Confessed Botnet Master Is a Security Professional
An anonymous reader writes "John Schiefer, the Los Angeles security consultant who in late 2007 admitted wielding a 250,000-node botnet to steal bank passwords, sometimes from work, says he's spent the past 15 months working as a professional in the security scene while awaiting sentencing. Prosecutors are pushing for a five-year sentence, noting the exceptional threat he represented to society."
BURN HIM! (Score:5, Interesting)
He is one of those people who, in my opinion, qualifies for MUCH more harsh punishment. My opinions are on the far extreme though... not likely to happen, but it does call for a good old fashioned lynching.
Jail him. Now. (Score:4, Interesting)
There should be 250,000 litigants, one each for the number of botted machines out there filing suit against him in addition to being behind bars with his hands cuffed (can one type in cuffs? might be interesting).
This guy is a poster boy for how due process ought to work for computer criminals. The trust factor should be zero. This isn't a hero, this is a master thief.
Re:Substantial Threat to Society? (Score:5, Interesting)
What about the woman that gets raped on the street? Isn't she partly responsible for the rapist's behavior?
Come on people, quit blaming the victim; especially when the victim is an average person (as is evidenced by the sheer size that many botnets reach).
Re:BURN HIM! (Score:5, Interesting)
He is one of those people who, in my opinion, qualifies for MUCH more harsh punishment.
Well, the US prosecutor could just allege that he's capable of starting World War III if given an opportunity to whistle into a telephone to get him thrown into solitary confinement. It might even be more believable than the last time they used it successfully.
Re:BURN HIM! (Score:5, Interesting)
You were modded troll probably because many of the IT security guys here don't want to be lynched when they get caught for their dirty deeds.
I don't want to kill anyone, but I am a big supporter of public humiliation. Part of his sentence needs to be 5 days in public stockades where people can throw non-sharp objects at his face, and/or take a few whacks with a switch to his body.
Re:Substantial Threat to Society? (Score:5, Interesting)
What about the individuals whose computers were compromised by him? Are they not themselves partially culpable for his actions? Shouldn't people feel compelled to not let themselves become zombies?
Sure, I should probably lock the door of my house when I leave for work... It's probably a good idea to lock my car in the parking lot, too... But that doesn't mean it isn't a criminal act if you walk into my house and steal something.
Yes, from an insurance standpoint not locking the door will likely have an effect. If my insurance company knows that I didn't lock my car they probably won't pay for any repairs it may need after being recovered. But the guy who steals it is still a criminal, still goes on trial, and still goes to jail.
Just because someone didn't patch their computer doesn't mean it's OK to exploit those vulnerabilities. It's a weak point in the computer's security, not an open invitation. Are you suggesting that it's OK to break into someone's house because the windows are fragile?
Creating a botnet from zombied computers is no trivial act. Simply exploiting a vulnerability takes some time and effort. It isn't as if this guy just kind of tripped over a botnet and accidentally stole some identities. This was an intentional criminal act.
70 years for MacKinnon? (Score:5, Interesting)
Re:BURN HIM! (Score:3, Interesting)
Maybe public stockades in some alley in San Francisco. For 5 nights.
Re:Disgraceful (Score:3, Interesting)
Why? ANYONE with a working brain can become a security professional. You are not in any way responsible for his actions (or for the actions of any other security professional), but by saying you feel 'ashamed' for his actions you suggest you somehow are (and that security professionals are incapable of independent thought...). Why do you feel shame?
Re:It's not shoe salesman vs IT, it's "one of us" (Score:1, Interesting)
You should see some of the dual personality people that code for spam filtering projects. They double dip both for the prevention of spam and by getting paid to circumvent spam filters. You wouldn't believe how tempted some security "professionals" get when money gets tight.
Re:Smart People (Score:3, Interesting)
What a load of crap.
The guy is a painter that lives in a world where paint has been banned. Of COURSE he is a criminal.
Yeah, if only this guy had lived in a world where it's OK to steal from other people's bank accounts. That would be a great world, wouldn't it? Just think how much would get done if nobody could trust a bank! Why, it would be a grand new society! And people who desperately need the "outlet" of stealing things from other people in order to feel good about themselves would finally be able to live a more peaceful, happy life.
Um, unless the fact that there's no risk, and no longer any chance to be the guy wielding technology with malice makes it no fun anymore, right? How many vandals would there be if there was no cultural care about destruction of property? Without the thrill of screwing someone else out of their time, property, and efforts, what's the point? Right. The point is the power trip and the pleasure from destruction and getting away with something. That's why guys like this would still be rotten even if there weren't computers and networks. You think he's highly intelligent and just being kept by his evil school from using it? Are you really one of these people that thinks it's up to the schools to amuse everybody according to their own individual tastes, level of boredom, and lack of enough imagination to do something outside of school to keep busy and interested?
Devil's advocacy... (Score:3, Interesting)
Indeed. Many moons ago (back in the early 1980s, when "IBM PCs" were still new and beginning to be affordable) I was a security consultant to a certain large technology company not far west of London. Part of my brief was to write aggressive self-replicating routines in an attempt to disrupt crackers' activities. Thus I might claim credit for a few of the earliest viruses, but that's not really my point, which is that in those days work like this was done in assembly code, and as such was reasonably challenging. I was quite proud of it for that reason.
I haven't kept up with this particular technology, but I gather viruses such as these are a lot easier to craft now, particularly since users don't typically notice small (or even large) drains on resources any more.
Regardless of whether or not one admires botmasters' motives (and I don't) crafting botnets on a large scale has a certain "cool" factor, since there is quite a lot of work, skill and even artistry involved in setting them up.
Re:Substantial Threat to Society? (Score:3, Interesting)
It might be slightly trickier than that (Score:5, Interesting)
Not generally. When you see a run-of-the-mill buffer-overflow-execute-anything-you-want exploit, it usually only takes changing the values of a few variables to get it to deliver your payload vs. what the example was doing.
Well, you can arm a PoC exploit and crack a few PCs that way. Then you only have access to the box. Typically this might get detected quite fast by AV vendors, so you'd better obfuscate that code some more.
So by then you have a working sploit but you are not somewhere near to a botnet. First, you need code that stays on the box meaning it should start itself when the machine gets booted up. And if you want to be successful you should not choose HKLM/local...entVersion/run/ but something more subtle. The easy way to go here would be another less known registry value but this means executing a process that can be seen and thus be dealt with in your task manager. So, ideally you inject a dll into another process. Now that already takes quite some knowledge.
Now you still do not have a botnet, still far from it but closer.
No, you need a mechanism to distribute that code. That could be using the armed PoC exploit, brute forcing shares in the net, infecting files, copying to other devices or inclusion in Zip files etc. or just emailing itself in a combination with social engineering techniques so the recipient will execute that malware of yours.
And writing your own SMTP engine in assembly might not be that easy anymore. But for the sake of the argument, let's say you want to exploit a Windows SMB vulnerability. Then you have to think about algorithms for finding an IP address in an effective manner. And you have to make sure that it does not spread too fast, because then you create a lot of noise that will get people's attention and you even might cause enough scanning/exploitation attempts to clog the very pipes you need to spread.
That having been said, you will want to disturb the work of antivirus companies. That means you have to identify the net ranges used by these AV companies and design your spreading algorithm in a way that excludes those ranges. Then you will want to block AV software on infected hosts from getting signature updates, so you have to identify those IPs/DNS names as well in order to block the host's access to them. As you can enter your victims through an exploit you even have the chance to avoid AV detection as a whole, which means that you have to cleverly hide your presence from the AV or you (try to) disable the AV software altogether without the user and the host OS noticing. Not so easy at all! And you want to avoid being dissected all too fast, so you will want to implement some more obfuscation: assembly-level anti-debugging features, self-written executable packers, maybe virtual machine detection etc.
Congratulations, you have now written a worm. Of course you'd better test it with various OSes, languages, releases and AV systems, right?
Now, you still do not have a botnet!
For a botnet, you need some command and control structures. You need to communicate with your victims. Now that makes you easily traceable, so you might want to make your botnet a double-fast flux peer-to-peer network. Easy, isn't it?
And then you just have to find a way so that the money you are trying to make off of that botnet does not get easily traced back to you.
But yes, I agree, all it needs is a script kiddie that can exchange some NOP and 0xEB 0xFE code with a working payload, right? As easy as winking.
Clearly that guy must neither have any real knowledge about IT security nor can he be intelligent or skilled in any way.
Which, BTW, does not mean that I do not condone this, in fact I do. But if you happen to have those skills and you probably have invested significant time into learning everything about it and you are being paid just a bit over minimum wage (e.g. because you were on parole or for some other reason) and you are told every second day that your skills are
Re:It's not shoe salesman vs IT, it's "one of us" (Score:3, Interesting)
Think about it. It's job security.
Specifically code a flaw in the code that's hard to find. A few months later, sell out the exploit. Go back to the client and say "wow, these guys are smart, I didn't even think they could do that." Then make more money fixing the flaw.
Lather, rinse, repeat, and most importantly in these troubled economic times, stay in business.
It's like a window company driving around at night and putting bricks through shop windows.
Re:It might be slightly trickier than that (Score:3, Interesting)
You know what it takes to create a botnet? Throwing a torrent up on thepiratebay.org, something along the lines of "Windows XP SP3 Corporate Edition WGA cracked" or "Adobe Photoshop CS4 Keygen". What is even sicker about this vector is, you might actually deliver what you are saying they would be downloading. Hell, you don't even need to be programming savvy. Hide your code in DLLMain of any random DLL on the machine (MFC or VB6 virtual machine DLLs are possibly a good choice). SIMPLE stuff. It may sound complicated until you actually do a Google search and see the code. And that "DLL Injection" you swore was "so hard"... you can either use "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"/CreateRemoteThread/SetWindowsHook(Ex) and/or a Browser Helper Object that has become ever so popular. All easy-to-understand Google-search-away crap. Coordinate over IRC/Usenet/Tor/web forum/compromised ftp site/already exploited zombie pc/whatever.
I could go on and on, but I think I said what needs said. If you think it takes "writing your own SMTP engine in assembly", may $GOD$ help your children.
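A defender-side counterpart to the persistence locations these two posts argue about (the Run keys and the AppInit_DLLs value), as an added audit example that is not part of the thread or any poster's code; the key list and the "trusted directory" heuristic are my own assumptions, and the script is meant to be run as administrator on a Windows host.

```powershell
# Added audit example (not from the thread): list the autostart locations the
# comments above mention and flag entries that point outside trusted directories.
# Assumption: this trusted-root list is a simple, constructed heuristic.
$trustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:ProgramFiles")

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path -like "$root\*") { return $true }
    }
    return $false
}

# 1. Run/RunOnce keys: the obvious autostart the first poster calls "not subtle".
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata
        $cmd = [string]$p.Value
        # Executable is either the quoted first token or the first bare token.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $flag = if (Test-TrustedPath $exe) { '' } else { '  <-- outside trusted dirs' }
        "{0}\{1} = {2}{3}" -f $key, $p.Name, $cmd, $flag
    }
}

# 2. AppInit_DLLs: every DLL listed here is loaded into each process that links
#    user32.dll, which is why the second poster calls it an easy injection path.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$win = Get-ItemProperty -Path $winKey
"LoadAppInit_DLLs = $($win.LoadAppInit_DLLs)"       # 0 means the list is ignored
if ($win.AppInit_DLLs) {
    foreach ($dll in ($win.AppInit_DLLs -split '[ ,;]+' | Where-Object { $_ })) {
        $exists  = Test-Path $dll
        $trusted = Test-TrustedPath $dll
        "AppInit_DLLs entry: $dll (exists=$exists, trusted=$trusted)"
    }
} else {
    "AppInit_DLLs is empty (expected on a clean host)"
}
```

On 64-bit systems the Wow6432Node copies of the same keys hold entries for 32-bit processes and are worth checking the same way.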
How do you propose to do that? (Score:3, Interesting)
Actually, here's a fun thought:
1. The people in prisons score on the average over 20 on the antisocial personality disorder scale, which is to say you have a spectrum ranging from borderline sociopathic to outright psychopaths. A normal person scores 2-3.
2. There is no known way to turn a sociopath into a normal person. Trying to psychoanalyze them just teaches them to fake the answers that will hide their callousness better.
3. Showing one the damage he's done and the people whose life he's destroyed... does nothing whatsoever, since a sociopath doesn't give a fuck about other people in the first place. They live in a single-player world, with them as the player and the rest being about as important or empathy-worthy as the NPCs in <insert MMO or RPG>. You can lie to them, manipulate them, cause all the harm you can get away with, whatever advances your quest or keeps you entertained. It doesn't matter, they're just NPCs. That's the kind of world a sociopath lives in. It includes even their own children, not just strangers who downloaded a virus.
4. They have a tendency to not have a sense of personal responsibility. They'll just shift the blame to someone else (e.g., the victim for being too stupid to download a virus) or rationalize it in any other way.
So, seriously, if you know some way to "undo" sociopathy, by all means, we'd all be very interested to hear it. But otherwise let's bury the retarded idiocy already that prisons should be some touchy feely school in respecting other people's feelings. These guys just can't do that.
The only thing they do understand is, basically, "let's not do something that will get me locked up for good". Well, some of them. Turning it all into just a slap on the wrist and some pouty "you've been a meanie and upset people" lesson will just remove that deterrent too.