Satori Botnet's Alleged Developer RearrestedPotential Coincidence: IoT Botnet Reawakened After Suspect's Release on Bail
The alleged author of a supercharged variant of Mirai malware called Satori has been rearrested for violating his bail conditions.
Kenneth Currin Schuchman, 20, was indicted in federal court in Alaska on Aug. 21 on two counts of using malware to violate the Computer Fraud and Abuse Act, and subsequently released on bail. But he was rearrested on Oct. 19 for violating a condition of his bail, is now being held in the SeaTac detention center in Seattle, and is due to be transported to Anchorage, Alaska, for a Nov. 8 hearing, ZDNet first reported.
The three-page indictment naming Schuchman is sparse on details, saying that the alleged fraud and computer misuse occurred from August through November 2017.
The Justice Department declined to comment on the malware that Schuchman is accused of using. A spokeswoman tells Information Security Media Group: "There are no new charges to report."
But The Daily Beast first reported on Aug. 30 that authorities accused Schuchman of being "Nexus Zeta," the hacker handle of the individual who claims to have built the virulent Mirai-derived Satori botnet.
Schuchman's case is also being handled by the same prosecutors who last December successfully prosecuted the three authors of Mirai in a federal court in Alaska (see: Mirai Co-Author Gets House Arrest, $8.6 Million Fine).
Mirai malware, which first appeared in 2016, targeted 64 default or hard-coded credentials built into dozens of internet of things devices, including inexpensive, widely used digital video recorders, wireless cameras and routers, to build a powerful botnet. After its developers leaked the source code in September 2016, it was widely adapted into malware that continues to target an expanding number of internet-connected devices (see: Botnets Keep Brute-Forcing Internet of Things Devices).
The Rise of Satori
In November 2017, researchers at the security firm Check Point Software Technologies identified a new botnet, based on Mirai, known both as Satori and Okiru. The malware was targeting a zero-day flaw - designated CVE-2017-17215 - in some Huawei devices. Check Point tied Satori to infections of at least 260,000 internet-connected devices in just its first 12 hours of life.
Check Point said the malware appeared to be the work of an amateur who used the handle "Nexus Zeta" and who since 2015 had frequented Hack Forums, aka HackForums, a cybercrime site favored by script kiddies and hacker wannabes. Based on posts tied to the account, "his most recent focus was on an initiative to establish a Mirai-like IoT botnet," Check Point researchers wrote (see: Hacker Exploits Huawei Zero-Day Flaw to Build Mirai Botnet).
"We also came across his Skype and SoundCloud accounts which are in the name of Caleb Wilson (caleb.wilson37 / Caleb Wilson 37), though it cannot be determined whether this is his real name," the researchers said.
On Dec. 25, 2017, someone posted code for exploiting CVE-2017-17215 to text-sharing site Pastebin, NewSky Security reported. It said the vulnerability had been exploited by Satori as well as earlier that month by another strain of malware called Brickerbot - built by someone using the handle "Janitor" - which was designed to target internet of things devices.
Satori Modified to Target Cryptocurrency
While Satori initially continued Mirai's focus on using infected endpoints to launch massive distributed denial-of-service attacks, by January, new versions included the ability to target Claymore cryptocurrency mining software, giving the attacker the ability to make infected systems mine for Ethereum cryptocurrency, according to researchers at China-based Netlab 360.
"Once a Claymore mining machine was found, it hijacked the miner's wallet address to point to the Satori operator's wallet by modifying the miner configuration file, thus stealing the mined currency that the rig produces," say researchers at the Threat Research Labs at U.S. telecommunications giant CenturyLink.
In February, a Pastebin post by rival hackers calling themselves T0rnado and Disciple claimed that Nexus Zeta was Kenneth Schuchman, aka Caleb Wilson.
"Nexus ... refused to acknowledge that he was wrong or apologize, and since he has extremely poor opsec (uses home IP on everything), we have decided to dox him," T0rnado and Disciple wrote.
They posted an allegedly recent photograph of "Caleb" as well as a link to an authentic news story about Schuchman, tied to a missing child alert in 2014, when he was 15 years old. Schuchman vanished during a family trip to Bend, Oregon, before returning home safely the next day. The news report said Schuchman had been diagnosed with Asperger syndrome and autism.
Schuchman would hardly be the first alleged hacker to have been diagnosed with Asperger syndrome, one sign of which can be a prevalence for repetitive patterns and activities (see Teen Hacker Sentenced Over 'Titanium Stresser' Attacks).
There are further signs that Schuchman may have had a secret hacking life, as revealed in a 2016 Facebook post he made denigrating the Pokemon Go craze. "This is seriously beginning to make me wonder about the intelligence and maturity level of adults in this country these days," he wrote in the Facebook post, The Daily Beast reported. "I do blackhat hacking all the time and I haven't even downloaded this game let alone played it."
Court Approves Video Link
Schuchman, an unemployed resident of Vancouver, Washington, has been living with his father and is drawing disability, according to court documents.
Citing a lack of financial means following his initial arrest, Schuchman said he could not travel from Washington to Alaska, and he received permission to address the court via teleconference.
Using a video link, he was arraigned on Aug. 31 and entered a plea of not guilty before U.S. Magistrate Judge Deborah M. Smith. She ordered him to be released on bail.
It's not clear what Schuchman may have done to violate his bail conditions, leading to his arrest again on Oct. 19. Bryan Francesconi, Schuchman's public defender, couldn't be immediately reached for comment.
The conditions of Schuchman's release state: "The defendant shall not violate federal, state or local law while on release." He was prohibited from directly or indirectly contacting anyone who might be a victim or witness in the investigation or prosecution, and also prohibited from possessing a firearm or using any alcohol. And he was required to submit to an inpatient or outpatient substance abuse therapy and counseling program, if ordered to do so. He was also subject to home detention, meaning he was to remain at home except when going to work or for education or religious attendance, legal meetings or other approved outings.
Schuchman was also prohibited from using any computer with internet access except under the supervision of his father, Robert Schuchman.
Satori Reawakened in September
In what may be a coincidence, CenturyLink Threat Research Labs has been tracking a pool of devices infected with Satori, and it says the botnet went dormant following Schuchman's arrest, only to be reawakened later.
To be clear: It's not clear who operates the Satori botnet. But CenturyLink notes that some Satori bots scan for TCP port 5555 in an attempt to infect Android devices that have Android Debug Bridge enabled via that port. "The ADB service is an Android capability, typically disabled by default, which is used by developers or support personnel to access advanced Android OS features," the CenturyLink researchers say.
In late August, CenturyLink says it was monitoring a Satori command-and-control - aka C2 - server that was scanning for ADB on port 5555, and it found that connections from bots to the C2 server suddenly declined.
"On Aug. 30, the number of TCP connections from the bots to the C2 dropped by more than 99 percent, eventually registering zero by Sept. 9," it says. "This was just days after the news broke that the actor rumored to be responsible for the Satori botnet was indicted. It was logical to assume that this shift in operation of the botnet was due to the botnet control infrastructure being shut down as a result of this legal action."
In mid-September, however, the researchers said that the C2 server appeared to have been reactivated or re-established.
"After identifying hosts which were scanning the Internet on port TCP/5555, we could confirm that they were indeed largely from the same infected device pool that existed before the shutdown," CenturyLink says.