[ISN] Portrait of an (alleged) cyber bully as a young man

From: InfoSec News (alerts@private)
Date: Mon Oct 08 2007 - 01:04:27 PDT


http://www.theregister.co.uk/2007/10/04/bot_herder_profile/

By Dan Goodin in San Francisco
4th October 2007

Late in the evening of February 13, Paul and Robin Laudanski were 
planning the following day's Valentine's celebration when they received 
word that CastleCops, the volunteer security website they run, was under 
assault.

At its peak, the five-day attack flooded CastleCops with close to 1 
gigabyte of data every second. The distributed-denial-of-service deluge 
was so severe that the husband-and-wife team were forced to take their 
site offline 15 minutes after it started. It also knocked CastleCops' 
webhost offline for two days, causing more than $160,000 worth of damage 
to the company and its customers.

"We were planning on having a family Valentine's event," said Paul 
Laudanski, who along with Robin was forced to spend the next several 
days migrating to a new hosting provider. "Then, of course, the DDoS 
started, which ruined those plans."

The attack, according to federal prosecutors, was the handiwork of Greg 
C. King, a 21-year-old California resident who at one point maintained a 
7,000-node botnet. On Monday, he was publicly charged with four counts 
of illegal hacking, charges that carry a maximum penalty of 40 years in 
prison and a $1m fine.

King has pleaded not guilty, and he reiterated his claims of innocence 
in a telephone interview with The Register. He said he was released on 
$25,000 bond and is under orders not to use computers outside of his 
job, which he declined to identify.

The indictment comes three weeks after a yearly report from Arbor 
Networks found for the first time that internet service providers rated 
botnets as the top operational threat to their infrastructure.


Revenge of the King

While more and more of today's cyber criminals are driven by financial 
gain, King's four-year DDoS spree was motivated by revenge for perceived 
slights, according to court documents and interviews. King's need to 
lash out ran so deep that his crippling attacks continued even after 
federal authorities raided his parents' Fairfield, California home in 
2004, prosecutors allege. Even a conviction for attempted armed robbery, 
for which King served seven months jail time earlier this year, didn't 
weaken his resolve.

King "just continued on and on and on and on," said Tami Quiring, owner 
of KillaNet Technologies, a British Columbia-based website for high 
school students preparing for careers in online media. "He would make 
appearances on IRC and just taunt the kids and threaten them and post 
links to some really disgusting porn sites."

Quiring says one of her first brushes with King dated back to 2003, 
before the suspect had even turned 18. A chat server she maintained was 
subjected to a smurf attack, a particularly powerful type of DDoS that 
bounces spoofed ping requests off thousands of vulnerable routers and, 
in the process, significantly amplifies the amount of traffic directed 
at a victim. As a result, she said, she was forced to pull the plug on 
her site.

Over the years, Quiring says, she tried all kinds of evasive maneuvers. 
She repeatedly changed servers. She blacklisted his IP address. She and 
her employees engaged him in chat dialogs. None of it had any effect. 
She said the attacks continued through last year, when a site she set up 
to host a large video game tournament was taken offline, preventing 
Nvidia, ATI and other partners from accessing the site at a crucial 
moment.

"We withstood attacks that took Yahoo! down," Quiring said. "For a long 
time, our servers were locked up like Fort Knox."


The SilenZ Treatment

A key element in the vengeance allegedly meted out by King was 
acknowledgment from his victims that they were being punished. And as a 
result, he took few steps to cover his tracks. He frequently taunted his 
victims in chat rooms before and during his attacks, and on several of 
those occasions, he dropped hints about his real-life identity, 
according to court documents.

He went by the same handful of online monikers, including SilenZ, 
SilenZ420 and Gregk707, and he also used the same several email 
addresses - including gregk707@private and silenz420@private - to 
establish accounts on the systems he attacked. He frequently used his 
parents' SBC DSL line to log in to the accounts and read email. He was 
partial to using the passwords "1fuckhead" and "1fuckhead1" on many of 
those accounts.

"My good friend's ISP shut him over this fucking post," a user by the 
name of SilenZ wrote in a CastleCops forum shortly before the February 
13 attack began. "I have the right to be angry. If you edit my post once 
more, you will be sorry."

SilenZ was banned from the boards at 10:40 that night. About four 
minutes later, the DDoS started.


Alias: The Belgian Bean Farmer

According to CastleCops logs, the SilenZ account was activated by 
someone who used the email address silenz420@private and the MD5 value 
for his password matched the encryption string for "1fuckhead." 
CastleCops located the command and control for the offending botnet to 
an IP address that resolved to the domain name beanfarmer.be, a site 
that is registered to a Greg King, according to DNS records.

Previous IP addresses for the domain resolved to SBC IP addresses 
beginning with "71.132," the same initial digits for addresses 
frequently assigned to King when he was using his parents' DSL service.

Beginning in August of 2004, according to court documents, someone using 
the name Greg began a series of chats via IRC with people responsible 
for running Myg0t, which bills itself as an online gaming authority. 
Greg said he was responsible for prior attacks on the Myg0t website and 
then announced he would initiate new attacks on Myg0t's IRC board as 
well.

Eventually, Greg said he would suspend the DDoS assault if officials 
posted an apology for "Myg0t being the asses we are." Greg listed his 
email address as gregk707@private


Big Mac, Filet-O-Fish, Quarter Pounder, Botnet

After authorities seized King's computers in December 2004, he began 
using computers at the Solano County Library and a Best Buy store. 
According to evidence Quiring provided authorities, six of the attacks 
on KillaNet were carried out by someone accessing the library computers.

Someone using the alias SilenZ who chatted via MSN messenger with a 
KillaNet administrator later admitted to using McDonald's for an 
internet connection, then began discussing the FBI raid on his parents' 
house.

"I denied dong the attacks but told them where my botnets were," 
according to a log of the session. "I dont see what they expect, not 
like i robbed their house, i just took their server offline for a few 
hrs."

The web is also rife with posts, some of them abusive, from an 
individual who goes by the handle gregk707. This thread from the 
Fairfield High School AP Calculus Homepage, for example, contains a 
comment that repeats itself 13 times.

"My ip does happen to be logged, And u wont do shit," the May, 2005 post 
reads. "Can u ban me from posting? NOPE and do u know why? BECAUSE IT IS 
DYNAMIC, anytime i get off the internet it changes. SO ALL I HAVE TO SAY 
IS FUCK YOU HAVE A NICE DAY."


Herd Mentality

King acknowledged to The Reg that several years ago he maintained a 
botnet, which he says he stole after discovering the command and control 
center used by a bot herder. While the zombie network originally 
contained about 30,000 nodes, he only managed to take control of 
somewhere between 7,000 and 12,000 of them, he said. He surrendered the 
botnet when authorities searched his parents house in 2004, he said.

He confirmed that the email address gregk707@private is his and also 
admitted to using the computers at the Solano County Library and Best 
Buy. But he declined to say exactly what he did with them, under advice 
from his attorney. He also declined to say if he's ever carried out a 
DDoS attack or discuss specific allegations contained in court 
documents.

"A lot of this was so long ago, I don't even remember it," he said.

Indeed, many of the alleged attacks occurred more than three years ago. 
But with signs that botnet herding and other types of cybercrime are 
only getting worse - the FBI, for example, recently logged its millionth 
bot-infected IP address - federal law enforcers want to send a message 
that online miscreants will be sought out and prosecuted.

"What bot herders or potential bot herders need to worry about is that 
even years after they do a DDoS attack they may wind up under arrest, 
long after they thought it was all over," said Matthew Segal, the 
assistant US attorney who is prosecuting King. "We do this to deter this 
kind of conduct and also because we believe in retributive justice." ®

If you have tips, story ideas or inside scuttlebutt about this or any 
other security-related story, please send them to Dan Goodin using this 
link [1].

[1] http://forms.theregister.co.uk/mail_author/?story_url=/2007/10/04/bot_herder_profile/



__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com



This archive was generated by hypermail 2.1.3 : Mon Oct 08 2007 - 01:18:49 PDT