Security firm Damballa says that when computer crime cops in Norway arrested five men last month in a joint operation with Europol, one of them was the creator of the MegalodonHTTP botnet used to launch distributed denial-of-service (DDoS) attacks against websites.
At the time of the arrest by Norway’s Kripos national criminal investigation service, little was known other than the men had been charged with possessing, using and selling malware including remote access trojans (RATs), and that they were aged between 16 and 24 years old.
Now Damballa says that it worked together with the Norwegian authorities over the space of a “few months” to track and identify the author of MegalodonHTTP.
MegalodonHTTP, perhaps the most clumsily-named botnet in existence, required every Windows PC it tried to recruit into its DDoS botnet to have .NET installed and running by default – a requirement that almost certainly limited the number of victims it managed to compromise.
Damballa researchers described it as “skid malware” (malware for script kiddies), but the fact that it was advertised for a low price on hacking forums inevitably made MegalodonHTTP attractive to some.
Damballa says that it is not at liberty to release the true identity of MegalodonHTTP’s author, who goes by the online handle of “Bin4ry”, but that he is no longer active or doing business.
If it’s true that another malware author’s activities have been curtailed then that’s good news, and we can only hope that other youngsters will be deterred from entering a life of cybercrime.
More details on MegalodonHTTP can be found in this Damballa blog post published last November.
One comment on “Suspected MegalodonHTTP DDoS botnet author arrested”
Not at liberty? Well, with the handle it might be that others can. But if they really think it is worth it, they either have too much time (and they're bored or curious enough – even if only to see how easy it is) or they have issues; I can understand the former but the latter not so much (but perhaps it's hard to separate the two).
I would argue that all DDoS tools are for script kiddies. Especially if it's a GUI like this one apparently is (or maybe that's just the website … but I would guess there is a GUI?)
… maybe it's because I remember the pre-DDoS days (just DoS) where you had the actual source code (maybe some new ones do?) of the exploits (e.g. smurf, jolt, teardrop, winnuke, etc.) available, and for some you had to understand at least part of it to use it (smurf comes to mind as an example). For others you also had to know how to enable it (because some authors were ethical and deliberately put in code that prevented it from being abused by people too inept to understand it); hence the amusement and bemusement of seeing people whining and insisting that they needed the SYN flooder (unsure about the one in Phrack magazine which describes it in detail, along with trust relationship exploitations) to work for 'laboratory work' when the code disabling it would take 1 second max. to change. But that's a good thing, as it prevented a script kiddie from abusing it.
Of course even then script kiddies used the exploits that they could, but many (… I presume … I know I did) enjoyed not actually using them but the technical aspects of them (both the low-level networking stuff, how the exploit works and the source code itself).