WannaCry-slayer Marcus Hutchins 'built Kronos banking trojan' – FBI

Marcus Hutchins, the British malware researcher who killed off the WannaCry ransomware outbreak, was arrested in Las Vegas on Wednesday on suspicion of being a malware writer himself. Hutchins, aka MalwareTechBlog on Twitter, was collared after attending the DEF CON hacking conference in Nevada, US, last week. FBI agents …

  1. Rafael Moslin

    Guess he upset a lot of bad guys stopping that attack...

    1. danR2

      bad guys...

      I haven't heard that many banksters were unduly inconvenienced.

    2. Anonymous Coward

      Or he is responsible for wannacry and panicked, and cooked up a story about finding the kill switch - that he coded...

      Sounds credible. He also posted diversionary post to Twitter about Kronos.....

      I wonder how many other "security researchers" aren't what they appear; pretty much every other day we have a story from another unknown "expert".

      1. Graham Dawson Silver badge

        Or - and I hate that the world has made me this cynical - wannacry was cooked up by the NSA or some other US TLA and now they're getting a bit of payback for it being shut down so quickly.

        The incompetence, malice and pettiness of US spy orgs all have precedent.

      2. streaky

        Sounds credible.

        It sounds fucking absurd honestly. Not to say it couldn't be true but it sounds absurd.

        1. Anonymous Coward

          Never underestimate the absurdity of the Universe.

          1. FromTheRoot

            An interesting twist on what you said would be if the Earth turned out to be flat, hence no "Universe".

        2. FlamingDeath Silver badge

          Absurdity is not a measure of truth, as has been shown with the 9/11 commission, the Warren Commission, and many many other whitewashes in history.

          What AC is suggesting makes a lot of sense to me. If I were an arsonist, surely the best cover I could have is that of a firefighter?

          I'm not saying he is correct, just saying it sounds credible

          1. Anonymous Coward

            You haven't seen Backdraft?

            1. MyffyW Silver badge

              It's a measure of our paranoid times that one's instincts are to simultaneously doubt the integrity of the suspect, the law enforcement authorities and the medium through which news is communicated.

      3. Mark 85

        Sounds credible. He also posted diversionary post to Twitter about Kronos.....

        Might or might not be right. I remember the controversy when Kaspersky first popped up and the rumors because his AV was detecting new viruses that no one had ever seen before. Time will tell....

      4. roytrubshaw

        "Sounds credible."

        Sounds more like F.B.I. S.O.P. I.e. when investigating a highly technical crime, find the nearest foreign expert and arrest them.

      5. Anonymous Coward

        Seems more than just credible to me.

        He got the kicks from creating it.

        He got the publicity and hailed as an international hero from stopping it

        AND he got the ransom cash as well.

        What more could a cyber criminal want?

        1. Anonymous Coward

          AND he got the ransom cash as well.?

          he was soliciting ideas on twitter for giving the cash away to deserving causes...may even have done so in a less cynical world....

    3. Anonymous Coward

      After reading the indictment, I kind of wonder if he's in touch with Snowden, and they are trying to get at Snowden through him. Or someone similar to Snowden.

      Seems awfully easy to allege that people left digital footprints around the scene of a digital crime - especially a threat researcher whose JOB is to snoop around digital crimes. Of course his digital footprints are going to be all over digital crime scenes.

      Either that or they've got him dead to rights. One or the other. But even if he did the crime, I wouldn't be shocked to find that this is an attempt to get him to roll over on someone like Snowden who is a bigger fish for them.

      1. streaky

        Yeah, it's nothing to do with Snowden.

        1. Anonymous Coward

          re: Sounds credible.

          Thank fuck it takes more than that to convict.

        2. Anonymous Coward

          @streaky - "Yeah, it's nothing to do with Snowden."

          Yeah, you're right - they don't need more evidence or a new witness against Snowden. They just need Snowden himself.

      2. Anonymous Coward

        I wouldn't be shocked to find that this is an attempt to get him to roll over on someone like Snowden who is a bigger fish for them.

        Pardon my ignorance, but what is there to be had on Snowden? The world pretty much knows what he had, and where he lives is also not so terribly protected that there would not be a way to get to him without too many problems.

        By the way, the way the Russian relationships are deteriorating I would pardon Snowden right now before the Russians decide to consider him a sufficiently useful source of information to "invite" his cooperation.

  2. bombastic bob Silver badge

    no good deed goes unpunished

    and the corollary: it only takes one "AW, SHIT" to un-do a zillion "Atta Boy"s (that's how I remember the phrase from when I was in the Navy)

    1. PJF

      Re: no good deed goes unpunished

      Is the world going to heck?!

      That's twice in less than 12 hours that I've given B.Bob an up!

      1. John Brown (no body) Silver badge

        Re: no good deed goes unpunished

        "Is the world going to heck?!"

        No idea. Is that somewhere near hell?

    2. Prst. V.Jeltz Silver badge

      Re: no good deed goes unpunished

      one "AW, SHIT" to un-do a zillion "Atta Boy"s

      sounds like my career

      1. Florida1920

        Re: no good deed goes unpunished

        sounds like my career

        Join the club. I took over ownership of a popular site on Sunday. Atta-boy. Tonight I blew it up. Ooops. Fortunately, it's back up. Fortunately, it's doubtful the g-men noticed, and I'm far from home anyway. To really foul up in this business all you need is a laptop and wi-fi.

  3. danR2

    Also Wannacry?

    I've read the indictment, and it looks solid. It would be odd for a dedicated hacker-for-money to stumble over just the solution to another criminal exploit, let alone play 'save-the-day' hero. At least I can't recollect the like.

    1. MattPi

      Re: Also Wannacry?

      "I've read the indictment, and it looks solid. It would be odd for a dedicated hacker-for-money to stumble over just the solution to another criminal exploit, let alone play 'save-the-day' hero. At least I can't recollect the like."

      If I remember one of the interviews, he was investigating it and noticed it tried to contact a domain that didn't exist (as a measure for the malware to detect if there was a transparent proxy on the network watching it). He registered the domain to see what would happen and somewhat accidentally killed off the spread because all the new copies now thought they were being watched and shut down.

      That seems like a pretty normal thing to do for someone who enjoys reverse-engineering code, or a way for a dedicated black hat to learn new tricks and keep up with the technology.

      1. danR2

        Re: Also Wannacry?

        '...he was investigating it' reminds me of the time I stole a pocketknife from the store, buried it in the public right-of-way beside the road, and then went and told my mother about the knife I 'found'. She gave me an instantaneous, level-gazed, 'cool story' "Where did you get that knife, Danny?" reply and I was quickly sent off to return it to the store. With an apology.

        1. Graham Dawson Silver badge

          Re: Also Wannacry?

          He's a security consultant. It's quite literally his job to "investigate" malware. Unless you were a retail theft prevention consultant, your childhood escapade isn't remotely comparable.

          1. Ian Johnston Silver badge

            Re: Also Wannacry?

            "He's a security consultant"

            With qualifications and clients and professional indemnity insurance? Or is he a "consultant" like every dopey sloane with a camera is a "photographer"?

        2. I3N

          Re: Also Wannacry?

          Timmy Turner: Uhh ... Internet

      2. Blotto Silver badge

        Re: Also Wannacry?

        If he's a security guy and noticed it trying to get to a non-existent domain he must have seen it do a DNS lookup. The easiest and quickest way to determine what it would do would be to add an entry in his hosts file and point the domain to a webserver in his own LAN, not go to the lengths of paying for and registering a domain with an odd name then create an internet-facing webserver and point the domain at it. Turns a 5 min job into a few hours at minimum and at some cost. If after testing in the home lab he discovered it rendered the attack null then great, buy the domain, put your server on it and tell the world.

        There is something a little off with this.

        1. Anonymous Coward

          Re: Also Wannacry?

          Or ...

          You see it is trying to contact this oddly-named domain, so you check to see who that belongs to and discover it is unregistered.

          Do you a) snap it up yourself because that might be fun / useful / lucrative or b) just leave it for someone else to find?

          And if you pick a) why not then use the real-world domain and capture all the traffic to it and not just whatever you have locally active (if you have anything locally active) is sending?

          It doesn't seem all that off to me.

        2. Midnight

          Re: Also Wannacry?

          "There is something a little off with this."

          There sure is. I think you should look at changing the vendor you purchase domain names from, as it really shouldn't take "a few hours minimum" to sign in to a control panel, type or paste in a domain name, check the box that says "Yes please put this domain on the same domain name servers I always use" and then push a button to buy it. It's a five minute job at most, and that includes typing your password wrong four times and swearing a bit before you turn Caps Lock back off. And if you're concerned about the cost, which is less than the price of buying warm drinks for the entire team one time, you can typically 'return' the domain a few days later and end up paying nothing.

          What you may be missing is that checking in with a mysteriously named domain is a fairly common technique for malware to use, and that it is not unusual to take control of expired, unregistered or cancelled domains to 'sinkhole' them, effectively shutting down an entire botnet by not only removing its central command and control facility but also redirecting the C&C traffic to a friendly site where you can keep tabs on botnet infections and activity. The value isn't just in stopping a single infection on your local network, but also in seeing what every other infected host in the world is doing, so taking a few minutes to register a domain and point it to your existing sinkhole server is a reasonable thing to do.

          This is exactly what MalwareTech described in his original write-up of WannaCrypt ( https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html ), and he includes some data he was able to collect on global and regional infection rates through the sinkholed domain.

          It may seem odd if you're not familiar with modern botnet hunting, but what MalwareTech did wasn't that unusual.
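As an added illustration of the two defender-side uses of a sinkholed check-in domain described above (spotting local hosts that looked the domain up, and summarising global check-ins at the sinkhole), here is example code that is not from the thread or from MalwareTech's write-up. The domain name, the log formats and the log lines are all constructed placeholders.

```python
from collections import Counter
from typing import Dict, Set

# Placeholder for the check-in domain; deliberately NOT the real one.
KILL_SWITCH_DOMAIN = "killswitch-example.invalid"

# Constructed sample: resolver query log in a hypothetical
# "timestamp client_ip qname" format (not any real product's format).
DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.4.17 killswitch-example.invalid
2017-05-12T10:01:05Z 10.0.4.17 updates.example.com
2017-05-12T10:02:11Z 10.0.7.9 KILLSWITCH-EXAMPLE.INVALID
2017-05-12T10:03:44Z 10.0.4.17 killswitch-example.invalid
2017-05-12T10:05:00Z 10.0.2.3 mail.example.com
"""

# Constructed sample: access log of the web server the domain was pointed
# at, in a hypothetical "source_ip country path" format.
SINKHOLE_LOG = """\
198.51.100.7 RU /
203.0.113.5 CN /
198.51.100.7 RU /
192.0.2.44 US /
203.0.113.9 CN /
"""


def hosts_querying(dns_log: str, domain: str) -> Dict[str, int]:
    """Return {client_ip: lookup_count} for clients that resolved the
    check-in domain. Because the sample exits once the name resolves, a
    single lookup is often the only local trace that it ran at all, so
    every hit is worth an investigation ticket (case-insensitive match)."""
    counts: Counter = Counter()
    wanted = domain.lower()
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].lower() == wanted:
            counts[parts[1]] += 1
    return dict(counts)


def sinkhole_summary(access_log: str) -> Dict[str, object]:
    """Summarise check-ins seen at the sinkhole: unique source IPs overall
    and per country. Repeat check-ins from one IP count once, so the
    numbers approximate infected hosts rather than request volume."""
    by_country: Dict[str, Set[str]] = {}
    for line in access_log.splitlines():
        ip, country, _path = line.split()
        by_country.setdefault(country, set()).add(ip)
    unique = set().union(*by_country.values()) if by_country else set()
    return {
        "unique_hosts": len(unique),
        "per_country": {c: len(ips) for c, ips in by_country.items()},
    }
```

Run against a real resolver log, the first function gives the list of internal machines to isolate and patch; the second gives the kind of per-region infection picture the write-up reports.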

          1. Blotto Silver badge

            Re: Also Wannacry?

            All that vs editing a host file entry and spinning up a vm in a sand boxed environment?

            Ok

    2. Anonymous Coward

      Re: Also Wannacry?

      Hacking Munchausen By Proxy

    3. streaky

      Re: Also Wannacry?

      I've read the indictment, and it looks solid

      Me too, it looks like a list of claims and zero evidence. Given how clueless US agencies are I'm more prepared to believe his friends who say it's mistaken identity - plus how stupid would you have to be...

      1. GrapeBunch

        Re: Also Wannacry?

        I upvoted you, but I'm not sure. "clueless" ... "stupid" ... it could just be a nefarious way to get something they really want. And if the dates are right, they knew they wanted it before the Las Vegas convention, but after Marcus became an accidental hero. They'll certainly be looking for other things in any electronic equipment he might have been carrying (didn't we all agree last month not to carry equipment to USA?), or if there's no data, they could add it. His safest option was to have not been carrying any equipment.

        So, are there any safe countries in which to reside--and be a hacker not employed by a government? Perhaps Russia, but maybe not, if you are the wrong flavour.

        1. streaky

          Re: Also Wannacry?

          didn't we all agree last month not to carry equipment to USA?

          We did indeed.

          Re: stupid. I meant him - if you'd pulled that then decided to pootle about in the US at a hacker con you're just asking for threats of 10 lifetimes unless you confess.

          It sounds unlikely. If you do this sort of thing you wouldn't be stupid enough to draw attention to yourself with either the malware cited or with wannacry. You just wouldn't. Unless you're a world class moron.

      2. waldo kitty

        Re: Also Wannacry?

        "Given how clueless US agencies are [...]"

        ummm... remember, all this so-called evidence is given to a/the Grand Jury... they are the ones that say "yay or nay" on these things... these folks are common every day john and jane does who likely don't have the first clue about these things to start with... just talk with some random on the street and see what kind of answers you get for the most common computer, internet and security related topics... clueless? yeah, to say the least... the GJ is definitely not a jury of peers... if this case goes to trial, it is highly doubtful that the court will even be able to find any true peers, peers that fully know and understand the aspects of so-called hacking and computer/internet security...

      3. mrobaer

        Re: Also Wannacry?

        The indictment is just the final result, you know, what happened *after* the jurors heard testimony and were presented with (apparently) sufficient evidence to indict on those charges.

      4. Aodhhan

        Re: Also Wannacry?

        Grand juries aren't a bunch of idiots. These are professionals with doctorate degrees who look at what evidence has been gathered so far to make a decision on prosecution.

        The fact he's being held without bond is quite telling in itself... with monitoring technology today, this is rarely done even if there is a slight flight risk. Likely there is information and damages from this along with other items which have yet to be released and will likely have a closely monitored and quiet discovery process.

        While he is innocent until proven guilty, it doesn't look good for him. What floors me, is the amount of people who come out defending him with very little knowledge of it. I wonder how liberal they'd be if he was responsible in any way of draining their bank account.

        There are plenty of sick self-absorbed individuals who will write or in this case modify malware, let it run its course, then come in and play hero of the day.

    4. Anonymous Coward

      I've read the indictment, and it looks solid.

      And if so, why not arrest him on entry, instead of waiting for him to leave? To access any data he may have collected, or people met at DefCon?

      1. Prst. V.Jeltz Silver badge

        Re: I've read the indictment, and it looks solid.

        "And if so, why don't arrest him on entry, "

        I think you answered your own question , as did the article

      2. Anonymous Coward

        Re: I've read the indictment, and it looks solid.

        well reading his tweets for the last few days he had his wallet stolen including credit card in Las Vegas and commented that he wasn't sure why they only took a wallet with little cash and left the phones. Perhaps they needed access to his credit card data before arresting him? Just a thought.

    5. Dan 55 Silver badge

      Re: Also Wannacry?

      The indictment has no evidence whatsoever, which is what's important. At the moment it reads like the Brexit white paper before starting negotiations.

      There is a real chance that years of this guy's life could be wasted in the US.

      1. This post has been deleted by its author

        1. GovAge

          Re: Also Wannacry?

          Well Googled :). The 323 million that is.

      2. JohnG

        Re: Also Wannacry?

        "There is a real chance that years of this guy's life could be wasted in the US."

        I predict he will be offered a plea bargain and threatened with years on remand, away from his homeland, his home and his family, if he doesn't comply. (As I understand it, he has not yet had access to a lawyer or contact with his family, so I guess the bullying is in progress). If they win, the FBI can then claim to have solved a major international crime by pinning it on johnny foreigner.

    6. Anonymous Coward

      Re: Also Wannacry?

      I've read the indictment, and it looks solid. It would be odd for a dedicated hacker-for-money to stumble over just the solution to another criminal exploit, let alone play 'save-the-day' hero. At least I can't recollect the like.

      Err, no. Those are statements, assertions. Until there is evidence to prove such assertions they are but noise, and the guy remains innocent until formally convicted by a judge.

      Or, in other words, you can't judge this from the accusations. You need the facts and their context. It could be that the FBI simply found his IP address when he was researching malware and is trying to make this into all the evidence they need for a conviction, it could be that someone is seeking to deflect a crime onto him to get a reduced sentence themselves (which again requires solid evidence).

      Until we see the actual facts that underpin this case, there should be no other assumption than innocence. That's how it works.

      1. Bluto Nash

        Re: Also Wannacry?

        Until we see the actual facts that underpin this case, there should be no other assumption than innocence. That's how it works.

        That's how it's supposed to work. YMMV
