KmsdBot botnet is down after operator sends typo in command
2022-12-06 13:30

A botnet operator is kicking themselves and probably hoping no one noticed the typo they transmitted in a command that crashed their whole operation.

Even worse for the operator(s), their Golang-coded KmsdBot lacked persistence, meaning the whole botnet is toast thanks to the apparent decision to forgo error handling.

Akamai set up its own modified version of KmsdBot, pointed at an internal IP address, as a controlled test environment for monitoring the commands it received from its C2 server.

"During the testing, we noticed the botnet stopped sending attack commands after observing a single malformed command," Cashdollar said.

After reconstructing the command and tossing it at their internal KmsdBot, the Akamai researchers noticed that the lack of a space between the URL and the port number caused the Go binary to crash, throwing up an "Index out of range" error because the wrong number of arguments was supplied.

The command "likely crashed all the botnet code that was running on infected machines and talking to the C2," Cashdollar said.
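
The bug class behind the crash described above, as an added Go example that is not KmsdBot's code and not from the article: a parser that indexes whitespace-split fields without checking their count panics when two fields fuse, while a length check turns the same input into an ordinary error. The `fetch <host> <port>` line format, the function names and the sample inputs are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Target is the parsed form of a constructed "<verb> <host> <port>" line.
type Target struct {
	Host string
	Port int
}

// parseUnchecked indexes the fields without checking how many were supplied.
func parseUnchecked(line string) Target {
	fields := strings.Fields(line)
	port, _ := strconv.Atoi(fields[2]) // panics when only 2 fields exist
	return Target{Host: fields[1], Port: port}
}

// parseChecked validates the field count and the port before using either.
func parseChecked(line string) (Target, error) {
	fields := strings.Fields(line)
	if len(fields) != 3 {
		return Target{}, fmt.Errorf("want 3 fields, got %d", len(fields))
	}
	port, err := strconv.Atoi(fields[2])
	if err != nil || port < 1 || port > 65535 {
		return Target{}, fmt.Errorf("invalid port %q", fields[2])
	}
	return Target{Host: fields[1], Port: port}, nil
}

// crashes reports whether parseUnchecked panics on line (recovered for the demo).
func crashes(line string) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	parseUnchecked(line)
	return false
}

func main() {
	// Constructed inputs: the second has no space between host and port.
	for _, line := range []string{"fetch example.com 443", "fetch example.com443"} {
		_, err := parseChecked(line)
		fmt.Printf("%q unchecked panics=%v checked err=%v\n", line, crashes(line), err)
	}
}
```

Without the `recover` used here for demonstration, the unchecked path terminates the whole process, which is why a single malformed line is enough to stop a program that has no restart mechanism.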


News URL

https://go.theregister.com/feed/www.theregister.com/2022/12/06/botnet_kmsdbot_typo_code/