22-year-old Kenneth Currin Schuchman from Vancouver, Washington, has been sentenced to 13 months in prison for creating and operating multiple DDoS botnets made up of routers and other IoT and networking devices. According to the US Department of Justice, Schuchman, who is known on the Internet by the pseudonym Nexus Zeta, created multiple IoT botnets, which he rented out online so that others could launch DDoS attacks. Schuchman appears to be associated with botnets known in the cybersecurity industry by code names such as Satori, Okiru, Masuta and Fbot / Tsunami. His botnets are estimated to have infected hundreds of thousands of devices with malware to date.
According to US officials, Schuchman appears to have had two accomplices, known as Vamp and Drake, who helped him create and operate the botnets. In addition, officials said Schuchman and his associates not only rented out the botnets but also used them to attack Internet services and companies. It is estimated that Schuchman used the botnets he and his associates created from August 2017 to August 2018.
Schuchman, who was not initially sentenced to prison but was released on parole, was formally arrested in October 2018 for violating the terms of his pre-trial release. According to what Schuchman said in court in September 2019, he took a series of actions, which are described in more detail below. These actions cover the period from July 2017 to October 2018.
July - August 2017: The three accomplices, Schuchman, Vamp and Drake, created the Satori botnet, based on the public code of the Mirai IoT malware. U.S. authorities say the original version extended the capabilities of the Mirai DDoS botnet, targeting devices with Telnet vulnerabilities and using an improved scanning system borrowed from another DDoS botnet, known as Remaiten. Even though this first botnet relied solely on exploiting devices that used factory-default or simple passwords, Satori infected more than 100,000 devices during its first month of operation. Schuchman claimed in court that more than 30,000 of these devices belonged to a large Canadian ISP and that the botnet could run DDoS attacks of 1 Tbps.
September - October 2017: The three partners improved the original Satori botnet with a new version called Okiru. This version could be used to spread on devices. The Okiru botnet's main target was security cameras made by GoAhead.
November 2017: The three hackers evolved Satori and Okiru further. Specifically, they created a new version codenamed Masuta, which they used to target GPON routers and which infected more than 700,000 devices. At the same time, the DDoS rental business reached its peak. Schuchman also created his own personal botnet, which he used to attack the infrastructure of ProxyPipe, a DDoS attack mitigation company.
January 2018: Schuchman and Drake created a botnet that combined features of both the Mirai and Satori botnets, with the goal of exploiting Vietnam-based devices.
March 2018: The hackers continued to work on this botnet, which later became known as Tsunami or Fbot and infected about 30,000 devices, most of which were GoAhead cameras. They later expanded the botnet with another 35,000 devices by taking advantage of vulnerabilities in HiSilicon DVR systems.
April 2018: Schuchman developed another DDoS botnet on his own, based on the Qbot malware family. This botnet focused on exploiting GPON routers of the Mexican television network Telemax. Schuchman also competed with Vamp, with the two developing botnets to block each other's operations.
July 2018: Schuchman reconciled with Vamp, but that was the moment the FBI located him. The FBI spoke to Schuchman later that month.
August 21, 2018: U.S. authorities formally charged Schuchman with creating and operating botnets. They did not sentence him to prison, however, and allowed him to remain free, subject to conditions.
August - October 2018: Schuchman violated the conditions of his release and developed a new Qbot-based botnet.
October 2018: U.S. authorities arrested Schuchman and sentenced him to prison for creating and operating botnets.
As for Vamp and Drake, US officials said they knew their real names. Schuchman pleaded guilty to the botnet charges and was sentenced to 13 months in prison. He was also sentenced to 18 months of community service after his release and will be under three years of supervision after his release. Schuchman's “Nexus Zeta” identity was first linked to the Satori botnet in a December 2017 Check Point report. The DOJ thanked companies such as Akamai, Cloudflare, Google, Oracle, Palo Alto Unit 42 and Unit 221B, LLC, as well as the University of Cambridge, for their research assistance.