KmsdBot, a cryptomining botnet that could also be used for denial-of-service (DDOS) attacks, broke into systems through weak secure shell credentials. It could remotely control a system, it was hard to reverse-engineer, didn’t stay persistent, and could target multiple architectures. KmsdBot was a complex malware with no easy fix.
That was the case until : forgetting to put a space between an IP address and a port in a command. And it came from whoever was controlling the botnet.
With no error-checking built in, sending KmsdBot a malformed command—like its controllers did one day while Akamai was watching—created a panic crash with an “index out of range” error. Because there’s no persistence, the bot stays down, and malicious agents would need to reinfect a machine and rebuild the bot’s functions. It is, as Akamai notes, “a nice story” and “a strong example of the fickle nature of technology.”
KmsdBot is an intriguing modern malware. It’s written in Golang, partly because . When , it defaulted to targeting a company that created private Grand Theft Auto Online servers. It has a cryptomining ability, though it was latent while the DDOS activity was running. At times, it wanted to attack other security companies or luxury car brands.
Researchers at Akamai were taking apart KmsdBot and feeding it commands via when they discovered that it had stopped sending attack commands. That’s when they noticed that an attack on a crypto-focused website was missing a space. Assuming that command went out to every working instance of KmsdBot, most of them crashed and stayed down. Feeding KmsdBot an intentionally bad request would halt it on a local system, allowing for easier recovery and removal.
Larry Cashdollar, principal security intelligence response engineer at Akamai, told DarkReading that , though the authors may be trying to reinfect systems again. Using public key authentication for secure shell connections, or at a minimum improving login credentials, is the best defense in the first place, however.