Script kiddies are teenagers who use readily available tools written by experienced hackers to deface websites or break into computer systems, usually done for peer recognition and attention. Script kiddies have little or no personal knowledge of hacking and rely on other people’s programs or scripts, hence the name, “script kiddie.” They are not considered true hackers and are looked down upon in the hacking community as giving hackers a bad name by engaging in immature forms of vandalism.
A popular pastime for script kiddies involves gaining access to website administration privileges in order to “tag” sites with electronic graffiti for bragging rights. This practice of vandalism is known as “Web cracking.” Bored teens build reputations among friends by tagging tens or even hundreds of sites.
In addition to website defacement, script kiddies also use hacking tools to compromise remote computers. The process begins by using automated programs that scan computers connected to the Internet, looking for specific exploits. Once vulnerable targets are identified, other tools are used to penetrate the targets. If the target is a computer that is part of a private network, the entire network becomes compromised.
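A defender's view of the scanning step described above, as an added example that is not part of the original article: it flags any source that probes the same port on many distinct hosts within a short window, which is the pattern an automated search for one specific exploit leaves in firewall logs. The log format, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO time> SRC=<ip> DST=<ip> DPT=<port>"
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")

def find_horizontal_scans(lines, min_hosts=5, window=timedelta(seconds=60)):
    """Return {(src, port): sorted hosts touched} for every source that hit
    one port on at least min_hosts distinct hosts inside a sliding window."""
    events = defaultdict(list)  # (src, port) -> [(time, dst), ...]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the format
        ts, src, dst, port = m.groups()
        events[(src, int(port))].append((datetime.fromisoformat(ts), dst))

    findings = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans <= window
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({dst for _, dst in hits[start:end + 1]}) >= min_hosts:
                # report every host this source touched on that port
                findings[key] = sorted({dst for _, dst in hits})
                break
    return findings

def sample_log():
    """Constructed sample data using documentation address ranges."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    def row(offset, src, dst, port):
        return f"{(t0 + offset).isoformat()} SRC={src} DST={dst} DPT={port}"
    lines = ["not a log line"]
    for i in range(6):   # one port, six hosts, two seconds apart
        lines.append(row(timedelta(seconds=2 * i), "198.51.100.7", f"192.0.2.{10 + i}", 445))
    for i in range(8):   # ordinary client returning to one web server
        lines.append(row(timedelta(seconds=5 * i), "203.0.113.20", "192.0.2.10", 443))
    for i in range(5):   # five hosts, but spread over twenty minutes
        lines.append(row(timedelta(minutes=5 * i), "203.0.113.99", f"192.0.2.{50 + i}", 22))
    return lines

if __name__ == "__main__":
    for (src, port), hosts in find_horizontal_scans(sample_log()).items():
        print(f"{src} probed port {port} on {len(hosts)} hosts: {', '.join(hosts)}")
```

The third group in the sample shows the trade-off in the window setting: the same number of hosts spread over a longer period is reported only when `window` is widened, at the cost of more false positives from ordinary traffic.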
The next step involves installing “rootkits” on the targeted systems so that the remote computers can be used without the owners’ knowledge. Each compromised computer becomes a “drone” or “zombie computer.” Multiple zombie computers form a “botnet.” The remote operator can upload Trojans or viruses to the botnet, corrupt the computers, steal personal information including credit card numbers and passwords, erase entire hard drives, or just sit back and silently surveil.
Script kiddies commonly compete against each other to see who can build the largest botnet. Since zombie computers can be used to search for new vulnerable computers, botnets can build exponentially into very large networks consisting of hundreds, thousands, or hundreds of thousands of compromised computers. A script kiddie can issue a command to a botnet to carry out operations in the background while innocent users go about their business, completely unaware their computers are being used. With such power, script kiddies can bring down large commercial websites by launching Distributed Denial of Service (DDoS) attacks. A website is bombarded with repetitive requests from compromised computers in a botnet until the server becomes overloaded and crashes.
While cyber-vandalism and DDoS attacks might seem like fun to bored teenagers, these acts are criminal and can land a script kiddie in jail. Canadian teen Mike Calce caused a reported $1.7 million US Dollars (USD) in damages in February 2000 when the then 15-year-old launched DDoS attacks on CNN, eBay, Dell, Inc., E*TRADE, Yahoo! and Amazon. The Federal Bureau of Investigation followed router logs which eventually pointed to the teen's Internet service provider, located in Montreal, Canada. Canadian police placed a wiretap on the suspect's phone and, after two months of surveillance, effected an arrest. Calce eventually pleaded guilty to 55 counts and was sentenced to eight months in a detention center, received a year of probation, and was ordered to pay a fine.
Unfortunately, script kiddies aren’t the only ones subject to arrest. Their illegal activities will map back to the compromised computers, implicating innocent owners. This can potentially result in an unannounced knock at the door by authorities and legal seizure of your computer, not to mention arrest (no matter how brief). In one reported case a man was taken into custody when child pornography was found on his computer, only to be released when it was discovered that the files had been uploaded there without his knowledge by a remote operator.
Legal problems, fraud, and the threat of identity theft aside, at the very least having your computer compromised by script kiddies can mean having to reformat the drive and rebuild the system. With the average computer boasting storage of one hundred gigabytes or more, this is no small feat. If the system isn’t backed up, rebuilding it from scratch can take days, weeks or even months, and it can also mean losing valuable data. Compromised networks have it even worse.
Because teenagers lack maturity, many script kiddies fail to realize the often-serious implications of their actions. Guarding against rootkits and keeping security software current will reduce the risk of being targeted by script kiddies.