Hacker News
by hysterix 4189 days ago
Well quite frankly if you've been in the scene for a while, you'd be able to tell using other clues, speech patterns, and reused nicks.

Julius Kivimäki aka zee, aka Zeekill (https://encyclopediadramatica.se/Zeekill) has an extensive history, he actually has been dox'd and outed numerous times prior to this.

I knew lizard squad was zee by zee's idiotic behaviour. He constantly used the moniker "Ryan" or "Ryan Clearly" the name of another unrelated hacker. Well sure enough he gave an interview to someone using that moniker. Having even the tiniest bit of inside knowledge it was easy to piece together 1 + 1 = 2 and lizard squad is zee, aka julius.

There are other clues too, believe it or not: not too many entities are capable of massing as large a DDoS as they were. Those that have the technical capability normally don't advertise it.

Zee was a "special" case, in that he had the capability and advertised it as such; I was astounded the boy hadn't been jailed years prior. As I mentioned earlier, he has an extensive history, and was involved in many of the large site takedowns and DDoSes that have made public news.


Zee/"ryanc" has indeed been involved in things like these for many years. HTP (Linode + much more) is just a small part of it.

I'm also very surprised it's taken this long for him to be arrested. He's completely brazen and has committed countless crimes despite knowing full well the general public and law enforcement know exactly who he is.

And if he truly was/is involved in carding, he probably won't get out for a while. I can hold some respect for blackhat groups, and hell, even a tiny, minuscule bit of respect for script kiddies like Lizard Squad, but once they get into financial fraud and theft my sympathy is gone.

Just because someone knows who I am does not mean that'll matter when it comes to proving things in court, which in real life isn't as easy as one might imagine.

>he probably won't get out for a while

If only I'd get sentenced in the first place.

If you get extradited, you're not going to have a fun time...
Well, I live in a country that will not extradite its own citizens. And even if I somehow did manage to get extradited, the US has a legal system where you'd actually have to prove a person's guilt, not just speculate it based on some IRC log of dubious origin.
Wow. You have not been following the news lately, and don't understand much about the US legal system.
That's a popular view, but I don't think that in real life it's an entirely correct one. At the very least those with money tend to be able to have a fair trial in the US.
The HTP dudes actually seemed sophisticated. Lizardsquad is just some dudes with a botnet.
Zee was apparently involved with both groups. He was likely the only skilled member of Lizard Squad.
Anywhere I can get more info on the HTP group? I was pretty fascinated by their zines at the time...
Unless there's ever any public court records, I doubt you'll find much (if any) good information.
How the hell do these little kids get control of big botnets?
The reply to your question is already on point. There is a sickening amount of open systems on the net. I know zee used tens of thousands of routers as only some of his DDoS tools. I also know of dudes who wrote custom scripts specifically for zee's DDoSing: they would scan for incoming connections matching whatever signature was identified at the time, automatically connect to the router using whatever exploit to get in, change the root pass and restart it.

Zee got his net taken away from him numerous times hitting the wrong people.

But yes in a nutshell, the digital world is mostly unprotected open and unlocked houses, with little pockets of protected castles here and there, and some locked houses too.

I wonder what the payoff is for running a script to secure the CentOS box you just rooted versus leaving it open to additional attacks. On one hand, you have potential loss of your work due to disruption of services leading to someone noticing and re-imaging the box. On the other hand, I don't particularly like sharing with randoms.

It also makes me wonder if optimized command and control networks have been developed. Most of the code I see floating around public drops goes to very little effort to conceal data exfil, if it even makes an effort to identify data to exfil at all. This seems like a real waste given that some large percentage of machines you steal are likely worth more than just their cpu time and bandwidth. Obviously the more code you run, the higher your chances of detection, but it seems like a huge creative space. How do I find interesting files without tripping all the alarms? How do I efficiently take over someone else's LSM hooks?

They're likely just band-aid patching the exact hole they use to get in, rather than securing the whole system.
By incoming connections, do you mean web visitors who fell victim to CSRF/XSS exploits in their router management web panels? Or was he hijacking routers another way?
I don't know if zee gained any skill over time, but I believe he simply used public exploits.

So for example remote command injection vulns:

http://en.1337day.com/exploit/description/20598

http://en.1337day.com/exploit/description/20602

http://en.1337day.com/exploit/description/20671

Then it is just a matter of figuring out where these routers are, and then writing a few scripts to exploit and command them en masse. I don't think CSRF/XSS would net him the vast numbers he'd need to make a significant DDoS.

And to more specifically answer your question, by "incoming connections", I mean like monitoring the ddos via netstat on a box zee was actively attacking.
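Added example (editor's, not code from any commenter in this thread): the two comments above describe the defender's side of this, i.e. watching the flood arrive via netstat on the box being hit and grouping the peers by whatever signature they share. The script below parses `netstat -ant`-style output (the sample is constructed, with documentation-range addresses), ranks remote IPs by socket count and state, and flags peers whose sockets are mostly half-open. The thresholds (`min_conns`, `half_open_ratio`) are illustrative assumptions. One caveat a practitioner would add: in a pure SYN flood the source addresses are usually spoofed, so the per-IP ranking only identifies real bots or reflectors when the connections actually complete.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `netstat -ant` output on a web server during a connection flood.
# Addresses are from RFC 5737 documentation ranges; nothing here is a real capture.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.10:80        203.0.113.5:51234       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.5:51235       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.5:51236       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.5:51237       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.77:4411       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.77:4412       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.77:4413       ESTABLISHED
tcp        0      0 198.51.100.10:80        192.0.2.9:60001         ESTABLISHED
tcp        0      0 198.51.100.10:22        192.0.2.200:40123       ESTABLISHED
"""

# proto, recv-q, send-q, local, foreign, optional state (UDP rows have none)
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s*(?P<state>[A-Z_]+)?"
)


def parse_netstat(text):
    """Turn netstat text into a list of dicts; header lines and listeners are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        remote = m.group("remote")
        if remote.endswith(":*"):
            continue  # listening socket, no peer
        ip, _, port = remote.rpartition(":")  # rpartition keeps IPv6 literals intact
        rows.append({
            "proto": m.group("proto"),
            "local": m.group("local"),
            "remote_ip": ip,
            "remote_port": int(port),
            "state": m.group("state") or "",
        })
    return rows


def rank_sources(rows, min_conns=3):
    """[(ip, total_sockets, {state: count}), ...] for peers with >= min_conns sockets, busiest first."""
    per_ip = defaultdict(Counter)
    for r in rows:
        per_ip[r["remote_ip"]][r["state"]] += 1
    ranked = [(ip, sum(c.values()), dict(c))
              for ip, c in per_ip.items() if sum(c.values()) >= min_conns]
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked


def suspicious_sources(rows, min_conns=3, half_open_ratio=0.5):
    """Peers whose sockets are mostly SYN_RECV: half-open connections that never complete."""
    flagged = []
    for ip, total, states in rank_sources(rows, min_conns):
        if states.get("SYN_RECV", 0) / total >= half_open_ratio:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    for ip, total, states in rank_sources(parsed):
        print(f"{ip:16} {total:4} {states}")
    print("half-open heavy:", suspicious_sources(parsed))
```

On a live box you would pipe `netstat -ant` (or `ss -tan`) into `parse_netstat` instead of the constant, and feed the ranked list into whatever you use for blocking or for fingerprinting the peers (a banner grab on the remote IPs is the usual next step for working out what kind of device is hitting you).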

Well, problem is those vulns require either the attacker to share or control the victim's LAN in some way, or the router's management panel to be exposed to the Internet (which is usually not the default for the vast majority of consumer routers).

For cases where they're remotely exposed, just about anyone can scan the Internet and try to exploit these routers. I'm sure he was doing that, but I'm sure hundreds or thousands of other people were as well.

When combined with something like a CSRF, you can use those exploits against a victim even if their router is locked down (only listening on LAN, strong admin password). All they need to do is visit a site you control, without something like NoScript. If the admin password is not guessable, then they'd need to have an active login session. That can be circumvented if the router has an auth bypass vuln, which has been found in at least a few models.

Also, I believe a lot of routers can be used for DDoSing without exploiting or compromising them at all if they're exposing SSDP (UPnP). SSDP reflection, possibly combined with NTP reflection, is likely how Lizard Squad launched their DDoS attacks.

P.S. I know you and have talked to you (and Zee and some others), briefly, on some IRC networks long ago.
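Added example (editor's, not code from the commenter above): the comment's point about SSDP is that a router needs no exploit to be abused for reflection if UDP/1900 is exposed, because a small `M-SEARCH` with a spoofed source draws a much larger reply (and several of them for `ssdp:all`) to the victim. The script below is a victim-side view: it measures the amplification factor from a constructed M-SEARCH request and a typical single-service reply, and then classifies a constructed batch of inbound UDP datagrams into reflected SSDP, reflected NTP mode-7 (monlist-style) replies, and ordinary traffic. The reply, the NTP payload, the addresses and the "ports we really sent requests from" sets are all constructed assumptions for the example.

```python
from collections import Counter

# Constructed M-SEARCH as an attacker would spray it with the victim's address as source.
M_SEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 1\r\n"
    b"ST: ssdp:all\r\n"
    b"\r\n"
)

# Constructed single-service SSDP reply. A device answering `ssdp:all` sends one such
# datagram per advertised service, which is where most of the amplification comes from.
SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"DATE: Mon, 05 Jan 2015 10:00:00 GMT\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 MiniUPnPd/1.8\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"\r\n"
)

# Constructed NTP mode-7 reply: first byte = response bit | version 2 | mode 7,
# byte 3 = request code 42 (MON_GETLIST_1), followed by 444 bytes of padding standing in
# for the monitor-list entries.
NTP_MODE7_REPLY = bytes([0x97, 0x00, 0x03, 0x2A]) + b"\x00" * 444


def amplification_factor(request, replies):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return sum(len(r) for r in replies) / len(request)


def is_ssdp_response(payload):
    """An SSDP search response is an HTTP/1.1 200 with an ST (search target) header."""
    return payload.startswith(b"HTTP/1.1 200 OK") and b"\r\nST:" in payload.upper()


def is_ntp_mode7_response(payload):
    """Mode 7 (private) NTP with the response bit set; a public host should never
    receive one it did not ask for."""
    return len(payload) >= 4 and (payload[0] & 0x07) == 7 and bool(payload[0] & 0x80)


def classify_datagrams(datagrams, our_msearch_ports=frozenset(), our_ntp_ports=frozenset()):
    """Group inbound UDP datagrams seen by the victim.

    datagrams: iterable of (src_ip, src_port, dst_port, payload).
    our_*_ports: local ports from which this host genuinely sent M-SEARCH / NTP
    requests, so replies arriving on them are solicited rather than reflected.
    """
    out = {"ssdp_reflected": Counter(), "ntp_mode7_reflected": Counter(),
           "other": 0, "reflected_bytes": 0}
    for src_ip, src_port, dst_port, payload in datagrams:
        if src_port == 1900 and is_ssdp_response(payload) and dst_port not in our_msearch_ports:
            out["ssdp_reflected"][src_ip] += 1
            out["reflected_bytes"] += len(payload)
        elif src_port == 123 and is_ntp_mode7_response(payload) and dst_port not in our_ntp_ports:
            out["ntp_mode7_reflected"][src_ip] += 1
            out["reflected_bytes"] += len(payload)
        else:
            out["other"] += 1
    return out


# Constructed inbound traffic at the victim (RFC 5737 addresses). The reply to port 50000
# is legitimate because this host really sent an M-SEARCH from that port.
SAMPLE_DATAGRAMS = [
    ("203.0.113.11", 1900, 80, SSDP_REPLY),
    ("203.0.113.12", 1900, 80, SSDP_REPLY),
    ("203.0.113.11", 1900, 80, SSDP_REPLY),
    ("192.0.2.7", 1900, 50000, SSDP_REPLY),
    ("198.51.100.23", 123, 80, NTP_MODE7_REPLY),
    ("192.0.2.53", 53, 40000, b"\x12\x34\x81\x80\x00\x01\x00\x01"),  # ordinary DNS answer
]


def analyze_sample():
    return classify_datagrams(SAMPLE_DATAGRAMS, our_msearch_ports={50000})


if __name__ == "__main__":
    print("amplification, one service :", round(amplification_factor(M_SEARCH, [SSDP_REPLY]), 2))
    print("amplification, five services:", round(amplification_factor(M_SEARCH, [SSDP_REPLY] * 5), 2))
    print(analyze_sample())
```

The reflector addresses that fall out of `ssdp_reflected` are the exposed routers themselves, not the attacker, which is why the source list of such an attack tells you little about who launched it and a lot about how many devices still answer M-SEARCH from the Internet.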

If that was the case, people running SSDP (and other UDP service) honeypots would no doubt have noticed the massive increase in traffic.
The bar is pretty low. When there are tens of millions of unpatched machines floating around on the internet, and hundreds of weaponized exploits already written by other people, all it takes is patience and lack of good judgement.
If they're taking over PayPal accounts or stealing credit card numbers, it can be as simple as buying a lot of capacity at the various VPN providers. We know from the attack on Tor that they had many thousands of Google Compute instances, and the same may be true on the many, many other providers.