[ISN] FBI busts alleged DDoS Mafia

InfoSec News isn at c4i.org
Mon Aug 30 02:32:22 EDT 2004

Forwarded from: William Knowles <wk at c4i.org>


By Kevin Poulsen
Aug 26 2004 

A Massachusetts businessman allegedly paid members of the computer
underground to launch organized, crippling distributed denial of
service (DDoS) attacks against three of his competitors, in what
federal officials are calling the first criminal case to arise from a
DDoS-for-hire scheme.

Jay Echouafni, 37, is a fugitive from a five-count federal indictment
in Los Angeles charging him with aiding and abetting computer
intrusion and with conspiracy. As CEO of the online satellite TV
retailer Orbit Communication Corp., Echouafni allegedly paid a
business associate to recruit members of the computer underground to
cripple three online stores, resulting in long periods of downtime and
an estimated $2 million in losses to the businesses and their service

Paul Ashley, 30, of Powell, Ohio, is named in a separate criminal
complaint as Echouafni's go-between in arranging two of the attacks.  
Ashley was the network administrator of the Web and IRC hosting
company CIT/FooNet, run from his home, which was shuttered sometime
after being raided by the FBI last February. Three other Americans and
one U.K. citizen are charged with actually carrying out the attacks.

"This is an example of a growing trend: that is, denial of service
attacks being used for either extortionate reasons, or to disable or
impair the competition," says FBI supervisory special agent Frank
Harrill. "It's a growing problem and one that we take very seriously,
and one that we think has a very destructive impact and potential."

According to an FBI affidavit filed in the case, Echouafni was a
client of CIT/FooNet's hosting services when he made a deal with
Ashley, then the owner, in October of last year. Echouafni allegedly
paid Ashley $1,000 to snuff out two competing websites that he claimed
had stolen some of his content and were staging DDoS attacks against
his company.

Ashley in turn used his connections in the underground, and in at
least one case the promise of free CIT/FooNet server, to recruit three
associates to do the dirty work: Joshua Schichtel, Jonathan Hall, and
Lee Walker, known online as "Emp," "Rain," and "sorCe" respectively.  
Each of the three apparently had sizable "botnets" at their disposal,
meaning they could each command thousands of compromised PCs to
simultaneously attack a single host -- Walker alone had control of
between 5,000 and 10,000 computers through a customized version of the
Agobot worm, according to the FBI affidavit. Schichtel's network of
3,000 zombies was more modest, and he quietly subcontracted the job to
Richard "Krashed" Roby, who allegedly took the assignment in exchange
for a free shell account.

The attacks began on October 6th, with SYN floods slamming into the
Los Angeles-based e-commerce site WeaKnees.com, crippling the site,
which sells digital video recorders, for 12 hours straight, according
to the FBI. The company's hosting provider, Lexiconn, responded by
dropping WeaKnees.com as a client, sending the company to more
expensive hosting at RackSpace.com.

RackSpace fought back, but the attackers proved determined and
adaptive. In mid-October the simple SYN flood attacks were replaced
with an HTTP flood, pulling large image files from WeaKnees.com in
overwhelming numbers. At its peak the onslaught allegedly kept the
company offline for a full two weeks. (The company declined to comment
on the case).

RapidSatellite.com, which sells satellite TV receivers, was hit at the
same time and with similar results. The company responded by quickly
moving their electronic storefront to the distributed content delivery
services of Speedera, only to be crippled three days later by an
attack on that provider's DNS servers, which for an hour also blocked
access to other Speedera-hosted sites, including Amazon.com and the
Department of Homeland Security, according to the FBI affidavit.  
RapidSatellite then moved to Akamai, but were out again within a week
when the attackers switched to an HTTP flood attack, running massive
numbers of queries through RapidSatellite.com's search engine.

Behind the scenes Ashley was allegedly micromanaging the assault. A
chat log recovered from Schichtel's hard drive shows Ashley
admonishing his subordinate to stay on top of his portion of the
attack: "u gotta keep ane [sic] eye on it...cuz they could null route
the ip and change the dns...and it would be back up." When Schichtel
asks, "what did they do to you?," Ashley replies with an answer fit
for Tony Soprano. "[F]---ing with us...well, a customer."

"Operation Cyberslam"

In December, the alleged DDoS conspirators' informal relationship
became more corporate, when Echouafni purchased CIT/FooNet from
Ashley, and kept Ashley on as network administrator at $120,000 a year
salary. Ashley, in turn, formally hired Hall to perform "security" for
the company -- which the FBI suggests was a euphemism for launching
more DDoS attacks against Echouafni's enemies.

In Feburary, Echouafni -- now the boss -- phoned Hall directly to
order an attack on a new target, according to the government: another
satellite T.V. retailer called Expert Satellite. Hall dutifully
launched a SYN flood against the new victim, but the results didn't
please his CEO; Echouafni contacted Hall repeatedly to inform him that
the site had resurfaced, and to express his disappointment. "Echouafni
also implied that [Hall] would be fired if he did not launch the
attacks," reads the affidavit

By then, law enforcement was making progress on the investigation they
code named "Operation Cyberslam."

FBI cyber crime agents had spotted what appeared to be reconnaissance
for the HTTP flood attacks in WeaKnees.com's October log files,
originating from a shell hosting company called Unixcon. Unixcon
traced the activity to an account that had been established with a
stolen credit card number, but an FBI source, whose identity is
protected in the affidavit, fingered U.K. resident and Unixcon
administrator Lee "sorCe" Walker as the culprit.

Walker was already known to the FBI from an investigation earlier in
the year, when one of Walker's IRC enemies complained that Walker had
DDoSed him. The Bureau even had Walker's home address. An FBI agent
traveled to the U.K. in February to accompany London police as they
raided Walker, who admitted to the WeaKnees.com and RapidSatellite.com
attacks, and fingered Ashley as his handler, according to the

The Bureau raided Ashley's home on Valentine's day. Before they hauled
away CIT/FooNet's servers -- an act that would briefly cause
controversy in the hosting community -- Ashley allegedly admitted to
the attacks, and named all three of his cyber button men and
Echouafni. Echouafni was arrested in Massachusetts, and released on
$750,000 bail secured by his house. "We've alleged in the indictment
that Echouafni was the manager, organizer and leader of the group,"  
says assistant U.S. attorney Arif Alikhan, head of the Los Angeles
computer crimes section, who's prosecuting the case.

He's also missing. According to court records, last month Echouafni's
attorney won a motion to permit Echouafni's wife and children to
"travel freely within and outside of the United States of America,"  
and to have their passports returned. That was Echouafni's last action
in court: the government says he's disappeared, and officials believe
he's likely in Morocco. "He's a native of Morocco, and he was arrested
in March as he returned from Morocco into the U.S.," says the FBI's
Harrill. Echouafni's attorney did not return a phone call.

The Echouafni investigation was one of a handful of cases specifically
cited Thursday by U.S. Attorney General John Ashcroft in announcing
what the Justice Department called "Operation Web Snare -- a tallying
of over 150 recent and ongoing federal criminal cases relating to
computers or identity theft. Ashcroft said the case illustrates "the
increased use of the Internet to damage rival businesses and
communicate threats for commercial advantage."

"I think it's the first case of its kind involving a DDoS for
commercial advantage or for hire," says Alikhan. "There are DDoS
attacks all the time organized on IRC, but this is certainly the first
case where you have a corporate executive who was using the services
of another person to launch attacks against competitors."

"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org

More information about the ISN mailing list