Script Kiddie Botnet Operators Ask For Jobs From Security Company That Shut Them Down

from the didn't-work dept

The BBC has a story about how the operators of one of the larger botnets that was recently shut down showed up at the offices of a security researcher who helped bring them down... asking for a job. The article highlights how the researcher, Luis Corrons, basically had figured out who was running the botnet after one of the operators made a mistake and revealed his home computer... which actually was not far from where Corrons worked. It was shut down at the end of last year, but a few months later, Corrons had an interesting experience:
In late March Mr Corrons was preparing for a meeting at Panda's Bilbao lab with a journalist and took a moment to dodge downstairs to get a drink. On the way down he passed two young men coming up.

One asked if he was Luis Corrons. He said yes while wondering who they were.

They introduced themselves which left him no wiser. Then, one of them said; "I'm Ostiator and this is Netkairo."

"It was then I realised these guys were the ones that were arrested in the Mariposa case," he told the BBC. "I thought they wanted to teach me a lesson."
Instead, they asked him for a job, saying that the shutdown of the botnet had "robbed them of their livelihood." Apparently, the two guys started following Corrons on Twitter, sending messages his way and commenting on his blog, before asking for work again. They finally brought in one of the guys for an interview, noting that they wouldn't hire anyone involved in criminal activity. The guy responded that he hadn't been charged with anything. However, Corrons also quickly realized that the guy barely had any technical skills -- pointing out that he didn't write the bot, he just ran it:
"He got really annoyed at that moment, when we told him he was not good enough," said Mr Corrons. Subsequent discussion revealed just how poor their skills were.

"They were given the botnet with all the stuff they needed," said Mr Corrons. "Using it was like using any other program."
So, for the script kiddies out there, perhaps before asking for a job from the security researchers who bring your botnet down, you do a bit of work to make sure you have the actual skills.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    icon
    BearGriz72 (profile), Jun 10th, 2010 @ 2:11am

    EPIC FAIL!

    LMAO...

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    LoL, Jun 10th, 2010 @ 2:19am

    I almost feel sorry for the poor schmuck's, almost LoL

     

    reply to this | link to this | view in thread ]

  3.  
    icon
    grumpy (profile), Jun 10th, 2010 @ 2:44am

    I would never work with anyone who'd run a botnet. Not because they might be dumb s'kiddies but because they've been a**holes. Botnets are for robbing other people or vandalizing. I don't care about doing time and coming out with a clean slate - if you want to be trusted to work with security you walk the straight and narrow path from the beginning.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    LoL, Jun 10th, 2010 @ 4:15am

    Re:

    I disagree respectfully. What I see here is a lost opportunity to turn misguided youth into something productive a lost opportunity to educate and train people to do something good. That would bring change in society, that would bring real security to all but it is hard and time consuming.

    We all have made mistakes when we were young, it is the age of the dumb and it ends about 35 mostly give it or take some years. Besides most security experts I know and see all started as a scriptkid that wanted to have some fun at some point, One of the founders of Apple put a mock bomb in a locker once, if he did that today he would go to jail and that is a shame.

    Somewhere along the line people lost the patience to teach others in the right way, we forgot compassion and start thinking we can force others to do things, that creates a rich environment for destructive behaviour to flourish because it feeds anger and frustration.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Anonymous Coward, Jun 10th, 2010 @ 4:24am

    Re: Re:

    I'm pretty sure script kiddies don't have any talent. In fact, that's part of the definition of script kiddies. They don't understand how anything works; they just run scripts. In fact, the article states that it was revealed that the guy had absolutely no skills in security at all.

    So at this point, it's not a lost opportunity at all. Now if he had gone to school for security and then decided to apply for a job, that might be a different thing.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Anonymous Coward, Jun 10th, 2010 @ 4:27am

    Re: grumpy

    that's a pretty good mindset to have. i mean, obviously there's no way someone could learn from their mistakes, right? it's a really good thing you've never broken any laws!

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Anonymous Coward, Jun 10th, 2010 @ 4:40am

    Re: Re: grumpy

    And it's a good thing you don't own a business. Proven lack of ethics, plus a total lack of skills... what job do you give a person like that? True, there are post-incarceration programs that offer training in, say, HVAC or auto mechanics; but this is a business, not a social services agency. Huge corporations can occasionally absorb totally unskilled applicants; not sure about the criminal part. Oh, wait -- maybe BP...

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Anonymous Coward, Jun 10th, 2010 @ 4:42am

    Re: Re: grumpy

    i don't use my shift key to save electricity. what are you doing to save the earth/

    people may learn from their mistakes, but they never change. if anything, he'll get better at covering his tracks.

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    abc gum, Jun 10th, 2010 @ 4:49am

    All those who run bot-nets are nefarious and underhanded?
    I suppose that is true, including some three letter acronym government organisations.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Anonymous Coward, Jun 10th, 2010 @ 5:31am

    they hire hackers that are actually dangerous that's all, these kids thought that was them until they were told some truths.

    bit like when corps give the leader of the union a nice fat different job to shut him up.

     

    reply to this | link to this | view in thread ]

  11.  
    icon
    Dark Helmet (profile), Jun 10th, 2010 @ 6:45am

    Re:

    "I suppose that is true, including some three letter acronym government organisations."

    We call them alphabet agencies. It sounds soooooo much cooler....

     

    reply to this | link to this | view in thread ]

  12.  
    icon
    harbingerofdoom (profile), Jun 10th, 2010 @ 6:48am

    Re: Re:

    what you are failing to see here is that companies do not hire people in order to turn misguided youths into something productive. companies hire people that are effective and going to produce in order to add to their bottom line. harsh but true.

    yes we all made mistakes, how many of us got a job offer because we made a mistake? i certainly never have. cant recall the last time i caused a collision and was offered a job by the highway patrol involving traffic safety.

    we didnt loose the patience to teach eachotehr, parents lost the abiltiy to raise their kids. its not a commune or collective. parents are supposed to be the ones making sure their precious little snowflakes are ready for the big bad world, not society in general.

    ....and lately parents have been doing a pretty crap job of it in some cases....

     

    reply to this | link to this | view in thread ]

  13.  
    icon
    cj (profile), Jun 10th, 2010 @ 7:47am

    They probably thought they were "all that". But in reality... they are the scum of the earth in so many ways. Perhaps someone told them wrong, or they thought that what they were doing, would eventually get them fame and fortune on so many levels.


    Now reality sets in.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, Jun 10th, 2010 @ 7:59am

    Re:

    Sry dis-agree but from a different point, our best security guys usually started off wearing black hats, not white ones...

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Stuart, Jun 10th, 2010 @ 8:18am

    On Second Though

    Shoot the fuckers.

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Anonymous Coward, Jun 10th, 2010 @ 8:33am

    bahaha

    They should put this story next to the definition of script-kiddie.

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Anonymous Coward, Jun 10th, 2010 @ 8:37am

    from united hackers association

    HAHA
    we make the stuff and it gets abused by morons whom get caught doing illegal stuff, and they prolly dont even know how to code in C
    let alone C++ , C# , perl, cgi, php, etc name your languages.

    scruipt kiddy knowledge
    ./configure
    ./make stupid
    ./stupid

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Anonymous Coward, Jun 10th, 2010 @ 8:58am

    Re:

    'Scum of the earth'? Try severing yourself from the computer just once a month or so, it might get you some much-needed perspective. Rapists, murderers, those are ACTUAL scum of the earth. These guys are simple script kiddies. Laugh and point at them? Yes. 'Shoot the fuckers'? Dude, what the hell.

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    rabbit, Jun 10th, 2010 @ 9:00am

    Re: Re:

    script kiddie does not equal black hat.

    not even in quantum theory.

     

    reply to this | link to this | view in thread ]

  20.  
    icon
    lostalaska (profile), Jun 10th, 2010 @ 2:44pm

    Re: Re:

    Yeah, but your best security guys that may have previously worn black hats were probably the ones that were also writing from scratch those kinds of scripts. So they understood the architecture of both operating systems and networks and had an intimate knowledge of all the hardware and software too. It's kind of like someone who is a wiz in word and plays around with macros thinking they can program their own OS.

    BTW: We have White Hat and Black Hat Hackers. Think of script kiddies as Ass Hat Hackers.

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    LoL, Jun 10th, 2010 @ 4:36pm

    Re: Re: Re: grumpy

    "Proven lack of ethics, plus a total lack of skills... what job do you give a person like that?"

    - Collection of information and tools in the wild.
    - Organization of information acquired.
    - Testing of tools, give them the toys and let them test it to see how far they go.
    - Infiltration, monitoring and reporting of the underground where they already have the knowledge where to find those things.

    Anything really that is not important, what is important is showing by example how a human being should view society and how someone can function inside that society, the tech is just and excuse for that. If left alone to themselves they probably will end up worst then what they are now. That is a shame and sad. Do I think the guy who didn't hire them is wrong or something? No, if he didn't imagine the scenario he probably is not capable of doing it in the first place and maybe he doesn't have the time, money or patience to do it either still is sad that we found ourselves in a position were we don't think about those things.

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    LoL, Jun 10th, 2010 @ 5:25pm

    Re: Re: Re:

    Sorry I failed to be clear, I know how the real world works and you are correct in how companies do business and most of what you said. Its just a shame it is that way.

    Now what I disagree.

    If to give a job is to give a reward you are correct, but in the case of misguided youth the job granting is not to grant them a reward but schooling on how to be an upstanding citizen, is to give a window into the other side and the opportunity to learn by example, people will copy how others act, if you put them in an good environment they will learn things and will not even realize and it almost doesn't matter what the home is like which leads me to the other point.

    It is not the parents sole responsibility to educate their sons and daughters, it is the entire community responsibility, parents in many ways are not well suited for that job, the environment is also important and in many occasions the home environment is completely irrelevant being supplanted by external environment parameters.

    Real world experience, if you grown up in a chantytown your view of the world will be very different from the view of someone raised in Beverly Hills, people act differently and that is a product of the environment, that can be changed but it is hard to change things after they have settled in.

    Another example, I was playing a web browser game, moderators in American servers where brutal, inconsiderate and plain control freaks, Americans are control freaks because of their environment they believe in forcing things and they pass that to their government that draws its man power from inside society, the U.S. is not a monarchy, the servers managed by Europeans in contrast where more loose, managers tended to ignore some things, let some things pass if you talked to them and to them it was about trust, for the American managers it was about rules.

    In Japan even the criminals believe in trust, if they give you their word that is good as signed agreement and it is enforced inside that culture, to violate that trust have severe consequences.

    Another example from real life:

    In the U.S. I saw in the streets a couple passing by a group of teenagers and some policemen saw the kids and asked the couple if everything was ok, that is good and fine, but it was a veiled threat to the teenagers, it was about showing of force not solving problems, they could have gone in more stealthy and talked to the kids like nothing was going on while making sure the kids weren't bothering anyone, they chose confrontation instead of dialogue. In Japan I saw some unruly teenagers hanging out in a game parlour and making noise they were scary to say the least, at one point the manager or owner came down to talk to them, instead of booting the kids out he proposed to them that if they could keep others from bothering the customers those kids would have free pass to play what they wanted, the guy turned evil kids into employee's and for that case it worked wonders, the kids even had the security call on them to solve problems with other kids.



    Make no mistake, Americans have the government they deserve because they taught those values to everyone and enforce those things.

     

    reply to this | link to this | view in thread ]

  23.  
    identicon
    rather_notsay, Jun 10th, 2010 @ 7:14pm

    Great Reward

    instead of booting the kids out he proposed to them that if they could keep others from bothering the customers those kids would have free pass to play what they wanted

    So it sounds like, "Behave yourself and we'll treat you like everyone else. Be a threatening ass and we'll give you free stuff." That used to be known as extortion, but maybe I'm such an outdated fossil that I just don't understand the hip new world.

    Rewarding computer intruders for their criminal behavior is the same thing. There's already this weird romantic notion that an acceptable career path is commit some break ins, get caught, profess remorse, then clean up as security consultant. How much illegal behavior are we supposed to put up with from misunderstood kiddies working on their long term career goals?

    Maybe not shoot them, but they certainly shouldn't be rewarded. I sure wouldn't want them in my shop.

     

    reply to this | link to this | view in thread ]

  24.  
    identicon
    Anonymous Coward, Jun 11th, 2010 @ 6:33am

    Re: from united hackers association

    If you were a hacker you'd at least know that CGI isn't a programming language...

     

    reply to this | link to this | view in thread ]

  25.  
    identicon
    Ali Khamenei, Jul 17th, 2010 @ 11:54am

    Such idiot script kiddies.

    LOL. They can't code in c++. Why consider themselves hackers when they can't code shit.

     

    reply to this | link to this | view in thread ]

  26.  
    identicon
    Gobbledygoop, Dec 12th, 2010 @ 9:41am

    My thoughts…

    I once thought these types of attacks were neat... When I was like 12 the only place you could access the internet was at school (i mean, what 12 year old wouldnt go for the opportunity to mess with their school grades?)

    Anyway, at about 18 years old i switched from wanting to be a music major to computer science because i had a passion to really know how computers ticked, and an undeniable need to express myself through coding. Not only did i go to school for CS, i also learned much on my own and eventually found myself getting heavily involved with the .net platform. .Net became my hobby and eventually, my career.

    My point is, some malicous script-kiddy does not equal a computer scientist or software engineer. If one of these SRJs eventually grows up and discovers they want to actually hone the programming craft, then they will go to school, apply for jobs, and become a respected part of the development community. I see no reason for a private company to offer some punk kid a job because their only hobby was to create a mess using things others developed with no or little understanding of the internal workings. Id be all for a prison program for these guys where they are taught actual computer science, but thats up to the tax paying citizens of that local jurisdiction. My company personally doesnt have any such correctional training program -its simply not our job.

     

    reply to this | link to this | view in thread ]

  27.  
    identicon
    Bytesland S.E., Feb 14th, 2011 @ 4:44am

    Re:

    I hope some day everything will be clear. Botnet should be really shut down. I was gald to find some real facts on this topic at last.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This