On January 13, college student Zachary Shames pleaded guilty in a federal district court in Virginia, US, to authoring Limitless Logger, the malicious keylogger used to steal sensitive user information such as passwords and banking credentials from thousands of victims. In November 2014, Trend Micro’s Forward-Looking Threat Research team (FTR) published a research paper that covered Limitless and how it was used to steal information from thousands of victims. Prior to that, we had passed details to the FBI that correctly identified Shames as the creator. This blog details how we made that link, which we left out of the published research paper.
According to the U.S. Attorney’s Office in the Eastern District of Virginia, the 21-year-old Computer Science undergraduate at James Madison University in Virginia was charged with one count of aiding and abetting computer intrusions. Shames admitted to developing and selling more than 3,000 copies of the spyware, which was used to infect more than 16,000 machines, all in violation of Title 18 of the United States Code, Sections 1030(a)(5)(A) and 2.
In July 2014, several members of the FTR team started researching attacks that made use of two commercially available keyloggers, Predator Pain and Limitless Logger, after seeing both used in a number of intrusions, several of which targeted high-profile victims.
At the time of the research, Limitless, alongside other tools, was being widely used in targeted campaigns. Among the countries most impacted were Malaysia, India, Australia, Denmark, and Turkey.
Figure 1. Impact of Predator Pain/Limitless by Country
Note that at the time of the research, one of the actors involved targeted South East Asian countries, showing a bias towards Malaysia.
The industries most affected by Predator Pain/Limitless, as seen in our past research, are shown below. The hardest hit were manufacturing (cosmetics, gems, industrial equipment, lights and fixtures, sailing equipment, tiles), services (construction, diving, logistics, sailing, shipping), and hospitality.
Figure 2. Predator Pain/Limitless Victims by Industry
Figure 3. Limitless Logger builder
Limitless has many features common to commercial keyloggers, including the ability to silently record keystrokes, disable security controls, and recover account passwords for exfiltration to the attacker who licensed it. Sold with a lifetime license for $35 on the forum hackforums[.]net, the software’s low price made it very popular, especially with several African groups operating Business Email Compromise (BEC) campaigns. Tools like this have proven useful in BEC schemes and related methods, which often involve distributing business-themed email messages to a collection of publicly listed email addresses. These messages typically carry a keylogger that sends the gathered information back to the cybercriminals through email, FTP, or a Web panel (PHP).
By the time our paper was released, the original author, using the moniker Mephobia, had handed the project over to another Hackforums member, who continued to sell it under the brand “Syndicate Keylogger.”
Figure 4. Mephobia’s post in Hackforums
Apart from examining the tool’s users (one of our research efforts led to a separate arrest by Interpol and Nigeria’s EFCC), we also looked into the author behind it. Based on several posts made through his account on Hackforums, we were able to determine some initial facts:
- At the time he handed over control of the project (Jan 2014), Mephobia had just completed his first semester at university.
- His sales advertisements included contact details such as Skype accounts, PayPal and others. He also had a variety of other accounts that linked the Limitless project to the name Mephobia (or HFMephobia, where HF stands for Hackforums), including GitHub, Photobucket, and a Pastebin post of some code.
- The Pastebin code listed a different Skype account, whose profile gave an address in Washington DC and a possible date of birth.
From our previous research, we had found the nickname Mephobia in earlier malware projects that predated the creation of Limitless, such as Reflect Logger and a keylogger for the online game Runescape.
The username Mephobia also produced a number of other research leads. Notably, it appeared in a variety of SQL injection dumps from hacking forums that had been publicly leaked. While the authenticity and validity of such dumps is difficult to verify, repeatedly seeing the same email addresses associated with a nickname at least merits considering a true connection. Several of these forum breaches showed that Mephobia had frequented those forums earlier in his hacking education and had used more personal email accounts there, rather than the Gmail account he would later use for most of his Hackforums communications. One of those accounts carried the nickname RockNHockeyFan.
This nickname, in turn, led us to several other sites, notably a profile on an online study support site named Quizlet, which linked RockNHockeyFan to the name “Zach Shames.” It also led to a post on the Runescape gaming forum Sythe.org, where a user with the nickname Z3r0Grav1ty was advertising a tool for stealing Runescape accounts, the same tool we had found in our malware database containing the string “Mephobia.” That post listed two contact details: an AOL account that included the nickname “RockNHockeyFan” and an MSN Live account, zman81895[@]live[.]com. These, in turn, led to a number of social network profiles associated with an individual named Zach or Zachary Shames.
To validate our suspected name for Mephobia, a second examination of his Hackforums posts was carried out, armed with this new information. Sure enough, in a post from January 2012, the now-closed Mephobia account can be seen posting a chat log in which he does, in fact, reveal his name to be “Zach Shames.”
Figure 5. Mephobia revealing his name as “Zach Shames”
The above image was obtained from a Hackforums post at https://hackforums[.]net/showthread[.]php?tid=2120548&pid=19141517&highlight=%22Zach+Shames%22#pid19141517.
With this information, the FTR team sent a detailed research report in 2014 to the FBI Washington DC field office, where the suspect resided. Shames, who admitted to developing the initial versions of the keylogger as a high school student in Northern Virginia before “perfecting” his product in his college dorm room, now faces a maximum penalty of ten years behind bars. Shames’ sentencing is set for June 16, 2017.
While Limitless is neither the most expensive nor the most advanced malware available today, it is a clear reminder that any malware, even at this level, can be used to devastating effect. It should also serve as a reminder to the younger generation of experts that the creation of such tools has real-world implications and very serious consequences, and hopefully encourage them to use their talents to help make the world more secure. Finally, FTR’s work in cooperation with the FBI highlights Trend Micro’s continued commitment to partnering with law enforcement. This ultimately heightens the value of public and private partnerships, as only together can we truly work to make the exchange of digital information safer.