Newbie Hacker Fingered for Monster Botnet

Federal prosecutors quietly indicted this 20-year-old, and rival hackers say he’s behind a king-sized botnet. But did he really have the skills to pull it off?

Photo illustration by Sarah Rogers/The Daily Beast

A 20-year-old Washington man was indicted last week on federal computer hacking charges after rival hackers fingered him as the creator of a notorious botnet tearing through routers around the world.

But despite the havoc he supposedly wreaked, the accused hacker doesn’t seem to have been terribly knowledgeable about hacking.

Kenneth Currin Schuchman is charged in U.S. District Court in Anchorage, Alaska with two counts of violating the Computer Fraud and Abuse Act by using malware to damage computers between August and November 2017.

The indictment doesn’t name the malware, but all signs point to the virulent Satori botnet that surfaced last fall, and has infected at least 500,000 internet routers around the world.

Last December, researchers at the Check Point cybersecurity firm traced Satori to an amateur known as “Nexus Zeta” who frequented a web forum for untrained and wannabe malicious hackers. Two months later, a little-noticed Pastebin post by rival hackers purported to reveal Nexus Zeta’s real identity, naming the same Kenneth Schuchman indicted last week.

Schuchman lives in Vancouver, Washington with his father, according to court records, where he’s unemployed and drawing disability. As a child he was diagnosed with Asperger syndrome, a form of autism that makes social interactions difficult and can lead to obsessive, highly focused behavior, according to a 2015 missing child alert. The alert came when a then-15-year-old Schuchman slipped away from a family vacation in Bend, Oregon, and briefly vanished. He turned up safe the next day back home in Vancouver.

Later in 2015, the user “Nexus Zeta” joined the amateur hacking community HackForums. The next year, Schuchman alluded to a secret life in a Facebook post mocking the Pokemon Go craze. “This is seriously beginning to make me wonder about the intelligence and maturity level of adults in this country these days,” he wrote. “I do blackhat hacking all the time and I haven't even downloaded this game let alone played it.”

Schuchman is set for arraignment in Anchorage on Friday. Under a court order issued Tuesday, he’ll be permitted to appear by teleconference, rather than flying to Alaska.

The Satori botnet first came to notoriety in November, when Check Point detected a supercharged version of the notorious “Internet-of-Things” (IoT) malware Mirai. This new strain of malware exploited a remote execution vulnerability in routers made by the Chinese company Huawei, allowing Satori to gain complete control of the vulnerable routers. By one analysis, the bot was able to infect 280,000 routers around the world in its first 12 hours using the exploit.

Significantly, the security hole had never been seen before. It was a “zero-day”—a previously-unknown bug with no ready fix. The vulnerability was rated critical, and Huawei quickly issued a patch.

Zero-day exploits are typically a sign of a sophisticated, well-resourced hacking campaign, such as a national government or an organized cybercrime gang. But when Check Point analyst Lotem Finklesteen and his colleagues went hunting for the source of the Satori outbreak, the trail led them to a very different type of suspect—a hacker calling himself “Nexus Zeta” who peppered the denizens of HackForums with basic questions about botnet development.

In one HackForums post that appeared right before Satori’s launch, Nexus Zeta appeared to struggle to get a Mirai-clone running. “hello, im looking for someone to help me compile the mirai botnet, i heard all you have to do is compile it and you have access to 1 terabit per second so please help me setup a mirai tel-net botnet.”

From clues in Nexus Zeta’s social media footprint, Check Point concluded they were dealing with a very young man who was interested in music and botnets. “When zero-days are involved, we attribute them to very advanced threat actors,” said Finklesteen. “So we were very surprised… He asked for much guidance to help him establish this botnet.”

Satori is the most intractable of a slew of botnets that hackers have created by tweaking Mirai. The original Mirai infected routers and other equipment by logging on with default passwords. (Schuchman’s case is being handled by the prosecutors who won guilty pleas from Mirai’s authors in December.)

Beginning with the Huawei exploit, Satori’s handlers consistently armed the code to break into otherwise secure routers by exploiting bugs in the devices’ software – no password required.

“These guys seem to hunt for remote code execution vulnerabilities,” said Christiaan Beek, lead scientist at McAfee. “Several different brands of routers were targeted.”

That makes Satori harder to combat, and new variants of the malware have appeared regularly since December, when Satori’s source code appeared online, allowing anyone to roll their own version. In May, a version of Satori made headlines when it began targeting computers mining cryptocurrency, and successfully diverted about $600 worth of Ethereum into a private wallet. But like most botnets, Satori’s primary purpose is launching distributed denial-of-service attacks against victim websites, crippling a target with junk Internet traffic that arrives simultaneously from thousands of hacked routers.

“People pay a lot of money to take down websites,” said Finklesteen.

The poor state of security of routers, and other devices like web cameras, TVs and major appliances, makes the Internet of Things a perfect training ground for beginning bug hunters, said Peter Arzamendi, a security expert at NETSCOUT Arbor. “We’re seeing the same kind of vulnerabilities in IoT we saw in the late 1990s and early 2000s everywhere else,” said Arzamendi. “Security in IoT is in its young stages right now, so we’re going to see that exploited.”

Finklesteen agrees. “Anyone who’s familiar with programming languages is able to find a new vulnerability in seven days, tops.”