Akamai on Wednesday reported that in some continued research its team did on the KmsdBot, a syntax error caused the bot to stop sending commands, effectively killing the botnet.
The Akamai researchers had earlier released a blog post about the KmsdBot, a cryptomining botnet with command-and-control capabilities that infected victims via SSH and weak credentials. The Akamai team had analyzed and reported on KmsdBot after it infected one of its honeypots.
“It’s not often we get this kind of story in security,” said the researchers. “In our world of zero-days and burnout, seeing a threat that can be mitigated with the coding equivalent of a typo is a nice story.”
In many cases malware, especially the ones that don’t pose a real danger like miners, are distributed as skidware by non-professional software engineers who are mostly using already existing code, explained Mark Vaitzman, threat lab team leader at Deep Instinct.
Vaitzman added that the XMRig open-source project often gets used for miners. And he cited Venus ransomware as another example.
“I am not sure if KmsdBot is operated by script kiddies or not, but lack of input checking and lack of exception handling resulting in crashes can be found in malware when investigating it in detail and testing unexpected input,” Vaitzman said. “Bugs in malware are pretty common if you get deep into the code. In fact, some time ago I found a bug in an exfiltration tool used by the BlackCat ransom gang, resulting a logical error in the code and a failure of exfiltration of all the required data.ew