This article is more than 1 year old
KmsdBot botnet is down after operator sends typo in command
Cashdollar: 'It’s not often we get this kind of story in security'
Somewhere out there, a botnet operator is kicking themselves and probably hoping no one noticed the typo they transmitted in a command that crashed their whole operation.
Unfortunately for the typographically-challenged botnetter, it happened on the internet, so someone knows: Akamai, in this case, had been watching for some time.
Even worse for the operator(s), their Golang-coded KmsdBot lacked persistence, meaning the whole botnet is toast thanks to the apparent decision to forgo error handling.
"It's not every day you come across a botnet that the threat actors themselves crash [through] their own handiwork," said Akamai vulnerability researcher Larry Cashdollar.
- Google wins lawsuit against alleged Russian botnet herders
- Notorious Emotet botnet returns after a few months off
- FBI: Russian hacktivists achieve only 'limited' DDoS success
- Akamai: We stopped record DDoS attack in Europe
Security researchers at the content delivery network first spotted KmsdBot earlier this month, noting that it was dangerous in part because it used SSH connections with weak login credentials to infect targets. According to Akamai, the botnet was able to mine cryptocurrencies, but had also been used to launch DDoS attacks, with most of its targets associated with the gaming, tech and luxury automotive sectors.
How to crash your own botnet
Akamai set up its own modified version of KmsdBot pointed at an internal IP address to use as a controlled test environment to monitor what commands it was receiving from its C2 server.
"During the testing, we noticed the botnet stopped sending attack commands after observing a single malformed command," Cashdollar said.
!bigdata www.bitcoin.com443 / 30 3 3 100
The command was likely intended to DDoS Bitcoin.com by tossing junk data at it, but check out that lack of space between the URL and port number. Oops. Most sophisticated software would know how to handle that, but not so for KmsdBot.
After reconstructing the command and tossing it at their internal KmsdBot, the Akamai researchers noticed that lack of space between URL and port number caused the Go binary to crash, throwing up an "index out of range" error because the wrong number of arguments were supplied.
The command "likely crashed all the botnet code that was running on infected machines and talking to the C2," Cashdollar said. "In our world of zero-days and burnout, seeing a threat that can be mitigated with the coding equivalent of a typo is a nice story." ®