Malware Authors Inadvertently Take Down Own Botnet

A single improperly formatted command has effectively killed KmsdBot botnet, security vendor says.

3 Min Read
Network of blue platforms in the dark with bots on top botnet cybersecurity concept 3D illustration
Source: BeeBright via Shutterstock

It's not often that malware authors go through the effort of creating a malicious tool for assembling a botnet, only to then find a way to effectively sabotage it themselves.

But that appears to be precisely the case with "KmsdBot," a distributed denial-of-service (DDoS) and cryptomining botnet that researchers from Akamai found infecting systems across multiple industries last month. Now, it has since gone largely silent because of a single improperly formatted command on the part of its author.

A Versatile Threat

The malware, written in the Go programming language, infects systems via an SSH connection with weak credentials and uses UDP, TCP, and HTTP POST and GET commands in DDoS attacks. Kaspersky found the malware is designed to target multiple architectures such as Windows, Arm64, and mips64 systems. Among those the malware has affected are luxury car makers, gaming companies, and IT firms.

In all the attacks that Akamai observed, the threat actors used KmsdBot to execute DDoS attacks, though the malware also contains cryptomining functionality.

Following Akamai's initial disclosure in November, researchers from the company continued to monitor and analyze the threat. As part of the exercise, they modified a recent sample of KmsdBot and decided to test various scenarios related to the malware's command and control (C2) functionality.

The Akamai researchers found the spot in the malware's code that contained the IP address and port for KmsdBot's C2 server and modified it, so the address pointed to Akamai's IP space. The goal was to have a controlled environment from where the researchers could send their own commands to the bot sample to see how it worked.

A Fatal Oopsie

During the testing, the Akamai researchers discovered the bot suddenly stopped working after receiving a command to send a bunch of junk data to, in an apparent bid to DDoS the website.

A closer look showed the command to be malformed. "The guys running the botnet crashed it by accident," Larry Cashdollar, principal security intelligence response engineer at Akamai, tells Dark Reading. "They sent in a command that was missing a space between the target URL and port number."

The bot does not contain any error-checking functionality to verify if the commands it receives are properly formatted, Cashdollar says. As a result, the Go binary crashes with an "index out of range" error message.

He also says that Akamai was able to replicate the issue by sending the bot it had modified an improperly formatted command of its own. 

"This malformed command likely crashed all the botnet code that was running on infected machines and talking to the C2 — essentially, killing the botnet," Akamai noted in its update on the malware this week.

Importantly, the bot does not support any persistence mechanism. So, the only way for the malware authors to rebuild the KmsdBot botnet is to reinfect systems from scratch.

Cashdollar says almost all of the KmsdBot-related activity that Akamai was tracking over the past several weeks has ceased. But there are signs that the threat actors have begun attempting to infect systems again, he notes.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights