Script Kiddie Botnet Operators Ask For Jobs From Security Company That Shut Them Down

from the didn't-work dept

The BBC has a story about how the operators of one of the larger botnets that was recently shut down showed up at the offices of a security researcher who helped bring them down... asking for a job. The article highlights how the researcher, Luis Corrons, basically had figured out who was running the botnet after one of the operators made a mistake and revealed his home computer... which actually was not far from where Corrons worked. It was shut down at the end of last year, but a few months later, Corrons had an interesting experience:
In late March Mr Corrons was preparing for a meeting at Panda's Bilbao lab with a journalist and took a moment to dodge downstairs to get a drink. On the way down he passed two young men coming up.

One asked if he was Luis Corrons. He said yes while wondering who they were.

They introduced themselves which left him no wiser. Then, one of them said; "I'm Ostiator and this is Netkairo."

"It was then I realised these guys were the ones that were arrested in the Mariposa case," he told the BBC. "I thought they wanted to teach me a lesson."
Instead, they asked him for a job, saying that the shutdown of the botnet had "robbed them of their livelihood." Apparently, the two guys started following Corrons on Twitter, sending messages his way and commenting on his blog, before asking for work again. They finally brought in one of the guys for an interview, noting that they wouldn't hire anyone involved in criminal activity. The guy responded that he hadn't been charged with anything. However, Corrons also quickly realized that the guy barely had any technical skills -- pointing out that he didn't write the bot, he just ran it:
"He got really annoyed at that moment, when we told him he was not good enough," said Mr Corrons. Subsequent discussion revealed just how poor their skills were.

"They were given the botnet with all the stuff they needed," said Mr Corrons. "Using it was like using any other program."
So, for the script kiddies out there, perhaps before asking for a job from the security researchers who bring your botnet down, you do a bit of work to make sure you have the actual skills.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: breach, jobs, security


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    BearGriz72 (profile), 10 Jun 2010 @ 2:11am

    EPIC FAIL!

    LMAO...

    link to this | view in chronology ]

  • identicon
    LoL, 10 Jun 2010 @ 2:19am

    I almost feel sorry for the poor schmuck's, almost LoL

    link to this | view in chronology ]

  • icon
    grumpy (profile), 10 Jun 2010 @ 2:44am

    I would never work with anyone who'd run a botnet. Not because they might be dumb s'kiddies but because they've been a**holes. Botnets are for robbing other people or vandalizing. I don't care about doing time and coming out with a clean slate - if you want to be trusted to work with security you walk the straight and narrow path from the beginning.

    link to this | view in chronology ]

    • identicon
      LoL, 10 Jun 2010 @ 4:15am

      Re:

      I disagree respectfully. What I see here is a lost opportunity to turn misguided youth into something productive a lost opportunity to educate and train people to do something good. That would bring change in society, that would bring real security to all but it is hard and time consuming.

      We all have made mistakes when we were young, it is the age of the dumb and it ends about 35 mostly give it or take some years. Besides most security experts I know and see all started as a scriptkid that wanted to have some fun at some point, One of the founders of Apple put a mock bomb in a locker once, if he did that today he would go to jail and that is a shame.

      Somewhere along the line people lost the patience to teach others in the right way, we forgot compassion and start thinking we can force others to do things, that creates a rich environment for destructive behaviour to flourish because it feeds anger and frustration.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 10 Jun 2010 @ 4:24am

        Re: Re:

        I'm pretty sure script kiddies don't have any talent. In fact, that's part of the definition of script kiddies. They don't understand how anything works; they just run scripts. In fact, the article states that it was revealed that the guy had absolutely no skills in security at all.

        So at this point, it's not a lost opportunity at all. Now if he had gone to school for security and then decided to apply for a job, that might be a different thing.

        link to this | view in chronology ]

      • icon
        harbingerofdoom (profile), 10 Jun 2010 @ 6:48am

        Re: Re:

        what you are failing to see here is that companies do not hire people in order to turn misguided youths into something productive. companies hire people that are effective and going to produce in order to add to their bottom line. harsh but true.

        yes we all made mistakes, how many of us got a job offer because we made a mistake? i certainly never have. cant recall the last time i caused a collision and was offered a job by the highway patrol involving traffic safety.

        we didnt loose the patience to teach eachotehr, parents lost the abiltiy to raise their kids. its not a commune or collective. parents are supposed to be the ones making sure their precious little snowflakes are ready for the big bad world, not society in general.

        ....and lately parents have been doing a pretty crap job of it in some cases....

        link to this | view in chronology ]

        • identicon
          LoL, 10 Jun 2010 @ 5:25pm

          Re: Re: Re:

          Sorry I failed to be clear, I know how the real world works and you are correct in how companies do business and most of what you said. Its just a shame it is that way.

          Now what I disagree.

          If to give a job is to give a reward you are correct, but in the case of misguided youth the job granting is not to grant them a reward but schooling on how to be an upstanding citizen, is to give a window into the other side and the opportunity to learn by example, people will copy how others act, if you put them in an good environment they will learn things and will not even realize and it almost doesn't matter what the home is like which leads me to the other point.

          It is not the parents sole responsibility to educate their sons and daughters, it is the entire community responsibility, parents in many ways are not well suited for that job, the environment is also important and in many occasions the home environment is completely irrelevant being supplanted by external environment parameters.

          Real world experience, if you grown up in a chantytown your view of the world will be very different from the view of someone raised in Beverly Hills, people act differently and that is a product of the environment, that can be changed but it is hard to change things after they have settled in.

          Another example, I was playing a web browser game, moderators in American servers where brutal, inconsiderate and plain control freaks, Americans are control freaks because of their environment they believe in forcing things and they pass that to their government that draws its man power from inside society, the U.S. is not a monarchy, the servers managed by Europeans in contrast where more loose, managers tended to ignore some things, let some things pass if you talked to them and to them it was about trust, for the American managers it was about rules.

          In Japan even the criminals believe in trust, if they give you their word that is good as signed agreement and it is enforced inside that culture, to violate that trust have severe consequences.

          Another example from real life:

          In the U.S. I saw in the streets a couple passing by a group of teenagers and some policemen saw the kids and asked the couple if everything was ok, that is good and fine, but it was a veiled threat to the teenagers, it was about showing of force not solving problems, they could have gone in more stealthy and talked to the kids like nothing was going on while making sure the kids weren't bothering anyone, they chose confrontation instead of dialogue. In Japan I saw some unruly teenagers hanging out in a game parlour and making noise they were scary to say the least, at one point the manager or owner came down to talk to them, instead of booting the kids out he proposed to them that if they could keep others from bothering the customers those kids would have free pass to play what they wanted, the guy turned evil kids into employee's and for that case it worked wonders, the kids even had the security call on them to solve problems with other kids.



          Make no mistake, Americans have the government they deserve because they taught those values to everyone and enforce those things.

          link to this | view in chronology ]

      • identicon
        Stuart, 10 Jun 2010 @ 8:18am

        On Second Though

        Shoot the fuckers.

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 10 Jun 2010 @ 4:27am

      Re: grumpy

      that's a pretty good mindset to have. i mean, obviously there's no way someone could learn from their mistakes, right? it's a really good thing you've never broken any laws!

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 10 Jun 2010 @ 4:40am

        Re: Re: grumpy

        And it's a good thing you don't own a business. Proven lack of ethics, plus a total lack of skills... what job do you give a person like that? True, there are post-incarceration programs that offer training in, say, HVAC or auto mechanics; but this is a business, not a social services agency. Huge corporations can occasionally absorb totally unskilled applicants; not sure about the criminal part. Oh, wait -- maybe BP...

        link to this | view in chronology ]

        • identicon
          LoL, 10 Jun 2010 @ 4:36pm

          Re: Re: Re: grumpy

          "Proven lack of ethics, plus a total lack of skills... what job do you give a person like that?"

          - Collection of information and tools in the wild.
          - Organization of information acquired.
          - Testing of tools, give them the toys and let them test it to see how far they go.
          - Infiltration, monitoring and reporting of the underground where they already have the knowledge where to find those things.

          Anything really that is not important, what is important is showing by example how a human being should view society and how someone can function inside that society, the tech is just and excuse for that. If left alone to themselves they probably will end up worst then what they are now. That is a shame and sad. Do I think the guy who didn't hire them is wrong or something? No, if he didn't imagine the scenario he probably is not capable of doing it in the first place and maybe he doesn't have the time, money or patience to do it either still is sad that we found ourselves in a position were we don't think about those things.

          link to this | view in chronology ]

      • identicon
        Anonymous Coward, 10 Jun 2010 @ 4:42am

        Re: Re: grumpy

        i don't use my shift key to save electricity. what are you doing to save the earth/

        people may learn from their mistakes, but they never change. if anything, he'll get better at covering his tracks.

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 10 Jun 2010 @ 7:59am

      Re:

      Sry dis-agree but from a different point, our best security guys usually started off wearing black hats, not white ones...

      link to this | view in chronology ]

      • identicon
        rabbit, 10 Jun 2010 @ 9:00am

        Re: Re:

        script kiddie does not equal black hat.

        not even in quantum theory.

        link to this | view in chronology ]

      • icon
        lostalaska (profile), 10 Jun 2010 @ 2:44pm

        Re: Re:

        Yeah, but your best security guys that may have previously worn black hats were probably the ones that were also writing from scratch those kinds of scripts. So they understood the architecture of both operating systems and networks and had an intimate knowledge of all the hardware and software too. It's kind of like someone who is a wiz in word and plays around with macros thinking they can program their own OS.

        BTW: We have White Hat and Black Hat Hackers. Think of script kiddies as Ass Hat Hackers.

        link to this | view in chronology ]

  • identicon
    abc gum, 10 Jun 2010 @ 4:49am

    All those who run bot-nets are nefarious and underhanded?
    I suppose that is true, including some three letter acronym government organisations.

    link to this | view in chronology ]

    • icon
      Dark Helmet (profile), 10 Jun 2010 @ 6:45am

      Re:

      "I suppose that is true, including some three letter acronym government organisations."

      We call them alphabet agencies. It sounds soooooo much cooler....

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jun 2010 @ 5:31am

    they hire hackers that are actually dangerous that's all, these kids thought that was them until they were told some truths.

    bit like when corps give the leader of the union a nice fat different job to shut him up.

    link to this | view in chronology ]

  • icon
    cj (profile), 10 Jun 2010 @ 7:47am

    They probably thought they were "all that". But in reality... they are the scum of the earth in so many ways. Perhaps someone told them wrong, or they thought that what they were doing, would eventually get them fame and fortune on so many levels.


    Now reality sets in.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 10 Jun 2010 @ 8:58am

      Re:

      'Scum of the earth'? Try severing yourself from the computer just once a month or so, it might get you some much-needed perspective. Rapists, murderers, those are ACTUAL scum of the earth. These guys are simple script kiddies. Laugh and point at them? Yes. 'Shoot the fuckers'? Dude, what the hell.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jun 2010 @ 8:33am

    bahaha

    They should put this story next to the definition of script-kiddie.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jun 2010 @ 8:37am

    from united hackers association

    HAHA
    we make the stuff and it gets abused by morons whom get caught doing illegal stuff, and they prolly dont even know how to code in C
    let alone C++ , C# , perl, cgi, php, etc name your languages.

    scruipt kiddy knowledge
    ./configure
    ./make stupid
    ./stupid

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 11 Jun 2010 @ 6:33am

      Re: from united hackers association

      If you were a hacker you'd at least know that CGI isn't a programming language...

      link to this | view in chronology ]

  • identicon
    rather_notsay, 10 Jun 2010 @ 7:14pm

    Great Reward

    instead of booting the kids out he proposed to them that if they could keep others from bothering the customers those kids would have free pass to play what they wanted

    So it sounds like, "Behave yourself and we'll treat you like everyone else. Be a threatening ass and we'll give you free stuff." That used to be known as extortion, but maybe I'm such an outdated fossil that I just don't understand the hip new world.

    Rewarding computer intruders for their criminal behavior is the same thing. There's already this weird romantic notion that an acceptable career path is commit some break ins, get caught, profess remorse, then clean up as security consultant. How much illegal behavior are we supposed to put up with from misunderstood kiddies working on their long term career goals?

    Maybe not shoot them, but they certainly shouldn't be rewarded. I sure wouldn't want them in my shop.

    link to this | view in chronology ]

  • identicon
    Ali Khamenei, 17 Jul 2010 @ 11:54am

    Such idiot script kiddies.

    LOL. They can't code in c++. Why consider themselves hackers when they can't code shit.

    link to this | view in chronology ]

  • identicon
    Gobbledygoop, 12 Dec 2010 @ 9:41am

    My thoughts…

    I once thought these types of attacks were neat... When I was like 12 the only place you could access the internet was at school (i mean, what 12 year old wouldnt go for the opportunity to mess with their school grades?)

    Anyway, at about 18 years old i switched from wanting to be a music major to computer science because i had a passion to really know how computers ticked, and an undeniable need to express myself through coding. Not only did i go to school for CS, i also learned much on my own and eventually found myself getting heavily involved with the .net platform. .Net became my hobby and eventually, my career.

    My point is, some malicous script-kiddy does not equal a computer scientist or software engineer. If one of these SRJs eventually grows up and discovers they want to actually hone the programming craft, then they will go to school, apply for jobs, and become a respected part of the development community. I see no reason for a private company to offer some punk kid a job because their only hobby was to create a mess using things others developed with no or little understanding of the internal workings. Id be all for a prison program for these guys where they are taught actual computer science, but thats up to the tax paying citizens of that local jurisdiction. My company personally doesnt have any such correctional training program -its simply not our job.

    link to this | view in chronology ]

  • identicon
    Bytesland S.E., 14 Feb 2011 @ 4:44am

    Re:

    I hope some day everything will be clear. Botnet should be really shut down. I was gald to find some real facts on this topic at last.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.