A 21-year-old Washington man has pleaded guilty to creating botnets that converted hundreds of thousands of routers, cameras, and other Internet-facing devices into money-making denial-of-service fleets that could knock out entire Web hosting companies.
Kenneth Currin Schuchman of Vancouver, Washington, admitted in federal court documents on Tuesday that he and two other co-conspirators operated Satori and at least two other botnets that collectively enslaved more than 800,000 Internet-of-Things devices. They then used those botnets to sell denial-of-service attacks that customers could order. Last October, while on supervisory release after being indicted for those crimes, Schuchman created a new botnet and also arranged a swatting attack on one of his co-conspirators, according to the plea agreement, which is signed by the hacker.
The crime outlined in the court documents started with the advent in late 2016 of Mirai, a botnet that changed the DDoS paradigm by capitalizing on two salient features of IoT devices: their sheer numbers and their notoriously bad security. Mirai scanned the Internet for devices that were protected by an easy-to-guess default password. When it found one, it corralled the device into a botnet that could overwhelm even large targets with more junk traffic than they could handle.
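The Mirai technique described above leaves a recognizable trace on the victim side: a single source trying one username after another over telnet within seconds, then logging in. The following detector is an added example written for this article, not code from the case files or from any botnet; the log format and the sample lines are constructed and hypothetical, so the regular expression would need adjusting to a real device's telnetd output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telnet authentication log lines (not from the article or the case files).
SAMPLE_LOG = """\
2016-10-01T12:00:01 telnetd: login failed user=root from=198.51.100.7
2016-10-01T12:00:02 telnetd: login failed user=admin from=198.51.100.7
2016-10-01T12:00:02 telnetd: login failed user=support from=198.51.100.7
2016-10-01T12:00:03 telnetd: login failed user=user from=198.51.100.7
2016-10-01T12:00:04 telnetd: login failed user=guest from=198.51.100.7
2016-10-01T12:00:05 telnetd: login failed user=service from=198.51.100.7
2016-10-01T12:00:06 telnetd: login ok user=root from=198.51.100.7
2016-10-01T12:05:00 telnetd: login failed user=admin from=203.0.113.9
2016-10-01T12:09:00 telnetd: login ok user=admin from=203.0.113.9
"""

# Hypothetical log format; adjust the pattern to the device's real telnetd output.
LINE_RE = re.compile(r"^(?P<ts>\S+) telnetd: login (?P<result>ok|failed) "
                     r"user=(?P<user>\S+) from=(?P<src>\S+)$")

def parse(log_text):
    """Yield (timestamp, result, user, src) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def find_scanners(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources that fail logins for more than `threshold` distinct usernames
    inside a sliding `window`: the signature of a credential sweep rather than a
    mistyped password. Returns {src: {"usernames": [...], "compromised": bool}},
    where compromised means a login succeeded from that source after the sweep."""
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[3]].append(ev)
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        fails = [(ts, user) for ts, result, user, _ in events if result == "failed"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:   # shrink window from the left
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) > threshold:
                sweep_end = fails[end][0]
                compromised = any(r == "ok" and ts >= sweep_end
                                  for ts, r, _, _ in events)
                flagged[src] = {"usernames": sorted(users), "compromised": compromised}
                break
    return flagged

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(src, info)
```

On the sample, 198.51.100.7 is flagged as a sweep that ended in a successful root login, while the single failed attempt from 203.0.113.9 is left alone.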
Within a few weeks, Mirai was producing record-setting DDoS attacks, one of which took out security site KrebsOnSecurity for days. In short order, the Mirai source code was openly published in an act that made it easy to spin up DIY clones of Mirai.
Schuchman used the Mirai source code to create a new botnet that quickly infected 100,000 routers. Schuchman, the plea deal said, bragged that the botnet allowed him and his co-conspirators to compromise 32,000 devices belonging to a large Canadian ISP, a feat he claimed allowed him to DDoS targets with bandwidth of an astounding 1 terabit per second. The secret to its success: Satori, as the botnet was christened, exploited security vulnerabilities—some of which were zero-days—in infected devices, even when they were protected by strong passwords.
According to Tuesday's plea deal, Schuchman used the monikers "Nexus" and "NexusZeta" to converse with co-conspirators using the handles Vamp and Drake. The trio's goal was to improve upon Satori and build their own DDoS franchise. The results were Okiru, which exploited vulnerabilities in the GoAhead family of surveillance cameras, and Masuta, which infected as many as 700,000 nodes by exploiting vulnerable Huawei and Gigabit Passive Optical Network (GPON) fiber-optic networking devices.
The plea agreement stated:
Logs during the Masuta time period depict a large number of attacks launched at the end of November by SCHUCHMAN, Drake, and others, including paying customers of the criminal botnet scheme. At this time, SCHUCHMAN also operated his own distinct DDoS botnet which he utilized to attack IP addresses associated with ProxyPipe. At the same time, SCHUCHMAN was also actively scanning the internet for vulnerable telnet devices for the purpose of identifying additional devices to incorporate into h