A threat actor irretrievably destroyed its own botnet with nothing more than a typo.
Cybersecurity firm Akamai spotted the blunder in KmsdBot, a cryptomining botnet that also had distributed denial of service (DDoS) capabilities, before recently crashing and reporting an “index out of range” error.
Akamai’s researchers were monitoring the botnet while an attack on a crypto-focused website was taking place. At that very moment, the threat actor “forgot” to put a space between an IP address and a port in a command, and sent out the command to every working instance of KmsdBot. That resulted in most of them crashing, and given the botnet’s nature, staying down.
No persistence botnet
The botnet is written in Golang and has no persistence, so the only way to get it up and running again would be to infect all of the machines that comprised the botnet all over again.
Speaking to DarkReading, Akamai’s principal security intelligence response engineer, Larry Cashdollar, said almost all KmsdBot activity tracked by the company stopped, but added that the threat actors might try to reinfect the endpoints again. Reporting on the news, Ars Technica added that the best way to defend against KmsdBot is to use public key authentication for secure shell connections, or at least to improve login credentials.
According to Akamai, the botnet’s default target is a company that builds private Grand Theft Auto online servers, and while it is capable of mining cryptocurrencies for the attackers, this feature was not running during investigation. Instead, it was the DDoS activity that was running. In other instances, it targeted security companies and luxury car brands.
The company first spotted the botnet in November this year, while it was brute-forcing systems with weak SSH credentials.