Syntax Errors Are the Doom of Us All, Including Botnet Authors

An anonymous reader shares a report: KmsdBot, a cryptomining botnet that could also be used for denial-of-service (DDOS) attacks, broke into systems through weak secure shell credentials. It could remotely control a system, it was hard to reverse-engineer, didn't stay persistent, and could target multiple architectures. KmsdBot was a complex malware with no easy fix. That was the case until researchers at Akamai Security Research witnessed a novel solution: forgetting to put a space between an IP address and a port in a command. And it came from whoever was controlling the botnet.

With no error-checking built in, sending KmsdBot a malformed command -- like its controllers did one day while Akamai was watching -- created a panic crash with an "index out of range" error. Because there's no persistence, the bot stays down, and malicious agents would need to reinfect a machine and rebuild the bot's functions. It is, as Akamai notes, "a nice story" and "a strong example of the fickle nature of technology." KmsdBot is an intriguing modern malware. It's written in Golang, partly because Golang is difficult to reverse-engineer. When Akamai's honeypot caught the malware, it defaulted to targeting a company that created private Grand Theft Auto Online servers. It has a cryptomining ability, though it was latent while the DDOS activity was running. At times, it wanted to attack other security companies or luxury car brands.

Re:"index out of range"

[The MAZZTer]

The syntax error in the command sent to the botnet was not detected resulting in the runtime error.

Re:

[Tablizer]

It's possible a typo got misinterpreted as an over-large index range? Although that's usually called a "typo", as syntax errors are typically considered something the machine itself issues. I doubt there's a canonical tech dictionary to check so that we don't bicker over definitions like the pedantic nerds we are.

It reminds me of the saying, "Perl has no syntax errors, just unintended behavior" as just about anything you type is interpreted as a command of some sort. (I don't think the article is about Perl

Re: "index out of range"

[ArmoredDragon]

In compiled languages, syntax errors are always caught at compile time. Golang is a compiled language. This is strictly a runtime error caused by somebody not sanity checking their inputs for syntactical errors.

If you put incorrect syntax into a scripted language that caused the scripting engine to crash, then that by definition becomes a runtime error.

Re:

[Tablizer]

True, but that's not necessarily a "syntax error" itself but rather probably an error-handling-error.

Re:

[nasch]

In compiled languages, syntax errors are always caught at compile time. Golang is a compiled language. This is strictly a runtime error caused by somebody not sanity checking their inputs for syntactical errors.

So what is the difference between a syntax error and a syntactical error?

Re:"index out of range"

[znrt]

you read at least until "index out of range" (2nd paragraph) and yet you missed "forgetting to put a space between an IP address and a port" (1st paragraph), being the smart ass you think you are you somehow sensed a disturbance in the force but instead of rereading a short sentence to verify you didn't pick up something wrong, you simply blamed it on a mistake on the article and immediately succumbed to the urge to finger point, thus showing your appalling reading comprehension difficulties to the entire world. you are a true new age internet user! bravo!

Eggzajurashun

[Tablizer]

Nonsence, I maik tieping errs all thu tiem, and nevur got fieard.

Re:

[fahrbot-bot]

Eggzajurashun

Looks like the name of a city, or volcano, in Iceland -- except it's not long enough. :-)

What's Coming...

[0xG]

AI - designed malware will be a real game-changer.

Re: What's Coming...

[dowhileor]

You can write patches fast enough to halt an ai virus I'm sure.

Is that really his name?

[aitikin]

FTA:

Larry Cashdollar, principal security intelligence response engineer at Akamai, told DarkReading that almost all KmsdBot activity his firm was tracking has ceased, though the authors may be trying to reinfect systems again.

Is that truly his name?

Re:

[smooth wombat]

Yes. Yes [infosecuri...gazine.com], it is [thecyberwire.com].

Re:

[nasch]

Reminds me of the poker player named Chris Moneymaker.

Error checking?

[opps sorry my bad]

I'm l337! I don't need no stinking error checking.

Re:Error checking?

[techno-vampire]

Or, as I once heart a PHB tell a suit during a presentation of some new software, "We don't do any error checking because in a perfect world, people would check their input before hitting Enter." Alas, I wasn't in a position to ask if we were, in fact, living in a perfect world.

Re:

[dissy]

I'd be more interested to know if the PHBs home world was issuing visitor visas

Re:What is "Golang"?

[dargaud]

Most people call it that, otherwise it's impossible to look for forum info/help about it because of the stupid short name which is found in thousands of other contexts (like 'R', 'C'...)

Re:

[dargaud]

I'm sure that google treats the C letter differently than other letters when it can guess a programming context in the query. What was fine in choosing a short language name in the 70s is not so much anymore.

SyntaxErrorsAretheDoomofUsAll,IncludingBotnetAutho

[davidwr]

There,fixedthatforyou.

Re:

[Rockoon]

since when is missing a space in a terminal command a "syntax error"

since never

Re:

[kmoser]

If the software expects no space and your input contains a space, then by definition your input has a "syntax error." For example if instead of typing "ls" you type "l s", then you have made a syntax error.

Saved from hackers by syntax errors twice

[MobyDisk]

I have had 2 instances of being saved from a hack by a syntax error:

I setup my first Linux box around Y2K so that my roommates could share a single internet connection. It sat unmodified for almost a year before we noticed that we couldn't SSH into it. When we connected a monitor we saw that the SSH service failed due to a syntax error in the configuration file. It turns out that a hacker had installed a rootkit, but their script changed the SSH config file in a way that wasn't supported by the version of SSH we had. So SSH failed to start and everyone, including the hacker, was locked out of the box. But ipchains continued to work so nobody noticed.

In another case, I wrote my own HTTP server that ran on Windows 98/ME. It supported a cgi-bin gateway [wikipedia.org] and I had a script for a web counter [wikipedia.org]. I had a web counter that was written in PERL, intended for Linux, but I made it work on Windows. The web counter had an admin tool that I should not have put in the cgi-bin folder, because otherwise someone can run the admin script remotely. So of course, someone did. The admin tool had a vulnerability that let you run arbitrary commands. :-( So a hacker scanned my site, ran the admin tool, and used it to deface the web site. But they couldn't go any further because nobody in their right senses would expect a cgi-bin gateway running PERL on Windows '98. The bastardized configuration meant the command-shell was slightly different from what the expected, so the scripts didn't work.

The lesson here is that overcomplicated, bastardized, customized, niche software is the key to security!

Re:

[Ed Tice]

The lesson here is that overcomplicated, bastardized, customized, niche software is the key to security!

Having such software likely increases the attack surface and will be a bonanza for skilled attackers. However, low-skill mischief makers ("Script kiddies" might be too nice of a term) will quickly move on to targets for which they can find pre-built exploits that will work unmodified.

Also, I should point out that you've been hacked twice that you know about or at leas twice. Maybe more.

The solution IMO

[buck-yar]

Write it all in one language (my choice would be C). Do it the same way every time and there'll be fewer mistakers.