02 Sep 18

Alleged ‘Satori’ IoT Botnet Operator Sought Media Spotlight, Got Indicted

A 20-year-old from Vancouver, Washington was indicted last week on federal hacking charges and for allegedly operating the “Satori” botnet, a malware strain unleashed last year that infected hundreds of thousands of wireless routers and other “Internet of Things” (IoT) devices. This outcome is hardly surprising given that the accused’s alleged alter ego has been relentless in seeking media attention for this global crime machine.

Schuchman, in an undated photo posted online and referenced in a “dox,” which alleged in Feb. 2018 that Schuchman was Nexus Zeta.

The Daily Beast‘s Kevin Poulsen broke the news last week that federal authorities in Alaska indicted Kenneth Currin Schuchman of Washington on two counts of violating the Computer Fraud and Abuse Act by using malware to damage computers between August and November 2017.

The 3-page indictment (PDF) is incredibly sparse, and includes few details about the meat of the charges against Schuchman. But according to Poulsen, the charges are related to Schuchman’s alleged authorship and use of the Satori botnet. Satori, also known as “Masuta,” is a variant of the Mirai botnet, a powerful IoT malware strain that first came online in July 2016.

“Despite the havoc he supposedly wreaked, the accused hacker doesn’t seem to have been terribly knowledgeable about hacking,” Poulsen notes.

Schuchman reportedly went by the handle “Nexus Zeta,” the nickname used by a fairly inexperienced and clumsy ne’er-do-well who has tried on multiple occasions to get KrebsOnSecurity to write about the Satori botnet. In January 2018, Nexus Zeta changed the login page of the control panel he used to remotely command his hacked routers to include a friendly backhanded reference to this author:

The login prompt for Nexus Zeta’s IoT botnet included the message “Masuta is powered and hosted on Brian Kreb’s [sic] 4head.” To be precise, it’s a 5head.

This wasn’t the first time Nexus Zeta said hello. In late November 2017, he chatted me up on Twitter and Jabber instant message for several days. Most of the communications came from two accounts: “9gigs_ProxyPipe” on Twitter, and ogmemes123@jabber.ru. (9gigs_ProxyPipe would later change its Twitter alias to Nexus Zeta, and Nexus Zeta himself admitted that 9gigs_ProxyPipe was his Twitter account.)

In each case, this person wanted to talk about a new IoT botnet that he was “researching” and that he thought deserved special attention for its size and potential disruptive impact should it be used in a massive Distributed Denial-of-Service (DDoS) attack aimed at knocking a Web site offline — something for which Satori would soon become known.

A Jabber instant message conversation with Nexus Zeta on Nov. 29, 2017.

Nexus Zeta’s Twitter nickname initially confused me because both 9gigs and ProxyPipe are names claimed by Robert Coelho, owner of ProxyPipe hosting (9gigs is a bit from one of Coelho’s Skype account names). Coelho’s sleuthing was quite instrumental in helping to unmask 21-year-old New Jersey resident Paras Jha as the author of the original Mirai IoT botnet (Jha later pleaded guilty to co-authoring and using Mirai and is due to be sentenced this month in Alaska and New Jersey). “Ogmemes” is from a nickname used by Jha and his Mirai botnet co-author.

On Nov. 28, 2017, 9gigs_ProxyPipe sent a message to the KrebsOnSecurity Twitter account:

“I have some information in regards to an incredibly dangerous IoT botnet you may find interesting,” the Twitter message read. “Let me know how you would prefer to communicate assuming you are interested.”

We connected on Jabber instant message. In our chats, Ogmemes123 said he couldn’t understand why nobody had noticed a botnet powered by a Mirai variant that had infected hundreds of thousands of IoT devices (he estimated the size of the botnet to be about 300,000-500,000 at the time). He also talked a lot about how close he was with Jha. Nexus Zeta’s Twitter account profile photo is a picture of Paras Jha. He also said he knew this new botnet was being used to attack ProxyPipe.

Less than 24 hours after that tweet from Nexus Zeta, I heard from ProxyPipe’s Coelho. They were under attack from a new Mirai variant.

“We’ve been mitigating attacks recently that are about 270 gigabits [in volume],” Coelho wrote in an email. “Looks like somebody tagged you on Twitter pretending to be from ProxyPipe — likely the attacker? Just wanted to give you a heads up since that is not us, or anyone that works with ProxyPipe.”

From reviewing Nexus Zeta’s myriad postings on the newbie-friendly hacker forum Hackforums-dot-net, it was clear that Nexus Zeta was an inexperienced, impressionable young man who wanted to associate himself with people closely tied to the 2017 whodunnit over the original Mirai IoT botnet variant. He also asked other Hackforums members for assistance in assembling his Mirai botnet:

Some of Nexus Zeta’s posts on Hackforums, where he asks for help in setting up a Mirai botnet variant. Click to enlarge.

In one conversation with Ogmemes123, I lost my cool and told him to quit running botnets or else go bore somebody else with his quest for publicity. He mostly stopped bugging me after that. That same day, Nexus Zeta spotted a tweet from security researcher Troy Mursch about the rapid growth of a new Mirai-like botnet.

“This is an all-time record for the most new unique IP addresses that I’ve seen added to the botnet in one day,” Mursch tweeted of the speed with which this new Mirai strain was infecting devices.

For weeks after that tweet, Nexus Zeta exchanged private Twitter messages with Mursch and his team of botnet hunters at Bad Packets LLC in a bid to get them to tweet or write about Satori/Masuta.

The following screenshots from their private Twitter discussions, republished with Mursch’s permission, show that Nexus Zeta kept up the fiction that he was merely “researching” the activities of Satori. Mursch played along, and asked gently probing questions about the size, makeup and activities of a rapidly growing Satori botnet.

9gigs_ProxyPipe (a.k.a. Nexus Zeta allegedly a.k.a Kenneth Schuchman) reaches out to security researcher Troy Mursch of Bad Packets LLC.

Early in their conversations, Nexus Zeta says he is merely following the visible daily Internet scanning that Satori generates in its constant search for newly infectable IoT devices. But as their conversations continue over several weeks, Nexus Zeta intimates that he has much deeper access to Satori.

In this conversation from Nov. 29, 2017 between Nexus Zeta/9gigs_Proxypipe and Troy Mursch, the former says he is seeing lots of Satori victims from Argentina, Colombia and Egypt.

Although it would long ago have been easy to write a series of stories about this individual and his exploits, I had zero interest in giving him the attention he clearly craved. But thanks to naivete and an apparent lack of any sense of self-preservation, Nexus Zeta didn’t have to wait long for others to start connecting his online identities to his offline world.

On Dec. 5, Chinese cybersecurity firm Netlab360 released a report on Satori noting that the IoT malware was spreading rapidly to Chinese-made Huawei routers with the help of two security vulnerabilities, including one “zero day” flaw that was unknown to researchers at the time. The report said a quarter million infected devices were seen scanning for vulnerable systems, and that much of the scanning activity traced back to infected systems in Argentina, Colombia and Egypt, the same hotspots that Nexus Zeta cited in his Nov. 29 Twitter chat with Troy Mursch (see screen shot directly above).
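Two of the measurements quoted above, Mursch’s “most new unique IP addresses added to the botnet in one day” and Netlab’s breakdown of scanning sources by country, are simple to compute from sensor logs. The following is an added example written for this page; it is not code from the article, from Bad Packets or from Netlab 360. The log lines, IP addresses and the prefix-to-country table are constructed for the example (a real pipeline would read honeypot or darknet logs and resolve countries with a GeoIP database).

```python
"""Measuring a scanning botnet's growth from sensor logs.

Added example written for this page; it is not code from the article, from
Bad Packets or from Netlab 360. It computes two figures the text quotes:
the number of never-before-seen source IPs first observed on each day
(Mursch's "new unique IP addresses added in one day") and the breakdown of
scanning sources by country (Netlab's Argentina/Colombia/Egypt hotspots).
LOG_LINES, the IP addresses and GEO_PREFIXES are CONSTRUCTED for the
example; a real pipeline would read honeypot or darknet logs and resolve
countries with a GeoIP database.
"""
from collections import Counter
from datetime import datetime

# Ports whose probes count as IoT-scan traffic. Telnet 23/2323 are the
# classic Mirai targets; add whatever ports the strain under study probes.
WATCHED_PORTS = {23, 2323}

# Hypothetical /24 prefix -> country table standing in for a GeoIP lookup.
GEO_PREFIXES = {"203.0.113.": "AR", "198.51.100.": "CO", "192.0.2.": "EG"}

# Constructed sensor hits: "<UTC timestamp> <source IP> <destination port>".
LOG_LINES = """\
2017-11-27T03:12:44Z 203.0.113.10 23
2017-11-27T05:40:01Z 203.0.113.11 2323
2017-11-28T01:02:03Z 203.0.113.10 23
2017-11-28T02:15:09Z 198.51.100.7 23
2017-11-28T09:44:10Z 198.51.100.8 23
2017-11-28T10:00:00Z 192.0.2.55 2323
2017-11-29T00:00:01Z 192.0.2.56 23
2017-11-29T00:00:02Z 192.0.2.57 23
2017-11-29T00:00:03Z 192.0.2.58 2323
2017-11-29T00:00:04Z 192.0.2.59 23
2017-11-29T11:11:11Z 203.0.113.10 23
2017-11-29T12:00:00Z 198.51.100.99 80
""".splitlines()


def parse_line(line):
    """Return (day, source_ip, port) for one 'timestamp ip port' log line."""
    ts, ip, port = line.split()
    day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
    return day, ip, int(port)


def first_seen(lines, ports=WATCHED_PORTS):
    """Map each source IP to the first day it probed a watched port."""
    seen = {}
    for line in lines:
        day, ip, port = parse_line(line)
        if port not in ports:
            continue  # not scan traffic for this study
        if ip not in seen or day < seen[ip]:  # ISO dates sort lexically
            seen[ip] = day
    return seen


def new_ips_per_day(lines):
    """Count of sources first observed on each day: Mursch's growth metric."""
    return Counter(first_seen(lines).values())


def record_day(lines):
    """(day, count) for the day with the most newly observed sources."""
    counts = new_ips_per_day(lines)
    day = max(sorted(counts), key=counts.__getitem__)  # ties favour the earlier day
    return day, counts[day]


def country_of(ip):
    """Longest-prefix match against GEO_PREFIXES; '??' when unmapped."""
    best, best_len = "??", 0
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix) and len(prefix) > best_len:
            best, best_len = cc, len(prefix)
    return best


def country_breakdown(lines):
    """Unique scanning sources per country, most common first."""
    return Counter(country_of(ip) for ip in first_seen(lines))


if __name__ == "__main__":
    for day, n in sorted(new_ips_per_day(LOG_LINES).items()):
        print(f"{day}: {n} new sources")
    print("record day:", record_day(LOG_LINES))
    print("by country:", country_breakdown(LOG_LINES).most_common())
```

The unique-IP count is an upper bound on bots, not a device count: a home router that receives a new dynamic address shows up as a “new” source, so day-over-day growth partly measures IP churn. That is one reason figures such as the 300,000-500,000 Nexus Zeta claimed and the quarter million Netlab observed are estimates rather than device counts.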

In a taunting post published Dec. 29, 2017 titled “Good Zero Day Kiddie,” researchers at Israeli security firm CheckPoint pointed out that the domain name used as a control server to synchronize the activities of the Satori botnet — nexusiotsolutions-dot-net — was registered in 2016 to the email address nexuszeta1337@gmail.com. The CheckPoint report noted the name supplied in the original registration records for that domain was a “Caleb Wilson,” although the researchers correctly noted that this could be a pseudonym.

Perhaps the CheckPoint folks also knew the following tidbit, but chose not to publish it in their report: The email address nexuszeta1337@gmail.com was only ever used to register a single domain name (nexusiotsolutions-dot-net), according to a historic WHOIS record search at Domaintools.com [full disclosure: DomainTools is an advertiser on this site.] But the phone number in that original domain name record was used to register one other domain: zetastress-dot-net (a “stresser” is another name for a DDoS-for-hire-service). The registrant name listed in that original record? You guessed it:

Registrant Name: kenny Schuchman
Registrant Organization: ZetaSec Inc.
Registrant Street: 8709 Ne Mason Dr, No. 4
Registrant City: Vancouver
Registrant State/Province: Washington
Registrant Postal Code: 98662
Registrant Country: US
Registrant Phone: +1.3607267966
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: kenny.windwmx79@outlook.com
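The pivot described above (an e-mail address that ever registered only one domain, and the phone number on that same record that also appears on a second domain under a different registrant name) is a standard historical-WHOIS technique. What follows is an added example of running that search over a set of historical records; it is illustrative code written for this page, not code from KrebsOnSecurity or from DomainTools, and every record in it is a constructed placeholder (example.com-style domains, made-up names and +1.555 numbers), not real registration data.

```python
"""Pivoting across historical WHOIS records on shared registrant fields.

Added example for this article; it is not code from KrebsOnSecurity or from
DomainTools, whose historic WHOIS search the article describes. All records
below are CONSTRUCTED placeholders shaped like the pivot in the text: one
e-mail address that ever registered only a single domain, and a phone number
on that same record that also appears on a second domain registered under a
different name. Domains, names, e-mails and phone numbers are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrant_name: str
    registrant_email: str
    registrant_phone: str
    captured: str  # ISO date the historical record was captured


# Values registrars and privacy services substitute for real contact data;
# pivoting on these would link every domain behind the same proxy service.
PLACEHOLDERS = {"", "redacted", "redacted for privacy", "n/a"}
PIVOT_FIELDS = ("registrant_email", "registrant_phone")

# Constructed historical records (hypothetical data, see module docstring).
RECORDS = [
    WhoisRecord("c2-example.net", "Caleb Wilson", "handle1337@example.com",
                "+1.5550100001", "2016-11-01"),
    WhoisRecord("stresser-example.net", "kenny Example", "kenny@example.com",
                "+1.5550100001", "2016-06-10"),
    WhoisRecord("unrelated-example.org", "Jane Doe", "jane@example.org",
                "+1.5550100002", "2017-01-05"),
    # Later capture of the seed domain after a privacy service was enabled.
    WhoisRecord("c2-example.net", "REDACTED FOR PRIVACY", "REDACTED",
                "REDACTED", "2018-06-01"),
]


def normalise(value):
    """Lower-case and strip a field; return None for privacy placeholders."""
    v = value.strip().lower()
    return None if v in PLACEHOLDERS else v


def build_index(records):
    """(field, value) -> set of domains that ever carried that value."""
    index = defaultdict(set)
    for r in records:
        for field in PIVOT_FIELDS:
            v = normalise(getattr(r, field))
            if v is not None:
                index[(field, v)].add(r.domain)
    return index


def pivot(records, seed_domain, max_hops=2, hub_limit=25):
    """Breadth-first expansion from seed_domain over shared e-mail/phone values.

    Returns {domain: (hops, (field, value))}: the attribute that pulled each
    domain in. max_hops bounds the chain length and hub_limit skips values
    shared by too many domains (e.g. a registrar's default phone), since a
    single such value would otherwise link thousands of unrelated domains.
    """
    index = build_index(records)
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r.domain].append(r)
    found = {seed_domain: (0, None)}
    frontier = [seed_domain]
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for domain in frontier:
            for r in by_domain[domain]:
                for field in PIVOT_FIELDS:
                    v = normalise(getattr(r, field))
                    if v is None:
                        continue
                    linked = index[(field, v)]
                    if len(linked) > hub_limit:
                        continue  # shared by too many domains to be a real link
                    for other in sorted(linked):
                        if other not in found:
                            found[other] = (hop, (field, v))
                            next_frontier.append(other)
        frontier = next_frontier
    return found


def domains_for(records, field, value):
    """All domains a single field value ever registered (e.g. one e-mail)."""
    return set(build_index(records).get((field, normalise(value)), set()))


def registrant_names(records, domain):
    """Non-placeholder registrant names ever listed on a domain."""
    return {r.registrant_name for r in records
            if r.domain == domain and normalise(r.registrant_name) is not None}


if __name__ == "__main__":
    for dom, (hops, via) in pivot(RECORDS, "c2-example.net").items():
        print(f"{dom:24s} hops={hops} via={via} names={registrant_names(RECORDS, dom)}")
```

Two caveats a practitioner should keep in mind. First, the hub_limit check matters in practice: registrar default phone numbers and privacy-proxy e-mail addresses are shared by enormous numbers of unrelated domains, and a pivot that does not exclude them produces noise rather than leads. Second, as CheckPoint noted about “Caleb Wilson,” the name on a record can be a pseudonym, so a shared phone number or e-mail address is a lead to corroborate with independent evidence (here, the router screenshot and the dox), not an attribution on its own.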

In April 2018 I heard from a source who said he engaged Nexus Zeta in a chat about his router-ravaging botnet and asked what kind of router Nexus Zeta trusted. According to my source, Nexus Zeta shared a screen shot of the output from his wireless modem’s Web interface, which revealed that he was connecting from an Internet service provider in Vancouver, Wash., where Schuchman lives.

The Satori botnet author shared this screen shot of his desktop, which indicated he was using an Internet connection in Vancouver, Washington — where Schuchman currently lives with his father.

“During our discussions, I learned we have the same model of router,” the source said. “He asked me my router model, and I told him. He shared that his router was also an ActionTec model, and sent a picture. This picture contains his home internet address.”

This matched a comprehensive “dox” that someone published on Pastebin in Feb. 2018, declaring Nexus Zeta to be 20-year-old Kenneth Currin Schuchman from Vancouver, Washington. The dox said Schuchman used the aliases Nexus Zeta and Caleb Wilson, and listed all of the email addresses tied to Nexus Zeta above, plus his financial data and physical address.

“Nexus is known by many to be autistic and a compulsive liar,” the dox begins.

“He refused to acknowledge that he was wrong or apologize, and since he has extremely poor opsec (uses home IP on everything), we have decided to dox him.

He was only hung around by few for the servers he had access to.
He lies about writing exploits that were made before his time, and faking bot counts on botnets he made.
He’s lied about having physical contact with Anna Senpai (Author of Mirai Botnet).”

As detailed in the Daily Beast story and Nexus Zeta’s dox, Schuchman was diagnosed with Asperger Syndrome and autism disorder, and at one point when he was 15 Schuchman reportedly wandered off while visiting a friend in Bend, Ore., briefly prompting a police search before he was found near his mother’s home in Vancouver, Wash.

Nexus Zeta clearly had limited hacking skills initially and almost no operational security. Indeed, his efforts to gain notoriety for his illegal hacking activities eventually earned him just that, as such efforts usually do.

But it’s clear he was a quick learner; in the span of about a year, Nexus Zeta was able to progress from a relatively clueless newbie to the helm of an international menace that launched powerful DDoS attacks while ravaging hundreds of thousands of systems.


39 comments

  1. The Sunshine State

    Looks like another 20-year-old script kiddie with autism
    (Asperger’s), a real bad haircut and also a compulsive liar, gets nailed by federal authorities.

    Not to mention also the bad OpSec with him revealing his real I.P. address ! LOL

  2. Hahaha. Brian, did he really send you a screenshot of his desktop with his public IP in it?

  3. Clearly a kid who needed to prove something. Every time a read something like that I keep wondering: isn’t it possible to be more preventive here? Wouldn’t there be a way to help bright troubled teens *before* they commit a crime?

    • Readership1 (previously just Reader)

      Exactly correct!

    • Many socially illiterate people find it increasingly difficult to fit in among the general populace and therefore have a drive to stand out.

      Add that to the fact that teenagers and young adults haven’t developed proper ethics and have an inability to understand consequences of their actions (especially over a computer), due to a combination of undeveloped prefrontal lobe and lack of life experience (directly out of high school) and you have a recipe for disaster among those intelligent enough to stand out. It happens far too often and is the reason why many people posted about on here are young adults or teenagers.

      • The culture of the Internet in general is one based on fame, followers, ‘influencers’, etc. It’s a big advertising machine now. The end game is notoriety, instead of whatever it was 25 years ago when us old guys were surfing Usenet. Buying books for cheap? My memory is a bit faded but I feel like that was the main thrust of the Internet in the mid-90’s. 🙂

        • Perhaps, but I would extend this concept well beyond the internet. Content on the internet is an extension of our self and humanity. I often phrase social medias as our concentrated insanity.

          We humans are naturally inclined to crave attention, fame, status, wealth, and power. This is because these aspects help one in natural selection and are a product of evolution. Having status/wealth can help one spread their genes onto the next generation. People’s behaviors can almost always be explained based upon survival & reproduction, since that’s what we are programmed to do.

        • Readership1 (previously just Reader)

          Matty,

          You’re right about notoriety.

          Episodes of mass violence, especially terrorism, tend to follow one another based on news coverage of the perpetrators.

          Copycat crimes exist largely on the notoriety of those who did crimes first and got attention.

          Humans are wired by evolution and culture to perform in ways that increase visibility among potential mates and gain peer approval.

          The challenge for young adults in a first world environment of ubiquitous news and social media is to stand out for positive achievements, rather than fall into a hole of narcissism, nihilism, criminality, or negative notoriety.

  4. Readership1 (previously just Reader)

    The real story here is how many intelligent adults working as researchers and journalists failed a socially retarded youth who’d reached out for help and friendship.

    Not one person is described in this, or Poulsen’s, article as having made a bit of effort to suggest, cajole, or steer this wayward soul into following a path of light and goodness.

    Both articles are devoid of examples of empathy by people who could have made a difference.

    No one said, “Hey, kid, there’s a better way to use your time and energy.”

    Shame on them all.

    • Please do not refer to people as retarded.

      • Yes, please don’t refer to people as retarded as it demonstrates an unusually high degree of ignorance and lack of knowledge.

        OTOH, I wholly agree an opportunity was lost in that no one sought to redirect this bright young man into a constructive direction. Individuals on the autism spectrum have much to offer that neurotypicals in their own prejudice and short-sightedness too often miss.

        • Think you might need a dictionary…

          re·tard (verb): delay or hold back in terms of progress, development, or accomplishment.

          “Socially retarded” sounds about right.

      • Readership1 (previously just Reader)

        Your priorities are out of order.

      • What’s the newspeak-approved word for retard?

    • Have YOU ever tried to reason with a cybercriminal? It doesn’t fucking work. They will keep doing what they are doing, and nothing will make them stop except a knock on their door. I’ve tried, and I know many others have as well.

      For your troubles, they might just harass you and your family. If reason worked on them, they would have stopped a long time ago.

      These people are ill and need help, but the only effective form of help for them, and or all the people they harm, is the police, or real immediate real life consequences in some way.

      • Readership1 (previously just Reader)

        Un,

        Kindness and generosity of spirit can have remarkable effects on people with defects of the mind and/or body.

        I know this because I’ve been blessed with some in my life.

        Throw off your cynicism and put a little love in your heart.

        😉
        http://www.dollyon-line.com/archives/lyrics/palliyh.shtml

        • When 100’s of thousands of people, or millions, are affected by a botnet, as far as they can be concerned, it’s just some Internet jerk. It’s the spectrum stories that always come out later.

          I’m wrestling between feeling rage and sympathy for this dude. People on the spectrum do not lose the ability to tell right from wrong, there’s a conscious decision to do damage in there that I’m having a hard time dismissing.

      • It’s not like he was cold calling old ladies and telling them their computers were totally infected and the only way to save their house from burning down was to give them remote access to their network and their life savings. THAT is a cyber criminal… and how often do you read stories of them being caught? Never, cuz it’s boring. This kid is dumb, not inherently malicious. I feel bad for him.

  5. I believe krebs told him more than once to stop running bot nets. Was krebs supposed to offer Amazon gift cards as sugar to sweeten the offer?

  6. My sugary sweet comment was in reply to Readership1

    • Readership1 (previously just Reader)

      I read it. Thanks. I see no harm in trying a bit of sugar once in a while.

  7. Thanks for the humorous article! I’ve had a good chuckle reading it.

    Keep up the good work (as always).

  8. I just got the satori source code. Ima Release it to the Community @Spookster @UNKNOWN… Os S 20 Fan.cc.88 echo null 88☠️

  9. I hope the owners of the IPs listed in the router screen shot have changed their usernames and passwords. Because they’re pretty visible in that!

  10. Is it same botnet internet got hysterical about last year talking about “Reaper”?

  11. Jingle-Heimer Schmidt

    Your name is my name too

  12. Thanks for another goodie, Brian!

    I think you did the right thing in ignoring him: If an intervention via IM had worked, I’d be very surprised.

    That said, it’s a shame no person *in his life* helped him turn his script-kiddie powers to better purposes.

    There’s only so much you can do with people by long distance chat.

  13. Kenny/Nexus took the blame for Satori, even though it was Aaron Sterritt AKA Vamp who originally created and ran the botnet. Ask around, and you will confirm that this is true.

    • 100% true, Nexus was not the author of Satori. Nexus only pulled the bots because he paid for the GoAhead and GPON exploit that was soon to be leaked weeks later. He didn’t actually make anything other than getting Vamp to spoonfeed him code for an improved selfrep.

  14. Brian, it seems you’ve had an invasion of some real d-bags in the comments as of late.

    Autistic people can do amazing things, and in terms of mental disorders I would not place it anywhere near the same category as Down syndrome, or similar mental disorders. Autistic people see the world in a different way than others do, which is part of the reason why they struggle to understand boundaries and norms. This different way of seeing the world is exactly what makes them extremely talented and useful in certain areas. Read about 4chan users locating Shia LaBeouf’s HWNDU flag in Tennessee using airplane contrails and a car horn, among other things. Wladimir Palant said it right in his comment above, they need to be guided on a path that uses their talent for good.

    I’ve often thought if some “criminals” (autistic or non) put forth the same level of effort they use in doing evil to do good they would probably do quite well for themselves in life, as well as helping society as a whole. What prevents that is when they get set on a bad path with nobody to guide them in the right direction.

    The world needs more mentors, people willing to take others under their wings and be a force for change and good. Imagine how much more rapidly mankind can progress if more people took it upon themselves to be those mentors?

    • We’re just not idiots, maybe a bit obsessive.

      Go on then, save the world from home behind a PC screen, what do you expect us to do? Make prosthetics from recycled tin cans?

      Actually… Nah. Only an idiot would do that.

      I’ll denominate to a life of staring at stock market graphs, even though gambling is illogical … I now realize all we need is a problem we can’t solve.

      Can’t someone utilize these IoT devices for a cryptocurrency, or like, the end of all humans?

    • “The world needs more mentors, people willing to take others under their wings and be a force for change and good. Imagine how much more rapidly mankind can progress if more people took it upon themselves to be those mentors?”

      Have you ever tried to “mentor” someone with a deficiency, such as autism/Asperger’s? It’s not possible. You cannot force a change of good (or bad) on those with moderate to severe affliction. His parent/s probably were like “oh crap, he’s got a talent for something, let’s let him prosper in IT,” not realizing that he was seeking fame and fortune through ‘his’ botnet. Puppy dogs and unicorns.

  15. On a positive note, he could always get a job as a bellboy with zero chance of his hat ever blowing off.

  16. Sounds like people don’t know how to recognise a meme (Zeta’s HF posts). Also, UPnP 0-days don’t require much more than halfway competent research skills to discover. And Satori/Okiru’s actual origins are so far from what everyone thinks that it is almost laughable.

  17. So…to recap: a mentally disabled kid with a yearning to be recognized for something he accomplished in a relatively short amount of time, considering, is arrested for being foolish, ill-advised & at most, slightly anti-social. Awesome?
    This kid didn’t do this for money, it appears he even PAID money to get access to the program: he’s not a hacker, he can not program. The ss of him repeatedly asking for help in an open forum (that everyone knows is monitored by feds) with pretty basic stuff is proof of that, and yet the DA is trying to get him convicted of creating an offshoot of a very advanced computer program that in reality was probably made by a state actor.
    This is not justice. Arresting him isn’t keeping people safe. As far as I read, he hadn’t caused any real damage. I doubt he even comprehends the power this has as a cyber weapon… and still does, ’cause whoever really wants this still has access to it.
    There’s just no logic in the American judicial system. Hope his parents get him a good attorney.

    • Not a state actor, Satori was written by another person named Vamp (responsible for TalkTalk hack) who also has the same disability.