[plug] International student w/ DDoS and social engineering history

Senectus . senectus at gmail.com
Mon Jul 4 05:37:04 WST 2005


On 7/3/05, Bob Linus <bob0linus at gmail.com> wrote:
> Hello.  I am writing to the list because I have gotten little response
> from anyone.  I lost my patience today and confronted this guy (for
> the second time in a few months), explaining some of the unethical
> activity that I have caught him doing.  Sorry if I ruined an
> investigation, but it was driving me nuts to live with a guy who
> enjoys doing this stuff while recently graduating with a Masters in IT
> and applying for permanent residency in Australia.
> 
> I have not provided names if it is not a serious issue; but if further
> information is needed, I can be reached at this email address.
> 
> ------------------------------
> To: enquiries at ahtcc.gov.au
> Subject: (memo) International student with suspicious track record
> 
> Hello, I am looking to make general inquiry and notification of an
> international student from Turkey, graduating with a master's degree,
> who will apply to stay and work in Australia.  I am not sure where he
> crosses the line between juvenile and criminal behaviour.  I do not
> think it would be a good idea to approve extending his visa to work in
> Australia.  I am also an international student in Australia (former US
> army veteran in information systems).
> 
> Suspicious activity involves:
> 
> * DDoS attacks with SYN floods (he showed me screenshots and bragged
> about some of them). He has email messages stored that allude to them.
> The DDoS attacks were directed to irc flame wars, Turkish sites of
> people in his own country, and once or twice to University of Notre
> Dame's servers.  Since threatening him though, he has ceased DDoS
> behavior.  He had 300 or 3000 bots (zombies/hijacked computers) based on
> conversation, and a recent recorded MSN conversation stated that he gave
> the bots to one of his friends.
> 
> * I have recent evidence of him researching and uploading (ClamAV)
> Trojan.Spybot.gen-2, which returns keylogs and passwords to himself at
> irc-m.icq.aol.com #icqfreund.  He has placed it on our adsl webserver.
> (recently deleted after confronting)
> 
> * He shared with me that he was reading a female Australian student's
> email for over a year.  She had a default password at the university
> (birthday).  I informed the girl.  She initially wanted to go to the
> police also.  She was moving apartments and concerned with her safety
> enough that she changed addresses.
> 
> * Favorite movie and books involve US hacker Kevin Mitnick: "Track Down"
> and "The Art of Deception".
> 
> I have been keeping an eye on this guy, since I don't know many that
> would be able to even report DDoS type of activity.  He has shut down
> his DDoS operation about 4-5 months ago, but I think he is waiting for a
> clear opportunity for access to another dedicated server that would not
> be able to trace back to him, through social engineering methods.  His
> friends in Turkey also engage in DDoS activity, so retaliation is
> highly likely.  He has made conversations that he was responsible for
> shutting down AOL's ICQ irc server for months.
> 
> He has partially cleaned up his act since threatening him a few months
> ago (and now again), but I do not really trust him.  He enjoys
> electronic harassment and 'being on top' of people.

I've known a few people with the same sort of attitude and I still
believe it's a social problem.
Is it possible he's bragging to you because he's found someone that
will listen, and that in the rest of his life he's
bored/ignored/unpopular?
There are three ways you can attack this:
1) You care about him and don't want to see him in "real trouble" with
the AFP or other fairly serious law enforcement agencies, then find
some people in his life that are of importance or respect to him and
explain what's going on. Make sure they're "official" sort of people
like Teachers, School counselors, Priests etc. Make sure they don't
put you in the spotlight when they "chat to him".

2) Fix it yourself. Get involved with him, become his friend and make
sure that he understands this sort of activity is not acceptable and
that there are many very useful activities/projects around that are
technically challenging and in your/his social circles much "cooler"
to be involved in. Given the choice and opportunity most people would
rather be known by the positive achievements rather than the
destruction they've created.

3) Corporal Punishment. He's a lost cause and needs to be stopped NOW,
call 131 444 and ask them how you report a series of serious criminal
cyber crimes?


-- 
Ubuntu Hoary 5.04 
"Luminocity is a cracktastic technology testbed for Metacity." - From
the gnome.org website
www.modmeup.net