Last week, Russian antivirus expert Eugene Kaspersky said that current trends in cybercrime aren't being portrayed accurately in the popular American media. In Kaspersky's opinion, the stereotype that the Russian mafia is behind most phishing and spam rings is largely untrue. He's right. Last week Microsoft helped arrest some Bulgarian phishers. And a recent federal indictment helped shed light on the activities of an American criminal hacker.
An American cybervillain
Consider Jeanson James Ancheta. This 20-year-old Downey, California, resident worked in an Internet cafe and, according to an aunt, hoped to join the military reserves. Despite those modest aspirations, Ancheta lived a rather luxurious lifestyle, often seen driving his 1993 BMW and spending upward of $600 a week on new clothes and car parts. Last week in a Los Angeles federal court, Ancheta pleaded guilty to four felony counts under Title 18, United States Code, Section 1030, Fraud and Related Activity in Connection with Computers, specifically subsections (a)(5)(A)(i), (a)(5)(B)(i), and (b).
According to the multiple-count indictment, Ancheta did what any wannabe botmaster would do: he wrote a worm that let him infect as many Internet-connected computers as he could with off-the-shelf remote access Trojans (RATs). Most of these were ordinary home computers with no firewall or antivirus protection. On each machine it compromised, the worm installed a custom build of rxbot, a commonly available Trojan horse, modified to join an IRC channel under Ancheta's control and take commands from it. Over time, he amassed about 40,000 of these worm-infected, remotely controlled computers (also known as bots). Some of the bots were computers at the Defense Information Systems Agency (DISA) in Falls Church and at China Lake Naval Air Facility in California. DISA provides network services for the President, the Vice President, and the Secretary of Defense.
How he did it, part 1
Shortly after acquiring his first 1,000 bots, Ancheta went into business. To control his growing collection of bots, Ancheta rented a hosted server on which he ran an IRC server and a Web site. The Web site advertised rental prices and offered advice to other cybercriminals; on it, he suggested how many of his bots one would need to take down companies of various sizes. The indictment lists a few exchanges with individuals who took Ancheta up on his offer, individuals who went on to launch denial-of-service (DoS) attacks against King Pauo Electronic Company and Sanyo Electric Software Company, for example. One individual, listed as a "confidential source," was eager to take down the Web site of his unnamed competition. It may be that the feds used this single confidential source to first discover Ancheta's business, then went after him.
How he did it, part 2
What Ancheta did next is more interesting. In count four of the indictment, Ancheta is said to have partnered with "Sobe," an unnamed individual living in Boca Raton, Florida. This time, Ancheta leased space on a number of different hosted servers for the purpose of making money very quickly, through adware. Adware is a parasitic program that gets installed on your computer (sometimes with notification, sometimes not). Online vendors, such as gambling sites, pornography sites, and so forth, sign up affiliate Web sites that push the programs onto anyone who visits; in exchange, the affiliate site owners get a small kickback for every install.
Ancheta and Sobe signed up their leased servers as affiliates of Loudcash and Gammacash, the latter now part of 180solutions, an adware company currently facing several complaints for unfair business practices. Ancheta and Sobe then directed their botnet of more than 10,000 remote-controlled zombie computers to hit their own affiliate servers, which automatically downloaded and installed adware on the compromised machines and in turn earned Ancheta a per-install payment, via PayPal. The "visitors" whose installs he was paid for were his own victims.
How much? According to the indictment, at its peak, Loudcash made one payment of $2,305.83, which is chump change compared to a one-time payment of $7,966.10 from Gammacash. Overall, Ancheta is said to have made about $60,000 over a six-month period.
But because Ancheta leased servers from hosting companies such as Sago Networks, FDCservers, and the Planet, he had to be careful not to send all of his bots to a particular server at the same time; that would overload the server and raise suspicion. The affiliate network, too, might grow suspicious of a single Web site receiving a massive amount of traffic all at once. So Ancheta paid Sobe to meter the traffic from the bots. Using IRC commands, Sobe throttled the flow so that the bots contacted the various servers at a rate that resembled normal network traffic. That wasn't always enough, however.
Once, the indictment cites, a server operator got wind of something foul and sent a note to Ancheta and Sobe. The operator had correctly identified that the IRC channel controlling the drones used port 6667, but made a typo in the actual IRC channel name. Ancheta fired off a message to the operator saying, "This IRC network was investigated by my staff, and we have removed the suspicious channel related to this." Ancheta later boasted to Sobe, "Haha always works."
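The two network signals in this story, a crowd of internal hosts all sitting on one external IRC port (what the server operator noticed), and the same crowd trickling in to one Web server at a throttled rate (what Sobe was paid to engineer), can both be pulled out of ordinary flow logs. The following is an added example written for this article, not code from the indictment or from any of the parties; the flow records are constructed, the IP addresses are documentation ranges, and the port list and thresholds are assumptions. It shows why a burst detector tuned to short windows sees the IRC channel but misses the throttled adware fetches, while counting distinct clients over a longer window catches both.

```python
"""Spotting IRC-herded bots in flow logs (added example, not the page's own code)."""
from collections import defaultdict

# Assumption: the only IRC port we care about is the one the operator noticed.
IRC_PORTS = {6667}

# Constructed sample: one line per connection, "timestamp src dst dport".
# 203.0.113.5:6667 plays the C2 IRC server; 198.51.100.7:80 the affiliate site.
# The five bots hit the affiliate site 300 seconds apart (Sobe's throttling).
SAMPLE_FLOWS = """\
# ts   src        dst           dport
1000 10.0.0.11 203.0.113.5 6667
1000 10.0.0.12 203.0.113.5 6667
1001 10.0.0.13 203.0.113.5 6667
1002 10.0.0.14 203.0.113.5 6667
1003 10.0.0.15 203.0.113.5 6667
1000 10.0.0.11 198.51.100.7 80
1300 10.0.0.12 198.51.100.7 80
1600 10.0.0.13 198.51.100.7 80
1900 10.0.0.14 198.51.100.7 80
2200 10.0.0.15 198.51.100.7 80
1005 10.0.0.20 192.0.2.9 443
"""


def parse_flows(text):
    """Parse the constructed log format into dicts; skips blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport)})
    return flows


def shared_irc_servers(flows, min_clients=3):
    """External IRC servers that at least `min_clients` internal hosts connect to.

    Returns {dst: sorted list of client IPs}. One workstation on IRC is a
    person; dozens of machines on the same channel server is a herd.
    """
    clients = defaultdict(set)
    for f in flows:
        if f["dport"] in IRC_PORTS:
            clients[f["dst"]].add(f["src"])
    return {dst: sorted(s) for dst, s in clients.items() if len(s) >= min_clients}


def fan_in(flows, window, min_clients):
    """Targets (dst, dport) contacted by >= `min_clients` distinct sources
    within some `window`-second span. Returns {target: max distinct sources}.

    A short window catches a stampede; a throttled herd only shows up when
    the window is long enough to span the spacing between bots.
    """
    by_target = defaultdict(list)
    for f in flows:
        by_target[(f["dst"], f["dport"])].append((f["ts"], f["src"]))
    hits = {}
    for target, events in by_target.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):
            # slide the left edge until the span fits inside the window
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            best = max(best, len({src for _, src in events[lo:hi + 1]}))
        if best >= min_clients:
            hits[target] = best
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("shared IRC servers:", shared_irc_servers(flows))
    print("60s fan-in:  ", fan_in(flows, window=60, min_clients=3))
    print("3600s fan-in:", fan_in(flows, window=3600, min_clients=3))
```

With the sample above, the 60-second pass flags only the IRC server, because the throttled affiliate fetches never put more than one new client inside any one-minute span; widening the window to an hour exposes the same five hosts fanning in on port 80 as well. In practice you would run the distinct-client count over several window sizes and, for the IRC signal, also alert on any long-lived connection to an IRC port from a host that has no business being on IRC.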
But on December 10, 2004, the feds raided Ancheta's Downey home and confiscated his generic tower desktop computer and laptop. That didn't stop Ancheta, however. The indictment lists several more payments from Loudcash and Gammacash continuing into March 2005. He also kept renting servers and signing up additional affiliate accounts with those services, and the cash kept coming. In May 2005, federal authorities confiscated Ancheta's Dell laptop, more or less putting an end to his little online business.
The above crimes are not the result of a mafia crime syndicate. This is the work of one kid employed at an Internet cafe in Downey, California, suddenly living a life of luxury. There are hundreds like him, probably many in the United States, operating botnets that we don't yet know about.
What to do
Obviously, your computer can be "0wned" only if it's not protected. At minimum you should have a two-way firewall installed: inbound filtering blocks the worm's probes and the RAT's listening port, and outbound filtering catches a bot trying to reach its IRC channel, or adware trying to send your personal data to a third party. The best solution, I think, is to install an Internet security suite. Either way, the fewer computers these guys can infect and use for their "businesses," the less incentive there is for people to pursue this lifestyle of crime.
Is Ancheta a brilliant business man, ripping off sex and gambling sites, or is he still a low-life cybercriminal? Talk back to me.