Satori IoT botnet author sentenced to 13 months in prison
Kenneth Currin Schuchman, 22, from Vancouver, Wash., spent years developing distributed denial-of-service (DDoS) botnets. In September 2019, he pleaded guilty to operating the Satori botnet, made up of IoT devices, and at least two other botnets; to running a DDoS-for-hire service; to cooking up one of the evolving line of botnets while he was indicted and under supervised release; and to swatting one of his former chums, also while on supervised release.
Satori did massive damage: it and its iterations would be unleashed in record-setting DDoS attacks that enslaved more than 800,000 devices – things like home routers, security cameras and webcams – and flattened ISPs, online gaming platforms and web hosting companies.
Schuchman was indicted in September 2018 on two counts of fraud and related activity in connection with a computer, but in the plea agreement he struck with prosecution, he pleaded guilty to just one count of fraud and related activity in connection with computers, in violation of the Computer Fraud & Abuse Act (CFAA).
Schuchman worked with two criminal colleagues: “Vamp”, also known as “Viktor,” and “Drake”. The recently unsealed indictment reveals the names and locations of the two men who were sometimes his friends, sometimes his competitors and targets. Vamp is actually Aaron Sterritt, a national from the UK, while Drake turns out to be Logan Shwydiuk, a Canadian national.
They initially lifted code from the Mirai botnet to cook up their botnets, but over time, they added additional features, making the botnets ever more complicated and devastating. The botnets they spawned out of Mirai were known over time as Satori, Okiru, Masuta, and Tsunami/Fbot. Schuchman and his pals not only used this line of increasingly devilish botnets themselves; they also rented them out to customers as a DDoS-for-hire service.
DDoS-for-hire, also known as stressers or booters, are publicly available, web-based services that launch server-clogger-upper attacks for a small fee … or, sometimes, for nothing at all.
Such services have included ExoStresser, QuezStresser, Betabooter, Databooter, Instabooter, Polystress, and Zstress. DDoS-for-hire sites sell high-bandwidth internet attack services, sometimes under the guise of “stress testing” – hence the name stresser. Some of these services also try to pass as legitimate by calling themselves a “penetration testing service”.
DDoS attacks are blunt instruments that work by overwhelming targeted sites with so much traffic that nobody can reach them. They can be used to render competitor or enemy websites temporarily inoperable out of malice, lulz or profit: as in, some attackers extort site owners into paying for attacks to stop.
One example is Lizard Squad, which, until its operators were busted in 2016, rented out its LizardStresser attack service. LizardStresser was given a dose of its own medicine when it was hacked in 2015.
Of the trio, Schuchman specialized in finding vulnerabilities in IoT devices that could be exploited at scale. “Specialize” might be a bit too fancy a term: “run an online search” might be more like it. According to the plea agreement, the vulnerabilities often included default usernames and passwords, for example.
They’re all too easy to find, since researchers have found that the manufacturers of off-the-shelf IoT gadgets often post default passwords online in order to aid in quick device setup.
Using such default credential pairs, Schuchman and his buddies managed to compromise not only individual devices but entire categories of devices that shared the same vulnerability, as the plea agreement described.
From at least July 2017 until at least July 2018, Schuchman and his co-conspirators, who aren’t named in the indictment, rented out access to an evolving series of DDoS botnets. They were initially based on source code from Mirai – the botnet that was the subject of Schuchman’s previous prosecution in Alaska and which, in 2016, targeted security journalist Brian Krebs in what experts said at the time was the biggest DDoS attack in public internet history.
Over the course of that year, Vamp was the primary developer and coder, while Drake managed sales and customer support. Schuchman, besides researching new vulnerabilities, also helped out with botnet development.
In August 2018, the trio named one of their botnets Satori. That one built on Mirai by targeting devices with Telnet vulnerabilities. It also used an improved scanning system that was borrowed from another DDoS botnet, Remaiten. Mirai would go on to compromise 100,000 devices.
The conspirators unleashed this version of Satori on a range of victims in the US, including a large ISP, popular online gaming services, prominent internet hosting companies, and hosting companies specializing in DDoS mitigation.
At the same time, Schuchman bragged about compromising another 32,000 devices belonging to a large Canadian ISP. He used the added might of those devices to attack targets with bandwidth of about 1TB per second. He also bragged about causing a dramatic increase to internet latency on a national level with a test attack.
In late 2017, the trio, along with other co-conspirators, made yet more improvements to Satori, which they rechristened “Okiru.” They used Okiru to compromise vulnerable devices, including exploiting flaws in customized versions of GoAhead web servers embedded in wireless surveillance cameras.
The next botnet version, which arrived in November 2017, was dubbed Masuta. It targeted vulnerable Huawei and Gigabit Passive Optical Network (GPON) fiber-optic networking devices. That one infected up to 700,000 compromised nodes.
At the same time that Masuta was being launched in a large number of attacks, Schuchman was also operating his own, distinct DDoS botnet, which he used against IP addresses associated with ProxyPipe, a DDoS mitigation network.
He was quite busy at that point: he was also scanning for more vulnerable Telnet devices to suck up into the botnets. When he got complaints about the scanning, he’d respond using his father’s identity. That was part of his modus operandi: he frequently hid behind his father’s identity throughout his criminal career. According to his plea agreement, after he’d been indicted, he kept committing new crimes from his father’s apartment.
Around January 2018, Schuchman, Drake and others merged elements of Mirai with those of Satori in order to target devices largely based in Vietnam, in order to expand the merged botnet further still.
The refinement of the botnet continued: by March 2018, the improved botnet came to be called by the names Tsunami and Fbot. Mostly comprised of GoAhead cameras, the botnet infected up to 30,000 more devices and was used to attack gaming servers, including gaming server provider Nuclear Fallout.
During this time, Schuchman et al. also discovered vulnerabilities in about 650,000 High Silicon DVR systems. Schuchman managed to pwn at least 35,000 of the DVRs and dragged them into the Tsunami/Fbot botnet. He and his co-conspirators ran test attacks using about 10,000 of the hijacked DVR systems – attacks that attained estimated bandwidths of more than 100Gbps.
By April 2018, having moved on from Drake and Vamp to work with others, Schuchman developed another, unnamed DDoS botnet based on the Qbot financial malware. To create it, he exploited devices that included high-bandwidth GPON devices at the Mexican broadcast TV network Telemax.
By that point, Vamp had become a competitor: he and Schuchman were using the same credentials to go after the same universe of botnet nodes. They tried to block each other from getting at the infected nodes by changing configurations. Schuchman employed tactics including using the IPTables tool to kill all the open ports on the devices: a technique that, court documents say, is a good way to cause “substantial damage” to a victimized device.
Schuchman was first interviewed by the FBI in July 2018. He and Vamp were getting along again at that time, and they resumed working “in earnest” to keep buffing up their DDoS botnet iterations.
Schuchman, who was going by the aliases Nexus and Nexus-Zeta, was indicted on 21 August 2018, but that didn’t slow him down. Around October 2018, he created a new Qbot DDoS botnet variant – while he was on supervised release, and after he’d already been indicted for creating and deploying botnets.
Also in October, he used some of the data that turned up in a legal discovery to figure out where Drake was located so that he could swat him. The swatting involved a fake 911 call about a purported hostage situation at Drake’s house, triggering a “substantial law enforcement response,” according to court documents.
Schuchman was facing a maximum penalty of 10 years in prison and $250,000 in fines, but it’s not surprising that he’s only looking at 13 months: the recommended sentence agreed to by prosecutors called for penalties “at the low end of the guideline range.”
According to The Daily Beast, Schuchman has Asperger’s syndrome, which might also have been taken into account during his sentencing.