on finger fumbles by attackers, Akamai recommends using public key authentication to protect SSH connections.—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] Want to go encrypted? Ask Tom for his Signal.
