Pierluigi Paganini September 05, 2019

Kenneth Currin Schuchman (21) from Vancouver, Washington pleaded guilty to creating and operating multiple DDoS IoT botnet, including Satori.

Kenneth Currin Schuchman (21) from Vancouver, Washington, aka Nexus Zeta, pleaded guilty to creating and operating multiple DDoS IoT botnets.

Court documents revealed that the man suffers from Asperger Syndrome and autism disorder.

Schuchman compromised hundreds of thousands of IoT devices, including home routers and IP cameras, to create multiple DDoS IoT botnets that he rented to carry out the attacks.

On August 2018, Schuchman has been indicted on federal computer hacking charges after rival hackers fingered him as the creator of a Mirai variant dubbed Satori that infected at least 500,000 internet routers around the word.

The initial indictment did not name the malware, but “all signs point to the virulent Satori botnet that surfaced last fall, and has infected at least 500,000 internet routers around the word,” explained the popular expert Kevin Poulsen.

Now Schuchman guilty plea provides additional information about the criminal activity of the man, for example, that he worked with two accomplices, two hackers that have been identified as Vamp and Drake.

Vamp acted as a developer along with Schuchman, while Drake was tasked of the botnet sales and customer support. Schuchman also managed the purchases of new exploits for the botnet.

Schuchman, Vamp, and Drake created the Satori botnet in between July and August 2017. The first version was based on the Mirai bot and extended some of its features, it targeted devices with Telnet vulnerabilities, and leveraged an improved scanning system borrowed from the Remaiten botnet. The first Satori iteration targeted devices running with factory-settings or protected with easy-to-guess passwords, the bot infected over 100,000 devices in its first month. Schuchman claimed that over 32,000 of these devices infected by his bot belonged to a large Canadian ISP. the man also claimed that the botnet was capable of DDoS attacks of 1Tbps.

Between September an October 2017, Schuchman and his accomplices developed a new version of Satori named Okiru.

In November 2017 the trio created a new version named Masuta, that targeted GPON routers. In the same period, Schuchman also created his own separate botnet that used to attack the ProxyPipe DDoS mitigation firm.

In January 2018, Schuchman and Drake create a new botnet that combines combining features from the Mirai and Satori botnets. Schuchman, Vamp, and Drake continued to work on the botnet in March 2018 and infected up to 30,000 devices, most of them were Goahead cameras.

In April 2018, Schuchman develops a new DDoS botnet alone, it was based on the Qbot malware family. Schuchman also entered into a competition with Vamp, the two hackers attempted to destroy each other’s operations.

July 2018, the duo Schuchman and Vamp returned to work together, but authorities identified Schuchman and charged him.

Between August and October 2018, Schuchman violated pre-trial release conditions after accessing the internet and developing a new botnet. He was also responsible for a swatting attack on Drake’s home residence.

October 2018, Schuchman’s carrier stopped after the US authorities decided to detain and keep him in jail. Authorities tracked him because he used his father’s ID and credentials for registering online domains involved in DDoS attacks.

Schuchman faces up to ten years in prison, a fine of up to $250,000, and up to three years of supervised release.

Pierluigi Paganini

(SecurityAffairs – Satori, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]