"Researchers Accidentally Crash Cryptomining Botnet"

Security researchers at Akamai, analyzing a prolific botnet, recently managed to accidentally kill it due to the coding equivalent of a typing error. The researchers detected the "KmsdBot" last month. The Golang-based bot is designed to conscript machines via SSH and weak credentials and has the functionality to launch DDoS and cryptomining campaigns. KmsdBot is targeting the gaming, technology, and luxury car industries, among others. The researchers decided to test some of the botnet's command and control (C2) functionality as part of their research, so they set up a controlled environment by modifying a recent sample of KmsdBot to talk to an IP address in RFC 1918 address space. This gave the researchers a controlled environment to experiment in, and, as a result, they were able to send the bot their own commands to test its functionality and attack signatures. The researchers noted that, interestingly, after a single improperly formatted command, the bot stopped sending commands. The command in question was simply missing a space between the target website and the port, but that was enough to bring the entire bot crashing down. The researchers stated that this is because, unfortunately for the bot herders, KmsdBot did not have error-checking built into its code to verify that commands are properly formatted. Because of this, an improperly formatted command causes the Go binary to crash with a stack trace reporting an "index out of range" error, since the wrong number of arguments was supplied. The researchers noted that this malformed command likely crashed all the botnet code that was running on infected machines and talking to the C2, essentially killing the botnet. The researchers also stated that the bot had no ability to maintain persistence on an infected machine, so the group behind it will effectively have to start from scratch by reinfecting machines.
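The parsing defect described above, as an added Go example that is not code from KmsdBot or from Akamai's analysis: a naive "host port" parser that indexes the split result without checking it, beside a version that validates the field count and port before indexing. The hostnames and ports are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// parseNaive mirrors the defect described above: it indexes the split
// result without checking the field count, so "example.test443" (no space)
// yields one field and fields[1] panics with "index out of range".
func parseNaive(cmd string) (host string, port int) {
	fields := strings.Fields(cmd)
	port, _ = strconv.Atoi(fields[1])
	return fields[0], port
}

var errMalformed = errors.New("malformed command, expected '<host> <port>'")

// parseChecked validates the field count and the port before indexing,
// so a malformed line becomes an error the caller can log and skip.
func parseChecked(cmd string) (host string, port int, err error) {
	fields := strings.Fields(cmd)
	if len(fields) != 2 {
		return "", 0, fmt.Errorf("%w: got %d field(s)", errMalformed, len(fields))
	}
	port, err = strconv.Atoi(fields[1])
	if err != nil || port < 1 || port > 65535 {
		return "", 0, fmt.Errorf("%w: bad port %q", errMalformed, fields[1])
	}
	return fields[0], port, nil
}

// naivePanics reports whether parseNaive panics on cmd, using recover
// so the crash can be observed without bringing the process down.
func naivePanics(cmd string) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	parseNaive(cmd)
	return false
}

func main() {
	// Constructed samples: one well-formed command and one missing the space.
	for _, cmd := range []string{"example.test 443", "example.test443"} {
		h, p, err := parseChecked(cmd)
		fmt.Printf("%q -> checked: %s %d %v | naive panics: %v\n", cmd, h, p, err, naivePanics(cmd))
	}
}
```

An unrecovered panic in Go terminates the whole process, which is why one bad line from the C2 was enough to take every running bot down; the checked parser turns the same input into an ordinary error.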


Infosecurity reports: "Researchers Accidentally Crash Cryptomining Botnet"
