An actor destroyed his bot beyond repair with nothing more than a typo.
Cybersecurity firm Akamai spotted the critical bug in KmsdBot, a crypto botnet that also distributed denial-of-service (DDoS) (Opens in a new tab)), before crashing recently and reporting an “out of range” error.
Akamai researchers were monitoring a botnet while an attack was taking place on a website that focused on cryptography. At that very moment, the threat actor “forgot” to put a space between the IP address and port in the command, and sent the command to every working instance of KmsdBot. This results in most of them crashing, and given the nature of the robots, they stay down.
There is no continuous botnet
The botnet is written in Golang and has no immutability, so the only way to get it back up and running again is to infect all the devices that made up the botnet again.
Talking to dark readingNearly all of the company’s tracked KmsdBot activity has stopped, said Larry Cashdollar, principal security intelligence response engineer at Akamai, but added that threat actors may attempt to re-infect the endpoints. (Opens in a new tab) repeatedly. report the news, Ars Technica He added that the best defense against KmsdBot is to use public key authentication for secure shell connections, or at least to improve login credentials.
According to Akamai, the botnet’s default target is a company that builds private online servers for Grand Theft Auto, and while it could mine attackers’ cryptocurrency, this feature was not working during the investigation. Instead, DDoS activity was in play. In other cases, it has targeted security companies and luxury car brands.
The company first detected the botnet in November of this year, while brute force systems with weak SSH credentials.