Developer of Mirai-based DDoS botnets sentenced to prison

Pierluigi Paganini June 26, 2020

A man who developed distributed denial of service (DDoS) botnets based on the Mirai botnet has been sentenced to 13 months in federal prison.

Kenneth Currin Schuchman, 22, of Vancouver, Washington, was sentenced to 13 months in federal prison for developing distributed denial of service (DDoS) botnets based on the source code of the Mirai botnet.

Schuchman, who used the online moniker Nexus Zeta, was involved in the development of multiple botnets, including Masuta, Okiru, Satori, and Tsunami.

“Kenneth Currin Schuchman, 22, of Vancouver, WA, was sentenced today by Chief U.S. District Judge Timothy M. Burgess to serve 13 months in prison, after previously pleading guilty to one count of fraud and related activity in connection with computers, in violation of the Computer Fraud & Abuse Act. As part of his sentence, Schuchman was also ordered to serve a term of 18 months of community confinement following his release from prison and a three year term of supervised release,” reads the DoJ statement.

“According to court documents, the botnets were initially based largely on the source code previously developed by other individuals to create the Mirai botnet;”

In September 2019, Schuchman pleaded guilty to creating and operating multiple IoT DDoS botnets. Court documents revealed that the man suffers from Asperger syndrome and an autism disorder.


Schuchman compromised hundreds of thousands of IoT devices, including home routers and IP cameras, to build multiple IoT DDoS botnets that he rented out to carry out attacks.

In August 2018, Schuchman was indicted on federal computer hacking charges after rival hackers fingered him as the creator of a Mirai variant dubbed Satori that infected at least 500,000 internet routers around the world.

Schuchman worked with two accomplices, hackers identified as Aaron Sterritt, aka Vamp, and Logan Shwydiuk, aka Drake.

Vamp acted as a developer alongside Schuchman, while Drake handled botnet sales and customer support. Schuchman also managed the purchase of new exploits for the botnet.

Schuchman, Vamp, and Drake created the Satori botnet between July and August 2017. The first version was based on the Mirai bot and extended some of its features: it targeted devices with Telnet vulnerabilities and leveraged an improved scanning system borrowed from the Remaiten botnet. This first Satori iteration targeted devices still running with factory settings or protected by easy-to-guess passwords, and the bot infected over 100,000 devices in its first month. Schuchman claimed that over 32,000 of the devices infected by his bot belonged to a large Canadian ISP. He also claimed that the botnet was capable of DDoS attacks of 1 Tbps.

Between September and October 2017, Schuchman and his accomplices developed a new version of Satori named Okiru.

In November 2017 the trio created a new version named Masuta, which targeted GPON routers. In the same period, Schuchman also created a separate botnet of his own, which he used to attack the DDoS mitigation firm ProxyPipe.

In January 2018, Schuchman and Drake created a new botnet combining features from the Mirai and Satori botnets. Schuchman, Vamp, and Drake continued to work on the botnet in March 2018 and infected up to 30,000 devices, most of them GoAhead cameras.

In April 2018, Schuchman developed a new DDoS botnet on his own, based on the Qbot malware family. Schuchman also entered into a rivalry with Vamp, and the two hackers attempted to destroy each other’s operations.

In July 2018, Schuchman and Vamp resumed working together, but authorities identified Schuchman and charged him.

Between August and October 2018, Schuchman violated his pre-trial release conditions by accessing the internet and developing a new botnet. He was also responsible for a swatting attack on Drake’s home.

In October 2018, Schuchman’s career ended when US authorities decided to detain him and keep him in jail. Authorities had tracked him down because he used his father’s ID and credentials to register online domains involved in DDoS attacks.

“The investigation revealed that Schuchman had been engaging in criminal botnet activity since at least August 2017, ultimately compromising hundreds of thousands of devices worldwide, including devices in the District of Alaska,” continues the DoJ.

“Schuchman continued to engage in criminal botnet activity, and violated several other conditions of his pretrial release, following his arrest in August 2018.”

Schuchman, who pleaded guilty to one count of fraud and related activity in connection with computers, worked with two associates: Aaron Sterritt, also known as “Vamp” or “Viktor,” a national of the United Kingdom, and Logan Shwydiuk, also known as “Drake,” a Canadian national.

“In a recently unsealed indictment, Schuchman’s criminal associates Aaron Sterritt, a/k/a “Vamp,” or “Viktor” a national of the United Kingdom; and Logan Shwydiuk, a/k/a “Drake,” a Canadian national, have also been charged for their roles in developing and operating these botnets to conduct DDoS attacks, following an investigation by the FBI with the assistance of other law enforcement partners,” the DoJ concludes.


Pierluigi Paganini

(SecurityAffairs – hacking, Mirai)
