[plug] International student w/ DDoS and social engineering history

Bob Linus bob0linus at gmail.com
Sun Jul 3 22:12:01 WST 2005


Hello.  I am writing to the list because I have gotten little response
from anyone.  I lost my patience today and confronted this guy (for
the second time in a few months), explaining some of the unethical
activity that I have caught him doing.  Sorry if I ruined an
investigation, but it was driving me nuts to live with a guy who
enjoys doing this stuff while recently graduating with a Masters in IT
and applying for permanent residency in Australia.

I have not provided names if it is not a serious issue; but if further
information is needed, I can be reached at this email address.

------------------------------
To: enquiries at ahtcc.gov.au
Subject: (memo) International student with suspicious track record

Hello, I am looking to make general inquiry and notification of an
international student from Turkey, graduating with a master's degree,
who will apply to stay and work in Australia.  I am not sure where he
crosses the line between juvenile and criminal behaviour.  I do not
think it would be a good idea to approve extending his visa to work in
Australia.  I am also an international student in Australia (former US
army veteran in information systems).

Suspicious activity involves:

* DDoS attacks with SYN floods (he showed me screenshots and bragged
about some of them). He has email messages stored that allude to them.
The DDoS attacks were directed to irc flame wars, Turkish sites of
people in his own country, and once or twice to University of Notre
Dame's servers.  Since threatening him though, he has ceased DDoS
behavior.  He had 300 or 3000 bots (zombies/hijacked computers) based on
conversation, and a recent recorded MSN conversation stated that he gave
the bots to one of his friends.

* I have recent evidence of him researching and uploading (ClamAV)
Trojan.Spybot.gen-2, which returns keylogs and passwords to himself at
irc-m.icq.aol.com #icqfreund.  He has placed it on our adsl webserver.
(recently deleted after confronting)

* He shared with me that he was reading a female Australian student's
email for over a year.  She had a default password at the university
(birthday).  I informed the girl.  She initially wanted to go to the
police also.  She was moving apartments and concerned with her safety
enough that she changed addresses.

* Favorite movie and books involve US hacker Kevin Mitnick: "Track Down"
and "The Art of Deception".

I have been keeping an eye on this guy, since I don't know many that
would be able to even report DDoS type of activity.  He has shut down
his DDoS operation about 4-5 months ago, but I think he is waiting for a
clear opportunity for access to another dedicated server that would not
be able to trace back to him, through social engineering methods.  His
friends in Turkey also engage in DDoS activity, so retaliation is
highly likely.  He has made conversations that he was responsible for
shutting down AOL's ICQ irc server for months.

He has partially cleaned up his act since threatening him a few months
ago (and now again), but I do not really trust him.  He enjoys
electronic harassment and 'being on top' of people.
