‘Security Consultant’ Caught for Running Large Bot Network

Apparently he stopped his naughty activities back in 2006, but still…a guy who is supposed to be securing machines was installing malware and ran a botnet totaling about a quarter of a million zombies.

Most of the bots were used for info gathering, stealing PayPal accounts and installing malware for commission; he claims to have made $19,000 in a week installing TopConverting.

A Los Angeles security professional has admitted to infecting more than a quarter million computers with malicious software and installing spyware that was used to steal personal data and serve victims with online advertisements.

John Kenneth Schiefer, 26, variously known online as “acid” and “acidstorm,” agreed to plead guilty to at least four felony charges of fraud and wiretapping, charges punishable by $1.75 million in fines and nearly 60 years in prison.

Investigators say Schiefer and two minors — identified in the complaint only by their online screen names “pr1me” and “dynamic” — broke into about 250,000 PCs. On at least 137,000 of those infected systems, Schiefer and his cohorts installed programs that allowed them to control the machines remotely.

That’s a reasonably sized network, enough to rent out for some serious DDoS attacks, and certainly enough PayPal accounts to earn some good money.

Schiefer said he and his friends spread the bot programs mainly over AOL Instant Messenger (AIM). By using malicious “spreader” programs such as Niteaim and AIM Exploiter, Schiefer and his co-conspirators spammed out messages inviting recipients to click on a link. Anyone who took the bait had a “Trojan horse” program downloaded to their machine, an invader that then tried to fetch the malicious bot program.

Schiefer admits he and friends used several hijacked PayPal accounts to purchase Web hosting that helped facilitate the spreading of their bot programs.

Pretty lame, as most of the infections were done with pre-built AIM tools. This is ultimate script kiddie stuff, but hey, I guess it works.

Source: Washington Post

Posted in: Legal Issues, Malware



19 Responses to ‘Security Consultant’ Caught for Running Large Bot Network

  1. Pantagruel November 13, 2007 at 3:38 pm #

    Well at least he knew what he was talking about and had first hand knowledge of the potential threat of a botnet ;)

    Of course quite lame posing as a ‘security professional’ while being nothing short of a plain script kiddo/botnet masta

  2. cpj November 13, 2007 at 3:47 pm #

    well i suppose he could always say you have to intimately know what you are fighting against … it probably gives him more experience than all of the security personnel who have NOT run their own botnets …

  3. normalsecrecy November 13, 2007 at 8:13 pm #

    cpj-good point. but who’s going to (knowingly) hire a liar to protect their networks and data? he might’ve had a better shot at legit security work if he just ran the botnet as a pure criminal and hadn’t posed as a security professional.

    people are funny that way. we’ll forgive a guy screwing around on his wife as long as he doesn’t first go on an innocence campaign and say he “did not have sex with that woman” only to get busted down the line.

  4. Goodpeople November 13, 2007 at 9:45 pm #

    One botnet down, x to go.

    Being a security professional and CEH myself, I can only hope that this guy never sees daylight again. They should bury him so deep that the heat radiating from the core of the earth scorches his feet.

    So far for my not so politically correct opinion. A couple of years ago here in The Netherlands, some script kiddie who wrote a virus using some virus construction kit got offered a high paying job at a local government after he did his time in jail.

    That is why I became an IT professional. Computers make sense, people don’t….

  5. Nobody_Holme November 13, 2007 at 10:04 pm #

    No… People make perfect sense, management don’t. That’s how the world works, it seems…
    Also, if he sells this kind of stuff he is a security professional… just like someone who sets explosives and someone who disarms them are both explosives experts.

  6. dirty November 14, 2007 at 6:24 pm #

    Just briefed some customers on this (part of my job is infosec news). Anyway, it’s sad because there is already so much distrust in this line of work…it takes years of working on relationships in order to build confidence in customers, and something like this can shock them so much it can destroy or hurt even the most honest company’s/person’s reputation.

  7. Goodpeople November 15, 2007 at 12:15 am #

    That is exactly why I hope that they hit him hard. Our work is difficult enough as it is. We don’t need this kind of incident.

  8. CG November 15, 2007 at 4:28 am #

    Just briefed some customers on this (part of my job is infosec news). Anyway, it’s sad because there is already so much distrust in this line of work

  9. Pantagruel November 15, 2007 at 9:36 pm #

    @ -CG-
    It’s less fun if you come across the auction for the ClamAV vuln they are running. Quite sick to sell an exploit instead of disclosing it to the ClamAV people. It’s not making you look more ‘pro’ if you want to sell an exploit to the highest bidder.

  10. CG November 16, 2007 at 5:28 am #

    i’m actually a supporter of 0day and full-disclosure (but not really a supporter of their business model). 0days keep sysadmins, network admins, security consultants, people that write exploits, security companies, AV, etc. in business, busy, and getting paid. it also keeps the technoidiots in fear mode, which is also good for the above.

    Now, if i was actively writing 0day i might feel different but since i am in the “i wish people would release more exploits for these vulns” camp i like people releasing exploits but not necessarily selling them (that’s a whole other issue)

  11. Nobody_Holme November 16, 2007 at 5:49 pm #

    I have the dodgy philosophy of not having a problem if it’s yet another hole in a microsuck program, but getting pissed off if they do shit like this against open-source stuff. I do want them to get owned by a vuln they themselves sell at some point, mind…

  12. dirty November 16, 2007 at 8:00 pm #

    Background checks will only reveal if they’ve been caught before. Even the NSA’s and CIA’s checks and security clearances miss some people. Think of all the spies that are found out.

  13. Goodpeople November 18, 2007 at 6:26 pm #

    Checking people’s online behavior is a good place to start. But then again.. I use different nicknames on different sites. The name Goodpeople is only a few months old…

  14. Nobody_Holme November 19, 2007 at 7:45 pm #

    That’s kind of a bad thing… because people would check and would find you have no history, and say “hm, he must be hiding something”

    On another note, I use this nick waaaaay too much. I don’t have any others… I should go fix that some time.

  15. Goodpeople November 19, 2007 at 10:41 pm #

    > On another note, I use this nick waaaaay too much. I dont have
    > any others

  16. Sir Henry December 14, 2007 at 6:36 pm #

    I am in agreement with Dirty on this. Background checks are only as efficient as the technical abilities of the person performing them. In any environment, people will hire someone who has technical expertise unrivaled by anyone else in the environment. That leads to situations like this. Not sure what the solution is other than to beef up the technical knowledge of those hiring and those performing the background checks.

  17. J. Lion March 6, 2008 at 3:58 pm #

    Do all security consultants need to sign an official document saying “I will do ethical stuff only” before working as a security consultant?

    What’s to stop a security consultant from saying “Pay me Protection Money or else…”?

  18. dirty March 10, 2008 at 8:11 pm #

    No, no one is required to sign anything unless they have certs like CISSP, etc.

    It just paints a negative image for people in our field.

  19. James C March 11, 2008 at 8:18 pm #

    @ Sir Henry
    I use torture to do my background checks on staff I hire, probably the reason I don