Script Kiddie Botnet Operators Ask For Jobs From Security Company That Shut Them Down
from the didn't-work dept
The BBC has a story about how the operators of one of the larger botnets that was recently shut down showed up at the offices of a security researcher who helped bring them down... asking for a job. The article highlights how the researcher, Luis Corrons, basically had figured out who was running the botnet after one of the operators made a mistake and revealed his home computer... which actually was not far from where Corrons worked. It was shut down at the end of last year, but a few months later, Corrons had an interesting experience:In late March Mr Corrons was preparing for a meeting at Panda's Bilbao lab with a journalist and took a moment to dodge downstairs to get a drink. On the way down he passed two young men coming up.Instead, they asked him for a job, saying that the shutdown of the botnet had "robbed them of their livelihood." Apparently, the two guys started following Corrons on Twitter, sending messages his way and commenting on his blog, before asking for work again. They finally brought in one of the guys for an interview, noting that they wouldn't hire anyone involved in criminal activity. The guy responded that he hadn't been charged with anything. However, Corrons also quickly realized that the guy barely had any technical skills -- pointing out that he didn't write the bot, he just ran it:
One asked if he was Luis Corrons. He said yes while wondering who they were.
They introduced themselves which left him no wiser. Then, one of them said; "I'm Ostiator and this is Netkairo."
"It was then I realised these guys were the ones that were arrested in the Mariposa case," he told the BBC. "I thought they wanted to teach me a lesson."
"He got really annoyed at that moment, when we told him he was not good enough," said Mr Corrons. Subsequent discussion revealed just how poor their skills were.So, for the script kiddies out there, perhaps before asking for a job from the security researchers who bring your botnet down, you do a bit of work to make sure you have the actual skills.
"They were given the botnet with all the stuff they needed," said Mr Corrons. "Using it was like using any other program."
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
EPIC FAIL!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
We all have made mistakes when we were young, it is the age of the dumb and it ends about 35 mostly give it or take some years. Besides most security experts I know and see all started as a scriptkid that wanted to have some fun at some point, One of the founders of Apple put a mock bomb in a locker once, if he did that today he would go to jail and that is a shame.
Somewhere along the line people lost the patience to teach others in the right way, we forgot compassion and start thinking we can force others to do things, that creates a rich environment for destructive behaviour to flourish because it feeds anger and frustration.
[ link to this | view in chronology ]
Re: Re:
So at this point, it's not a lost opportunity at all. Now if he had gone to school for security and then decided to apply for a job, that might be a different thing.
[ link to this | view in chronology ]
Re: Re:
yes we all made mistakes, how many of us got a job offer because we made a mistake? i certainly never have. cant recall the last time i caused a collision and was offered a job by the highway patrol involving traffic safety.
we didnt loose the patience to teach eachotehr, parents lost the abiltiy to raise their kids. its not a commune or collective. parents are supposed to be the ones making sure their precious little snowflakes are ready for the big bad world, not society in general.
....and lately parents have been doing a pretty crap job of it in some cases....
[ link to this | view in chronology ]
Re: Re: Re:
Now what I disagree.
If to give a job is to give a reward you are correct, but in the case of misguided youth the job granting is not to grant them a reward but schooling on how to be an upstanding citizen, is to give a window into the other side and the opportunity to learn by example, people will copy how others act, if you put them in an good environment they will learn things and will not even realize and it almost doesn't matter what the home is like which leads me to the other point.
It is not the parents sole responsibility to educate their sons and daughters, it is the entire community responsibility, parents in many ways are not well suited for that job, the environment is also important and in many occasions the home environment is completely irrelevant being supplanted by external environment parameters.
Real world experience, if you grown up in a chantytown your view of the world will be very different from the view of someone raised in Beverly Hills, people act differently and that is a product of the environment, that can be changed but it is hard to change things after they have settled in.
Another example, I was playing a web browser game, moderators in American servers where brutal, inconsiderate and plain control freaks, Americans are control freaks because of their environment they believe in forcing things and they pass that to their government that draws its man power from inside society, the U.S. is not a monarchy, the servers managed by Europeans in contrast where more loose, managers tended to ignore some things, let some things pass if you talked to them and to them it was about trust, for the American managers it was about rules.
In Japan even the criminals believe in trust, if they give you their word that is good as signed agreement and it is enforced inside that culture, to violate that trust have severe consequences.
Another example from real life:
In the U.S. I saw in the streets a couple passing by a group of teenagers and some policemen saw the kids and asked the couple if everything was ok, that is good and fine, but it was a veiled threat to the teenagers, it was about showing of force not solving problems, they could have gone in more stealthy and talked to the kids like nothing was going on while making sure the kids weren't bothering anyone, they chose confrontation instead of dialogue. In Japan I saw some unruly teenagers hanging out in a game parlour and making noise they were scary to say the least, at one point the manager or owner came down to talk to them, instead of booting the kids out he proposed to them that if they could keep others from bothering the customers those kids would have free pass to play what they wanted, the guy turned evil kids into employee's and for that case it worked wonders, the kids even had the security call on them to solve problems with other kids.
Make no mistake, Americans have the government they deserve because they taught those values to everyone and enforce those things.
[ link to this | view in chronology ]
On Second Though
[ link to this | view in chronology ]
Re: grumpy
[ link to this | view in chronology ]
Re: Re: grumpy
[ link to this | view in chronology ]
Re: Re: Re: grumpy
- Collection of information and tools in the wild.
- Organization of information acquired.
- Testing of tools, give them the toys and let them test it to see how far they go.
- Infiltration, monitoring and reporting of the underground where they already have the knowledge where to find those things.
Anything really that is not important, what is important is showing by example how a human being should view society and how someone can function inside that society, the tech is just and excuse for that. If left alone to themselves they probably will end up worst then what they are now. That is a shame and sad. Do I think the guy who didn't hire them is wrong or something? No, if he didn't imagine the scenario he probably is not capable of doing it in the first place and maybe he doesn't have the time, money or patience to do it either still is sad that we found ourselves in a position were we don't think about those things.
[ link to this | view in chronology ]
Re: Re: grumpy
people may learn from their mistakes, but they never change. if anything, he'll get better at covering his tracks.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
not even in quantum theory.
[ link to this | view in chronology ]
Re: Re:
BTW: We have White Hat and Black Hat Hackers. Think of script kiddies as Ass Hat Hackers.
[ link to this | view in chronology ]
I suppose that is true, including some three letter acronym government organisations.
[ link to this | view in chronology ]
Re:
We call them alphabet agencies. It sounds soooooo much cooler....
[ link to this | view in chronology ]
bit like when corps give the leader of the union a nice fat different job to shut him up.
[ link to this | view in chronology ]
Now reality sets in.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
bahaha
[ link to this | view in chronology ]
from united hackers association
we make the stuff and it gets abused by morons whom get caught doing illegal stuff, and they prolly dont even know how to code in C
let alone C++ , C# , perl, cgi, php, etc name your languages.
scruipt kiddy knowledge
./configure
./make stupid
./stupid
[ link to this | view in chronology ]
Re: from united hackers association
[ link to this | view in chronology ]
Great Reward
So it sounds like, "Behave yourself and we'll treat you like everyone else. Be a threatening ass and we'll give you free stuff." That used to be known as extortion, but maybe I'm such an outdated fossil that I just don't understand the hip new world.
Rewarding computer intruders for their criminal behavior is the same thing. There's already this weird romantic notion that an acceptable career path is commit some break ins, get caught, profess remorse, then clean up as security consultant. How much illegal behavior are we supposed to put up with from misunderstood kiddies working on their long term career goals?
Maybe not shoot them, but they certainly shouldn't be rewarded. I sure wouldn't want them in my shop.
[ link to this | view in chronology ]
Such idiot script kiddies.
[ link to this | view in chronology ]
My thoughts…
Anyway, at about 18 years old i switched from wanting to be a music major to computer science because i had a passion to really know how computers ticked, and an undeniable need to express myself through coding. Not only did i go to school for CS, i also learned much on my own and eventually found myself getting heavily involved with the .net platform. .Net became my hobby and eventually, my career.
My point is, some malicous script-kiddy does not equal a computer scientist or software engineer. If one of these SRJs eventually grows up and discovers they want to actually hone the programming craft, then they will go to school, apply for jobs, and become a respected part of the development community. I see no reason for a private company to offer some punk kid a job because their only hobby was to create a mess using things others developed with no or little understanding of the internal workings. Id be all for a prison program for these guys where they are taught actual computer science, but thats up to the tax paying citizens of that local jurisdiction. My company personally doesnt have any such correctional training program -its simply not our job.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]