The anatomy of the MyKings botnet, and why it matters for security

The MyKings botnet, also known as Smominru, is a mash-up of recent security trends.
botnet, attack, ddos, red team, mykings
(Getty Images)

Deconstructing a zombie army of comprised computers — commonly known as a botnet — can tell you a lot about the security weaknesses over a range of digital infrastructure. The unpatched machines the botnet preys on, the protocols it uses, and the malicious code it distributes come into sharp focus.

A new study of the MyKings botnet — a notorious horde of computers that has netted crooks some $3 million — by antivirus firm Sophos highlights how Windows servers are vulnerable to a range of attacks from the botnet.

The MyKings botnet, also known as Smominru, is like a mash-up of recent security trends: it has been used to mine cryptocurrency, it has taken advantage of users’ failure to patch their systems, and it has employed a software exploit released by the Shadow Brokers.

MyKings’ authors have also started experimenting with steganography — an increasingly popular technique in which hackers hide their malware in a benign-looking image. In MyKings’ case, they disguised their code in a photo of musical artist Taylor Swift, and used it to update the botnet, according to Sophos.


Whoever is behind MyKings knows that retaining access to a network requires a subtlety not associated with botnets. And so they added a component to the botnet known as a “bootkit” that launches a malicious program whenever a computer is rebooted.

The MyKings botnet also has the regenerative powers of a cockroach.

“Even if most of the components of the botnet are removed from the computer, the remaining ones have the capability to restore it to full strength simply by updating themselves,” Sophos researchers Gabor Szappanos and Andrew Brandt wrote in a blog post Wednesday.

Since researchers began tracking it in 2017, the MyKings botnet has infected well over 43,000 unique, public-facing IP addresses, according to Sophos. If the internet is ever be to rid of the scourge, understanding how and why the botnet continues to be effective is key.

“For the past couple of years, this botnet has been a persistent source of nuisance-grade opportunistic attacks against the under-patched, low-hanging fruit of the internet,” Szappanos and Brandt wrote.


“It’s worth noting the amount of work that has gone into building this large botnet simply to run cryptominers,” Brandt told CyberScoop. “The cybercriminals’ approach is working and they’re making money, but the cryptominer is ultimately a quaint, anticlimactic result after significant build up and effort on their end.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts