Faulty botnet malware can be disabled 

B2B Cyber ​​Security ShortNews

Share post

Akamai researchers have investigated a crypto-mining botnet using its KmsdBot malware. The researchers accidentally caused the botnet to crash in a protected environment. Since the malware was programmed incorrectly, a command missing a space was enough to crash the botnet.

Earlier this month, Akamai Security Research published a blog post about KmsdBot, a cryptomining botnet that infects victims via SSH and weak credentials. After the malware infected an Akamai honeypot, the botnet was immediately analyzed and reported on in a post.

Botnet crash due to missing space

Akamai's experts continued to monitor the botnet and rendered it unusable by sending a few commands. The deadliest element of any malicious entity is the ability to gain command and control (C2). Since KmsdBot had C2 functionality, the experts wanted to test different related scenarios. Part of this testing consisted of modifying a recent example of KmsdBot to communicate with an IP address in the RFC 1918 address space.

This allowed the experts to play around in a controlled environment - and as a result, they were able to send their own commands to the bot on the test machine to test its functionality and attack signatures. Interestingly, after a single malformed command, the bot stopped sending commands. That prompts follow-up investigations. It's not every day you come across a botnet where the threat actors crash their own work. Interesting: A crashed bot no longer works. The system must first be reinfected in order to make it usable for the botnet again.

Poor programming of the malware

The experts found out as described in their blog post that a miscoded command line to the C2 crashed the network. The bot doesn't have any error checking built into its code to verify that the commands are formatted correctly. Therefore, a command with a missing space was enough to cause the crash. The complete technical description can be found in the blog post.

This botnet targets some very large luxury brands and gaming companies, and yet it cannot continue with one failed command.

More at Akamai.com

 


About Akamai

Akamai empowers and protects digital life. Leading companies around the world trust Akamai to build, deliver, and protect their digital experiences. In this way, we support billions of people every day in their everyday lives, at work and in their free time. Using the most distributed computing platform - from the cloud to the edge - we enable our customers to develop and run applications.


 

Matching articles on the topic

Report: 40 percent more phishing worldwide

The current spam and phishing report from Kaspersky for 2023 speaks for itself: users in Germany are after ➡ Read more

BSI sets minimum standards for web browsers

The BSI has revised the minimum standard for web browsers for administration and published version 3.0. You can remember that ➡ Read more

Stealth malware targets European companies

Hackers are attacking many companies across Europe with stealth malware. ESET researchers have reported a dramatic increase in so-called AceCryptor attacks via ➡ Read more

IT security: Basis for LockBit 4.0 defused

Trend Micro, working with the UK's National Crime Agency (NCA), analyzed the unpublished version that was in development ➡ Read more

MDR and XDR via Google Workspace

Whether in a cafe, airport terminal or home office – employees work in many places. However, this development also brings challenges ➡ Read more

Test: Security software for endpoints and individual PCs

The latest test results from the AV-TEST laboratory show very good performance of 16 established protection solutions for Windows ➡ Read more

FBI: Internet Crime Report counts $12,5 billion in damage 

The FBI's Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report, which includes information from over 880.000 ➡ Read more

HeadCrab 2.0 discovered

The HeadCrab campaign against Redis servers, which has been active since 2021, continues to successfully infect targets with the new version. The criminals' mini-blog ➡ Read more