Stupid hacker tricks, part two: The folly of youth

Tech-savvy delinquents set the Net aflame with boneheaded exploits that earn them the wrong kind of fame

Ah, youth. Ready to take on the world, today's generation of dynamic, tech-immersed youngsters have grown up alongside the Internet. Firsthand, and sometimes single-handedly, they have advanced some of today's hottest technology trends, from peer-to-peer networking, to massively multiplayer online games, to social networks and instant messaging. And along the way, a small, sociopathic number of them have behaved very, very badly.

[ For further tales of bone-headed cyberschnookery, see the original "Stupid hacker tricks" story ]

Even the very definition of poor online behavior has been advanced by these cyberschnooks. Armed with broadband and lots of unsupervised free time in front of the computer, shielded by the relative anonymity of the Web, they've managed to transform themselves from Those Neighborhood Kids Who Set Fires and Torture Small Animals into international menaces who destroy online communities, damage the reputation and utility of online services, and steal anything worth taking from the Net -- all while mangling the English language as thoroughly as possible. 

Fortunately for the rest of us, while using the Net's multiplier effect to their nefarious benefit, most are as sloppy and egotistical as we've come to expect from the young and delinquent, leaving a bread-crumb trail a mile wide for authorities to follow. And when they cross the line, as many of these tech-savvy Nelson Muntzes eventually do, it's with more than a little schadenfreude that white-hat vigilantes posse up to take them down.

It is to these ne'er-do-wells that this latest installment of "Stupid hacker tricks" is dedicated. Call it Portrait of the Stupid Hacker as a Young Man.

[ Stupid juvy hacker trick No. 1: You got Rbot in Mytob, you Zlob ]

You got Rbot in Mytob, you Zlob

Farid "Diab10" Essebar

Currently a guest of the Moroccan prison system. His prison sentence is scheduled to end later this year.

In 2005, at the ripe old age of 18, Farid Essebar probably thought he was untouchable. Working with accomplices in his home country of Morocco and in Turkey, the Russian-born Essebar wrote and distributed the Mytob, Rbot, and Zotob botnet Trojans. The malware infected thousands of computers at large corporations, U.S. government departments, and media companies and was built to log keystrokes and steal financial and personal data.

[ For more IT-related idiocy, check out "Stupid user tricks" and "More stupider user tricks redux" ]

Among the targets reported to have major outbreaks on Aug. 15, 2005, were Daimler Chrysler, ABC News, CNN, The New York Times, the U.S. Senate, the Centers for Disease Control and Prevention, and Immigration and Customs Enforcement. Affected computers typically got into a cycle where they rebooted constantly, spread the malware to other computers on the network, then provided remote access to infected computers to a bot herder. The Zotob variant spread rapidly, taking advantage of unpatched Windows computers using a vulnerability disclosed only days earlier.

Essebar also fell prey to the braggadocio bug, a common ailment. When University of Pennsylvania security researcher David Taylor deliberately infected a computer with Zotob, and stumbled into one of Essebar's botnet IRC channels, he struck up a conversation with him. Surprisingly, Essebar responded, gloating that he earned substantial sums using his bot to install adware on infected computers.

But within seven days, the FBI, working in concert with local law enforcement and Microsoft employees, sent teams of computer experts to Rabat, Morocco, and Ankara, Turkey. On Aug. 25, less than two weeks after the outbreak began, authorities arrested Essebar, as well as then-20-year-old Achraf Bahloul in Rabat. The team in Ankara paid a visit to, and arrested, then-21-year-old Atilla "Coder" Ekici, alleging that he paid Essebar to write the Zotob variant. A bit more than a year after the initial arrest, Moroccan authorities convicted Essebar of illegal access to computer systems, theft, credit card fraud, and conspiracy, and sentenced him to two years in prison.

Authorities were able to clearly identify Essebar as the author of the worm; not only had he signed it with the words "by Diabl0" buried in the source code, but he'd written the worm using Microsoft's Visual Studio, which embeds information about the computer on which the code is written into the compiled program -- in this case, the directory path "C:\Documents and Settings\Farid." D'oh!

When Moroccan cops seized his computer, Essebar had formatted the hard drive. Forensic specialists helped recover the source code, which had not been completely wiped clean from the drive. In contrast, Turkish authorities had a more difficult time establishing evidence against Ekici because he'd physically removed and thrown out his hard drive days earlier.

Lessons learned
If you don't want to draw attention to yourself, avoid targeting major media organizations with your poorly designed malware attacks. Always throw out your hard drive that contains all the source code and evidence of your criminal malware creations before the cops arrive. Name your account on your malware creation computer something innocuous, like "user." Also, neither Turkish nor Moroccan prisons are places you want to be. Ever.

[ Stupid juvy hacker home | Stupid juvy hacker trick No. 2: When the DDoS ain't stoppin' expect the cops to come knockin' ]

When the DDoS ain't stoppin' expect the cops to come knockin'

Ivan Maksakov, Alexander Petrov, and Denis Stepanov

All three are guests of the Russian penal system, sentenced to eight years at hard labor and a 100,000 ruble fine

Looking to make a little extra money while at college in 2003, Ivan Maksakov, then 22, devised an inventive, entrepreneurial scheme that probably sounded good at the time: He created a botnet to engage in DDoS (distributed denial-of-service) attacks and then blackmailed online gambling sites based in the U.K., threatening to take the sites down during major sporting events.

[ Don't think you're a security sieve? Prove it by mastering our Security IQ test ]

However, Maksakov -- a student at the Balakov Institute of Engineering, Technology, and Management -- couldn't anticipate that the Russian government, looking to demonstrate its resolve in dealing with cybercriminals, would make an example of him.

The botnet, based in Houston, was directed to launch DDoS attacks against the U.K.-based bookmaking Web sites and online casinos only if Maksakov's demands weren't met. According to Russian news reports, Maksakov, along with co-conspirators Alexander Petrov and Denis Stepanov, attacked nine Web sites from the fall of 2003 until spring 2004. The sites were initially attacked for a short time, before a ransom demand was e-mailed.

In one example, the attacks crippled a site run by Canbet Sports Bookmakers during the Breeders' Cup horse races, costing the firm $200,000 for each day it was offline. But even when the firm paid a $40,000 ransom to a Western Union account in Riga, Latvia, the attacks continued.

Authorities allege that the attacks for which the trio were convicted cost the U.K.-based Web site operators upward of $4 million, not including an additional $80 million the companies paid out for additional bandwidth and security hardware designed to thwart DDoS attacks. Charges weren't filed for 54 similar attacks the group is alleged to have engaged in, affecting companies in 30 other countries.

Britain's intelligence services tracked the IP address used to send commands to the botnet to Maksakov's home computer. When the British government provided the information to the Russian Federation's Interior Ministry, the three were arrested. Authorities say at least 13 others who have not been arrested were involved in the scheme, including 10 people working as "money mules" in Riga, two other cyberattackers in Kazakhstan, and one more in Russia.

Lessons learned
Russia's a terrible place to base your operations for a criminal enterprise, unless you like taking long vacations in Siberia. Kazakhstan and Latvia seem to be much more agreeable. Also, if someone sends you 40 large, don't wait: Turn off the damn DDoS before MI-5 gets involved.

[ Stupid juvy hacker home | Stupid juvy hacker trick No. 3: Punked over a prank ]

Punked over a prank

Shawn Nematbakhsh

Currently employed as a software engineer with a medical data company.

One of the hottest technology topics of 2003 was how election systems were vulnerable. With the first presidential election since the Bush v. Gore fiasco coming up the following year, technologists were up in arms about the unreliability and untrustworthiness of electronic balloting systems, and were eager to prove their point.

[ Learn how to guard your network against social engineering hacks by thinking like an online con-artist ]

Enter Shawn Nematbakhsh, computer science undergraduate at the University of California, Riverside. Was he eager -- perhaps a bit too eager -- to make a point about the electronic balloting system that the university employed to hold student council elections, when he cast 800 votes for a fictitious candidate named American Ninja? Sadly, no.

"I really wasn't making any point at all," Nematbakhsh admits, debunking news reports to the contrary. "It was a senior prank, a silly thing."

The student council elections were held over the Web. Students could log in to a special page and cast their ballots for student council members and student body president. Unfortunately, the election system suffered from a serious internal weakness: "There was some input that was not bounds-checked, so using certain input you could vote as anyone," Nematbakhsh explains. "I wrote a script that would log in, cast a vote, log out, then log in again, cast another vote, and so on."

But seriously, American Ninja? "That year I remember watching that really stupid movie and talking about it with my friends, and it was the first thing that came [to mind]," he said.

Nematbakhsh says the jig was up when campus police called him in to discuss the incident. He'd told some friends about the vulnerability he had discovered in the voting system, and his name had eventually surfaced in the investigation. When asked, Nematbakhsh immediately admitted his involvement in the prank.

"I confessed to doing it, thinking it wasn't such a big deal. I thought they might fine me, or suspend me for a quarter or something," he says. That did happen, but a month later, he also faced criminal charges that could have landed him prison time.

In the end, he arranged a deal to accept a misdemeanor charge. His sentence: "I had to pick up trash on the weekends for three or four months, and pay back the cost of the election -- a couple thousand dollars."

Lessons learned
"Getting caught was kind of a wake-up call, that the Internet was not some kind of playground and I couldn't do what I wanted to all the time. I had to obey the law. The prank was not well received by a lot of people at the school."

Nematbakhsh's advice to potential election pranksters: "Things like that seem funny when you're doing them, but when you get caught, it's not much fun. I'd caution against silly pranks like the one I did."

[ Stupid juvy hacker home | Stupid juvy hacker trick No. 4: The worst paid cybercriminal in federal prison ]

The worst paid cybercriminal in federal prison

Robert Moore

Moore is currently a guest of the federal prison system and will remain so until 2009.

As one of the oldest members of this youthful brigade of miscreants, Robert Moore, 23, was involved in crimes that caused among the greatest financial losses to his victims of anyone featured in this rogue roundup -- though he didn't reap many financial rewards himself.

[ Prove your tech chops by acing our fun-filled IT IQ test ]

Federal agents claim in court papers that Moore, and the ringleader of the scheme Edwin Pena, defrauded at least 15 VoIP phone companies to the tune of more than $300,000 each in broadband service charges by hacking into the VoIP companies' networks and then reselling stolen phone call minutes at a deep discount.

Pena, who lacked the technical skills to pull off the scam alone, recruited Moore to do his hacker thing, which he accomplished with aplomb. But while Moore did manage to pull off the scam for nearly two years before getting caught, his success wasn't due to any superior hacking skills on his part.

In an interview Moore gave just before his incarceration began, he explained that his job was made all the easier by system administrators who never changed the passwords on their Cisco routers and Quintum Tenor VoIP gateways from the default factory settings. Moore threw together an application that scanned IP address ranges for vulnerable boxes and then used those routers to send the call traffic through the busiest hacked networks, which masked the large amounts of data.

Pena made well over $1 million reselling the more than 10 million stolen minutes; Moore was reported to have been paid just $20,000 by Pena for his part in the scheme. With his ill-gotten proceeds, Pena bought houses in six states, luxury cars (including two BMWs and a Cadillac Escalade), and a 40-foot Sea Ray MerCruiser yacht. Moore reportedly is more annoyed that he cannot use a computer than the fact that he was sentenced to two years in federal pokey.

1 2 Page 1
Page 1 of 2
How to choose a low-code development platform