Tuesday, April 01, 2008

AKILL Convicted - Are we safer now?

Last night the BBC World Service called to ask me what I thought of the AKILL conviction. We primarily discussed that the news here should not be that AKILL is the criminal mastermind of the Internet, but that its Good News that we've managed to catch someone and get a conviction.




AKILL, Owen Thor Walker, AKA "Snow Whyte" (Whyte was his mother's maiden name), AKA "Snow Walker" (note to hackers, don't use your own name as your alias), is a troubled young man living in New Zealand. Up until his conviction he was a quiet, gifted programmer, who worked for Trio Software Development. The media is painting him to be the ring leader of a worldwide criminal enterprise which controls 1.3 Million computers and has caused $20 Million USD in damages.

There is no question Walker was brilliant. He is diagnosed with Asperger's Syndrome, a disorder in the same family as autism, characterized by very poor social interaction, and a fixation on a narrow range of intellectually challenging pursuits that often involve a high degree of repetition. His mother says he left school at age 14, largely because of problems with bullies, and completed his education via correspondence courses.

But what were the actual charges? ComputerWorld New Zealand is reporting this morning that the only damages they have charged him with are $13,000 in costs which the University of Pennsylvania incurred in recovering from a Botnet attack he launched against the TAUNET service housed at UPenn. (See ComputerWorld.nz

The Sydney Morning Herald, which ran a picture of Walker and his mother in this article of Feb 29, 2008, said:

Walker was arrested in November last year in the northern city of Hamilton as part of an international investigation into a cyber crime network accused of infiltrating 1.3 million computers and skimming millions of dollars from victims' bank accounts.


But the original story which brought AKILL into the International eye was the charges brought by the FBI under Operation Bot Roast II, which Forbes magazine mentioned like this as recently as yesterday:

The FBI's deputy assistant director of its Cyber Division, Shawn Henry, points to the November arrest of the hacker known as AKILL, an 18-year-old in New Zealand running a botnet of 50,000 computers.


The other charge that we know about AKILL is that he has been accused "by Dutch authorities" of being part of a scheme where hackers installed advertising software on computers they compromised. One of the other targets of Operation Bot Roast II was Robert Matthew Bentley, of Panama City, Florida. Bentley was convicted of his charges on March 6, 2008, according to this FBI Jacksonville Press Release.

I am saying that it is very likely that this is actually the same scheme that AKILL was tied up in, (but haven't found the proof of that yet). Bentley was accused of installing software for a scheme called "Dollar Revenue". Dollar Revenue was fined $1.54 Million USD by Dutch authorities in a scheme where hackers were paid 15/100 of a Euro for installing the adware on European computers, or 25 cents for installing the adware on American computers. (See this PC World article)

These types of revenues fall more in line with what was said during AKILL's trial, where the judge was considering whether to force Walker to pay restitution of "$8,000". New Zealand media are reporting that Walker plead guilty to infecting "at least 20,000" computers, and his bank accounts show that he had received payments of "$40,000 NZD". (See for example this New Zealand TV station's report.

What actually was the "criminal mastermind" activity that AKILL performed? He took source code for a previous botnet program and made some slight modifications to it. Detective Inspector Peter Devoy of the New Zealand police confirmed in interviews that AKILL is responsible for the "AkBot" malware. (See Security IT World's story for more.) (Devoy was also the one quoted in the original New Zealand Police press release: Waikato Police investigate cyber-crime

How was Walker caught? It looks like a good job of International Cooperation, but one lynchpin in the investigation goes back to making poor choices in friends online. Ryan Goldstein, AKA Digerati, has been a troublemaker for years. Ryan, a 21-year old student at UPenn, was a member of a hacking group called "TeamLoosh", and couldn't decide what color his hat should be.

TeamLoosh leader, rofles, basically went on a character-assassination rampage against Ryan, posting defaming photographs and emails intended to show that Ryan was a pedophile anywhere that he saw Ryan making posts. Some of these appeared in places like "governmentsecurity.org", posting links to a file named: http://www.teamloosh.com/txt/Digerati-Exposed.zip (now offline).

Ryan was angry, but having been banned from several places because of these accusations, he behaved in his typical fashion. He promised AKILL access to several "elite" hacker websites where he still had influence, if he would help him get revenge. The DDOS, intended to punish the TAUNET Internet Relay Chat servers which had banned "Digerati", was said to include 50,000 attacking computers, which were launched against TAUNET by AKILL.

The Digerati Indictment is available from the Pennsylvania US Attorney's Office. It reveals the exact nature of the payment offered to AKILL. (Quoting from page 5 of the indictment:


"I can get you some good private stuff, i can also pay you, to take taunet down...i have access to a lot of stuff you might want...www.findnot.com/servers.html - i have a legit login/pass for that, guaranteed to work through 2007 at least...undetected, unreleased bifrost (trojan) beta with 100% av (antivirus) and fw (firewall) bypass."


I'm very pleased that Ryan/Digerati and Owen/AKILL/Snow Whyte have been apprehended, but the point of what I tried to say on BBC World Service this morning was let's not make this a fishing story. We haven't landed Moby Dick here. We haven't stopped a "Criminal Mastermind". We caught a few juveniles with anger management and social problems, who made $40,000 selling hacked computers to a Dutch advertising company and attacked a University chat room because the boys there told another boy he was not their friend any more.

Its a message that International Law Enforcement Cooperation is working, at least between the Dutch, the FBI, and the New Zealanders, but we still have a long way to go before the Internet is going to be a safe place to play.

-----

Corrections Made:
Ryan Lee, ryan1918, has pointed out an error in the original version of this posting. Ryan Lee (ryan1918) is *NOT* Digerati, and should not be confused with Ryan Goldstein.

To Priest, stm, rofles, Gammarays, Zerofool2005 - thanks for the comments - send me an email. Happy to learn more and have a more accurate article.

9 comments:

  1. This comment has been removed by the author.

    ReplyDelete
  2. you try to link several things together out of thin air. taunet wasnt hosted at upenn and isnt a university chat room and digerati isnt ryan1918. did you even read the indictment?

    ReplyDelete
  3. god your dumb......

    ryan1918 != Ryan Goldstein AKA Digerati
    Digerati was never part of TeamLoosh.
    TeamLoosh is not a "hacker" website. Its a bunch of skiddies who go round raging people.......
    Taunet wasnt hosted at UPENN.

    Dig made some serious mistakes by posting every where that he was infact studying at UPENN. Which became his downfall. If your going to make an interview for a worldwide news corporation. You REALLY need to learn what your talking about.

    ReplyDelete
  4. Oh good grief, I was right there to see all this happen and you got basically nothing right.

    AKILL was caught only because Ryan Goldstein, A.K.A. Digerati, gave him up to the feds after he got caught. As an attempt to bargain his way into a lesser sentence.

    There was no "massive collaboration between governments" or law enforcement agencies, as all these articles that have suddenly sprang up state.

    Also, Digerati (Ryan Goldstein) and Ryan1918 are two different people. I can understand how you messed that one up since Ryan is such an amazingly rare name these days.

    "He was behind the original DDOS against CastleCops"

    This statement strikes me as fantasy filler, an author's desperate attempt to make it appear as if they've done actual reasearch.

    I've not been able to find anything to support this statement, I was in a position for quite a long time where if it had happened I'd have it in my notes, and CastleCops is subjected to a DDOS attack, what? twice a day? Well at least you went with a safe choice, who the heck is going to find any reference to Digerati (Ryan1918? lol) amongst all those DDOS posts.

    TeamLoosh was just a suckup crew, they hosted evidence files collected by SSGroup.Org (the group that banned DIgerati from their IRC channel on TAUNET and petitioned to have him network banned ... successfully) so that they could get some admins into the SSGroup VIP forums.

    At any rate, TeamLoosh is a nothing crew, a group of unmentionable nobodies that are hardly relevant to AKILL in any way.

    The attacks against TAUNET were because SSGroup had an irc server there, when ssgroup moved servers (starting thier own network) the target changed.

    So taunet isn't really relevant either, ssgroup should have been mentioned at least, since they were the actual target. Try some google and you'll undoubtedly see that. (google.com is a search engine, it's used by good authors to do a thing called research. If you don't know what research is, and I doubt after reading this article that you do, you can go google it.)

    Where are all the articles asking why Goldstien isn't being charges as a sex offender? I know for a fact the FBI received video and photographic evidence that should have at least gotten them to court, I was sitting right beside my wife when she gave it to them.

    I'm thoroughly disgusted by all of these articles that are 90% make believe.

    "Last night the BBC World Service called to ask me what I thought of the AKILL conviction."

    Why? Why did they call you? Were you there? Where? I didn't see you!

    BBC, call someone that actually KNOWS something. Hell call me! Go log in on one of the IRC Networks that was actually involved in these incidents and ask them!

    UAB: Go find a new Director of Research in Computer Forensics. One that actually knows something.

    ReplyDelete
  5. Ugh, I forgot to mention the part where you said that TAUNET was hosted at UPENN and AKILL and Digerati attacked it with the botnets causing damage to UPENN computers.

    Reality:

    Digerati was a student at UPENN and hosted a private IRC server there. That irc server was not public, was not used for chatting, was merely a place for the bots to join and recieve orders.

    Te UPENN damage was caused by all those bots connecting to their network and flooding them off.

    UPENN itself was never the target of a botnet attack, their network was merely too weak to take the strain of all those joins to one machine.

    Hey! Maybe I should write the articles from now on? =)

    ReplyDelete
  6. Priest is right.

    You really need to do more research on things before oyu publish the on the internet.

    ReplyDelete
  7. Wow as priest,zero and stm pointed out you sure got a lot of that wrong.

    You should ask anyone of these people what actually happened because between SSgroup and taunet all the real facts are available and you will find that Mr Goldstein IS a pedophile - this is not speculation it is observation, facts deduced from evidence.

    BTW - I think you'll find it was me doing the character assassination and much deserved it was too.


    kthnxbai

    ReplyDelete
  8. I like when I get mentioned in articles when people have zero clues as to what they are talking about, I didn't know I was Digerati! WOW! Learn new things everday!

    My site is off line because I haven't had the time to manage anything, I'm back and got everything going, rlee1918@gmail.com

    peace.

    ReplyDelete
  9. rofles here

    http://rapidshare.com/files/110599604/Digerati-Exposed.zip.html

    :) njoy <3

    also:

    scriptkitty.net (etc)

    ReplyDelete

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.