Updated on 2022-12-01: KmsdBot goes down
Akamai researchers said they found a bug in the C&C communication system used by the KmsdBot cryptomining botnet that allowed them to crash the malware on all infected systems worldwide. Read more: Accidentally Crashing a Botnet
Updated on 2022-11-30: Akamai Researchers Inadvertently Crash Botnet
While monitoring the KmsdBot cryptomining botnet, Akamai researchers accidentally discovered its Achilles heel. The researchers write that they “modif[ied] a recent sample of KmsdBot to talk to an IP address in RFC 1918 address space. This allowed us to have a controlled environment to play around in — and, as a result, we were able to send the bot our own commands to test its functionality and attack signatures.” A simple syntax error cause the botnet to crash.
Note
- This botnet operates on Windows and Linux systems, and is targeted towards gaming firms, technology companies, and luxury car manufacturers. Systems are infected using SSH to account with default or weak connections. As it’s not persistent, a crash or other interruption to the process means that nodes have to be re-acquired. While the crash resulted because of a lack of error handling, don’t assume malware operators aren’t including error handling, most do. Making sure that default passwords are changed, and passwords, where they remain, are sufficiently strong, has to be SOP. Make sure that you’re checking for re-introduction of these after updates or upgrades.
Read more in
- Accidentally Crashing a Botnet
- Researchers ‘Accidentally’ Crash KmsdBot Cryptocurrency Mining Botnet Network
- A syntax error took down the KmsdBot cryptomining botnet, effectively killing it
- Cybersecurity researchers take down DDoS botnet by accident
Updated on 2022-11-29
Akamai researchers accidentally took down the KmsdBot cryptomining botnet that was used for DDoS attacks. Read more: Accidentally Crashing a Botnet
Overview
Akamai’s security team said it discovered a new botnet named KmsdBot. The company said this new botnet is written in the Go programming language, spreads by targeting systems that use weak SSH login credentials, and currently focuses on mining the Monero cryptocurrency. Read more: KmsdBot: The Attack and Mine Malware