Teen pleads guilty to creating DDoS tool used in 1.7 million attacks

A 19-year-old UK teenager from Hertfordshire has pleaded guilty to creating and running the Titanium Stresser booter service, with which he launched 594 denial of service (DDoS) attacks.

According to a statement put out by the Bedfordshire Police, Adam Mudd developed the tool when he was just 15 years old.

He didn’t just use it to launch his own DDoS attacks. He also sold it online and ran it as a service, distributing it to cyber crooks.

Investigators are still working out the total amount Mudd made from the attacks, but their preliminary estimate is around $385,000.

Investigators determined that Mudd’s stressor – which is a tool used to flood networks with data, bogging them down until they’re dead in the water, non-functioning and vulnerable to compromise – was used in more than 1.7 million DDoS attacks worldwide.

Those attacks were launched against 181 IP addresses between December 2013 and March 2015, the month that Mudd was arrested and the service was shut down.

According to Silicon Angle, Mudd kept detailed logs of all the attacks that relied on Titanium Stressor.

In fact, it was, for a time, the most popular DDoS-for-hire service available online.

One of Mudd’s satisfied customers must have been the hacking group Lizard Squad. According to The Register, Mudd’s creation was the basis for Lizard Stresser, a DDoS tool marketed by the hacking group.

Remember Lizard Squad? They ruined Christmas 2014 with a DDoS directed at PlayStation and Xbox servers, timed to make sure nobody could play games during the holiday.

A spot of poetic justice was had when the Lizard Stresser service itself got hacked, spilling customer details on to the internet.

Interestingly, the very same thing happened recently to vDOS, one of the most disruptive attack-for-hire services on the internet.

vDOS was taken down in September, and its alleged co-owners were arrested following a “massive hack” on the site. Tens of thousands of customers’ details were spilled, along with the identities of its teenage owners.

Technically speaking, those who launch these DDoS attacks aren’t hackers, given how little technical skill is required.

All they have to do is harness the horsepower provided by botnets, as Sophos’s Mark Stockley noted at the time of the vDOS takedown. Those botnets contain tens of thousands of computers compromised by malware.

Perhaps not coincidentally, both security journalist Brian Krebs and DNS service provider DYN – both involved in the vDOS sting – were hit by massive DDoS attacks from the Mirai botnet.

As Brian Krebs has reported, Lizard Stresser relies on thousands of hacked home routers to launch DDoS attacks.

That’s not dissimilar to Mirai, which also uses poorly secured devices that aren’t laptops, desktops or servers.

As we noted at the time of the attack on Krebs, Mirai originated not from malicious bot or zombie software on regular computers, as might have been the case a few years ago, but from so-called Internet of Things (IoT) devices such as routers, web cameras and perhaps even printers.

You might not think of such humble devices as having enough brawn to do the damage that DDoSes have wrought, but string them all together, and they can be used to cause a world of hurt.

Mirai wasn’t well-coded. But it didn’t have to be scrupulously developed in order to be destructive.

To make it all that much worse, in the aftermath of the assault on Krebs, the source code of the malware used in the attack was open-sourced.

But back to Mudd: he pleaded guilty to two offenses under the Computer Misuse Act and another of money laundering under the Proceeds of Crime Act. He’s due to be sentenced in December.

We don’t yet know how much prison time Mudd may be facing, but Silicon Angle reports that the judge who accepted his guilty plea noted that “a spell in a youth offenders institution will be considered”.