
IAmA a malware coder and botnet operator, AMA - Devko
http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/
======
citricsquid
Most of what he says is obvious stuff and the emphasis he puts on how much he
modifies stuff makes me assume he's someone that just runs programs and
doesn't have any unique insight, but he does make one interesting point:

> Try to use "Verified-By-Visa" and "Mastercard-Securecode" as rarely as
> possible. If only your CVV2 code is getting sniffed, you are not liable for
> any damage, because the code is physically printed and could have been stolen
> while you paid with your card at a store. Same applies if someone cloned
> your CC reading the magnetic stripe or sniffing RFID. Only losing your VBV
> or MCSC password can cause serious trouble.

Does anyone know if this (that using Verified-by-Visa or MasterCard SecureCode
removes any payment protection if you get key-logged, etc.) is correct?

~~~
leif
When a website asks me to use one of these, and I don't want to, how do I
decline but still make the purchase? It always seems like my options are
take-it-and-like-it or don't complete the transaction. Is there a third option?

~~~
pmjordan
I've had certain websites _require_ VbV for purchases. I can only assume the
transaction fees are lower for such transactions, or they got some kind of
other deal from their merchant bank.

The worst part is the information required for the "I forgot my password"
process is often not terribly hard to get hold of (date of birth, that kind of
thing).

The best option at this stage is probably to have a "normal" credit card for
everyday use which is specifically NOT VbV enabled, and a special VbV credit
card that you keep at home for internet purchases from companies that require
it. Or just don't buy from those companies.

~~~
jacquesm
> I've had certain websites require VbV for purchases. I can only assume the
> transaction fees are lower for such transactions, or they got some kind of
> other deal from their merchant bank.

Transaction fees are not the problem; putting a stop to consumer fraud and
charge-backs is the net win for the merchant.

------
K2h
I very much enjoyed the reading of his comments - I pulled a few of his that
others may find interesting.

[polymorphism code - to hide virus signature]

Randomness is your friend, make your own crypter and make it so fucking random
on every compile, that AV reverse engineers kill themselves (HINT: randomize
the crypter's source code using Perl scripts)

[polymorphism code - to hide virus signature]

I started coding about a year ago, hacking old malware source code and reading
Russian boards. Most botnet operators are dumb as fuck, who don't even care
about their traces, the ones you see on TV, caught by Microsoft and Brian
Krebs. If you have more knowledge you can automate nearly everything, like
creating scripts that rewrite your source code for your crypters so your
malware gets undetected again, saving you hard work.

[finding infections on a computer]

Use GMER (<http://www.gmer.net/>) every now and then when your spider sense is
tingling. Srsly, you can't fool GMER, it scans from the deepest possible point
in your system, at ring0 and is impossible to fool, there is nothing deeper
than ring0 on a usual PC where malware can hide stuff from. I always wondered
why other AV vendors don't do it like GMER, it can detect all rootkits. But
when an AV can detect everything, who will pay $30 a year for signature
updates...

~~~
rosstafarian
The statement about GMER is not true. I've seen GMER miss MANY rootkits/etc.
As far as catching and removing rootkits that most other AVs tend to miss,
I've had by far the most success with ComboFix (which includes a GMER scan).
Nothing will catch 0day rootkits 100% of the time; once a system is
compromised it's best to format and start from scratch (or restore from backup
if you're positive it's clean, but make sure you replace the MBR too). There's
just no other way to be completely certain. I lost track of the times that I
thought I got everything on a Windows machine, then googled for something like
Malwarebytes as a test only to be redirected.

~~~
VMG
He seems to think of himself as very skilled because most other people in his
field can't program. While he certainly is pretty good at what he does, it is
scary to think what somebody with _real_ knowledge could do.

------
jacquesm
Let's play 33 bits on this guy, my guess is that he's German, Austrian or
Swiss based on the settings for his IRC client, that should knock about 6 bits
off, 27 to go.

~~~
nikcub
Oh, I was doing that while reading the AMA. The giveaway is being the 4th
customer of a bank that provides HBCI:

> My bank had around 20,000 customers using smsTAN and 3 (I was the 4th lol)
> using HBCI.

He is German, of college age and an early customer at one of 2 or 3 banks that
provide HBCI. Consider him nailed.

I also bet he has published security related work under his real name at some
point, especially since he has been applying for jobs. Most people in the
security industry applying for legit work who don't have qualifications pad
out their resumes with online research (or speaking at conferences, etc.).

~~~
vibrunazo
I really hope I never make enemies with anyone around here.

~~~
Qua8zei3
I think Hackernews has 220000 registered users. You are one of them.

You have 17 bits left. Use them wisely.

~~~
jcitme
This is fallacious. Anyone can register for an account. Knowing someone is on
HN only gives enough information that said person is in the 'HN demographic'.
Just because he happened to register for an account, vs someone similar who
didn't, does not give us the amount of entropy removal you implied.

~~~
jacquesm
Since the GGP is easily googleable he actually has 0 bits left, but you are
correct about the math.

------
reidmain
"Protip against driveby infections (the ones in the browsers): Disable addons
in your browser and only activate the ones you need. Chromium and Chrome for
example let you disable all additional content like flash, html5, pdf and java
in the options, you will see a grey box instead of the content and can
manually run it using right-click -> Run. Chrome options -> Content options ->
Plug-Ins -> Disable all or Click-to-play. Chrome also allows you to whitelist
sites you trust, like youtube. This will make you immune to driveby infections
regardless of the version of your java or adobe reader, because you will only
be able to click and run content, that is VISIBLE on the site. Malicious
content is ALWAYS hidden in a 0-pixel iframe! This also stops the nasty flash
advertisements implying you can't aim precisely enough to win an iPad3."

This is one thing I've been trying to convince people to do for ages but, for
some reason, that one extra click turns so many people off. The extra minute
or two I probably spend a day clicking on plugins to activate them will pale
in comparison to how much time I'll have to spend recovering from being
infected.
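The quoted advice is about the browser side (click-to-play). The other side of the same pattern is what a site owner or a scanning proxy can check in the HTML they serve: embeds that are sized to zero pixels or hidden by CSS, which a user could never see to click. The following is an added example, not code from the thread or the AMA; the tag set, the hiding heuristics and the sample page are all constructed for illustration.

```python
"""
Added example (not from the thread or the AMA): a static check that flags
<iframe>/<object>/<embed> elements sized to zero pixels or hidden by CSS,
the "0-pixel iframe" pattern quoted above. A site owner or a proxy could run
it over served HTML; the sample page below is constructed.
"""
import re
from html.parser import HTMLParser

EMBED_TAGS = {"iframe", "object", "embed", "applet"}
# Elements with no closing tag; they must not stay on the ancestor stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "wbr"}
ZERO_DIM = re.compile(r"^\s*0+(?:px|%)?\s*$")
ZERO_STYLE = re.compile(r"(?:^|;)(?:width|height):0+(?:px)?(?:;|$)")


def _style_hides(style: str) -> bool:
    """True if an inline style collapses or hides the element."""
    s = style.lower().replace(" ", "")
    return ("display:none" in s or "visibility:hidden" in s
            or ZERO_STYLE.search(s) is not None)


class HiddenEmbedFinder(HTMLParser):
    """Walks the document, tracking whether any open ancestor is hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._stack = []  # (tag, hides_children) for each open element

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        a = {k.lower(): (v or "") for k, v in attrs}
        self_hidden = "hidden" in a or _style_hides(a.get("style", ""))
        if tag in EMBED_TAGS:
            reasons = [f"{d}=0" for d in ("width", "height")
                       if ZERO_DIM.match(a.get(d, "n/a"))]
            if self_hidden:
                reasons.append("hidden by own style/attribute")
            if any(hidden for _, hidden in self._stack):
                reasons.append("inside hidden ancestor")
            if reasons:
                self.findings.append({
                    "tag": tag,
                    "src": a.get("src") or a.get("data", ""),
                    "line": self.getpos()[0],
                    "reasons": reasons,
                })
        if tag not in VOID_TAGS:
            self._stack.append((tag, self_hidden))

    def handle_endtag(self, tag):
        tag = tag.lower()
        while self._stack:  # pop to the matching open tag (tolerates sloppy HTML)
            if self._stack.pop()[0] == tag:
                break


def find_hidden_embeds(html: str) -> list:
    """Return one finding dict per concealed embed, in document order."""
    parser = HiddenEmbedFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one legitimate video embed, three concealed ones.
SAMPLE_PAGE = """<html><body>
<h1>Totally normal blog</h1>
<iframe src="https://video.example/embed/abc" width="560" height="315"></iframe>
<iframe src="http://ads.example/x.php" width="0" height="0" frameborder="0"></iframe>
<div style="display:none"><iframe src="http://other.example/k"></iframe></div>
<object data="http://s.example/movie.swf" style="width:0px;height:0px"></object>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_embeds(SAMPLE_PAGE):
        print(f"line {f['line']}: <{f['tag']}> {f['src']} -> {', '.join(f['reasons'])}")
```

This is a static heuristic over the markup as served: it catches the zero-size and `display:none` cases but not an embed that script inserts after load or positions off-screen, so it complements click-to-play rather than replacing it.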

~~~
sage_joch
I've actually stopped using Firefox because it re-enables plugins that I've
disabled (maybe it's more accurate to say it allows 3rd-party software updates
to re-enable them).

~~~
capnrefsmmat
This was fixed in Firefox 8, unless 3rd-party programs have gotten much more
clever:

[https://blog.mozilla.org/addons/2011/08/11/strengthening-user-control-of-add-ons/](https://blog.mozilla.org/addons/2011/08/11/strengthening-user-control-of-add-ons/)

------
tuananh
* About 20% of the users have good graphic cards, but are not sophisticated enough to install drivers.

* 30% of victims are Americans.

* 80% have an antivirus installed.

* An average income of $40 per day (bitcoin only). May vary up to $1,000.

~~~
computator
> About 20% of the users have good graphic cards, but are not sophisticated
> enough to install drivers, so my [Bitcoin] miner can't run.

If he has root-level control of the systems, why doesn't he install the needed
drivers himself?

Somebody already asked him this question on reddit, but he didn't answer.

Does anyone have any idea why he wouldn't/couldn't/shouldn't install drivers
himself?

~~~
fromhet
Also, why not mine litecoins (CPUs are good at doing that, so no drivers are
needed and he can mine bitcoins at the same time) and sell them for bitcoins?
They are worth enough that his profits would go up noticeably.

------
elorant
I don't understand how these people sleep at night. The whole notion of "I
didn't make the game, I just play the ball" is just hilarious.

Furthermore those guys don't understand that eventually they're hurting the
web. All that will bring stricter legislation and governments will start
enforcing rules like IP identification for just about anyone out there.

I can understand organized crime exploiting the cyberspace. But for
individuals it's just plain stupid.

~~~
Monotoko
They are just like petty criminals in real life, you've seen what surveillance
and legislation does in real life... virtually nothing. The smarter ones go
into the cracks and the shadows (Tor) which just leaves us folk being
monitored for no reason, but we're okay with it because "it's helping to stop
crime".

There is also the addition that you are just interacting with a computer, a
keyboard, a mouse and a screen. I bet if you asked this guy if he would go out
and mug someone he'd say no, because he'd be face to face with the person...
he'd see the upset and pain he's caused.

Not saying it's right, but there is certainly a bit of psychology involved
here, gaining from the computer doesn't seem like a crime to those not in
charge of their own compass.

~~~
intended
Well, those speed bumps increase the fitness requirements for a short time of
hackers. So it's not a total loss/ black-white picture.

------
sakai
Well, clearly this guy's moral compass is a bit out of whack, but the IAmA
does offer some fascinating insights into this world...

~~~
diminish
Yea, the world is a weird place. Seeing a lot of angry ethical reactions on
reddit, I can't help but think: on one side, there are people like this guy in
the comments who left marketing a health product due to false claims, or me
refusing to code for certain clients based on "personal" ethical judgments, and
on the other side there are these "crackers" who steal the credit cards of
random people and who even hate them.

One thing I want to believe: you can't build a future on crime, or can you?

~~~
white_devil
What is this I don't even..

It sounds like you're considering a life of crime. Probably thinking about how
you could be like that botnet guy on Reddit. Getting money without working is
a nice thought, after all.

You know, the "ethical reactions" stem from that guy doing evil things. He
knows he's being evil but doesn't care. Some people find that appalling.

For him, it's just an easy way to make money, and the fact that he produces no
value to society at large is irrelevant. He even gets to work on challenging
problems!

In fact, what he's doing is quite similar to working for the financial
industry, doing HFT or whatever. It's clearly wrong, and clearly harmful to
mankind, but it's easy money, so ethics are thrown out the window.

It _is_ generally easier to make money by scamming/abusing people than by
doing something valuable. That doesn't mean you _should_.

~~~
driverdan
The thing that most people don't realize is that it isn't as easy as most
people think or how he makes it sound. It's very similar to building a passive
income product. You invest a lot of work up front for an "easy" payout later.

It may only take him an hour or two a day to manage the network but I doubt
that's all the time he spends on it. From reading the AMA and my own personal
experience I bet this guy spends much of his time researching tools, improving
his code, testing AV software, and browsing / contributing to "industry"
forums. This isn't even taking into account the time he spent upfront before
it made him any money.

It may be something he enjoys but it's not as easy as clicking a few buttons
every day and watching the money pile up. It's sad to think that all this time
could be spent building a legitimate product instead of something like this.

~~~
jacquesm
Wait until he gets those handcuffs on, then we'll talk about how high the
investment in time really was.

Next up: I thought I was hot stuff, now I'm a convict, ask me anything.

~~~
adbge
I think your faith in the justice system (especially considering the technical
nature of this redditor's activities) is unfounded.

~~~
jacquesm
This guy is _begging_ to get caught with the amount of attention he draws.
It's a matter of time.

~~~
pbhjpbhj
Do you think anyone in a governmental capacity will take this Reddit and start
an investigation? I'd like to think so, but sadly doubt it. There might be a
couple of vigilante efforts though.

------
JWhiteaker
_Magnetic stripes are the most hilarious thing ever, but still work almost
everywhere on the globe._

I am amazed that magnetic stripes are still the norm for credit cards in the
US. Europe has managed to move all but completely to chip-based cards, but the
US hasn't.

Does the cost of fraud due to magnetic stripes outweigh the cost to upgrade
the entire US system, or is the market just too fragmented to coordinate such
a transition?

~~~
ajross
Credit card fraud is actually a fairly small problem in the US. Wikipedia
tells me that the total cost of fraud is 0.07% of the transaction value. And I
suspect (without evidence) that the bulk of this is made up of remote
purchases, not swiped activity.

Really, the chip things are an example of security theater. Yes, they're more
"secure" in the sense of being harder to defeat. No, they're probably not
actually worth it in terms of the cost of upgrading all the infrastructure.

A serious upgrade would need to look at things like two factor authentication,
c.f. Google Wallet, etc...

~~~
raverbashing
"Really, the chip things are an example of security theater. Yes, they're more
"secure" in the sense of being harder to defeat"

Absolutely not!

In the US fraud may be small (but it's increasing). But magnetic stripes are
_very unsafe_

Chip'n'Pin may have some issues, but it's much safer to most common attacks
such as

* card stripers (very inconspicuous)

* physical theft of the card (because it requires a pin)

And, as someone that had a striped card, it's a pain (even if liabilities are
$0)

~~~
ajross
You're missing the point entirely. I'm not saying that chip & pin has no
value. I'm saying that the value it has is finite (i.e. it saves money equal
to the amount of fraud it eliminates) and needs to be weighed against the cost
of replacing all the card reader infrastructure. And I argue that the fact that
the US has not upgraded is an existence proof that the upgrade cost[1] outweighs
the savings.

[1] Really the amortized upgrade cost. Remember that chips are dinosaur
technology already, and have known problems. What's the point of doing an
upgrade if you need to dump it all and start over in 6 years anyway?

~~~
raverbashing
"cost of replacing all the card reader infrastructure"

I'm not sure how many PoS are already equipped to deal with chip cards. In the
USA/Canada it's hit or miss (most misses), and in Europe it was the standard
10 years ago (but most readers take swipe cards).

Replacing cards is cheap and they can be replaced as they expire

What would be the upgrade cost for each PoS? $100? Some systems are more
integrated than others (like card reader integrated with the register as one
device) so this may cost more.

Or maybe it's just a matter of issuing the cards to justify the stores to
upgrade.

~~~
maxerickson
My previous U.S. card had a chip. The very recent replacement came without
one.

So they aren't really moving in the direction of issuing cards with chips. I
never actually encountered a situation where I was aware I could use the chip,
over 5 years or whatever it was.

------
mikek
Great nugget:

> a US credit card costs 2$ on the black market and a UK starts at 60$,
> Americans are all in debt.

~~~
simonsarris
Well this could be because US credit cards are magnetic and UK ones are (much
more secure) chip-and-pin cards.

~~~
farnsworth
Yeah, this has got to be it. Non-US CC info seems much more difficult to
acquire, and thus more valuable. And just because Americans are in debt
(obviously not all) doesn't mean their credit cards are maxed out.

~~~
jlgreco
There is however likely a difference in average credit limit on cards of
citizens of countries with different economies.

------
andr3w321
There's so many legal ways this guy could make just as much money with his
skills. I never understood why someone is willing to put his freedom at risk
when that is the case.

I guess he's just lazy or thinks he's incapable of making as much as easily
legally, maybe he likes the thrill and challenge of it all, maybe he thinks
he's invincible and there's zero chance of him getting caught. Either way he's
very foolish for continuing to do this especially if he has no endgame in
sight.

~~~
K2h
I have read that in many criminal enterprises it is much like business, where
grunts at the bottom have lower income and lots of hours, and most of the risk
(exposure). I think this guy is a grunt, probably at the same level of
structure as a 2-employee business. When I read through his comments I am
struck with the impression that he has passively attempted legit employment
that uses the skills he has learned but has not been successful yet. He probably
has his initial goals set too high. If he starts at the bottom somewhere, given
his supposed skill level he should be promoted quickly. Just need to put in
the time. If not patient enough, put that effort into consulting.

Given the real return on his enterprise, I agree with your assessment that he
can probably make much more with a real legitimate job and just avoid that
risk altogether.

------
mikemarotti
The fact that this guy even posted an AMA shows that it's either entirely fake
(doesn't seem it), or he's way too cocky. I suspect some trouble may be coming
his way soon. He seems to think that he's infallible and that he won't catch a
charge for running a botnet.

~~~
corin_
From what he says I agree that he seems either stupid or a liar, but I'm not
sure about your premise, it's not hard to post an AMA that can't be linked to
you.

~~~
Jach
For the average cyber-stalker, that's true. But I'd wager if some government
agency actually wanted to track him down (he's probably too low-value of a
target), he's revealed more than enough bits of information about his personal
life for them to do so.

~~~
Iv
He is using Tor, which gets a lot of criticism for not being secure but
actually defeats Syrian or Chinese governments. If the US can track a hidden
service in Tor, they will probably not waste this trump by catching such a
small fish.

~~~
smsm42
You don't need to crack Tor for that. Get the list of Germans hanging out on
Anonymous IRC. Choose only college students. Remove ones that don't have time
to do this stuff due to actually working somewhere. Intersect with HBCI users
in banks where there aren't many of those. Remove Mac users and Linux users
(he mentions he only uses Windows). Remove families that use credit cards (he
mentions his family does not). This would already probably end up in a
reasonably short list. Now amending this list with various other bits of info
he left - such as which sites he frequents, which drinks he prefers, which
software he uses, etc. I don't believe it should pose any major challenge for
a law enforcement agency, even if part of the info is lies - they are used to
legwork and assembling small pieces. But probably with his size nobody would
bother unless he does something major (i.e. catching him generates a big
press-release) or he just hands himself to law enforcement by doing something
stupid like drinking too much and bragging about being elite haxor criminal to
a female undercover officer. If he just does it for a year and then stops, he
has good chances to get away with it, but not because of mighty Tor, but
because the law enforcement would never notice him.

~~~
fromhet
Is something like a reddit thread enough to arrest someone then? Even if the
person behind the AMA is tracked down, is that evidence enough to get him in
jail?

~~~
smsm42
As evidence - of course not. But as a means to find out who that is - sure, why
not. Once the person is identified, it is a question of good old surveillance,
and they are professionals at that, so chances are the guy will make a
mistake, and sooner rather than later, and the hard evidence will be there.
Look what happened to LulzSec - once the person is known, if he continues to
do what he does, he will lose. Even professional spies cannot pull it off if
identified, what to say about some college students?

------
option_greek
It's fascinating to know all this stuff from his perspective but the moral
attacks by others in the comments truly suck. What is the point of AMA if all
they do is attack the one sharing information.

~~~
andypants
Especially downvoting his comments. Like he cares about karma points. All it
does is push all his responses to the bottom or hide them. Then what's the
point of an AMA?

------
CoffeeDregs
Great post. I forwarded it on to my family and friends in order to give them
some awareness of the people who're looking at them from the other side of the
internet. Rather than sending more strident "think before clicking" warnings,
this post is a great way to get them to think like an attacker so that they
can avoid the attacks better.

------
slig
He's also been a coder for only one year... if he actually modifies stuff,
that sounds very impressive.

------
16s
The CVV2 is not recorded in the mag stripe.

~~~
vibrunazo
Ooohh.. so _that's_ why those websites ask for it. Learn something new every
day :S

~~~
16s
They can't store the CVV2 either. Doing so, even encrypted, violates PCI-DSS.

~~~
bediger4000
So, if you don't care about violating the terms of PCI-DSS, you can store the
CVV2/CVC/whatever. I bet lots of places do. In fact, I worked for a Visa
Level-1 merchant that had a card processing system that used an Oracle DB
table as a queue for outgoing authorization requests. The table held the
CVV2/CVC/whatever for as long as it took to get an authorization or a timeout,
whichever came first. We passed the PCI audit, even though the auditors knew
about it.

Given that there's only 1,000 CVV2 values (10,000 for Amex) isn't putting so
much into CVV2 value a bit ridiculous? Someone who really wanted to could get
a CVV2 value in only 500 auth attempts on average.

~~~
smackfu
The point is that even if someone steals your order database with credit card
numbers and expiration dates, they need to try every number 1000 times. That's
a decent speedbump.

If you store CVV2 in your database against your merchant agreement, and
someone steals it, I'm sure the credit card comp will come after you for the
losses.

~~~
bediger4000
If you're a "Carder", and you've got 1,000 cards, you just try them once a
day. You'll get 2 CVV2s a day, on average. And I bet that a once-a-day wrong
CVV2 doesn't trip very many, if any, fraud checks. How much more is a card
worth to a carder with CVV2/CVC than one without? Another niche service to
provide in the cybercriminal underground, I guess.

As far as being non-PCI compliant, you as a merchant are only compliant right
at the time of the audit. And maybe not even then, given Heartland's
experience. The whole PCI thing is to give Visa and MasterCard a way to do
some CYA.
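Two defensive points run through this sub-thread: the CVV2 must never be written to durable storage (the Oracle queue table above), and a fraud check that counts mismatches per day will not see a guesser who tries one wrong code per card per day. The following is an added example, not code from the thread or from any processor; the field names, the 30-day window and the threshold of 3 are assumptions, and the card numbers and timestamps are constructed.

```python
"""
Added example (not from the thread or the AMA): merchant-side CVV2 handling
that (a) never persists the code in the authorization queue and (b) catches
low-and-slow CVV2 guessing with a sliding window instead of a per-day counter.
Card numbers, timestamps and threshold values are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical policy values (assumptions, not from any card-network rulebook).
WINDOW = timedelta(days=30)
MAX_MISMATCHES_IN_WINDOW = 3

# Fields that must never reach durable storage (PCI DSS "sensitive
# authentication data"): verification code, PIN data, full track data.
# The PAN itself may be stored only with protection, which is out of scope here.
NEVER_STORED = {"cvv2", "cvc2", "cid", "pin", "pin_block", "track_data"}


def expected_guesses(space_size: int) -> float:
    """Expected number of tries to hit one uniformly chosen code when each
    value is tried at most once: (N + 1) / 2, i.e. ~500 for a 3-digit CVV2."""
    return (space_size + 1) / 2


def queue_record(auth_request: dict) -> dict:
    """Copy of an authorization request that is safe to enqueue or log.

    The live request to the processor keeps the CVV2 in memory only; the
    persisted record drops it, so a dump of the queue table never yields it.
    """
    return {k: v for k, v in auth_request.items() if k not in NEVER_STORED}


class Cvv2MismatchMonitor:
    """Counts CVV2 verification failures per card number in a sliding window."""

    def __init__(self, window: timedelta = WINDOW,
                 threshold: int = MAX_MISMATCHES_IN_WINDOW):
        self.window = window
        self.threshold = threshold
        self._failures = defaultdict(deque)  # pan -> timestamps of failures

    def _evict(self, q: deque, now: datetime) -> None:
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, pan: str, when: datetime) -> int:
        """Record one mismatch; returns failures still inside the window."""
        q = self._failures[pan]
        q.append(when)
        self._evict(q, when)
        return len(q)

    def is_suspicious(self, pan: str, now: datetime) -> bool:
        q = self._failures[pan]
        self._evict(q, now)
        return len(q) >= self.threshold


def simulate_low_and_slow(pans, days: int = 10,
                          start: datetime = datetime(2012, 5, 1)) -> dict:
    """Replay the 'one wrong CVV2 per card per day' pattern from the thread.

    Returns, per PAN, the day index on which each approach first flags it:
    the sliding-window monitor and a naive counter that resets every day.
    """
    monitor = Cvv2MismatchMonitor()
    window_flag = {pan: None for pan in pans}
    daily_flag = {pan: None for pan in pans}
    for day in range(days):
        now = start + timedelta(days=day)
        daily_count = defaultdict(int)  # the per-day counter starts from zero
        for pan in pans:
            daily_count[pan] += 1
            monitor.record_failure(pan, now)
            if window_flag[pan] is None and monitor.is_suspicious(pan, now):
                window_flag[pan] = day
            if daily_flag[pan] is None and daily_count[pan] >= MAX_MISMATCHES_IN_WINDOW:
                daily_flag[pan] = day
    return {"sliding_window": window_flag, "per_day_counter": daily_flag}


def eviction_demo(pan: str = "4111111111111111") -> tuple:
    """Three mismatches on one day flag the card; 31 days later they have aged out."""
    m = Cvv2MismatchMonitor()
    t0 = datetime(2012, 5, 1)
    for _ in range(3):
        m.record_failure(pan, t0)
    return m.is_suspicious(pan, t0), m.is_suspicious(pan, t0 + timedelta(days=31))


if __name__ == "__main__":
    sample_pans = ["4111111111111111", "5555555555554444"]  # constructed test PANs
    print(queue_record({"pan": sample_pans[0], "expiry": "12/14", "cvv2": "123"}))
    print(simulate_low_and_slow(sample_pans))
```

With these (assumed) settings the sliding window flags each card on its third consecutive day, while the per-day counter never fires; the real tuning question for a merchant or issuer is the window length against the false-positive rate from customers who mistype their code.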

------
diminish
Now, what has to be done not to get hacked ends up being answered as: AVs
won't help, Macs won't help, Linux won't help, and use an iPad? Are we heading
towards a world where average users will end up in managed computing behind
walls, and only some hackers and crackers will use open computing? Is
computing doomed to be a black-and-white world of tyrannic rule vs. mob
rule?

~~~
azakai
> linux won't help

? He says Linux does help.

~~~
diminish
But he says, only because it is not very common, and different distros are too
diverse to justify an "investment".

~~~
azakai
Yes, the reasons are not very impressive ones, but nonetheless.

~~~
da_n
<http://en.wikipedia.org/wiki/Security_through_obscurity>

~~~
tetha
I don't see the relevance. Linux is no good target, because there are not many
Linux boxes compared to Windows/Mac and because 100 Linux boxes might require
10 different ways to attack them, while 100 Windows boxes might require 1 or
2. There is nothing obscure here, just diversity.

~~~
holri
Diversity is always a good tactic in defeating pests. Learn from nature /
biology. Monocultures are unstable and have to be superficially stabilized
with great effort.

~~~
diminish
Similarly, the guy says he creates variations of the code in order to avoid
detection. A world where hunter and the hunt all diversify.

------
pestaa
My favorite bit so far:

> if you know how your computer is beating inside, you are hard to fool

------
hippo_crete
He says he has no respect for the security industry and AV companies. He makes
compelling arguments against them.

Then when asked about his future, he says he plans to work for an AV company!

WTF?!

He can see what's wrong, but he can't do what's right.

And that, my friends, is the problem.

~~~
gbrindisi
If you want to do this for the rest of your life you have no choice other than
working for a security firm (AV included) or being a criminal.

The problem is why he didn't get that job at Kaspersky. He is obviously
skilled so what happened?

------
darksaga
The thing that's scary is how easy it is for these people to get away with
what they're doing. I wonder how much money is lost every year and how many
hackers you never hear about going to jail for this stuff. I'm pretty sure
this is the motivation to do a lot of this stuff. The risk/reward level is
completely slanted.

I see a LOT of stories on HN and other Tech sites about these kinds of
attacks. Unfortunately, I rarely, if ever, hear about hackers getting arrested
for this sort of activity.

------
tferris
WTF

