Ringleader of cybercrime group to be offered a job as cybercrime fighter

Owen Thor Walker, a 18 years old ringleader of an international cybercrime group, known as AKILL, part of the A-Team, a group of 8 script kiddies which were all caught in a operation called "Operation Bot Roast II" bust executed by the FBI and several international law enforcement agencies in 2007, responsible for pump'n'dump stock price manipulations through spam, infecting 1.3M computers with malware, further infecting them with spyware earning nearly $40,000 in the process, in between launching a DDoS attack against the University of Pennsylvania, causing an overall damage of over $20M, has been discharged and could be offered a job as a cybercrime fighter :

In court yesterday, Walker, who has Asperger's syndrome, a mild form of autism, smiled as he heard the prosecution describe how international investigators considered his programming to be 'amongst the most advanced' they had encountered. Judge Judith Potter described him as a young man with a bright future and ordered him to pay damages and costs of £5,500, but did not record a conviction. Detective Inspector Peter Devoy said that while 'there is no offer on the table, the option is being kept open'. Maarten Kleintjes, head of the police e-crime laboratory, said the self-taught Walker had a unique ability and was 'at the top of his field'.

It's one thing to discharge him given his age, but entirely another to be publicly fascinated by what he did, state it publicly, and even consider the possibility of offering him a job, which indicates a great deal of ignorance from those who"ought to know".

He is neither a hacker, nor a computer genius possessing some kind of unique skills, he's just someone proving for yet another time that it's not a matter of lack of capabilities for committing cybercrime, but a matter of courage to so. A little something on his "considered to be" highly sophisticated malware :

"The bot code is considered very advanced by international cyber crime investigators, containing a number of sophisticated features that protect it from discovery, allow it to spread automatically and allow it to identify and destroy rival bot code. One feature automatically disabled any antivirus software on an infected computer and prevented the software from being updated, say the documents. "

In reality though, his malware bot going under the name of AkBot is using modules from commodity malware bots, namely

, what he did is combined different scanning modules attempting to locate hosts vulnerable to a different set of vulnerabilities, compared to the misunderstanding that he had coded the bot from scratch. Each of these features, next to the many others offered by an average malware bot freely available for download on the Internet, aren't exclusive, but commodity features. Moreover, given that today's malware bots are open source ones, what he did is modify the command and control locations, then compile and start spreading the bot.

The day when a script kiddie knowing how to compile their own botnets after watching a video tutorial that comes with the bot is called a hacker, or being offered a job for using a already available feature allowing the "killing of running security software" and preventing it from reaching its update locations by, is the day when you're officially admitting you have absolutely no idea what's going on online. Here's a sample output from a sandboxed copy of one of his malware variants scanning for MS04-012: DCOM RPC Overflow exploit and MS04-011: LSASS Overflow exploit at large :

"PRIVMSG #yahoo :[MAIN]: Status: Ready. Bot Uptime: 0d 0h 0m. PRIVMSG #yahoo :[MAIN]: Bot ID: rx-asn-2-re-worked . PRIVMSG #yahoo :[SCAN]: Exploit Statistics: Dcom135: 0, Dcom445: 0, Dcom1025: 0, lsass_445: 0, lsass_139: 0, dcass: 0, MassAsn: 0, plugnplay: 0, VNC: 0, netapi: 0, sym: 0, asn1http: 0, asn1smb: 0, asn1smbnt: 0, Total: 0 in 0d 0h 0m. PRIVMSG #yahoo :[MAIN]: Uptime: 0d 0h 2m. PRIVMSG #yahoo :[PROC]: Failed to terminate process: PROCESS_NAME_TO_TERMINATE PRIVMSG #yahoo :[HTTPD]: Server listening on IP: *.*.*.*:5678, Directory: \. PRIVMSG #yahoo :[DDoS]: Done with flood (0KB/sec). PRIVMSG #yahoo :[DDoS]: Flooding: (*.*.*.*:1234) for 50 seconds. PRIVMSG #yahoo :[SYN]: Done with flood (0KB/sec). PRIVMSG #yahoo :[SYN]: Flooding: (*.*.*.*:1234) for 50 seconds. PRIVMSG #yahoo :[SCAN]: IP: *.*.*.* Port: 1234 is open. PRIVMSG #yahoo :[SCAN]: Port scan started: *.*.*.*:1234 with delay: 50(ms). PRIVMSG #yahoo :[UDP]: Sending 40 packets to: *.*.*.*. Packet size: 50, Delay: 60(ms). PRIVMSG #yahoo :[PING]: Finished sending pings to *.*.*.*. PRIVMSG #yahoo :[PING]: Sending 40 pings to *.*.*.*. packet size: 50, timeout: 60(ms). PRIVMSG #yahoo :[UDP]: Finished sending packets to *.*.*.*."

This isn't ground breaking, it's in fact outdated and being impressed by this enough to even consider offering him a job could not just set an important precedent, but in fact question the expertise level of those impressed by his sophisticated malware bot.

If the size of the bothet matters, and speaks for some kind of pseudo-unique capability to utilize client-side vulnerabilities using publicly obtainable web malware exploitation kits, initiate an international "We are hiring!" campaign and have botnet masters replace cybercrime experts based on how much they impress you at the job interview, and, of course, based on what the RBN wrote about them in its recommendation based on their previous working relationship.