KmsdBot botnet crashes after operators make a typo
A syntax error in the KmsdBot botnet has caused it to stop sending commands, essentially killing the network.
Researchers at Akamai found that the botnet stopped sending attack commands last week, after a new update from its operators.
The team began analysing KmsdBot after it infected one of their honeypots.
KmsdBot is a cryptomining botnet that infects targets via SSH connections and weak login credentials. It can be used to carry out DDoS attacks, can target numerous architectures and remotely control machines, though it lacks the ability to remain persistent.
When Akamai's honeypot was infected, the botnet started targeting a firm that developed private Grand Theft Auto Online servers.
The majority of KmsdBot's targets, says Akamai, are associated with the tech, gaming, and luxury vehicle industries.
As a controlled test environment, Akamai configured its own customised version of KmsdBot aimed at an internal IP address to track the commands it was receiving from its C2 server.
At one point, researchers noticed that the malware had ceased sending attack commands, after receiving the following command from operators:
!bigdata www.bitcoin.com443 / 30 3 3 100
The command, which lacked a space between the URL and port number, was probably meant to launch DDoS attacks against Bitcoin[.]com by throwing data at it.
Due to the lack of error-checking in the code, the syntax error was enough to break the malware.
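To show the failure mode from the analyst's side, here is an added example (not Akamai's tooling and not KmsdBot's code) in the spirit of the command tracking described above: a checked parser that records observed `!bigdata` commands and flags malformed ones, beside a trusting parser that raises on the same line. The layout `host port path` followed by numeric parameters is assumed from the single observed command; the meaning of the trailing numbers is not given on the page, and `www.example.com` is a constructed well-formed host.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hostname: dot-separated labels ending in an alphabetic TLD, so a port
# fused onto the name ("www.bitcoin.com443") is rejected.
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


@dataclass
class BigdataCommand:
    host: str
    port: int
    path: str
    params: List[int] = field(default_factory=list)  # trailing numbers; meaning assumed unknown


def naive_parse(line: str) -> BigdataCommand:
    """A parser with no error checking: every str->int conversion is trusted.
    On the observed line the port slot holds "/", so int() raises and a
    caller that does not catch it dies with the exception."""
    _, host, port, path, *rest = line.split()
    return BigdataCommand(host, int(port), path, [int(x) for x in rest])


def checked_parse(line: str) -> Tuple[Optional[BigdataCommand], Optional[str]]:
    """Validate each field; return (command, None) or (None, reason)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "!bigdata":
        return None, "not a bigdata command"
    host, port, path, *rest = tokens[1:]
    if not HOST_RE.match(host):
        return None, f"bad host {host!r} (port fused onto hostname?)"
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        return None, f"bad port {port!r}"
    if not path.startswith("/"):
        return None, f"bad path {path!r}"
    if not all(x.isdigit() for x in rest):
        return None, f"non-numeric parameter in {rest!r}"
    return BigdataCommand(host, int(port), path, [int(x) for x in rest]), None


if __name__ == "__main__":
    # The command observed by the researchers, as quoted above.
    observed = "!bigdata www.bitcoin.com443 / 30 3 3 100"
    print(checked_parse(observed))  # (None, "bad host 'www.bitcoin.com443' ...")
    try:
        naive_parse(observed)
    except ValueError as exc:
        print("naive parser crashed:", exc)
```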
Larry Cashdollar (yes, that is his real name), Senior Security Response Engineer at Akamai, said almost all KmsdBot activity they were tracking has ceased.
However, it is important to be vigilant and follow good security procedures, as botnet operators will probably try to reinfect systems in coming days.
"It's not often we get this kind of story in security. In our world of zero-days and burnout, seeing a threat that can be mitigated with the coding equivalent of a typo is a nice story.
"This botnet has been going after some very large luxury brands and gaming companies, and yet, with one failed command it cannot continue. This is a strong example of the fickle nature of technology and how even the exploiter can be exploited by it."