A 21-year-old computer science student, who won a Programmer of the Year Award in high school, has admitted selling key-logging malware out of his college dorm room.
On Friday, Zachary Shames, an undergraduate at James Madison University in Virginia, US, pleaded guilty in a federal district court to one count of aiding and abetting computer intrusions. His plea was accepted by Judge Liam O’Grady.
In 2015, Shames made the JMU dean's list. Now he faces up to 10 years in the clink.
According to the Eastern Virginia district attorney's office, Shames was responsible for developing and selling more than 3,000 copies of a key-logger program called Limitless Logger that was used to infect at least 16,000 machines.
Shames went onto hacker forums to tout his $25 keystroke-logging spyware, which once installed on a victim's computer recorded passwords and other sensitive information. The malicious code attempted to encrypt itself to hide from antivirus packages, and logged keypresses were siphoned off to a website called limitlessproducts.org.
Shames was eventually snared by FBI agents after selling his software from a PayPal account that was registered in his real name, according to court documents obtained by The Register. That PayPal account was connected to an email address – firstname.lastname@example.org – that answered support queries for the malware and was also the contact address for the domain name limitlessproducts.org. Shames had registered that domain under his real name and home address, too.
An ice hockey fan and one-time country club waiter, Shames built the software nasty while he was in high school, according to the DA's office. When he graduated from Langley High, in Fairfax, Virginia, he continued to develop and peddle his malware online from his JMU dorm room in Shenandoah Hall. He was arrested and charged after the Feds, armed with a search warrant, swooped in March 2016.
In happier times ... Spyware author Zach Shames
"I am a Junior at James Madison University working towards a degree in Computer Science," the malware author boasts on his personal website.
"I am really interested in developing cool new programs and I want to expand my skills to make me a more well-rounded programmer. I have been programming for the past six years, and in my spare time I do freelance design jobs and coding for various programs/websites. I am passionate about anything and everything internet and technology."
Here's how passionate he was. According to prosecutors, "Shames developed malicious software, known as a keylogger, that allowed users to steal sensitive information, such a passwords and banking credentials, from a victim’s computer.
"Shames sold his keylogger to over 3,000 users who, in turn, used it to infect over 16,000 victim computers. Shames developed the initial versions of his keylogger while attending high school in Northern Virginia, and continued to modify and market the illegal product from his college dorm room."
The kid will be sentenced on June 16. ®