Malware Authors Inadvertently Take Down Own Botnet

Published: 23/11/2024   Category: security

A single improperly formatted command has effectively killed KmsdBot botnet, security vendor says.



It's not often that malware authors go through the effort of creating a malicious tool for assembling a botnet, only to then find a way to effectively sabotage it themselves.
But that appears to be precisely the case with KmsdBot, a distributed denial-of-service (DDoS) and cryptomining botnet that researchers from Akamai found infecting systems across multiple industries last month. It has since gone largely silent because of a single improperly formatted command on the part of its author.
The malware, written in the Go programming language, infects systems over SSH connections that use weak credentials and launches UDP, TCP, and HTTP POST and GET floods in its DDoS attacks. Akamai found the malware is built for multiple platforms and architectures, including Windows, Arm64, and mips64 systems. Among those the malware has affected are luxury car makers, gaming companies, and IT firms.
In all the attacks that Akamai observed, the threat actors used KmsdBot to execute DDoS attacks, though the malware also contains cryptomining functionality.
Following Akamai's initial disclosure in November, researchers from the company continued to monitor and analyze the threat. As part of the exercise, they modified a recent sample of KmsdBot and decided to test various scenarios related to the malware's command-and-control (C2) functionality.
The Akamai researchers found the spot in the malware's code that contained the IP address and port for KmsdBot's C2 server and modified it so the address pointed to Akamai's IP space. The goal was to have a controlled environment from which the researchers could send their own commands to the bot sample to see how it worked.
During the testing, the Akamai researchers discovered the bot suddenly stopped working after receiving a command to send a bunch of junk data to bitcoin.com, in an apparent bid to DDoS the website.
A closer look showed the command to be malformed. "The guys running the botnet crashed it by accident," Larry Cashdollar, principal security intelligence response engineer at Akamai, tells Dark Reading. "They sent in a command that was missing a space between the target URL and port number."
The bot does not contain any error-checking functionality to verify that the commands it receives are properly formatted, Cashdollar says. As a result, the Go binary crashes with an "index out of range" error message.
He also says that Akamai was able to replicate the issue by sending the bot it had modified an improperly formatted command of its own.
"This malformed command likely crashed all the botnet code that was running on infected machines and talking to the C2 — essentially, killing the botnet," Akamai noted in its update on the malware this week.
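The failure mode Cashdollar describes is a generic Go pitfall: split a command on whitespace, index the resulting slice without checking its length, and a single missing space turns into a runtime panic that takes the whole process down. The following Go program is an added illustration written for this page, not KmsdBot's own code; the command layout `<attack-type> <target> <port>` and the two sample commands are assumptions constructed for the example, since the page does not publish the real command format. It shows the unchecked parser panicking on the malformed command and a hardened parser rejecting it instead.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample C2 commands. The "<attack-type> <target> <port>" shape is
// an assumption for this example, not KmsdBot's documented format.
const (
	wellFormedCmd = "tcp bitcoin.com 443"
	malformedCmd  = "tcp bitcoin.com443" // missing the space between target and port
)

// parseCommandUnchecked mirrors the behaviour the article describes: the bot
// splits the command on whitespace and indexes the fields directly, with no
// check that enough fields are present. For the malformed command fields has
// length 2, so fields[2] panics with "index out of range"; in a binary with no
// recover(), that panic terminates the process.
func parseCommandUnchecked(cmd string) (kind, target string, port int) {
	fields := strings.Fields(cmd)
	kind = fields[0]
	target = fields[1]
	port, _ = strconv.Atoi(fields[2]) // panics when the port was glued onto the target
	return kind, target, port
}

// parseCommandChecked is the hardened form: it validates the field count and
// the port value and returns an error instead of panicking, so a bad command is
// dropped and the process keeps running.
func parseCommandChecked(cmd string) (kind, target string, port int, err error) {
	fields := strings.Fields(cmd)
	if len(fields) != 3 {
		return "", "", 0, fmt.Errorf("expected 3 fields, got %d in %q", len(fields), cmd)
	}
	port, err = strconv.Atoi(fields[2])
	if err != nil || port < 1 || port > 65535 {
		return "", "", 0, errors.New("invalid port: " + fields[2])
	}
	return fields[0], fields[1], port, nil
}

// survivesUnchecked runs parseCommandUnchecked under a recover() so the example
// itself does not die; it reports whether the call completed and, if not, the
// panic message Go produced.
func survivesUnchecked(cmd string) (survived bool, panicMsg string) {
	defer func() {
		if r := recover(); r != nil {
			survived = false
			panicMsg = fmt.Sprint(r)
		}
	}()
	parseCommandUnchecked(cmd)
	return true, ""
}

func main() {
	for _, cmd := range []string{wellFormedCmd, malformedCmd} {
		ok, msg := survivesUnchecked(cmd)
		fmt.Printf("unchecked %-22q survived=%-5v %s\n", cmd, ok, msg)
		if _, _, _, err := parseCommandChecked(cmd); err != nil {
			fmt.Printf("checked   %-22q rejected: %v\n", cmd, err)
		} else {
			fmt.Printf("checked   %-22q accepted\n", cmd)
		}
	}
}
```

Run it and the unchecked path reports a recovered "runtime error: index out of range" for the malformed command while the checked path simply rejects it. The design point for defenders is the mirror image of the one for the botnet's operators: a C2 handler that panics on untrusted input is a single point of failure, which is exactly why the malformed command was fatal to every infected host talking to the server.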
Importantly, the bot does not support any persistence mechanism. So, the only way for the malware authors to rebuild the KmsdBot botnet is to reinfect systems from scratch.
Cashdollar says almost all of the KmsdBot-related activity that Akamai was tracking over the past several weeks has ceased. But there are signs that the threat actors have begun attempting to infect systems again, he notes.





