Monday 21 February 2011

HBGary Hack - Media ignoring the real treasure?

No doubt you have heard about Anonymous hacking HBGary and leaking their emails.
The media had a field day: "security company gets hacked", "Black ops: how HBGary wrote backdoors for the government", etc, etc....
HBGary got pwned, but shit happens, right? It's probably not worth dwelling on all the successful hacks against companies such as Micro$oft and Google which never get made public... and what's with the big fuss about writing backdoors for the government? We are in the age of cyberwar; I bet plenty of defence and security companies are doing the same (Stuxnet, anybody?).

Anyway, to the point of this post:

One of the BIG things I am surprised has not been reported on more is all the email traffic about APT reports and investigations. A number of the emails cover in-depth APT investigations; there are also emails about specific APT malware variants and how the HBGary tools detect them.
No doubt the APT 'attackers' have read the HBG emails and have probably dramatically changed tactics, and likely have moved to entirely new malware variants. There was one specific HBG customer, who I will refer to as 'QQ', who appears to have had an ongoing APT infection for a long time. Reading the emails, it would appear a lot of data was stolen (how much that data is worth in real money I don't know, potentially millions?), and now their entire investigation has been published on the Internet. It's going to cost them millions more in remediation, let alone the damage to their image with their customers.

Fortunately none of the HBG application source code was leaked; if it had been, AV companies would be in for a hard time, as I believe this would give APT authors a great advantage in staying undetected.

D3ADLiN3

Monday 11 October 2010

Malware forces Firefox to save passwords

Whilst reading The Register today I noticed an article titled 'Malware forces Firefox to save passwords'.
I was surprised to see this make an article on El Reg, as it is an old, public technique probably used by thousands of pieces of malware.

I think Webroot needs to catch up with the times...

Friday 14 May 2010

Offline Malware Analysis

In this article I am going to look at static/offline analysis of malware (without actually running or debugging it).
Just from the strings in a piece of malware it is often easy to work out what it is designed to do.

To find some live malware samples I am going to use some known drive-by download sites. This dumps a list of URLs to a file:

D3ADLiN3@box:~# links2 -dump 'http://www.malwareurl.com/search.php?domain=&s=exploits&match=0&rp=100&urls=on&redirs=on&ip=on&reverse=on&as=on' | awk '{print $1}' | sed 's/|//' | egrep "[A-Za-z0-9/]" | awk '{print "http://"$1}' >> MalURLS.txt

Now I use wget to fetch the pages safely: wget only downloads, it never renders the HTML or runs any script, so nothing you pull down gets executed (still, do this on an isolated box, as you are deliberately collecting live exploit pages and binaries). I spoof the User-Agent so I don't get blacklisted by the exploit kits, and by using an IE6 User-Agent I hopefully trigger more attacks. Bear in mind that a kit which fingerprints the browser with JavaScript before serving its exploit will not be fooled by the User-Agent alone, so what you get back is only what the first-stage page hands out. The -T 1 is a one second timeout and -t 3 is three retries per URL; dead kit domains are common, so this keeps the run short.

D3ADLiN3@box:~# wget -i MalURLS.txt -T 1 -t 3 --user-agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Once wget has finished downloading there is a variety of HTML pages and executables left over.

I have picked a random executable called 1009.exe.
Now let's take a look at the file:

D3ADLiN3@box:~# packer.py 1009.exe -> Nothing Found
D3ADLiN3@box:~# yara rules 1009.exe -> Delphi
D3ADLiN3@box:~# clamscan 1009.exe
1009.exe: Trojan.Killav-157 FOUND

OK, so AV detects the file as an anti-virus killer, and it appears to be unpacked and written in Delphi.
Opening the file in a hex editor I can confirm it is not crypted or packed, because all the strings within the file are clearly visible and not obfuscated in any way.
So let's dump all the strings out of the file:

D3ADLiN3@box:~# strings 1009.exe > strings_1009.exe

A couple of things jump out straight away: Av Love Av Av Av Av Av, bluedragonfly, U_GuiHack360, KillAv, upmyself.
A quick Google on some of these turns up some obvious results:
"U_GuiHack360" appears to be a method to kill the Norton 360 AV/firewall GUI.
"Av Love Av Av Av Av Av" links to a website about malware.

There is a list of different AV executables, most probably for process killing.

There are references to Registry Keys:
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

These keys control the display of hidden files in Windows Explorer; malware commonly tampers with them so that its own hidden files stay hidden even after the user enables 'Show hidden files and folders'.

We also find references to what appear to be the startup methods:
Software\Microsoft\Windows\CurrentVersion\policies
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\runonce
software\microsoft\windows\currentversion\runonceex
software\microsoft\windows\currentversion\runservices

The malware author also seems to be using the "Image File Execution Options" Debugger method to kill AV (or possibly as a startup method):

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

This lesser-known registry key exists for debugging: when a process whose image name matches a subkey under it is started, Windows instead launches the program named in that subkey's "Debugger" string value and passes it the original command line, so the debugger can in turn launch the application to be debugged.
So for example, if you wanted to debug notepad.exe with OllyDbg you would create a subkey called notepad.exe under the key above and set its "Debugger" value to the full path of ollydbg.exe.

This would launch OllyDbg, which would then load notepad.exe.

If the program you point at does not launch its argument, it simply replaces the original process. So for example, if you changed the OllyDbg path to calc.exe, each time you tried to load notepad.exe it would launch calc.exe instead.

Malware can use this in two ways:
1) Hijack an existing process that is set to start automatically (e.g. a built-in Windows component such as Windows Update) and use it as a startup method: the malware's own path goes in the Debugger value, so it runs every time the legitimate program is started.
2) Hijack a legitimate process so that something useless loads instead. For example, the malware could add each anti-virus process name to the list and point the Debugger value at svchost.exe. The AV process would never start; svchost.exe would launch in its place, ignore the AV's command line and do nothing.
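An added example (mine, not from the original post) of the defensive side of this: auditing an IFEO export for Debugger values. It parses the text of a reg export of the Image File Execution Options key and classifies each Debugger entry as a known debugger, a stub such as svchost.exe that just swallows the target (pattern 2 above), or an arbitrary program running in the target's place (pattern 1). The registry text is constructed; nod32krn.exe, wuauclt.exe and the path to 1009.exe are illustrative, and the allowlist of debugger names is an assumption you would tune for your own estate.

```python
import re
import sys
from collections import namedtuple
from pathlib import PureWindowsPath

# Constructed `reg export` style text, not taken from a real machine.
# nod32krn.exe stands in for an AV service, wuauclt.exe for the Windows
# Update client and C:\Windows\Temp\1009.exe for the dropped sample.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\OllyDbg\\OLLYDBG.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe]
"Debugger"="\"C:\\Windows\\Temp\\1009.exe\" -silent"
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# Only "name"="value" string lines; dword/hex values are skipped on purpose.
STR_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

IFEO_MARK = "\\image file execution options\\"
# Assumed allowlist; extend with whatever debuggers are legitimately deployed.
KNOWN_DEBUGGERS = {"ollydbg.exe", "windbg.exe", "cdb.exe", "ntsd.exe",
                   "vsjitdebugger.exe", "devenv.exe"}
# Programs that ignore a foreign command line, so the hijacked target never runs.
INERT_STUBS = {"svchost.exe"}

Finding = namedtuple("Finding", "target debugger verdict")


def _unescape(value):
    """Undo .reg escaping of backslashes and double quotes."""
    return value.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Return {key path: {value name (lower-cased): string value}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = STR_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1)).lower()] = _unescape(m.group(2))
    return keys


def _debugger_exe(value):
    """Strip any arguments from a Debugger value, honouring a quoted path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value.split() else value


def audit_ifeo(keys):
    """List every IFEO subkey that carries a Debugger value, with a verdict."""
    findings = []
    for key, values in keys.items():
        if IFEO_MARK not in key.lower() or "debugger" not in values:
            continue
        target = key.rsplit("\\", 1)[-1].lower()
        exe = _debugger_exe(values["debugger"])
        name = PureWindowsPath(exe).name.lower()
        if name in KNOWN_DEBUGGERS:
            verdict = "known debugger"
        elif name in INERT_STUBS:
            verdict = "neutered: target never runs"
        else:
            verdict = "hijacked: runs in place of target"
        findings.append(Finding(target, exe, verdict))
    return findings


def load_reg(path):
    """reg export writes UTF-16LE with a BOM; older tools write ANSI."""
    raw = open(path, "rb").read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")


if __name__ == "__main__":
    # Usage: python ifeo_audit.py ifeo.reg   (falls back to the constructed sample)
    text = load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for f in audit_ifeo(parse_reg(text)):
        print(f"{f.target:<16} -> {f.debugger:<36} {f.verdict}")
```

Any Debugger value under this key deserves a look, because nothing legitimate sets one on a production box except a developer or a deliberate troubleshooting step; the allowlist only saves you reading the obvious ones.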

We also find a reference to "SeDebugPrivilege", which a process needs in order to open processes belonging to other users (AV services included) for termination or process injection.

There are references to the following strings: FireWall, Virus, Anti, NOD32, Sniffer, DeBug.
I would suggest these are most probably used as a generic 'anti-anti': enumerating windows and closing any whose title contains one of these strings.

We can also see what I believe are the Delphi units used in the file: bluedragonfly, U_GuiHack360, 3Messages, KWindows, UTypes, SysInit, System, KillAv, SysUtils, ImageHlp, SysConst, process, GetIp, ?WinInet, WinSock, HardwareInfo, 0Nb30, anti, upmyself, Jencrypt, @other, TlHelp32.

There are also some URLs in the file:

http://www.xxx.cn/Count.asp
http://121.11.81.46:88/haozi.txt
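The triage above, as an added example that is not part of the original post: a small Python script that pulls printable strings out of a binary and buckets them by indicator type (URL, autostart key, IFEO key, privilege name, AV-killer keyword). Unlike a default strings run it also extracts UTF-16LE strings, which Windows binaries use a lot and which strings only shows you with -el. The embedded byte blob is constructed for the example, and the category regexes are my own heuristics, not a standard list.

```python
import re
import sys
from collections import defaultdict

# Constructed stand-in for the bytes of an unpacked PE, not real file
# content: ASCII strings like the ones in 1009.exe, one UTF-16LE ("wide")
# string that a default `strings` run would miss, and some junk bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\x00"
    + b"SeDebugPrivilege\x00"
    + b"http://www.xxx.cn/Count.asp?mac=\x00"
    + b"http://121.11.81.46:88/haozi.txt\x00"
    + b"KillAv\x00\x00"
    + "nod32krn.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03ab\x00"  # "ab" is too short to count as a string
)

# Indicator buckets: the first matching pattern wins. These regexes are my own
# heuristics for this write-up, not a standard list.
CATEGORIES = [
    ("url",             re.compile(r"^(?:https?|ftp)://", re.I)),
    ("autostart_key",   re.compile(r"CurrentVersion\\Run(?:Once(?:Ex)?|Services)?$", re.I)),
    ("ifeo_key",        re.compile(r"Image File Execution Options", re.I)),
    ("explorer_hidden", re.compile(r"Explorer\\Advanced", re.I)),
    ("privilege",       re.compile(r"^Se[A-Za-z]+Privilege$")),
    ("anti_av",         re.compile(r"killav|hack360|nod32|antivir|firewall", re.I)),
]


def extract_strings(data, min_len=4):
    """Return (encoding, text) pairs for every printable run of at least
    min_len characters, narrow (ASCII) and wide (UTF-16LE)."""
    narrow = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.group().decode("ascii")) for m in narrow.finditer(data)]
    found += [("utf-16-le", m.group().decode("utf-16-le")) for m in wide.finditer(data)]
    return found


def triage(strings):
    """Bucket strings by indicator category; anything unmatched goes to
    'other'. Each bucket is a sorted, de-duplicated list."""
    buckets = defaultdict(set)
    for _encoding, text in strings:
        for name, pattern in CATEGORIES:
            if pattern.search(text):
                buckets[name].add(text)
                break
        else:
            buckets["other"].add(text)
    return {name: sorted(items) for name, items in buckets.items()}


if __name__ == "__main__":
    # Usage: python triage_strings.py sample.exe   (falls back to the constructed blob)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, items in sorted(triage(extract_strings(data)).items()):
        print(f"[{name}]")
        for text in items:
            print("   ", text)
```

On a real sample the 'other' bucket is by far the biggest; the point of the categories is to surface the registry paths, URLs and privilege names first so you read those before wading through compiler noise.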

Going back into the hex editor I search for xxx.cn and find some other interesting strings next to it: "?mac=" and "&ver=Test&os=Windows". To me this looks like some sort of tracking system, probably to count the number of infections, with the MAC address serving as the victim ID.
Looking at the next URL in the file, I downloaded haozi.txt and opened it up:

http://121.11.81.46:88/1005.exe
105.exe
http://121.11.81.46:88/han.exe
han.exe
http://121.11.81.46:88/dog1.exe
dog1.exe
http://121.11.81.46:88/dog2.exe
dog2.exe
http://121.11.81.46:88/dogarp.exe

This appears to be a "task list" for an intelligent downloader. What's the difference between an intelligent downloader and a regular downloader? A regular downloader normally has its URLs hard-coded; an intelligent downloader fetches a task list from a URL and downloads whatever it lists (in this case five other binaries). The benefit for the malware author is that he can move his malware files around and the downloader keeps functioning a lot longer than a regular one would (assuming the task list URL itself doesn't die).
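The task list format, as an added parser that is not part of the original post. It pairs each URL line with the file name on the following line, falls back to the URL basename when the name is missing (as for dogarp.exe above), flags a name that differs from the URL basename (105.exe vs 1005.exe) and reports which hosts the list depends on. The sample is the haozi.txt content shown above; the script only parses it and never connects anywhere.

```python
import sys
from collections import namedtuple
from urllib.parse import urlsplit

Task = namedtuple("Task", "url save_as note")

# The task list as shown above (haozi.txt). Parse only; do not fetch these.
SAMPLE_TASKLIST = """http://121.11.81.46:88/1005.exe
105.exe
http://121.11.81.46:88/han.exe
han.exe
http://121.11.81.46:88/dog1.exe
dog1.exe
http://121.11.81.46:88/dog2.exe
dog2.exe
http://121.11.81.46:88/dogarp.exe
"""


def _is_url(line):
    return "://" in line and urlsplit(line).scheme in ("http", "https", "ftp")


def parse_tasklist(text):
    """Pair each URL line with the file name on the following line.
    A URL with no name line keeps its URL basename; a name that differs
    from the URL basename is flagged. Stray name lines are ignored."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    tasks = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if not _is_url(line):
            i += 1  # a name with no URL before it: nothing to download
            continue
        basename = urlsplit(line).path.rsplit("/", 1)[-1]
        nxt = lines[i + 1] if i + 1 < len(lines) else None
        if nxt is None or _is_url(nxt):
            tasks.append(Task(line, basename, "no name given, using URL basename"))
            i += 1
        else:
            note = "" if nxt == basename else "saved under different name"
            tasks.append(Task(line, nxt, note))
            i += 2
    return tasks


def hosts(tasks):
    """The hosts the list depends on; one host means one takedown kills it all."""
    return {urlsplit(t.url).netloc for t in tasks}


if __name__ == "__main__":
    # Usage: python tasklist.py haozi.txt   (falls back to the embedded sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TASKLIST
    tasks = parse_tasklist(text)
    for t in tasks:
        print(f"{t.url:<40} -> {t.save_as:<12} {t.note}")
    print("hosts:", ", ".join(sorted(hosts(tasks))))
```

The host summary is the quick check on the "keeps functioning a lot longer" claim: everything in this list sits on the same IP and port as the task list itself, so in practice it dies with it.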

So let's download and scan the files:

D3ADLiN3@box:~# clamscan *.exe
1005.exe: OK
dog1.exe: OK
dog2.exe: Trojan.Downloader-13207 FOUND
dogarp.exe: Trojan.Agent-16390 FOUND
han.exe: OK

D3ADLiN3@box:~# packer.py 1005.exe -> Nothing Found
D3ADLiN3@box:~# packer.py dog1.exe -> ['UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser']
D3ADLiN3@box:~# packer.py dog2.exe -> ['TASM / MASM']
D3ADLiN3@box:~# packer.py dogarp.exe -> Nothing Found
D3ADLiN3@box:~# packer.py han.exe -> ['Microsoft Visual C++']

D3ADLiN3@box:~# yara rules 1005.exe -> Armadillo
D3ADLiN3@box:~# yara rules dog1.exe -> UPX
D3ADLiN3@box:~# yara rules dog2.exe -> Nothing Found
D3ADLiN3@box:~# yara rules dogarp.exe -> DecodedIframe
D3ADLiN3@box:~# yara rules han.exe -> Armadillo

We can see one of the files is packed with UPX; we can unpack it and analyse the original file:

D3ADLiN3@box:~# upx -d dog1.exe -o dog1_unpacked.exe

              Ultimate Packer for eXecutables
                 Copyright (C) 1996 - 2010
UPX 3.05        Markus Oberhumer, Laszlo Molnar & John Reiser   Apr 27th 2010

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     23552 ->     11264   47.83%    win32/pe     dog1_unpacked.exe

Unpacked 1 file.

D3ADLiN3@box:~# packer.py dog1_unpacked.exe -> Nothing Found
D3ADLiN3@box:~# yara rules dog1_unpacked.exe -> Nothing Found
D3ADLiN3@box:~# clamscan dog1_unpacked.exe
dog1_unpacked.exe: OK

(I'm not going to reverse these files today.)

Note that clamscan reports OK for both the packed and the unpacked dog1.exe, and that packer.py and yara disagree on 1005.exe and han.exe (Armadillo versus nothing found / Visual C++). Signature-based identification gives you hints, not verdicts: "OK" only means no signature matched, and packer signatures are regularly fooled by a modified stub, so treat every one of these files as hostile regardless.

So without even running or debugging the file, we can see a number of features of this downloader and of the further malware it is configured to download.

What did the malware author do wrong?
He made no attempt at crypting, packing or obfuscating the downloader or its settings. To make life harder he should have encrypted the registry keys, process names and URLs, obfuscated the unit names, encrypted the config file (the task list), and crypted and/or packed the actual executable.

Wednesday 14 April 2010

Small Update...

Just a quick update: I'm not dead, just lurking in the shadows, occasionally popping out to share some abuse or some of my useless knowledge :]

It's been a year since my last update... well, it's been an interesting year; APT (Advanced Persistent Threat) seems to be the big keyword all the AV/security vendors are trying to jump on.
If I get the chance I will post some comments (ramblings) about Google, Tibet and the Chinese.

In the meantime give this a read: Shadows in the Cloud: Investigating Cyber Espionage 2.0. It's quite an interesting read!

Monday 11 May 2009

Proxied

Somebody has just committed fraud, and the Feds have traced it to your IP address; they have issued a warrant and are getting ready to kick down your door... but you have done nothing wrong: you have been used as a proxy by an unknown attacker. But do the Feds know this? Do they even know how to check? Do they even care?

Proxies are commonplace in malware now: SOCKS4, SOCKS5 and HTTP proxies are found in everything from rxbot to Poison Ivy. Hardware firewalls can be bypassed via UPnP or by reverse-connecting RATs/proxies (such as D3XT3R's Reverse VB Proxy RAT).
It's not just PCs that can be used: routers, switches, firewalls, even your website could be turned into a proxy for an attacker; and it's not just proxies! VPNs, RDP, VNC and other remote-control tools can hide an attacker's traces, and access to them is traded on the underground daily. Then there's wireless! There are websites dedicated to teaching how to break into wireless access points (WAPs); an attacker can join the WAP and launch an attack from there. "What about their MAC address?" I hear you cry! It is very easy to change your MAC address, and it can be done on ANY operating system.
The majority of the above have no logging and no way to trace the attacker, especially if it's too late.

You don't even have to infect a victim to be anonymous: there are online web services which provide anonymous browsing, and VPN services which provide anonymous encrypted tunnels for all kinds of traffic. Then there is the Tor network, which was designed by the US military/government for its agents abroad to send data anonymously. There are also misconfigured proxies: there are lots of websites dedicated to finding and listing these proxy servers, and they generally end up being used by multiple attackers for a variety of different purposes.

So where is this all going?

Well, the whole point of this is that we can no longer treat an IP address as being unique to a user. I do not know whether an IP address 'as the source of the attack' would stand up in court as the critical piece of evidence to put somebody away, or whether it would be the prosecutor (Feds) or the defendant (you) who has to prove that the IP address in question was compromised (or NOT compromised, based on the theory of "innocent until proven guilty...").
What happens if somebody uses your WAP hotspot username/password and launches an attack? You could say that your MAC address and the attacker's MAC address are not the same, but then again, how cheap are USB WLAN devices these days? The Feds could say you bought one, launched the attack and discarded it; then again, you could have just changed your MAC address as above.
But would somebody be stupid enough to use their own registered hotspot username/password to launch an attack? Look at Gary McKinnon: he purchased 'RemotelyAnywhere' with his real name, credit card etc., and then went and installed and registered it on NASA and .mil computers using HIS real name and email address... Stupid people make the world go round...

Friday 1 May 2009

Dynamic Social Engineering Spreading

So what is 'Dynamic Social Engineering Spreading'?
It's simply using social engineering techniques but with dynamic content; the main use of this would be spreading via email or IM.

So how do we get our dynamic content? Simple: RSS feeds.

This is also where our social engineering techniques come into play:
we use popular RSS feeds on topics such as news, sports, etc.
Let's take the BBC: the BBC has an RSS feed which is updated regularly with new content, giving us constantly fresh data to work with. The fact that it is XML means it is very easy to parse the content and manipulate it to our needs.
Using the news gives us the social engineering edge: the victim is more likely to accept something they have already read or heard about on TV, in the newspaper, etc.

IM Example:

Template:

Hey you heard about *NEWS SUBJECT* ?
*NEWS CONTENT*
Look at this *LINK/ZIP*

With Real Data (Taken from BBC News RSS Feed):

Hey you heard about Venezuela army helicopter crashes ?
A military helicopter has crashed in Venezuela killing at least 18 people on board, President Hugo Chavez says.
Look at this http://www.badguy.com/evilwebpage.htm

Thursday 26 March 2009

AKill "one of the worlds best known hackers" ... lol

I'm just posting this in response to the news article about Telstra (a New Zealand ISP) hiring convicted botter Owen Thor Walker aka AKill.

Now AKill, if you're reading this, no offence...

AKill wrote AKBot, an IRC DDoS bot written in C++.
There are a few variants going around, but chances are it was just another rx rename.

AKill (aged 18 at the time) was caught and convicted as part of the FBI's "Operation Bot Roast".
AKill apparently infected an estimated 50k PCs (Ref) and did an estimated $26 million+ in damages. He also installed adware and made approx. $40k, and (accidentally) DDoS'd the University of Pennsylvania (see further below) as well as DDoS'ing some other targets.
AKill managed to get off pretty light: he had to pay $14.5k (fine and fees) and got NO jail time and NO criminal record.

The reason for this:
"Judge Judith Potter acknowledged his [AKill] high level of skill and said a conviction could jeopardise his prospects, saying he has a potentially outstanding future ahead of him."
Now a lot of the above is linked in with Ryan Goldstein aka Digerati.

To summarise what happened with Digerati:
Digerati (aged 22 at the time) was in TeamLoosh; he fell out with "rofles" (TeamLoosh leader?), and 'rofles' then started a campaign against Digerati, posting his personal info and accusing him of being a paedo (which turned out to be true) all over the net, mainly anywhere Digerati posted. In revenge Digerati "hired" AKill to launch DDoS attacks against a number of targets including TAUNET and LCIRC (Ref).

Digerati went to the University of Pennsylvania and gained access to another student's username and password(s); he then supplied these details to AKill so he could update his bots. When AKill updated all his bots (all 50k of them) the traffic caused an accidental DDoS and alerted staff at the University of Pennsylvania, who reported the 'attack' to the FBI.

Whilst this was all going on, the Feds' "Operation Bot Roast" was in full swing, logging all IRC/forum chatter from known feeds. This chatter most probably included the conversations between Digerati and AKill (as they quote Digerati a number of times).

So... Owen Thor Walker aka AKill: would I describe him as "one of the world's best known hackers"? I would say he's best known for getting caught and getting away scot-free. A number of sources from 'the underground' report he snitched on Digerati and pushed the blame onto him, which obviously worked far better for the FBI: Digerati was a US citizen and a "known trouble maker". For his troubles he got 90 days in prison, 90 days in a "halfway house" and 180 days of house arrest, and was banned from using computers for 5 years (unless it was for work or school). Nothing happened in regards to the 1000+ child porn pics he had.

It would have been a very hard case to extradite AKill to the US for conviction:
AKill left school at the age of 14 due to bullying and was home schooled; he had no friends and no social life, and has Asperger's syndrome (a disorder in the same family as autism, characterised by very poor social interaction (thx Google)). He was also only 18 at the time of his conviction, so putting a 'boy' like that into jail would have ended up making him somebody's bitch for the next 7-10 years.

At the end of the day, AKill and Digerati acted like kids and that's what got them caught.

Would I hire him? Hell no. He is no different from the rest of the script kiddies who argue on the internet.

The best known hackers are the unknown hackers, the ones who don't get caught.

D3ADLiN3