‘Security Consultant’ Caught for Running Large Bot Network

Apparently he stopped his naughty activities back in 2006, but still… a guy who is supposed to be securing machines was installing malware and running a botnet totaling about a quarter of a million zombies.

The zombies were mostly used for info gathering, harvesting PayPal accounts and installing malware on commission; he claims to have made $19,000 in a week installing TopConverting.

A Los Angeles security professional has admitted to infecting more than a quarter million computers with malicious software and installing spyware that was used to steal personal data and serve victims with online advertisements.

John Kenneth Schiefer, 26, variously known online as “acid” and “acidstorm,” agreed to plead guilty to at least four felony charges of fraud and wiretapping, charges punishable by $1.75 million in fines and nearly 60 years in prison.

Investigators say Schiefer and two minors — identified in the complaint only by their online screen names “pr1me” and “dynamic” — broke into about 250,000 PCs. On at least 137,000 of those infected systems, Schiefer and his cohorts installed programs that allowed them to control the machines remotely.

That’s a reasonably sized network, enough to rent out for some serious DDoS attacks, and certainly enough PayPal accounts to earn some good money.

Schiefer said he and his friends spread the bot programs mainly over AOL Instant Messenger (AIM). By using malicious “spreader” programs such as Niteaim and AIM Exploiter, Schiefer and his co-conspirators spammed out messages inviting recipients to click on a link. Anyone who took the bait had a “Trojan horse” program downloaded to their machine, an invader that then tried to fetch the malicious bot program.

Schiefer admits he and friends used several hijacked PayPal accounts to purchase Web hosting that helped facilitate the spreading of their bot programs.

Pretty lame, but most of the infections were done with pre-built AIM tools. This is ultimate script kiddie stuff, but hey, I guess it works, right?

Source: Washington Post

Posted in: Legal Issues, Malware


19 Responses to ‘Security Consultant’ Caught for Running Large Bot Network

  1. Pantagruel November 13, 2007 at 3:38 pm #

    Well at least he knew what he was talking about and had first-hand knowledge of the potential threat of a botnet ;)

    Of course, quite lame posing as a ‘security professional’ while being nothing short of a plain script kiddo/botnet masta

  2. cpj November 13, 2007 at 3:47 pm #

    Well, I suppose he could always say you have to intimately know what you are fighting against … it probably gives him more experience than all of the security personnel who have NOT run their own botnets …

  3. normalsecrecy November 13, 2007 at 8:13 pm #

    cpj - good point. But who’s going to (knowingly) hire a liar to protect their networks and data? He might’ve had a better shot at legit security work if he just ran the botnet as a pure criminal and hadn’t posed as a security professional.

    People are funny that way. We’ll forgive a guy screwing around on his wife as long as he doesn’t first go on an innocence campaign and say he “did not have sex with that woman” only to get busted down the line.

  4. Goodpeople November 13, 2007 at 9:45 pm #

    One botnet down, x to go.

    Being a security professional and CEH myself, I can only hope that this guy never sees daylight again. They should bury him so deep that the heat radiating from the core of the earth scorches his feet.

    So much for my not so politically correct opinion. A couple of years ago here in The Netherlands, some script kiddie who wrote a virus using some virus construction kit got offered a high-paying job at a local government after he did his time in jail.

    That is why I became an IT professional. Computers make sense, people don’t….

  5. Nobody_Holme November 13, 2007 at 10:04 pm #

    No… People make perfect sense, management doesn’t. That’s how the world works, it seems…
    Also, if he sells this kind of stuff he is a security professional… just like someone who sets explosives and someone who disarms them are both explosives experts.

  6. dirty November 14, 2007 at 6:24 pm #

    Just briefed some customers on this (part of my job is infosec news). Anyway, it’s sad, because there is already so much distrust in this line of work… it takes years of working on relationships in order to build confidence in customers, and something like this can shock them so much it can destroy or hurt even the most honest company’s/person’s reputation.

  7. Goodpeople November 15, 2007 at 12:15 am #

    That is exactly why I hope that they hit him hard. Our work is difficult enough as it is. We don’t need this kind of incident.

  8. CG November 15, 2007 at 4:28 am #

    Just briefed some customers on this (part of my job is infosec news). Anyway, it’s sad, because there is already so much distrust in this line of work

  9. Pantagruel November 15, 2007 at 9:36 pm #

    @ -CG-
    It’s less fun if you come across the auction for the ClamAV vuln they are running. Quite sick to sell an exploit instead of disclosing it to the ClamAV people. It’s not making you look more ‘pro’ if you want to sell an exploit to the highest bidder.

  10. CG November 16, 2007 at 5:28 am #

    I’m actually a supporter of 0day and full-disclosure (but not really a supporter of their business model). 0days keep sysadmins, network admins, security consultants, people that write exploits, security companies, AV, etc. in business, busy, and getting paid. It also keeps the technoidiots in fear mode, which is also good for the above.

    Now, if I was actively writing 0day I might feel different, but since I am in the “I wish people would release more exploits for these vulns” camp I like people releasing exploits but not necessarily selling them (that’s a whole other issue).

  11. Nobody_Holme November 16, 2007 at 5:49 pm #

    I have the dodgy philosophy of not having a problem if it’s yet another hole in a microsuck program, but getting pissed off if they do shit like this against open-source stuff. I do want them to get owned by a vuln they themselves sell at some point, mind…

  12. dirty November 16, 2007 at 8:00 pm #

    Background checks will only reveal if they’ve been caught before. Even the NSA’s and CIA’s checks and security clearances miss some people. Think of all the spies that are found out.

  13. Goodpeople November 18, 2007 at 6:26 pm #

    Checking people’s online behavior is a good place to start. But then again.. I use different nicknames on different sites. The name Goodpeople is only a few months old…

  14. Nobody_Holme November 19, 2007 at 7:45 pm #

    That’s kind of a bad thing… because people would check and would find you have no history, and say “hm, he must be hiding something”

    On another note, I use this nick waaaaay too much. I don’t have any others… I should go fix that some time.

  15. Goodpeople November 19, 2007 at 10:41 pm #

    > On another note, I use this nick waaaaay too much. I dont have
    > any others

  16. Sir Henry December 14, 2007 at 6:36 pm #

    I am in agreement with Dirty on this. Background checks are only as efficient as the technical abilities of the person performing them. In any environment, people will hire someone who has technical expertise unrivaled by anyone else in the environment. That leads to situations like this. Not sure what the solution is other than to beef up the technical knowledge of those hiring and those performing the background checks.

  17. J. Lion March 6, 2008 at 3:58 pm #

    Do all security consultants need to sign an official document saying “I will do ethical stuff only” before working as a security consultant?

    What’s to stop a security consultant from saying “Pay me Protection Money or else…”?

  18. dirty March 10, 2008 at 8:11 pm #

    No, no one is required to sign anything unless they have certs like CISSP, etc.

    It just paints a negative image for people in our field.

  19. James C March 11, 2008 at 8:18 pm #

    @ Sir Henry
    I use torture to do my background checks on staff I hire, probably the reason I don