Script Kiddie Botnet Operators Ask For Jobs From Security Company That Shut Them Down

from the didn't-work dept

The BBC has a story about how the operators of one of the larger botnets that was recently shut down showed up at the offices of a security researcher who helped bring them down… asking for a job. The article highlights how the researcher, Luis Corrons, basically had figured out who was running the botnet after one of the operators made a mistake and revealed his home computer… which actually was not far from where Corrons worked. It was shut down at the end of last year, but a few months later, Corrons had an interesting experience:

In late March Mr Corrons was preparing for a meeting at Panda’s Bilbao lab with a journalist and took a moment to dodge downstairs to get a drink. On the way down he passed two young men coming up.

One asked if he was Luis Corrons. He said yes while wondering who they were.

They introduced themselves which left him no wiser. Then, one of them said; “I’m Ostiator and this is Netkairo.”

“It was then I realised these guys were the ones that were arrested in the Mariposa case,” he told the BBC. “I thought they wanted to teach me a lesson.”

Instead, they asked him for a job, saying that the shutdown of the botnet had “robbed them of their livelihood.” Apparently, the two guys started following Corrons on Twitter, sending messages his way and commenting on his blog, before asking for work again. They finally brought in one of the guys for an interview, noting that they wouldn’t hire anyone involved in criminal activity. The guy responded that he hadn’t been charged with anything. However, Corrons also quickly realized that the guy barely had any technical skills — pointing out that he didn’t write the bot, he just ran it:

“He got really annoyed at that moment, when we told him he was not good enough,” said Mr Corrons. Subsequent discussion revealed just how poor their skills were.

“They were given the botnet with all the stuff they needed,” said Mr Corrons. “Using it was like using any other program.”

So, for the script kiddies out there, perhaps before asking for a job from the security researchers who bring your botnet down, you do a bit of work to make sure you have the actual skills.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Script Kiddie Botnet Operators Ask For Jobs From Security Company That Shut Them Down”

Subscribe: RSS Leave a comment
grumpy (profile) says:

I would never work with anyone who’d run a botnet. Not because they might be dumb s’kiddies but because they’ve been a**holes. Botnets are for robbing other people or vandalizing. I don’t care about doing time and coming out with a clean slate – if you want to be trusted to work with security you walk the straight and narrow path from the beginning.

LoL says:

Re: Re:

I disagree respectfully. What I see here is a lost opportunity to turn misguided youth into something productive a lost opportunity to educate and train people to do something good. That would bring change in society, that would bring real security to all but it is hard and time consuming.

We all have made mistakes when we were young, it is the age of the dumb and it ends about 35 mostly give it or take some years. Besides most security experts I know and see all started as a scriptkid that wanted to have some fun at some point, One of the founders of Apple put a mock bomb in a locker once, if he did that today he would go to jail and that is a shame.

Somewhere along the line people lost the patience to teach others in the right way, we forgot compassion and start thinking we can force others to do things, that creates a rich environment for destructive behaviour to flourish because it feeds anger and frustration.

Anonymous Coward says:

Re: Re: Re:

I’m pretty sure script kiddies don’t have any talent. In fact, that’s part of the definition of script kiddies. They don’t understand how anything works; they just run scripts. In fact, the article states that it was revealed that the guy had absolutely no skills in security at all.

So at this point, it’s not a lost opportunity at all. Now if he had gone to school for security and then decided to apply for a job, that might be a different thing.

harbingerofdoom (profile) says:

Re: Re: Re:

what you are failing to see here is that companies do not hire people in order to turn misguided youths into something productive. companies hire people that are effective and going to produce in order to add to their bottom line. harsh but true.

yes we all made mistakes, how many of us got a job offer because we made a mistake? i certainly never have. cant recall the last time i caused a collision and was offered a job by the highway patrol involving traffic safety.

we didnt loose the patience to teach eachotehr, parents lost the abiltiy to raise their kids. its not a commune or collective. parents are supposed to be the ones making sure their precious little snowflakes are ready for the big bad world, not society in general.

….and lately parents have been doing a pretty crap job of it in some cases….

LoL says:

Re: Re: Re: Re:

Sorry I failed to be clear, I know how the real world works and you are correct in how companies do business and most of what you said. Its just a shame it is that way.

Now what I disagree.

If to give a job is to give a reward you are correct, but in the case of misguided youth the job granting is not to grant them a reward but schooling on how to be an upstanding citizen, is to give a window into the other side and the opportunity to learn by example, people will copy how others act, if you put them in an good environment they will learn things and will not even realize and it almost doesn’t matter what the home is like which leads me to the other point.

It is not the parents sole responsibility to educate their sons and daughters, it is the entire community responsibility, parents in many ways are not well suited for that job, the environment is also important and in many occasions the home environment is completely irrelevant being supplanted by external environment parameters.

Real world experience, if you grown up in a chantytown your view of the world will be very different from the view of someone raised in Beverly Hills, people act differently and that is a product of the environment, that can be changed but it is hard to change things after they have settled in.

Another example, I was playing a web browser game, moderators in American servers where brutal, inconsiderate and plain control freaks, Americans are control freaks because of their environment they believe in forcing things and they pass that to their government that draws its man power from inside society, the U.S. is not a monarchy, the servers managed by Europeans in contrast where more loose, managers tended to ignore some things, let some things pass if you talked to them and to them it was about trust, for the American managers it was about rules.

In Japan even the criminals believe in trust, if they give you their word that is good as signed agreement and it is enforced inside that culture, to violate that trust have severe consequences.

Another example from real life:

In the U.S. I saw in the streets a couple passing by a group of teenagers and some policemen saw the kids and asked the couple if everything was ok, that is good and fine, but it was a veiled threat to the teenagers, it was about showing of force not solving problems, they could have gone in more stealthy and talked to the kids like nothing was going on while making sure the kids weren’t bothering anyone, they chose confrontation instead of dialogue. In Japan I saw some unruly teenagers hanging out in a game parlour and making noise they were scary to say the least, at one point the manager or owner came down to talk to them, instead of booting the kids out he proposed to them that if they could keep others from bothering the customers those kids would have free pass to play what they wanted, the guy turned evil kids into employee’s and for that case it worked wonders, the kids even had the security call on them to solve problems with other kids.

Make no mistake, Americans have the government they deserve because they taught those values to everyone and enforce those things.

Anonymous Coward says:

Re: Re: grumpy

And it’s a good thing you don’t own a business. Proven lack of ethics, plus a total lack of skills… what job do you give a person like that? True, there are post-incarceration programs that offer training in, say, HVAC or auto mechanics; but this is a business, not a social services agency. Huge corporations can occasionally absorb totally unskilled applicants; not sure about the criminal part. Oh, wait — maybe BP…

LoL says:

Re: Re: Re: grumpy

“Proven lack of ethics, plus a total lack of skills… what job do you give a person like that?”

– Collection of information and tools in the wild.
– Organization of information acquired.
– Testing of tools, give them the toys and let them test it to see how far they go.
– Infiltration, monitoring and reporting of the underground where they already have the knowledge where to find those things.

Anything really that is not important, what is important is showing by example how a human being should view society and how someone can function inside that society, the tech is just and excuse for that. If left alone to themselves they probably will end up worst then what they are now. That is a shame and sad. Do I think the guy who didn’t hire them is wrong or something? No, if he didn’t imagine the scenario he probably is not capable of doing it in the first place and maybe he doesn’t have the time, money or patience to do it either still is sad that we found ourselves in a position were we don’t think about those things.

lostalaska (profile) says:

Re: Re: Re:

Yeah, but your best security guys that may have previously worn black hats were probably the ones that were also writing from scratch those kinds of scripts. So they understood the architecture of both operating systems and networks and had an intimate knowledge of all the hardware and software too. It’s kind of like someone who is a wiz in word and plays around with macros thinking they can program their own OS.

BTW: We have White Hat and Black Hat Hackers. Think of script kiddies as Ass Hat Hackers.

Anonymous Coward says:

Re: Re:

‘Scum of the earth’? Try severing yourself from the computer just once a month or so, it might get you some much-needed perspective. Rapists, murderers, those are ACTUAL scum of the earth. These guys are simple script kiddies. Laugh and point at them? Yes. ‘Shoot the fuckers’? Dude, what the hell.

rather_notsay (profile) says:

Great Reward

instead of booting the kids out he proposed to them that if they could keep others from bothering the customers those kids would have free pass to play what they wanted

So it sounds like, “Behave yourself and we’ll treat you like everyone else. Be a threatening ass and we’ll give you free stuff.” That used to be known as extortion, but maybe I’m such an outdated fossil that I just don’t understand the hip new world.

Rewarding computer intruders for their criminal behavior is the same thing. There’s already this weird romantic notion that an acceptable career path is commit some break ins, get caught, profess remorse, then clean up as security consultant. How much illegal behavior are we supposed to put up with from misunderstood kiddies working on their long term career goals?

Maybe not shoot them, but they certainly shouldn’t be rewarded. I sure wouldn’t want them in my shop.

Gobbledygoop says:

My thoughts?

I once thought these types of attacks were neat… When I was like 12 the only place you could access the internet was at school (i mean, what 12 year old wouldnt go for the opportunity to mess with their school grades?)

Anyway, at about 18 years old i switched from wanting to be a music major to computer science because i had a passion to really know how computers ticked, and an undeniable need to express myself through coding. Not only did i go to school for CS, i also learned much on my own and eventually found myself getting heavily involved with the .net platform. .Net became my hobby and eventually, my career.

My point is, some malicous script-kiddy does not equal a computer scientist or software engineer. If one of these SRJs eventually grows up and discovers they want to actually hone the programming craft, then they will go to school, apply for jobs, and become a respected part of the development community. I see no reason for a private company to offer some punk kid a job because their only hobby was to create a mess using things others developed with no or little understanding of the internal workings. Id be all for a prison program for these guys where they are taught actual computer science, but thats up to the tax paying citizens of that local jurisdiction. My company personally doesnt have any such correctional training program -its simply not our job.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...