A Syntax Error Led to Crashing of KmsdBot Cryptomining Botnet

The KmsdBot was known for targeting both Linux and Windows devices.

KmsdBot was a newly discovered cryptocurrency mining botnet that Akamai's researchers killed by accident while analysing it. According to the researchers, a syntax error in a command caused the botnet to stop sending commands, which effectively destroyed it.

What is KmsdBot?

Named by the Akamai Security Intelligence Response Team (SIRT) in November 2022, KmsdBot was a cryptomining botnet with command-and-control (C2) capability. It infected victims by brute-forcing SSH logins that used weak credentials.

The Akamai team analysed and reported on the botnet after one of its honeypots was infected. The botnet targeted both Linux and Windows devices across a range of CPU architectures, deploying mining software and enlisting the compromised hosts in its DDoS bot army. Its main targets included gaming and tech firms and luxury vehicle makers.


Incident Details

In a blog post, Larry W. Cashdollar, a researcher at Akamai, explained that commands sent to the botnet while his team studied how it operated in a controlled environment accidentally neutralised the malware.

After a single “improperly formatted command,” Cashdollar explains, the bot stopped sending any commands. This was possible because the malware's source code contained no internal error checking to validate incoming commands.

So any instruction sent without a space between the port and the target website caused the Go binary on the infected device to crash outright and stop communicating with its C2 server. That single crash killed the botnet.
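As an added illustration (not code from Akamai's write-up or from the malware itself), the Go snippet below contrasts a command parser that indexes the split fields without checking their count, and so panics when the space before the port is missing, with a hardened parser that validates its input and returns an error instead. The "<verb> <host> <port>" layout, the function names and the example.invalid host are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Command is the parsed "<verb> <host> <port>" command (assumed layout for this example).
type Command struct{ Verb, Host string; Port int }

// parseFragile mirrors the failure class in the article: a missing space before the
// port leaves only two fields, fields[2] is out of range, and the Go runtime panics.
func parseFragile(line string) Command {
	fields := strings.Fields(line)
	port, _ := strconv.Atoi(fields[2])
	return Command{Verb: fields[0], Host: fields[1], Port: port}
}

// parseChecked is the hardened form: it validates the field count and the
// port range and returns an error instead of taking the whole process down.
func parseChecked(line string) (Command, error) {
	fields := strings.Fields(line)
	if len(fields) != 3 {
		return Command{}, fmt.Errorf("expected 3 fields, got %d in %q", len(fields), line)
	}
	port, err := strconv.Atoi(fields[2])
	if err != nil || port < 1 || port > 65535 {
		return Command{}, fmt.Errorf("invalid port %q", fields[2])
	}
	return Command{Verb: fields[0], Host: fields[1], Port: port}, nil
}

// fragileCrashes reports whether parseFragile panics on line (the "binary crashes and goes silent" outcome).
func fragileCrashes(line string) (crashed bool) {
	defer func() {
		if recover() != nil {
			crashed = true
		}
	}()
	parseFragile(line)
	return false
}

func main() {
	// Constructed inputs; example.invalid is a placeholder host, not a real target.
	fmt.Println(fragileCrashes("start example.invalid 443"), fragileCrashes("start example.invalid:443")) // false true
	_, err := parseChecked("start example.invalid:443")
	fmt.Println(err) // rejected with an error; the process keeps running
}
```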

Since the botnet has no persistence mechanism, its operators will need to re-infect the devices and rebuild the entire infrastructure from scratch.

“This botnet has been going after some very large luxury brands and gaming companies, and yet, with one failed command it cannot continue. This is a strong example of the fickle nature of technology and how even the exploiter can be exploited by it,” Cashdollar explained.
