DDoS Botnet Coder Gets 13 Months In Prison

A 22-year-old from Vancouver, Washington was sentenced today to 13 months in prison for creating and operating multiple DDoS botnets made up of home routers and other networking and Internet of Things (IoT) devices.

The US Department of Justice said Kenneth Currin Schuchman, known online under the monicker of Nexus Zeta, created multiple IoT botnets, which he rented online so others could launch DDoS attacks.

The DOJ said it tied Schuchman to botnets known in the cyber-security industry under codenames such as Satori, Okiru, Masuta, and Fbot/Tsunami. His botnets are believed to have infected hundreds of thousands of devices with malware.

US officials said Schuchman had two accomplices, identified only as Vamp and Drake, who also contributed code and features to the botnets.

DOJ officials said that besides renting the botnets to buyers, Schuchman and his associates also used the botnets themselves to attack various online services and companies.

Officials said Schuchman operated his botnets between August 2017 until August 2018, when he was formally charged.

Schuchman was allowed to remain at large but was eventually formally arrested in October 2018 after breaking his pre-trial release conditions.

Below is a summary of Schuchman's actions, as detailed in his guilty plea, which came in September 2019.

July to August 2017 -- Schuchman, Vamp, and Drake create the Satori botnet, based on the public code of the Mirai IoT malware. US authorities said this initial version "extended the Mirai DDoS botnet's capabilities, targeted devices with Telnet vulnerabilities, and utilized an improved scanning system borrowed fiom another DDoS botnet known as Remaiten." Even if this first botnet relied solely on exploiting devices running with factory-set or simple-to-guess passwords, Satori infected over 100,000 devices in its first month of life. Per court documents, Schuchman claimed that over 32,000 of these devices belonged to a large Canadian ISP, and that the botnet was capable of DDoS attacks of 1Tbps [claim remains unproven].

September to October 2017 -- The three hackers improve the original Satori botnet into a new version they start calling Okiru. This version can also use exploits to spread to unpatched devices. A prime target for the Okiru botnet were security cameras manufactured by Goahead.

Image: Rapsheets November 2017 -- Schuchman, Vamp, and Drake evolve on Satori and Okiru. They create a new version named Masuta, which they use to target GPON routers, and infect over 700,000 devices. Their DDOS-for-hire business reaches its peak. Schuchman also creates his separate personal botnet, which he uses to attack the infrastructure of ProxyPipe, a DDoS mitigation firm.

January 2018 -- Schuchman and Drake create a botnet combining features from the Mirai and Satori botnets, focusing on exploiting devices based in Vietnam.

March 2018 -- Schuchman, Vamp, and Drake continue work on this botnet, which later becomes known as Tsunami or Fbot, and infects up to 30,000 devices, mostly Goahead cameras. They later expand the botnet with another 35,000 devices after exploiting vulnerabilities in High Silicon DVR systems. US authorities said the botnet was capable of attacks of up to 100Gbps.

April 2018 -- Schuchman splits from Vamp and Drake and develops another DDoS botnet, this time based on the Qbot malware family. This botnet was primarily focused on exploiting GPON routers from the network of Mexican TV network Telemax. Schuchman also enters into a competition with Vamp, both developing botnets aimed at hindering each other's operations.

July 2018 -- Schuchman reconciles with Vamp, but by this time the FBI has tracked him down. The FBI interviews Schuchman later that month.

August 21, 2018 -- US authorities formally charge Schuchman, but allow him to remain at large, on pre-trial release conditions.

August to October 2018 -- Schuchman breaks pre-trial release conditions by accessing the internet and developing a new botnet (based on the Qbot strain). He also orchestrates a swatting attack on Drake's home residence.

October 2018 -- US authorities detain and imprison Schuchman.

US officials didn't say if they charged Vamp and Drake, but they said they were aware of their real-world identities.

Schuchman pleaded guilty to one count of fraud and related activity in connection with computers. He was sentenced today to 13 months in prison and he was also ordered to serve a term of 18 months of community confinement following his release from prison and a three-year term of supervised release.

Schuchman's Nexus Zeta identity was first linked to the Satori botnet in a December 2017 Check Point report.

The DOJ also thanked today companies like Akamai, Cloudflare, Google, Oracle, Palo Alto Unit 42, and Unit 221B, LLC, as well as the University of Cambridge, for their help in the investigation.