Security researchers analyzing a prolific botnet managed to accidentally kill it due to the coding equivalent of a typing error, according to Akamai.
The cloud security firm detected the “KmsdBot” last month. The Golang-based bot is designed to conscript machines via SSH and weak credentials, and has the functionality to launch DDoS and cryptomining campaigns – targeting the gaming, technology and luxury car industries, among others.
Akamai decided to test some of the botnet’s command and control (C2) functionality as part of its research, so it set up a controlled environment by modifying a recent sample of KmsdBot to talk to an IP address in RFC 1918 address space.
“This allowed us to have a controlled environment to play around in – and, as a result, we were able to send the bot our own commands to test its functionality and attack signatures,” explained Akamai principal security intelligence response engineer, Larry Cashdollar.
“Interestingly, after one single improperly formatted command, the bot stopped sending commands.”
The command in question was simply missing a space between the target website and the port, but it was enough to bring the entire bot crashing down.
That’s because, unfortunately for the bot herders, KmsdBot didn’t have error-checking built into its code to verify that commands are properly formatted.
“Because of this, an improperly formatted command will cause the Go binary to crash with a stack trace stating an ‘index out of range’ error. This is because the wrong number of arguments were supplied,” explained Cashdollar.
“This malformed command likely crashed all the botnet code that was running on infected machines and talking to the C2 – essentially, killing the botnet.”
Even better for the Akamai team is the fact that the bot also didn’t have any ability to maintain persistence on an infected machine, so the group behind it will effectively now have to start from scratch by reinfecting machines.
“It’s not often we get this kind of story in security. In our world of zero days and burnout, seeing a threat that can be mitigated with the coding equivalent of a typo is a nice story,” Cashdollar concluded.
“This botnet has been going after some very large luxury brands and gaming companies, and yet, with one failed command it cannot continue.”