Bruce Schneier

 

Blog

Crypto-Gram Newsletter

Books

Essays and Op Eds

News and Interviews

Audio and Video

Speaking Schedule

Password Safe

Cryptography

About Bruce Schneier

Contact Information

 

Schneier on Security

A blog covering security and security technology.

« The NSA on How to Redact | Main | Big Brother Prison »

February 2, 2006

For-Profit Botnet

Interesting article about someone convicted for running a for-profit botnet:

November's 52-page indictment, along with papers filed last week, offer an unusually detailed glimpse into a shadowy world where hackers, often not old enough to vote, brag in online chat groups about their prowess in taking over vast numbers of computers and herding them into large armies of junk mail robots and arsenals for so-called denial of service attacks on Web sites.

Ancheta one-upped his hacking peers by advertising his network of "bots," short for robots, on Internet chat channels.

A Web site Ancheta maintained included a schedule of prices he charged people who wanted to rent out the machines, along with guidelines on how many bots were required to bring down a particular type of Web site.

In July 2004, he told one chat partner he had more than 40,000 machines available, "more than I can handle," according to the indictment. A month later, Ancheta told another person he controlled at least 100,000 bots, and that his network had added another 10,000 machines in a week and a half.

In a three-month span starting in June 2004, Ancheta rented out or sold bots to at least 10 "different nefarious computer users," according to the plea agreement. He pocketed $3,000 in the process by accepting payments through the online PayPal service, prosecutors said.

Starting in August 2004, Ancheta turned to a new, more lucrative method to profit from his botnets, prosecutors said. Working with a juvenile in Boca Raton, Fla., whom prosecutors identified by his Internet nickname "SoBe," Ancheta infected more than 400,000 computers.

Ancheta and SoBe signed up as affiliates in programs maintained by online advertising companies that pay people each time they get a computer user to install software that displays ads and collects information about the sites a user visits.

Posted on February 2, 2006 at 6:06 AM13 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

steve GolfFebruary 2, 2006 8:03 AM

thank you, interesting reading. I wonder if they were traced because they infected military computers and if they would have gotten away otherwise...

steve

richFebruary 2, 2006 9:00 AM

What I found interesting was that collections of thousands of bots (sometimes tens of thousands) were sold for only a few hundred dollars for the lot.

Mike SherwoodFebruary 2, 2006 9:09 AM

@rich

That's the advantage of selling stolen resources. All of the actual costs are borne by the bot owners, the money is 100% profit to the botnet owners.

I like the term "unindicted co-conspirators." If I offer to sell you a recent model Lexus for $5k, you would have good reason to suspect it's stolen. The companies who purchased services from these guys knew exactly what they were doing and should be prosecuted. As long as stealing from others is a profitable business model, people will continue to do it.

Clive RobinsonFebruary 2, 2006 9:37 AM

"signed up as affiliates in programs maintained by online advertising companies that pay people each time they get a computer user to install software that displays ads and collects information about the sites a user visits"

I realy like this idea it has such a degree of originality about it.

What's the betting that if they had stuck to this in the first place the money would still be rolling in and they probably would not have been caught...

Chris WalshFebruary 2, 2006 10:00 AM

If you distribute the costs over 500,000 victims, you probably won't get caught.

If, OTOH, you use those 500K victims to siphon $$ from a single source (by faking Google ad clicks, say), you'd better hope^H^H^H^Hmake sure that your synthetic clicks get lost in the noise.

grdaFebruary 2, 2006 11:01 AM

bruce- you're missing a / in your closing A tag after the word "article"

Josh RubinFebruary 2, 2006 11:04 AM

The article's claim that botnets are cheap to rent raises an interesting possibility: the FBI could rent a botnet in order to notify owners that their computers are compromised, *and* arrest the perpetrator. It sounds cheap and very effective. The FBI does not need to intrude on the victim
(much), or record their identities; it can just inform them of the sting operation:

"Please visit www.xxx.gov or call your local FBI office for an explaination of why your computer is at risk."

So why they aren't doing it? Is this use of a backdoor dangerous, illegal, or unethical?

Bruce SchneierFebruary 2, 2006 11:05 AM

"bruce- you're missing a / in your closing A tag after the word 'article'"

Fixed. Thanks.

vwmFebruary 2, 2006 11:22 AM

@Josh

If a bot-net tells you, your Computer is at risk, would you believe that? There are plenty Worms and Hoaxes out there, claiming to be the FBI, Microsoft, etc. So nobody would/should listen.

Besides, some computers might crash on receipt of such a message due to bugs in the bot-code. So it could be dangerous after all.

JRFebruary 2, 2006 12:08 PM

As the masses of humanity continue to achieve broadband connectivity, it seems that security awareness and training maybe one of the few, effective proactive response. Here's a couple of free resources towards this end:

http://vte.cert.org/
http://www.staysafeonline.info/

Josh RubinFebruary 2, 2006 12:26 PM

@vwm

I partially agree with you, but ...

"If a bot-net tells you your computer is at risk, would you believe that?"

Absolutely. If my computer is running a program that displays such a message,
and I don't understand how it happened,
then I *am* at risk, no matter who sent
the message!

However, you are right to point out that less experienced computer users are easily hoaxed. The rate of false positives depends on the sophistication of the computer user.

I agree with your second point, that merely sending such a message creates some risk - but all law enforcement actions do that. It's a trade-off.

kashmarekFebruary 2, 2006 1:08 PM

Chances are, that many of our security agencies are using those same bots to gather information. Why upset the flow of data?

autoreplyFebruary 5, 2006 5:11 PM

This is a computer generated reply. I am not at my desk right now, but your article will receive due attention on my return.

Post a comment




E-mail is optional and will not be displayed on the site.


Remember Me?


Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Powered by Movable Type. Photo at top by Geoffrey Stone.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

 
Bruce Schneier
Subscribe
Atom Feed Facebook Twitter E-Mail Newsletter (Crypto-Gram)
Subscribe via Kindle
Blog Menu

Search

Powered by DuckDuckGo


blog only
essays and op eds only
whole site

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M J
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D

Tags

more tags

Support Bloggers' Rights!
Defend Privacy--Support Epic
Latest Book
Liars & Outliers
more books by Bruce Schneier