MalwareTech @MalwareTechBlog Malware Researcher, Programmer, WannaCry Killer, Sort of US Resident. Follow @MalwareTechLab for research. Patreon: Sep. 08, 2018 3 min read

A couple of people are asking me to tell the story, and it looks like all the details are public now so I can. Thread:

A friend and I developed an automated platform for finding botnets based on the Mirai source code and extracting their control server address. We'd feed the information into a system which would monitor their control servers and notify us of any DDoS attacks they launched.

We started noticing a particular botnet which had much more sophisticated infrastructure than the others, and it was spreading at a significantly higher rate. Whoever was operating it wasn't your average script kiddie, so we did some digging into him.

Based on attack patterns, it looked as if the owner was running a DDoS-for-hire service, but the high price point meant it appealed to more sophisticated attackers, rather than script kiddies.

I was able to get traffic stats from a couple of the victims' ISPs, and the attacks ranged from 100 to 600 Gbps, with some attacks exceeding 200m pps. This botnet was no joke; it was the kind capable of knocking offline entire datacenters.

One day we got a notification that a DDoS attack had been launched at one of the largest banks in the UK. We checked their website and sure enough, it was toast. There was little we could do to take out the botnet itself, due to its complex infrastructure, so we waited.

2 days passed and we'd heard they'd been given a ransom demand (pay or the attacks continue), and their site was still toast. There were now reports of real-world consequences, such as people getting stuck abroad due to no access to online banking.

I already knew the botnet operator's contact info from my digging into him, so I thought to myself "what if I can just ask him nicely to stop?". I reached out and explained that I knew he's not launching attacks himself, only selling access to customers.

I then explained that this specific attack was having serious real-world consequences, and provided a list of tweets from people complaining they're stuck abroad without money, then I asked him nicely to stop. He thought about it, then agreed to block the domain from being attacked.

Next day I noticed more attacks against the same bank and messaged him to ask wtf. He told me that the customer had bypassed the block by hitting another domain owned by the same bank, and was also paying him a lot of money for said attacks.

I explained to him that the attacks trace back to his botnet, not the customer. I further explained that financial institutions are designated critical infrastructure in the UK, so attacks against them are considered less of a criminal issue and more a national security one.

I then strongly suggested that unless he wanted to have to deal with intelligence agencies coming after him, as well as law enforcement, he completely cut off whichever customer was launching these attacks. There were no attacks after that.

I wasn't actually surprised that he agreed to stop the attacks either time. In my career I've found few people are truly evil; most are just too far disconnected from the effects of their actions, until someone reconnects them.

At the time I figured he'd probably already crossed the point of no return, and I imagine deep down he knew it too, but he still ceased the attacks. Unsurprisingly, less than a month later he was arrested by UK police (despite having operated as a cybercriminal for 8+ years). END
