A command typo might have dismantled most of an advanced malware's network.

syntax errors are the doom of us all, including botnet authors

If you’re going to come at port 443, you best not miss (or forget to put a space between URL and port). Credit: Getty Images

KmsdBot, a cryptomining botnet that could also be used for distributed denial-of-service (DDoS) attacks, broke into systems through weak secure shell credentials. It could remotely control a system, it was hard to reverse-engineer, didn’t stay persistent, and could target multiple architectures. KmsdBot was a complex malware with no easy fix.

That was the case until researchers at Akamai Security Research witnessed a novel solution: forgetting to put a space between an IP address and a port in a command. And it came from whoever was controlling the botnet.

With no error-checking built in, sending KmsdBot a malformed command—like its controllers did one day while Akamai was watching—created a panic crash with an “index out of range” error. Because there’s no persistence, the bot stays down, and malicious agents would need to reinfect a machine and rebuild the bot’s functions. It is, as Akamai notes, “a nice story” and “a strong example of the fickle nature of technology.”

KmsdBot is an intriguing modern malware. It’s written in Golang, partly because Golang is difficult to reverse engineer. When Akamai’s honeypot caught the malware, it defaulted to targeting a company that created private Grand Theft Auto Online servers. It has a cryptomining ability, though it was latent while the DDoS activity was running. At times, it wanted to attack other security companies or luxury car brands.

Researchers at Akamai were taking apart KmsdBot and feeding it commands via netcat when they discovered that it had stopped sending attack commands. That’s when they noticed that an attack on a crypto-focused website was missing a space. Assuming that command went out to every working instance of KmsdBot, most of them crashed and stayed down. Feeding KmsdBot an intentionally bad request would halt it on a local system, allowing for easier recovery and removal.
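The failure described above (a control message missing its space, an unchecked index, a Go runtime panic) is easy to reproduce in miniature. The program below is an added illustration, not KmsdBot’s code or Akamai’s analysis; it assumes a hypothetical space-separated “verb host port” message format purely for demonstration. The unchecked parser indexes split fields without testing how many there are, so the malformed message panics with “index out of range”; the checked parser shows the input validation that would have turned the same message into an error instead of a crash.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Command is the parsed form of a hypothetical "<verb> <host> <port>"
// control message. The format is assumed for illustration only.
type Command struct {
	Verb string
	Host string
	Port int
}

// parseUnchecked mirrors the failure mode in the article: it indexes the
// split fields without checking the count. A message missing the space
// between host and port yields two fields, so fields[2] panics with
// "index out of range".
func parseUnchecked(msg string) Command {
	fields := strings.Fields(msg)
	port, _ := strconv.Atoi(fields[2]) // panics when len(fields) < 3
	return Command{Verb: fields[0], Host: fields[1], Port: port}
}

// parseChecked is the hardened form: it validates the field count and the
// port value and returns an error rather than panicking.
func parseChecked(msg string) (Command, error) {
	fields := strings.Fields(msg)
	if len(fields) != 3 {
		return Command{}, fmt.Errorf("expected 3 fields, got %d", len(fields))
	}
	port, err := strconv.Atoi(fields[2])
	if err != nil || port < 1 || port > 65535 {
		return Command{}, errors.New("invalid port")
	}
	return Command{Verb: fields[0], Host: fields[1], Port: port}, nil
}

// tryUnchecked runs parseUnchecked and recovers any panic so the caller can
// observe it. Without the recover, the process would simply terminate,
// which is what happened to the bot instances.
func tryUnchecked(msg string) (cmd Command, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	return parseUnchecked(msg), false
}

func main() {
	good := "attack 192.0.2.10 443" // constructed sample: well-formed
	bad := "attack 192.0.2.10443"   // constructed sample: missing space
	for _, m := range []string{good, bad} {
		if _, p := tryUnchecked(m); p {
			fmt.Printf("unchecked parser: %q -> panic (index out of range)\n", m)
		} else {
			fmt.Printf("unchecked parser: %q -> ok\n", m)
		}
		if _, err := parseChecked(m); err != nil {
			fmt.Printf("checked parser:   %q -> rejected: %v\n", m, err)
		} else {
			fmt.Printf("checked parser:   %q -> ok\n", m)
		}
	}
}
```

Run it with `go run` and the well-formed message passes both parsers while the malformed one panics in the unchecked parser and is rejected with a field-count error by the checked one. The point for defenders is the same one Akamai drew: code that trusts its input to be well-formed dies on the first malformed message, whether that input comes from an operator’s typo or from a local responder deliberately feeding it garbage.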

Larry Cashdollar, principal security intelligence response engineer at Akamai, told DarkReading that almost all KmsdBot activity his firm was tracking has ceased, though the authors may be trying to reinfect systems again. The best defense, however, is to keep the bot out in the first place: use public key authentication for secure shell connections, or at a minimum improve login credentials.
