Naked Security

Student keylogger creator faces jail after pleading guilty

Keylogger developed while accused was in high school went on to infect some 16,000 computers, say prosecutors

A college student who made and marketed keylogger malware while he was still in high school in Northern Virginia pleaded guilty at the end of last week and is facing potential prison time.

According to a press release from the US Department of Justice (DOJ), 21-year-old Zachary Shames pleaded guilty to charges of aiding and abetting computer intrusions.

According to a statement of facts filed with the plea agreement – one which Vice’s Motherboard has posted – Shames designed, marketed and sold “certain malicious keylogger software” starting in or around August 2013, when he was in high school.

A security researcher told Vice that he came across evidence that the vaguely described “certain” keylogger was in fact “Limitless Keylogger Pro”: a now-defunct keylogger that sold for $35 on the popular hacking message board Hack Forums.

That fee got buyers a “lifetime” subscription, payable by bitcoin or PayPal.

Shames sold his spyware to more than 3,000 people, who went on to inflict it on 16,000 people’s computers, according to the DOJ. After he went on to college, he continued to tweak the malware and market it from his college dorm room, said police.

According to Motherboard’s Lorenzo Franceschi-Bicchierai, the Limitless Keylogger program was advertised on Hack Forums by a user named Mephobia on March 14, 2013.

Vice determined that Shames was behind Limitless Keylogger because, in 2011, Mephobia had also advertised a bot programmed to spread through Omegle, a teenagers’ chat service.

Mephobia claimed the bot had been made by ROCKNHOCKEYFAN. There’s also a profile on Quizlet, a learning tools site, that was taken out under the name of “rocknhockeyfan” and which is apparently owned by Shames. Plus, there’s another Hack Forums thread in which Mephobia posted a chat log that revealed his real name was Zach Shames, according to Vice.

The Washington Post reported that Shames is a junior at James Madison University, where he’s working on a degree in computer science. He’s a graduate of Langley High School, in Fairfax County, Virginia.

According to what appears to be his LinkedIn profile, Shames has had two jobs: as an intern for the defense contractor Northrop Grumman from May 2015 until August 2016, and as a software engineering intern at IT services firm Neustar from May to August 2014.

During that time, Limitless Keylogger was getting ever more powerful. Its developer added features including a dedicated builder, the ability to upload stolen data to an FTP server (or to have it emailed to its operator), and the ability to dump data and passwords from a host of apps: Chrome, Firefox, IE, Opera, Safari, Bitcoin Wallet, EpicBot, Spotify, Minecraft, Rarebot, RSBot, FileZilla, Core FTP, Smart FTP, DynDNS, Nimbuzz, Pidgin, Imvu, MSN, and Internet Download Manager.

A keylogger like Limitless goes after victims’ credentials – usernames and passwords – to gain access to their email, social network, and/or bank accounts and to squeeze money out of those accounts.

And as its marketing spiel relates, Limitless also eventually gained the ability to intercept what gets put into a clipboard. While password managers have clipboard-wiping features, Limitless advertised a clip-logging feature as a way to get at passwords that get copied and pasted from KeePass, for one.

So if someone is using a tool like KeePass to store their passwords, like me :P They can get logged as well, so you still get the victim’s password :D

Besides the prospect of bypassing password manager protection, there’s plenty of sensitive information that gets copied and pasted into a clipboard. As we noted recently when writing about how keyloggers are still alive and well, clipboards are used for items of immediate importance: copying and pasting text out of emails into documents, or vice versa, for example.

That can include extremely sensitive information in a business setting.

In short, this kind of tool empowers all the wrong people for all the wrong reasons. For the bargain price of $35, a script kiddie can take a tool like Limitless and use it to very easily steal information from victims, no real hacking skill required.

Sixteen thousand infected PCs may not sound like a lot when you compare it with the mega-breaches of millions of accounts that we’ve seen recently at Yahoo and LinkedIn, among many, many others.

But a keylog attack is a whole other ballgame. The crooks don’t just get credentials for one account – in the worst possible case, they get every credential for every account and a massive supply of personal information, company documents, and personal communications along with it.

Shames is facing a maximum of 10 years in prison, though maximum sentences are rarely handed out. His sentencing is scheduled for June 16.