Micro Focus is now part of OpenText. Learn more >

You are here

You are here

Krebs recycles @MalwareTechBlog’s past—Marcus Hutchins did indeed sell malware, he says

Richi Jennings Your humble blogwatcher, dba RJA
Malware TechBlog FBI arrest

Marcus Hutchins, a/k/a MalwareTech, is still on bail, after having been charged by the FBI for writing and selling a banking Trojan. It’s been a few weeks—and in that time, investigative infosec reporter Brian Krebs has been busy.

Krebs has been tracing the previous aliases and activities of Hutchins. And he concludes that the hero of WannaCry isn’t perhaps as squeaky-clean as his supporters would like to believe.

But does that mean the Feds are right? In this week’s Security Blogwatch, we celebrate the presumption of innocence.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention:  The legacy of the Manhattan Project

Code you can live by

What’s the craic? Brian Krebs asks, Who Is Marcus Hutchins?

FBI agents in Las Vegas arrested 23-year-old British security researcher Marcus Hutchins on suspicion of authoring and/or selling “Kronos,” a strain of malware designed to steal online banking credentials. … A great many … quickly leapt to his defense to denounce his arrest [saying] the government’s case was built on flimsy and scant evidence.

Hutchins has worked tirelessly to expose cybercriminals and their malicious tools. To date, some 226 supporters have donated more than $14,000 to his defense fund.

But as I began to dig deeper into the history tied to dozens of hacker forum pseudonyms, email addresses and domains he apparently used over the past decade, a very different picture began to emerge. … I will attempt to describe and illustrate more than three weeks’ worth of connecting the dots. … The clues suggest that Hutchins began developing and selling malware in his mid-teens — only to later develop a change of heart.

Most of the activities and actions that can be attributed to Iarkey/Flipertyjopkins/Da Loser et. al … are fairly small-time. [But] Hutchins around 2011-2012 switched to two new nicknames that corresponded to users who were far more heavily involved in coding and selling complex malicious software: “Element Products,” and later, “Gone With The Wind.” … In 2012, Element Products announces the availability of a new product he had for sale — dubbed the “Ares Form Grabber” [and] as an authorized reseller of the infamous exploit kit known as “Blackhole.” … In addition, Element Products ran a “bot shop.”

Let me be clear: I have no information to support the claim that Hutchins authored or sold the Kronos banking trojan. According to the government, Hutchins did so in 2014. … However, the findings in this report suggest that for several years Hutchins enjoyed a fairly successful stint coding malicious software for others.

Hutchins did not try to hide the fact that he has written and published unique malware strains, which in the United States at least is a form of protected speech. … Hutchins declined to comment for this story, citing his ongoing prosecution. He has pleaded not guilty to all four counts against him.

The plot thickens. Rob “@ErrataRob” Graham narrates his thoughts:

That @MalwareTechBlog is the "wrong guy" was never the narrative. The narrative is that we stand behind members of our community.

People are innocent until proven guilty. We should not expel him as a pariah.

Writing code that virus writers use is not a crime. I've done it. Hutchins is up front having done this.

Even selling malware on Alphabay isn't a crime. He's not accused of simply selling it, but conspiring with someone to use it.

But is there anything new here? Here’s the pseudonymous @SwiftOnSecurity:

I found the Krebs article pretty investigative but fair, and matched my existing understanding. Finds no public evidence of current charges.

Leaving all these numerous traces about other small stuff over years, but nothing about Kronos, is, if anything, a positive for him.

Matches what I heard on the grapevine hours after the initial revelation. Teen stuff apparently well-known in circles, nothing about Kronos.

I have a long history of underestimating future scrutiny of identities and the links between them. It takes a lot of discipline/foresight.

But Brian “@arekfurt” in Pittsburgh sees it differently:

If I were the prosecutor and his case went to trial, I'd try to move heaven & earth to try to get those facts in front of the jury. Related "prior bad acts", even involving less serious actions, can often be huge in a jury's mind.

"If he's the type of a person to steal bikes, you know he's willing to steal a car. … And he'd probably know how to sell it, too."

And what of the unintended consequences? u/DuncanYoudaho thinks ahead:

"Security Research' kept me out of Prison" is a fairly well-established trope at DEFCON. Hopefully it applies here too.

The feds burning bridges to bag a former skiddie will turn off more than a few skilled actors from assisting the government in the future.

So? Matthew “@matthew_d_green” Green begs for mercy:

Some of the smartest and most productive white hats in our field did dumb things when they were teenagers. We'd be screwed without them.

Or maybe it means that we should be trying harder to engage those teenagers in useful work, before they do that crazy-dangerous stuff.

Teenagers: stay away from malware, and stick to doing harmless stuff like getting wasted and driving your cars really fast on public roads.

Because only one of those things will follow you.

Not trying to excuse bad behavior, but if a 16-year old can easily do millions in damage -- maybe our infrastructure just sucks.

But what of Marcus Hutchins himself? @MalwareTechBlog speaks:

A big part of me wants to answer truthfully the question of "how are you doing" just to see the other person's reaction. … "My life is so big of a dumpster fire that all the people adding fuel to it are making no noticeable difference"

Posting an example bootkit which would take significant work to weaponise is a problem? Stop feeding your high horse so much marijuana.

Meanwhile, Vesselin “@VessOnSecurity” Bontchev is the voice of reason:

While many of the things in the article are somewhat ethically shady (remember, he was 14 at the time!), none of them is criminal. … Creating malware is programming, programming is speech. … It's criminal only when done with intent to cause harm.

Granted, in most cases the criminal intent of the malware author is quite obvious, but this isn't one of those cases. … The prosecution has to prove that it was done with the intent to cause harm.

The moral of the story? Teach your children well (you who are on the road must have a code that you can live by). [You’re fired —Ed.]

And Finally…

The sobering reminder behind Weldon Spring, Missouri

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: FBI (cc0)

Keep learning

Read more articles about: SecurityInformation Security