Schneier on Security
A blog covering security and security technology.
February 2, 2006
Interesting article about someone convicted for running a for-profit botnet:
November's 52-page indictment, along with papers filed last week, offer an unusually detailed glimpse into a shadowy world where hackers, often not old enough to vote, brag in online chat groups about their prowess in taking over vast numbers of computers and herding them into large armies of junk mail robots and arsenals for so-called denial of service attacks on Web sites.
Ancheta one-upped his hacking peers by advertising his network of "bots," short for robots, on Internet chat channels.
A Web site Ancheta maintained included a schedule of prices he charged people who wanted to rent out the machines, along with guidelines on how many bots were required to bring down a particular type of Web site.
In July 2004, he told one chat partner he had more than 40,000 machines available, "more than I can handle," according to the indictment. A month later, Ancheta told another person he controlled at least 100,000 bots, and that his network had added another 10,000 machines in a week and a half.
In a three-month span starting in June 2004, Ancheta rented out or sold bots to at least 10 "different nefarious computer users," according to the plea agreement. He pocketed $3,000 in the process by accepting payments through the online PayPal service, prosecutors said.
Starting in August 2004, Ancheta turned to a new, more lucrative method to profit from his botnets, prosecutors said. Working with a juvenile in Boca Raton, Fla., whom prosecutors identified by his Internet nickname "SoBe," Ancheta infected more than 400,000 computers.
Ancheta and SoBe signed up as affiliates in programs maintained by online advertising companies that pay people each time they get a computer user to install software that displays ads and collects information about the sites a user visits.
Posted on February 2, 2006 at 6:06 AM
thank you, interesting reading. I wonder if they were traced because they infected military computers and if they would have gotten away otherwise...
What I found interesting was that collections of thousands of bots (sometimes tens of thousands) were sold for only a few hundred dollars for the lot.
That's the advantage of selling stolen resources. All of the actual costs are borne by the bot owners, the money is 100% profit to the botnet owners.
I like the term "unindicted co-conspirators." If I offer to sell you a recent model Lexus for $5k, you would have good reason to suspect it's stolen. The companies who purchased services from these guys knew exactly what they were doing and should be prosecuted. As long as stealing from others is a profitable business model, people will continue to do it.
"signed up as affiliates in programs maintained by online advertising companies that pay people each time they get a computer user to install software that displays ads and collects information about the sites a user visits"
I really like this idea; it has such a degree of originality about it.
What's the betting that if they had stuck to this in the first place the money would still be rolling in and they probably would not have been caught...
If you distribute the costs over 500,000 victims, you probably won't get caught.
If, OTOH, you use those 500K victims to siphon $$ from a single source (by faking Google ad clicks, say), you'd better hope^H^H^H^Hmake sure that your synthetic clicks get lost in the noise.
bruce- you're missing a / in your closing A tag after the word "article"
The article's claim that botnets are cheap to rent raises an interesting possibility: the FBI could rent a botnet in order to notify owners that their computers are compromised, *and* arrest the perpetrator. It sounds cheap and very effective. The FBI does not need to intrude on the victim (much), or record their identities; it can just inform them of the sting operation:
"Please visit www.xxx.gov or call your local FBI office for an explanation of why your computer is at risk."
So why aren't they doing it? Is this use of a backdoor dangerous, illegal, or unethical?
"bruce- you're missing a / in your closing A tag after the word 'article'"
If a bot-net tells you your computer is at risk, would you believe that? There are plenty of worms and hoaxes out there claiming to be the FBI, Microsoft, etc. So nobody would/should listen.
Besides, some computers might crash on receipt of such a message due to bugs in the bot-code. So it could be dangerous after all.
As the masses of humanity continue to achieve broadband connectivity, it seems that security awareness and training may be one of the few effective proactive responses. Here's a couple of free resources towards this end:
I partially agree with you, but ...
"If a bot-net tells you your computer is at risk, would you believe that?"
Absolutely. If my computer is running a program that displays such a message, and I don't understand how it happened, then I *am* at risk, no matter who sent
However, you are right to point out that less experienced computer users are easily hoaxed. The rate of false positives depends on the sophistication of the computer user.
I agree with your second point, that merely sending such a message creates some risk - but all law enforcement actions do that. It's a trade-off.
Chances are, that many of our security agencies are using those same bots to gather information. Why upset the flow of data?
This is a computer generated reply. I am not at my desk right now, but your article will receive due attention on my return.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.