True crime: The botnet barons
- 04 January, 2008 07:03
When federal agents announced on November 29 that they'd indicted or convicted eight individuals accused of using botnets (networks of computers infected with Trojan horse applications) to engage in criminal activity, the press release barely explained the nature and extent of the men's crimes -- or the investigations that led to arrests in an operation the FBI and other law enforcement agencies have termed Bot Roast II.
When InfoWorld decided to dig a little deeper, we found that the motivations of each perpetrator were far richer, and the nature of the crimes more complex, than a simple rundown of their rap sheets could express.
In fact, the eight Bot Roast II criminals committed a broad range of online crimes, which together make up a representative sample of motives and patterns common to these kinds of crimes. The following story is our attempt to profile the people behind the crimes.
The Perp: Adam Sweaney
Pleaded guilty to: felony fraud and computer crimes
Plea date: September 24, 2007
Sweaney, a 27-year-old computer technician from Tacoma, Wash., seems to have started out on the side of the good guys. In Internet postings to the Yahoo Answers message board, a man who signed his messages "Adam Sweaney, Tacoma PC Repair" appeared to help computer users with their problems relating to worms and malware. But at some point, Sweaney switched allegiances to the Dark Side. From as early as May 2006 and for nearly a year, Sweaney was infecting PCs with Trojan horses that built a botnet he later used to transmit spam messages on behalf of others.
Court papers filed by the US Attorney prosecuting the case say that Sweaney's goal was to earn money by leasing out access to the botnet (which he called "proxies"), a common business practice for bot-herders. He advertised his proxies on message boards where spammers and bot-herders made business deals, boasting of his spamming prowess with posts such as "last month sents 50 million gi domains, delivery 87% price US$500.00 Also still have full FTP server setup with lots of data ... plus updated last weekend with some fresh files/shyt." For just US$500, you could hire Sweaney to send 50 million spams, 87 percent of which were guaranteed to make it to live e-mail accounts.
In July 2006, an FBI undercover agent contacted Sweaney posing as a spammer interested in his offerings. Sweaney gave the agent free access to the botnet for 20 minutes, then engaged the agent in a discussion of what services were available, including a list of 18 million Hotmail e-mail addresses he was selling for US$10 per million addresses. The agent bought those addresses, as well as 14 million Yahoo addresses, and access to the botnet for a period of two weeks. In the course of the investigation, the FBI discovered that one of the bot-infected computers belonged to the Justice Department's Antitrust Division in Washington, DC.
The Perp: Gregory King
Indicted for: four counts of "transmission of code to cause damage to a protected computer"
Indictment date: Sept. 27, 2007
Among the people happy to hear about Greg King's indictment were the operators of two Web sites, Killanet and Castlecops, which King repeatedly attacked using his botnet. The latter site, a clearinghouse for information about malware, botnets, and spammers, was subjected to a massive distributed denial-of-service attack in February 2007. But let's not get ahead of ourselves.
The owners of the Web sites that the 21-year-old King harassed alleged in court filings that he engaged in a campaign of harassment, intimidation, threats, and finally massive DDoS attacks. Posting under the online monikers Silenz and GregK, he taunted his victims with brazen threats and links to porn sites in IRC chat channels and on message boards, and he launched repeated attacks on Killanet, a Web site aimed at children and teenagers, from June 2004 through October 2006. According to published news reports, King's motivation was revenge for perceived slights.
King had no interest in subtlety or in masking where his attacks originated, and reportedly even dropped hints as to his real-life identity. He controlled his botnet from his parents' home in Fairfield, Calif., as well as from a nearby library, a McDonald's, and a Best Buy store near his home.
In February 2007, King used his botnet to DDoS the servers used by Castlecops for five continuous days. The motivation for the attack: Castlecops moderators had deleted or modified some of King's more vitriolic posts to the message board. "If you edit my post once more, you will be sorry," King wrote in a post on February 13th. Four minutes later he was banned from the message board. That night, King launched his attack.
The site, well known in the security community as a resource for tracking malware trends, was virtually shut down while its operators dealt with an attack that, at its peak, flooded its ISP with 969 megabits per second of traffic, a volume large enough to all but shut down not only the site but Castlecops' entire ISP, ApplicationX.
As for KillaNet, King caused thousands of dollars in losses of time and content due to multiple attacks on the site's Web server, according to a KillaNet press release announcing King's indictment.
If convicted, King faces four counts of "transmission of code to cause damage to a protected computer," with a maximum penalty of ten years in prison and US$250,000 in fines for each count.
The Perp: Azizbek Mamadjanov
Convicted of: wire fraud, enabled by phishing
Sentenced: June 2007, to two years in prison
Mamadjanov's crimes fall about as far to the fringe of what's considered a cybercrime as you can get -- in this case, it was clearly a fraud that was simply enabled by the use of stolen online banking information. The 21-year-old Florida resident registered a fake landscaping business with the state, created business bank accounts using the social security numbers of people who had died, and then used banking information stolen from Internet users to transfer money from the victims' accounts to his own.
In July 2006, he tricked a victim into divulging his account details using a phishing attack, then transferred US$40,000 into his own account. Within about 24 hours of the transfer, Mamadjanov made four US$10,000 withdrawals, each from a different branch of the bank where his business account was set up, Capital City Bank.
A few days later, Mamadjanov repeated the crime using a different victim's stolen credentials and a different business account he'd earlier established at AmSouth Bank. This time, he transferred US$39,823 from the victim's account to his own, and made another quartet of US$10,000 withdrawals from four different AmSouth Bank branches. Apparently, that much cash moving around finally caught someone's attention.
The Perp: Aleksandr Paskalov
Convicted of: wire fraud, enabled by phishing
Sentenced: Oct. 12, 2007, to 42 months in prison
Azizbek Mamadjanov's friend Aleksandr was his partner in crime. He was sentenced four months after Mamadjanov to prison for engaging in what was, essentially, a copycat fraud using phished credentials to transfer money from the bank accounts of victims into fake business banking accounts Paskalov set up. But where Mamadjanov only managed to get around US$80,000 using the scheme, Paskalov more than doubled his partner's success, netting about US$170,000 in proceeds.
Paskalov duplicated virtually the entire Mamadjanov operation, including the use of social security numbers of dead people to set up business bank accounts at five different Florida banks. Within a short period of performing a wire transfer from the victims' bank accounts to his own, he would then travel to several branches, withdrawing a portion of the transferred money at each one.
In an apparent attempt at cleverness, Paskalov withdrew money from the accounts in odd quantities. For example, on April 3, 2006, he went to five separate branches of Colonial Bank and had cashier's checks drawn in the amounts of US$3983.99, US$2992.88, US$3303.68, US$4992.03, and US$4406.68.
The subterfuge didn't work. Paskalov was caught and can reminisce with his friend in federal prison for the next two years.
The Perp: Jason Downey
Convicted of: operating an IRC-based botnet that caused numerous distributed denial-of-service attacks
Sentenced: Oct. 23, 2007, to 1 year in prison, followed by probation, restitution, and community service
Downey, the 24-year-old so-called Kentucky Botmaster, operated two IRC networks -- Rizon.net and Yotta-byte.net -- used by himself and other bot-herders as a command-and-control system for a network of bots used to engage in DDoS attacks against other IRC networks. Using the online pseudonym Nessun, he was accused of complicity in a series of attacks dating back to May 2004.
In a news post on IRC-junkie.org dated May 22, 2004, a message written by the operators of IRCHighway, a rival IRC network, said in part "we have acquired quite solid proofs that the group of individuals that is conducting these activities is at least partly composed of top ranking Rizon Network staff members, including pdi and, Rizon's CEO, Nessun."
Downey's reply to that post implied that, while he was sorry for the trouble, he was unable to police the 35,000 users of his network. At the time, he wrote "yes I do own about 30 domains whois them all you wish but that does not mean that 1 I control 100% of everything on them and 2 that a whois of them doesn't prove I DOSed anything."
But the US Attorney prosecuting the case thought otherwise, alleging in court filings that Downey was personally responsible for the attacks that originated from a botnet of roughly 6,000 infected computers he controlled over his network.
The Perp: Ryan Brett Goldstein
Indicted for: conspiring to spread a malicious botnet, causing damage to a university server
Indictment date: November 1, 2007
As in the case of Greg King, Ryan Goldstein may have been motivated by a desire for revenge when he collaborated with a notorious creator of botnet software to spread that botnet across the Penn State campus, where Goldstein is a bioengineering major.
Goldstein, who used the online nickname Digerati, allegedly worked with an 18-year-old New Zealand man known only by his online nickname, AKILL, throughout the first half of 2006 to spread AKILL's bots to computers throughout the Penn State campus. The FBI was alerted to the issue when a computer server on campus crashed and agents were called in to analyze the server, which had been turned into a command-and-control device for a 50,000-strong botnet.
When an IRC group named Taunet to which Goldstein belonged banned him, he decided to take his revenge on the IRC networks where the group was based, and on a Web server. According to court documents, Goldstein wrote to AKILL "i can get you some good private stuff, i can also pay you to take taunet down," and offered login credentials to university computers in exchange for AKILL's assistance. After the botnet crashed the university server, Goldstein contacted AKILL again, saying "i want taunet taken down, they are starting to annoy me again ... they must stay down for at least a week or so."
Goldstein could not foresee that AKILL would cooperate with police in his New Zealand hometown of Waikato when they came with search warrants and seized his computers.
The Perp: John Schiefer
Pled guilty to: four counts of felony computer fraud crimes
Plea date: November 8, 2007
One of the most notorious of the bot-herders nabbed in Bot Roast II, former computer security analyst John Schiefer, known as acidstorm, faces a maximum prison sentence of 60 years and a US$1.75 million fine for operating a botnet of around 250,000 infected computers, installing password-sniffing software on roughly half of them, and then using stolen PayPal credentials to pay for hosting and other resources to help spread his botnet.
Schiefer, now 26, initially used both his home and office computer networks to spread the bots to vulnerable users of instant messaging programs. After victims clicked a link in a message, they became infected. He then used the botnet to foist an adware program from a Dutch company called TopConverting onto the computers of victims, earning 20 cents for each installation. According to the plea agreement, Schiefer admits that he earned more than US$19,000 from TopConverting in about two months.
At the same time, Schiefer installed software onto the victims' computers, which scanned their Web traffic for sensitive user names and passwords -- specifically for PayPal and other financial Web sites -- and used that stolen information to pay for domain registrations and Web server space. Another piece of malware spread by the botnet to the victims, psniffer, could pull saved passwords from the Windows Protected Store, a location where the Internet Explorer browser collects passwords that users choose to save for later use, and send that information onward to him.
Prior to his arrest, Schiefer says he learned the error of his ways and stopped managing the botnet. In published interviews, he's said that he hopes his cooperation with law enforcement will help lighten his sentence.
The Perp: Robert Bentley
Indicted for: coding, controlling, and using botnets to defraud an advertising business
Indictment date: Nov. 27, 2007
Not only did Robert Bentley spread and manage botnets, but he's the only member of the Bot Roast II party accused of creating an IRC bot for this purpose. Bentley used his bots to foist adware onto the computers of unsuspecting victims, netting considerable cash in the process.
Bentley's botnet of around 100 computers, all located within the corporate network of Newell Rubbermaid -- makers of products such as Sharpie markers and plastic food containers -- spread like a network worm, seeking out nearby computers on the same subnet and exploiting security flaws in Windows to install themselves on other machines.
The only problem was that the bots were too good at seeking out their neighbors and ended up flooding the Rubbermaid corporate network. When that happened, according to the indictment, the "voluminous network traffic generated by this scanning has the effect of simultaneously limiting or even preventing" the infected systems from making network connections.
The victims' computers were infected with the DollarRevenue adware program, which caused popup ads to appear almost continuously. Unfortunately for Bentley, the botnet did not appear to have spread beyond Rubbermaid's corporate network. In the end, Bentley earned less in commissions than it cost the company to restore all the infected computers.
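The self-defeating scanning described in the Bentley case is also what makes such an infection visible to defenders: an internal host that suddenly contacts dozens of neighbours in its own /24 on Windows file-sharing ports stands out in flow logs. The following Python is an added example, not code from the article or from any investigation it describes; the flow records and addresses in it are constructed, and the port list, 60-second window and 20-peer threshold are assumed tuning values.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (src, dst, dst_port, timestamp in seconds); the
# addresses are made up for this example and do not describe any real network.
SAMPLE_FLOWS = (
    # 10.0.1.50 behaves like the worm-style bot: one SMB probe per second to each neighbour.
    [("10.0.1.50", f"10.0.1.{n}", 445, 1000 + n) for n in range(1, 41)]
    # 10.0.1.7 is an ordinary workstation: repeated connections to one file server and a printer.
    + [("10.0.1.7", "10.0.1.200", 445, 1000 + 5 * k) for k in range(6)]
    + [("10.0.1.7", "10.0.1.201", 9100, 1010)]
    # 10.0.1.9 reaches many hosts, but outside its own /24 and on HTTPS, so it is not flagged.
    + [("10.0.1.9", f"10.0.2.{n}", 443, 1000 + n) for n in range(1, 41)]
)

def same_subnet(src, dst, prefix=24):
    """True when dst lies in the same /prefix network as src."""
    return ip_address(dst) in ip_network(f"{src}/{prefix}", strict=False)

def max_distinct_in_window(events, window):
    """events: list of (ts, dst). Largest number of distinct dsts seen within
    any span of `window` seconds, using a sliding window over sorted events."""
    events = sorted(events)
    counts = defaultdict(int)
    best = left = 0
    for ts, dst in events:
        counts[dst] += 1
        while events[left][0] < ts - window:          # drop events that fell out of the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best

def lateral_scanners(flows, ports=(445, 139), window=60, threshold=20):
    """Map each source to its peak count of distinct in-subnet peers on the given
    ports, keeping only sources whose fan-out reaches `threshold` within `window`."""
    per_src = defaultdict(list)
    for src, dst, port, ts in flows:
        if port in ports and dst != src and same_subnet(src, dst):
            per_src[src].append((ts, dst))
    return {src: n for src, ev in per_src.items()
            if (n := max_distinct_in_window(ev, window)) >= threshold}

if __name__ == "__main__":
    for host, n in lateral_scanners(SAMPLE_FLOWS).items():
        print(f"{host}: {n} distinct in-subnet SMB/NetBIOS peers within 60s")
```

Real deployments would feed this from NetFlow, firewall or switch logs and tune the threshold to the normal fan-out of legitimate management hosts, which otherwise trigger the same rule.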