DDoS Botnet Coder Gets 13 Months In Prison


A 22-year-old from Vancouver, Washington was sentenced today to 13 months in prison for creating and operating multiple DDoS botnets made up of home routers and other networking and Internet of Things (IoT) devices.

The US Department of Justice said Kenneth Currin Schuchman, known online under the moniker Nexus Zeta, created multiple IoT botnets, which he rented out online so others could launch DDoS attacks.

The DOJ said it tied Schuchman to botnets known in the cyber-security industry under codenames such as Satori, Okiru, Masuta, and Fbot/Tsunami. His botnets are believed to have infected hundreds of thousands of devices with malware.

US officials said Schuchman had two accomplices, identified only as Vamp and Drake, who also contributed code and features to the botnets.

DOJ officials said that besides renting the botnets to buyers, Schuchman and his associates also used the botnets themselves to attack various online services and companies.

Officials said Schuchman operated his botnets between August 2017 until August 2018, when he was formally charged.

Schuchman was allowed to remain at large but was eventually formally arrested in October 2018 after breaking his pre-trial release conditions.

Below is a summary of Schuchman's actions, as detailed in his guilty plea, which came in September 2019.

July to August 2017 -- Schuchman, Vamp, and Drake create the Satori botnet, based on the public code of the Mirai IoT malware. US authorities said this initial version "extended the Mirai DDoS botnet's capabilities, targeted devices with Telnet vulnerabilities, and utilized an improved scanning system borrowed from another DDoS botnet known as Remaiten." Even though this first botnet relied solely on devices running with factory-set or simple-to-guess passwords, Satori infected over 100,000 devices in its first month of life. Per court documents, Schuchman claimed that over 32,000 of these devices belonged to a large Canadian ISP, and that the botnet was capable of DDoS attacks of 1Tbps [claim remains unproven].

September to October 2017 -- The three hackers improve the original Satori botnet into a new version they start calling Okiru. This version can also use exploits to spread to unpatched devices. Prime targets for the Okiru botnet were security cameras manufactured by Goahead.

[Image: Kenneth Currin Schuchman mugshot. Source: Rapsheets]

November 2017 -- Schuchman, Vamp, and Drake build on Satori and Okiru. They create a new version named Masuta, which they use to target GPON routers, and infect over 700,000 devices. Their DDoS-for-hire business reaches its peak. Schuchman also creates his own separate botnet, which he uses to attack the infrastructure of ProxyPipe, a DDoS mitigation firm.

January 2018 -- Schuchman and Drake create a botnet combining features from the Mirai and Satori botnets, focusing on exploiting devices based in Vietnam.

March 2018 -- Schuchman, Vamp, and Drake continue work on this botnet, which later becomes known as Tsunami or Fbot, and infects up to 30,000 devices, mostly Goahead cameras. They later expand the botnet with another 35,000 devices after exploiting vulnerabilities in High Silicon DVR systems. US authorities said the botnet was capable of attacks of up to 100Gbps.

April 2018 -- Schuchman splits from Vamp and Drake and develops another DDoS botnet, this time based on the Qbot malware family. This botnet was primarily focused on exploiting GPON routers from the network of Mexican TV network Telemax. Schuchman also enters into a competition with Vamp, both developing botnets aimed at hindering each other's operations.

July 2018 -- Schuchman reconciles with Vamp, but by this time the FBI has tracked him down. The FBI interviews Schuchman later that month.

August 21, 2018 -- US authorities formally charge Schuchman, but allow him to remain at large, on pre-trial release conditions.

August to October 2018 -- Schuchman breaks his pre-trial release conditions by accessing the internet and developing a new botnet (based on the Qbot strain). He also orchestrates a swatting attack on Drake's home.

October 2018 -- US authorities detain and imprison Schuchman.

US officials didn't say if they charged Vamp and Drake, but they said they were aware of their real-world identities.

Schuchman pleaded guilty to one count of fraud and related activity in connection with computers. He was sentenced today to 13 months in prison and he was also ordered to serve a term of 18 months of community confinement following his release from prison and a three-year term of supervised release.

Schuchman's Nexus Zeta identity was first linked to the Satori botnet in a December 2017 Check Point report.

The DOJ also thanked companies including Akamai, Cloudflare, Google, Oracle, Palo Alto Unit 42, and Unit 221B, LLC, as well as the University of Cambridge, for their help in the investigation.
