The incident occurred while Akamai researchers were testing a botnet built on the KmsdBot malware. While exploring the botnet's capabilities, they accidentally sent the bots a command containing a syntax error, which shut the botnet down.
The botnet was reported by Akamai Security Research in the middle of last month. It is based on KmsdBot, malware written in Go that uses SSH to break into victims' systems. After gaining a foothold on a victim's machine, the malware adds the device to the botnet and uses it to mine the Monero cryptocurrency and carry out DDoS attacks. KmsdBot's main targets included gaming companies, information security firms, and even luxury car manufacturers.
But how could a single command take the botnet down? According to Akamai researchers, there are only two reasons:
- The lack of a persistence mechanism on the infected system. This means that a victim's system has to be infected again if the malware is removed or loses contact with the C&C server for any reason.
- The absence of any error checking on incoming commands. In Akamai's case, the entire botnet failed when it executed an attack command containing a syntax error: a space was missing between the target site's address and the port.
Because the botnet had no persistence mechanism and all of the bots lost contact with the C&C server, the operators will have to re-infect the victims and rebuild the botnet.