Stupid hacker tricks, part two: The folly of youth

Sociopathic youngsters who have behaved very, very badly -- and paid for it

Ah, youth. Ready to take on the world, today's generation of dynamic, tech-immersed youngsters have grown up alongside the Internet. Firsthand, and sometimes single-handedly, they have advanced some of today's hottest technology trends, from peer-to-peer networking, to massively multiplayer online games, to social networks and instant messaging. And along the way, a small, sociopathic number of them have behaved very, very badly.

Even the very definition of poor online behavior has been advanced by these cyberschnooks. Armed with broadband and lots of unsupervised free time in front of the computer, shielded by the relative anonymity of the Web, they've managed to transform themselves from Those Neighborhood Kids Who Set Fires and Torture Small Animals into international menaces who destroy online communities, damage the reputation and utility of online services, and steal anything worth taking from the Net -- all while mangling the English language as thoroughly as possible.

Fortunately for the rest of us, while using the Net's multiplier effect to their nefarious benefit, most are as sloppy and egotistical as we've come to expect from the young and delinquent, leaving a bread-crumb trail a mile wide for authorities to follow. And when they cross the line, as many of these tech-savvy Nelson Muntzes eventually do, it's with more than a little schadenfreude that white-hat vigilantes posse up to take them down.

It is to these ne'er-do-wells that this latest installment of "Stupid hacker tricks" is dedicated. Call it Portrait of the Stupid Hacker as a Young Man.

You got Rbot in Mytob, you Zlob

Perp: Farid "Diab10" Essebar

Status: Currently a guest of the Moroccan prison system. His prison sentence is scheduled to end later this year.

Dossier: In 2005, at the ripe old age of 18, Farid Essebar probably thought he was untouchable. Working with accomplices in his home country of Morocco and in Turkey, the Russian-born Essebar wrote and distributed the Mytob, Rbot and Zotob botnet Trojan horses. The malware infected thousands of computers at large corporations, U.S. government departments and media companies, and was built to log keystrokes and steal financial and personal data.

Among the targets reported to have major outbreaks on Aug. 15, 2005, were Daimler Chrysler, ABC News, CNN, The New York Times, the U.S. Senate, the Centers for Disease Control and Prevention, and Immigration and Customs Enforcement. Affected computers typically got into a cycle where they rebooted constantly, spread the malware to other computers on the network, then provided remote access to infected computers to a bot herder. The Zotob variant spread rapidly, taking advantage of unpatched Windows computers using a vulnerability disclosed only days earlier.

Essebar also fell prey to the braggadocio bug, a common ailment. When University of Pennsylvania security researcher David Taylor deliberately infected a computer with Zotob and stumbled into one of Essebar's botnet IRC channels, he struck up a conversation with him. Surprisingly, Essebar responded, gloating that he earned substantial sums using his bot to install adware on infected computers.

But within seven days, the FBI, working in concert with local law enforcement and Microsoft employees, sent teams of computer experts to Rabat, Morocco, and Ankara, Turkey. On Aug. 25, less than two weeks after the outbreak began, authorities arrested Essebar, as well as then-20-year-old Achraf Bahloul in Rabat. The team in Ankara paid a visit to, and arrested, then-21-year-old Atilla "Coder" Ekici, alleging that he paid Essebar to write the Zotob variant. A bit more than a year after the initial arrest, Moroccan authorities convicted Essebar of illegal access to computer systems, theft, credit card fraud and conspiracy, and sentenced him to two years in prison.

Authorities were able to clearly identify Essebar as the author of the worm; not only had he signed it with the words "by Diabl0" buried in the source code, but he'd written the worm using Microsoft's Visual Studio, which embeds information about the computer on which the code is written into the compiled program -- in this case, the directory path "C:\Documents and Settings\Farid." D'oh!
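The embedded path that gave Essebar away is the kind of build artifact a forensic analyst looks for first. The following is an added example, not code from the original article or from the case: it scans a binary for the CodeView "RSDS" debug records that Visual Studio writes into compiled programs, pulls out the PDB path, and extracts the account name from a Windows profile directory. The sample bytes and the account name in them are constructed placeholders.

```python
import struct
import uuid

# Constructed sample: a fragment of a PE debug section. It contains a decoy
# "RSDS" with no path behind it, then one real CodeView record whose PDB path
# names a placeholder Windows account (not the one from the case).
SAMPLE_BINARY = (
    b"\x00" * 32
    + b"RSDS" + b"\x01\x02\x03" + b"\xff" * 30        # decoy: no path follows
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 2)
    + b"C:\\Documents and Settings\\EXAMPLE-USER\\worm\\Release\\worm.pdb\x00"
    + b"\x00" * 16
)

def find_rsds_records(data):
    """Return (offset, guid, age, pdb_path) for each CodeView RSDS record in data.

    Layout after the 'RSDS' signature: 16-byte PDB GUID, 4-byte age (little
    endian), then a NUL-terminated PDB path. Matches that lack a plausible
    path are treated as noise and skipped.
    """
    results = []
    pos = 0
    while True:
        pos = data.find(b"RSDS", pos)
        if pos < 0 or pos + 24 > len(data):
            break
        guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
        age = struct.unpack_from("<I", data, pos + 20)[0]
        end = data.find(b"\x00", pos + 24)
        if end < 0:
            break
        path = data[pos + 24:end].decode("utf-8", errors="replace")
        if path and path.isprintable() and (path[1:3] == ":\\" or path.startswith("/")):
            results.append((pos, str(guid), age, path))
        pos += 4
    return results

def user_from_pdb_path(path):
    """Extract <name> from C:\\Users\\<name>\\... or C:\\Documents and Settings\\<name>\\..."""
    parts = path.replace("/", "\\").split("\\")
    for marker in ("Users", "Documents and Settings"):
        if marker in parts and parts.index(marker) + 1 < len(parts):
            return parts[parts.index(marker) + 1]
    return None

if __name__ == "__main__":
    for off, guid, age, path in find_rsds_records(SAMPLE_BINARY):
        print(f"offset=0x{off:x} guid={guid} age={age} path={path} user={user_from_pdb_path(path)}")
```

On a real sample, read the file with `open(name, "rb").read()` and pass it to `find_rsds_records`; the same scan also surfaces paths left by other compilers that emit CodeView records.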

When Moroccan cops seized his computer, Essebar had formatted the hard drive. Forensic specialists helped recover the source code, which had not been completely wiped clean from the drive. In contrast, Turkish authorities had a more difficult time establishing evidence against Ekici because he'd physically removed and thrown out his hard drive days earlier.

Lessons learned: If you don't want to draw attention to yourself, avoid targeting major media organizations with your poorly designed malware attacks. Always throw out your hard drive that contains all the source code and evidence of your criminal malware creations before the cops arrive. Name your account on your malware creation computer something innocuous, like "user." Also, neither Turkish nor Moroccan prisons are places you want to be. Ever.

When the DDoS ain't stoppin', expect the cops to come knockin'

Perps: Ivan Maksakov, Alexander Petrov and Denis Stepanov

Status: All three are guests of the Russian penal system, sentenced to eight years at hard labor and a 100,000 ruble fine.

Dossier: Looking to make a little extra money while at college in 2003, Ivan Maksakov, then 22, devised an inventive, entrepreneurial scheme that probably sounded good at the time. He created a botnet to engage in distributed denial-of-service (DDoS) attacks and then blackmailed online gambling sites based in the U.K., threatening to take the sites down during major sporting events.

However, Maksakov -- a student at the Balakov Institute of Engineering, Technology and Management -- couldn't anticipate that the Russian government, looking to demonstrate its resolve in dealing with cybercriminals, would make an example of him.

The botnet, based in Houston, was directed to launch DDoS attacks against the U.K.-based bookmaking Web sites and online casinos only if Maksakov's demands weren't met. According to Russian news reports, Maksakov, along with co-conspirators Alexander Petrov and Denis Stepanov, attacked nine Web sites from fall 2003 until spring 2004. The sites were initially attacked for a short time, before a ransom demand was e-mailed.

In one example, the attacks crippled a site run by Canbet Sports Bookmakers during the Breeders' Cup horse races, costing the firm $200,000 for each day it was offline. But even when the firm paid a $40,000 ransom to a Western Union account in Riga, Latvia, the attacks continued.

Authorities allege that the attacks for which the trio were convicted cost the U.K.-based Web site operators upward of $4 million, not including an additional $80 million the companies paid out for additional bandwidth and security hardware designed to thwart DDoS attacks. Charges weren't filed for 54 similar attacks that the group is alleged to have engaged in, affecting companies in 30 other countries.

Britain's intelligence services tracked the IP address used to send commands to the botnet to Maksakov's home computer. When the British government provided the information to the Russian Federation's Interior Ministry, the three were arrested. Authorities say at least 13 others who have not been arrested were involved in the scheme, including 10 people working as "money mules" in Riga, two other cyberattackers in Kazakhstan and one more in Russia.

Lessons learned: Russia's a terrible place to base your operations for a criminal enterprise, unless you like taking long vacations in Siberia. Kazakhstan and Latvia seem to be much more agreeable. Also, if someone sends you 40 large, don't wait: Turn off the damn DDoS before MI5 gets involved.

Punked over a prank

Perp: Shawn Nematbakhsh

Status: Currently employed as a software engineer at a medical data company.

Dossier: One of the hottest technology topics of 2003 was how election systems were vulnerable. With the first presidential election since the Bush v. Gore fiasco coming up the following year, technologists were up in arms about the unreliability and untrustworthiness of electronic balloting systems, and were eager to prove their point.

Enter Shawn Nematbakhsh, computer science undergraduate at the University of California, Riverside. Was he eager -- perhaps a bit too eager -- to make a point about the electronic balloting system that the university employed to hold student council elections, when he cast 800 votes for a fictitious candidate named American Ninja? Sadly, no.

"I really wasn't making any point at all," Nematbakhsh admits, debunking news reports to the contrary. "It was a senior prank, a silly thing."

The student council elections were held over the Web. Students could log into a special page and cast their ballots for student council members and student body president. Unfortunately, the election system suffered from a serious internal weakness. "There was some input that was not bounds-checked, so using certain input you could vote as anyone," Nematbakhsh explains. "I wrote a script that would log in, cast a vote, log out, then log in again, cast another vote and so on."

But seriously, American Ninja? "That year I remember watching that really stupid movie and talking about it with my friends, and it was the first thing that came [to mind]," he said.

Nematbakhsh said the jig was up when campus police called him in to discuss the incident. He'd told some friends about the vulnerability he had discovered in the voting system, and his name had eventually surfaced in the investigation. When asked, Nematbakhsh immediately admitted his involvement in the prank.

"I confessed to doing it, thinking it wasn't such a big deal. I thought they might fine me, or suspend me for a quarter or something," he said. That did happen, but a month later, he also faced criminal charges that could have landed him prison time.

In the end, he arranged a deal to accept a misdemeanor charge. His sentence: "I had to pick up trash on the weekends for three or four months, and pay back the cost of the election -- a couple thousand dollars."

Lessons learned: "Getting caught was kind of a wake-up call, that the Internet was not some kind of playground and I couldn't do what I wanted to all the time. I had to obey the law. The prank was not well received by a lot of people at the school."

Nematbakhsh's advice to potential election pranksters: "Things like that seem funny when you're doing them, but when you get caught, it's not much fun. I'd caution against silly pranks like the one I did."

The worst paid cybercriminal in federal prison

Perp: Robert Moore

Status: Moore is currently a guest of the federal prison system and will remain so until 2009.

Dossier: As one of the oldest members of this youthful brigade of miscreants, Robert Moore, 23, was involved in crimes that caused some of the greatest financial losses to victims of anyone featured in this rogue roundup -- though he didn't reap many financial rewards himself.

Federal agents claim in court papers that Moore, and the ringleader of the scheme, Edwin Pena, defrauded at least 15 VoIP phone companies to the tune of more than $300,000 each in broadband service charges by hacking into the VoIP companies' networks and then reselling stolen phone call minutes at a deep discount.

Pena, who lacked the technical skills to pull off the scam alone, recruited Moore to do his hacker thing, which he accomplished with aplomb. But even though Moore did manage to pull off the scam for nearly two years before getting caught, his success wasn't because of any superior hacking skills on his part.

In an interview Moore gave just before his incarceration began, he explained that his job was made all the easier by system administrators who never changed the passwords on their Cisco routers and Quintum Tenor VoIP gateways from the default factory settings. Moore threw together an application that scanned IP address ranges for vulnerable boxes and then used those routers to send the call traffic through the busiest hacked networks, which masked the large amounts of data.

Pena made well over $1 million reselling the more than 10 million stolen minutes; Moore was reported to have been paid just $20,000 by Pena for his part in the scheme. With his ill-gotten proceeds, Pena bought houses in six states, luxury cars (including two BMWs and a Cadillac Escalade), and a 40-foot Sea Ray MerCruiser yacht. Moore reportedly is more annoyed that he cannot use a computer than that he was sentenced to two years in the federal pokey.

"It's so easy, a caveman can do it," Moore said in the interview. Cavemen were reportedly pissed at, once again, being presented in a negative light by a guy who himself got shafted -- twice -- by his partner in crime.

Moore ended up surrendering when federal agents showed up at his door. When Pena was arrested, the mother of Pena's girlfriend put up two of her properties as collateral on Pena's bail; once out of jail, Pena promptly fled the country and is believed to be in Venezuela, leaving everyone high and dry.

Lessons learned: If your partner in your massive criminal enterprise is making 50 times what you're making, but you're both sharing an equal risk of prosecution, look for a better-paying job in another criminal enterprise. Also, if you're the mastermind's girlfriend (or her mom), and you've paid for his bail with your house, for the love of god hide his passport.
