This dangerous botnet might have been taken down by a simple typo
Proofread your virus infections, folks
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
A threat actor irretrievably destroyed its own botnet with nothing more than a typo.
Cybersecurity firm Akamai spotted the blunder in KmsdBot, a cryptomining botnet that also had distributed denial of service (DDoS) capabilities, before recently crashing and reporting an “index out of range” error.
Akamai’s researchers were monitoring the botnet while an attack on a crypto-focused website was taking place. At that very moment, the threat actor “forgot” to put a space between an IP address and a port in a command, and sent out the command to every working instance of KmsdBot. That resulted in most of them crashing, and given the botnet’s nature, staying down.
No persistence botnet
The botnet is written in Golang and has no persistence, so the only way to get it up and running again would be to infect all of the machines that comprised the botnet all over again.
Speaking toDarkReading, Akamai’s principal security intelligence response engineer, Larry Cashdollar, said almost all KmsdBot activity tracked by the company stopped, but added that the threat actors might try to reinfect theendpointsagain. Reporting on the news,Ars Technicaadded that the best way to defend against KmsdBot is to use public key authentication for secure shell connections, or at least to improve login credentials.
This is the most powerful botnet ever seen>A fearsome new botnet is rapidly gaining momentum>Check out the best firewalls around
According to Akamai, the botnet’s default target is a company that builds privateGrand Theft Autoonline servers, and while it is capable of mining cryptocurrencies for the attackers, this feature was not running during investigation. Instead, it was the DDoS activity that was running. In other instances, it targeted security companies and luxury car brands.
The company first spotted the botnet in November this year, while it was brute-forcing systems with weak SSH credentials.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Cisco issues patch to fix serious flaw allowing possible industrial systems takeover
Washington state court systems taken offline following cyberattack
Your doctor may have an AI assistant taking notes during your next Zoom call
