[ISN] I was a teenage cybercriminal

InfoSec News isn at c4i.org
Wed Aug 31 04:01:26 EDT 2005


By Tom Spring
PC World.com
August 29, 2005

In 2004, after months of putting a virtual tail on a hacker who called
himself Pherk, FBI agent Timothy Nestor had the guy right where he
wanted him.

Though unsure of Pherk's identity, Special Agent Nestor was tracking
every digital footstep the hacker took as he wreaked havoc on dozens
of businesses by shutting down their online storefronts.

Pherk's modus operandi was to commandeer an army of 2000 zombie
computers and use those PCs simultaneously and repeatedly to request
Web pages from the sites; the surge in queries would overwhelm the
sites' servers, knocking the businesses offline. What the hacker
didn't know was that Nestor, supervisor of the FBI's Cyber Crime Squad
in New Jersey, had isolated one of the zombies and was now following
the perpetrator's every online move.

Eventually the accumulating evidence of these illegal Web activities
enabled the FBI to trace the attacks to 17-year-old Jasmine Singh
Cheema. Nestor then obtained a search warrant; and in early December
2004, six FBI agents and two New Jersey state police officers barged
into the Edison, New Jersey, home of Cheema's parents. According to
Nestor, the 17-year-old Cheema sat at the family's dining room table
and confessed everything to the FBI as his mother hovered nearby.

On the increase

Pherk's technique of crippling a Web site by flooding it with requests
is called a distributed denial of service (DDoS) attack. Such attacks
are on the rise despite being illegal. And not surprisingly, the
number of PCs infected with malicious code that turns them into
zombies has risen as well - from 3,000 during the first quarter of
2005 to 13,000 during the second quarter, according to a report from
anti-virus firm McAfee.
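What a flood of this kind looks like from the defender's side, as an added example that is not from the article or from the investigators it quotes: a Python script that parses Apache/NGINX combined-format access-log lines, buckets requests into fixed time windows and flags windows whose request count jumps far above the baseline while coming from many distinct source addresses. The log lines, the IP ranges (documentation ranges 192.0.2.0/24 and 203.0.113.0/24), the window size and the thresholds are all constructed for the example.

```python
"""Flag distributed request floods in web server access logs.

Constructed example: a DDoS of the kind described above shows up in
an access log as a sudden jump in request rate spread across many
source addresses, each of which looks like an ordinary client on its
own.  The detector parses Apache/NGINX "combined" format lines,
buckets requests into fixed time windows and flags windows whose
count is far above the median of the other windows *and* comes from
many distinct IPs (one noisy client is abuse, not a DDoS).
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache/NGINX combined format:
# ip - - [dd/Mon/yyyy:HH:MM:SS +zzzz] "METHOD /path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (epoch_seconds, source_ip, request_line) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return ts, m.group("ip"), m.group("req")


def detect_flood(lines, window=10, rate_factor=5.0, min_sources=10):
    """Return [(window_start, requests, distinct_ips), ...] for suspicious windows.

    window      -- bucket width in seconds
    rate_factor -- flag a window whose request count exceeds
                   rate_factor * median(count of the other windows)
    min_sources -- ...and in which at least this many distinct IPs took part
    """
    buckets = defaultdict(list)          # window start -> list of source IPs
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed lines rather than crash
        ts, ip, _req = parsed
        buckets[int(ts // window) * window].append(ip)
    if len(buckets) < 2:
        return []                         # no baseline to compare against
    counts = {start: len(ips) for start, ips in buckets.items()}
    flagged = []
    for start in sorted(buckets):
        others = [c for s, c in counts.items() if s != start]
        baseline = max(median(others), 1)
        distinct = len(set(buckets[start]))
        if counts[start] > rate_factor * baseline and distinct >= min_sources:
            flagged.append((start, counts[start], distinct))
    return flagged


def _entry(ip, second, path="/index.html"):
    """Build one constructed combined-format line at 10:00:<second> -0500."""
    return ('%s - - [01/Dec/2004:10:00:%02d -0500] "GET %s HTTP/1.1" 200 512 '
            '"-" "Mozilla/4.0"' % (ip, second, path))


# Constructed traffic: two ordinary clients (documentation range 192.0.2.0/24)
# making a request every 4 s for a minute ...
NORMAL_LOG = [
    _entry("192.0.2.10" if s % 8 == 0 else "192.0.2.11", s)
    for s in range(0, 60, 4)
]
# ... plus 20 "zombies" (203.0.113.0/24) that each fire two requests for the
# storefront inside the 30-39 s window.
BURST_LOG = [
    _entry("203.0.113.%d" % z, 30 + (2 * z + k) % 10, "/store/catalog")
    for z in range(1, 21)
    for k in range(2)
]
SAMPLE_LOG = NORMAL_LOG + BURST_LOG

if __name__ == "__main__":
    for start, n, srcs in detect_flood(SAMPLE_LOG):
        when = datetime.fromtimestamp(start).strftime("%H:%M:%S")
        print("flood window starting %s: %d requests from %d sources" % (when, n, srcs))
```

Two design points carry over to real deployments. The per-source rate inside a botnet flood is deliberately low, so per-IP rate limiting alone does not catch it; the number of distinct sources per window is the discriminating signal, which is why the detector requires both a count spike and a minimum source count. And the baseline here is the median of the other windows in the same file; in production it should come from a longer history of normal traffic so that a sustained flood cannot drag the baseline up with it.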

Big-time criminals aren't always responsible for these crimes.  
Authorities said Cheema's attacks were aimed at a handful of Web sites
that competed with CustomLeader.com, a small online sports memorabilia
business. Business owner Jason Arabo, himself only 18 at the time, is
alleged to have given Cheema some of his company's imitation classic
sportswear as payment for Cheema's work. Arabo was arrested in March
and charged with conspiracy to commit the attacks. If convicted, he
faces up to five years in prison and fines totaling as much as

The agency said that it obtained the image from an online dating site.  
Cheema pleaded guilty in New Jersey Superior Court to two counts of
computer theft by hacking online businesses; on August 12, he was
ordered to serve five years in youth detention and to pay $32,000 in

According to the New Jersey state attorney general's office, Cheema
generated the attacks by compromising PCs throughout the world with a
virus. The infected PCs then sent the victims' systems trillions of
packets of data per hour, overwhelming them.

What disturbed law enforcement officials most about the Cheema case
was the extent of the damage his attacks caused in spite of their
simplicity. Investigators report that Cheema infected 2000 computers
just by making available on a file-swapping network a file advertised
to be a picture of Jennifer Lopez naked. Instead of opening an image,
though, people who clicked the file installed a Trojan horse that
exploited PCs with poor virus and firewall protection. The PCs then
became clandestine members of Cheema's zombie army.
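The bait worked because the file name promised an image while the bytes were an executable. One check an intake point (a download directory, a mail gateway, a file-sharing client) can apply is to classify a file by its leading bytes rather than its name and refuse anything whose content contradicts the claimed extension. The following is an added example, not code from the article or from the case; the file names and byte strings are constructed, and the signature table covers only a handful of common formats.

```python
"""Classify files by magic bytes and flag name/content mismatches.

Constructed example: a small signature table plus a check that refuses
a file whose extension claims an image while the content says
'Windows executable' (or anything else that is not an image).
"""
import os

# Leading-byte signatures for a handful of common formats.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "pe-executable"),        # DOS/Windows PE header stub
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-archive"),  # also .jar/.docx containers
    (b"%PDF-", "pdf"),
]

IMAGE_TYPES = {"jpeg", "png", "gif"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat"}


def sniff(data):
    """Return the content type implied by the leading bytes, or 'unknown'."""
    head = data[:16]
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def claimed_type(filename):
    """Return what the last extension claims: 'image', 'executable' or 'other'."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in IMAGE_EXTENSIONS:
        return "image"
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable"
    return "other"


def is_disguised(filename, data):
    """True when the name says 'image' but the content is not an image.

    A name that claims an image over PE or ELF bytes is the bait described
    above; a mismatch with any other non-image type is reported as well,
    because an image viewer cannot safely open that either.
    """
    if claimed_type(filename) != "image":
        return False
    return sniff(data) not in IMAGE_TYPES


# Constructed sample files: names and bytes are made up for the example.
SAMPLES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "jlo_photo.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32,  # PE stub
    "jlo_photo.gif": b"PK\x03\x04\x14\x00" + b"\x00" * 32,          # zip
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 32,
}


def scan(samples=SAMPLES):
    """Return {name: (claimed, sniffed, disguised)} for every sample file."""
    return {name: (claimed_type(name), sniff(data), is_disguised(name, data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (claimed, actual, bad) in scan().items():
        print("%-16s claims %-10s is %-14s %s"
              % (name, claimed, actual, "REJECT" if bad else "ok"))
```

The decision is driven by what the bytes are, never by what the name says; the name is only used to learn what the user was led to expect. A real gateway would extend the table (or use libmagic) and would also treat an "unknown" type as suspicious rather than trusting it.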

Catching a cybercrook

The FBI's number three national priority today (after terrorism and
counterintelligence) is cybercrime. In one of the FBI's sixteen U.S.  
cybercrime squads, located in a nondescript office building in
Somerset, New Jersey, members spend their workdays tracking down
crimes ranging from Web site defacement to network break-ins to DDoS
attacks to child pornography to the online sale of pirated software,
music, or videos.

Other types of cybercrime are more common than zombie PC attacks,
sometimes called botnet attacks. But because armies of zombie PCs are
often massive and have the potential to inflict severe damage on
victims, some law enforcement officials say that thwarting botnet
infections and attacks has become their number one priority.

"The number of cases we see, like the Singh [Cheema] case, are
becoming far more frequent," Nestor says.

According to the FBI, most of the PCs Cheema hijacked were located on
college campuses in Massachusetts and Pennsylvania. He directed those
PCs to go after a handful of sites, probably without realizing that
his attacks would have such widespread consequences. The ripple effect
from the attacks launched by Cheema's so-called botnet army of PCs
ultimately reached 120 online companies, including major retailers,
banks, and pharmaceutical businesses as far away as Europe, according
to the FBI.

"If one teenager can jeopardize over a hundred Web sites from his
parents' house, imagine what groups of seasoned cybergangs can do,"
Nestor says.

Global problem

Some botnets consist of phalanxes of 15,000 to 50,000 zombie PCs
that are controlled by groups of people dispersed around the world,
says Christopher Painter, deputy chief of the Computer Crime section
of the U.S. Department of Justice. Most perpetrators are adults who
execute extremely sophisticated assaults. "They don't brag, and they
cover their tracks very well," Painter says.

One notorious cybergang, called Shadowcrew, reportedly had 4,000
members scattered across the United States, Brazil, Spain, and Russia.

Money is these cybergangs' primary motivation, says Larry Johnson,
special agent in charge of the Criminal Investigative Division of the
U.S. Secret Service. The asking price for temporary use of an army of
20,000 zombie PCs today is $2000 to $3000, according to a June posting
on SpecialHam.com, an electronic forum for hackers.

Marshalling their armies of zombie PCs, online extortionists may
threaten to crash a company's Web site unless they are paid off.  
"Hackers are not shy about asking for $20,000 to $30,000 from
companies. The [companies] know it's far cheaper to pay the hackers
than to get knocked offline and lose hundreds of thousands of dollars
in lost business," Johnson says.

Many of these extortion attempts may go unreported because businesses
are unwilling to volunteer evidence of their coercion to law enforcement
officials, Johnson says. Commonly, corporations don't want to admit to
their customers, stockholders, and business partners their networks
were ever vulnerable to an attack.

According to a 2004 survey conducted by the Computer Security
Institute, a membership association and education provider that serves
the information security community, only about 20 percent of computer
intrusions are ever reported to law enforcement agencies. The Secret
Service, Johnson says, receives between 10 and 15 inquiries per week
from businesses owners who believe they may be the target of a

Cooperation is key

Despite the low percentage of attacks that are reported to law
enforcement officials, the evidence needed to arrest the perpetrators
is often available, says James Burrell, supervisory special agent of
the Boston FBI's cybersquad. In labs like his, agents conduct
high-level computer forensics on PCs, analyze malicious code, break
encrypted files, and pore over server logs looking for clues.

"For us, it's all about traceability," Burrell says. The evidence the
FBI needs may be available for only a short time, and it may be
located on a server halfway across the globe. For these reasons, he
says, it's vital that local, state, federal, and foreign agencies
share information.

The FBI has 48 legal attaché offices across the globe, and agents in
those offices can assist with cybercrime investigations when leads
take the case outside of the United States. The Justice Department
says that cracking cross-border cases involves using international
organizations like the G8 24/7 High Tech Point of Contact Group, whose
member countries designate an always-available contact for providing
investigative assistance in computer crime cases. Started in 1998 by
eight highly industrialized nations, the group now consists of more
than 40 countries that share data and coordinate field work.

When cases are cracked, international organizations like the
International Criminal Police Organization (Interpol) help with
extraditing criminal defendants across borders.

According to the U.S. Secret Service, its investigations take it
outside the United States in about half of the botnet cases it
pursues. Though the agency relies on existing relationships with
foreign law enforcement agencies, it also works with the CERT
Coordination Center, a federally funded computer security incident
response team and with the International Botnet Task Force, whose
members include private and governmental agencies.

Can they be stopped?

Despite some success, law enforcement officials say that cybercrime is
extremely hard to get a handle on. That's because it thrives in
countries like Russia and China that have weak computer crime laws or
lax enforcement. In such cases, catching cybercriminals outside U.S.  
jurisdiction becomes nearly impossible.

When U.S. prosecutors do bring cybercrooks to justice, they
increasingly file charges under updates to the federal criminal code.  
The Computer Fraud and Abuse Act, for example, provides for a maximum
sentence of 20 years in prison. Still, some critics argue that too few
computer crime laws exist and that the government underfunds
cyber-security programs.

Congressman Dan Lungren, R-California, chairman of the Homeland
Security Subcommittee on Economic Security, Infrastructure Protection,
and Cybersecurity, says that U.S. business interests aren't the only
thing at stake. Lungren worries that hackers who control botnets might
attempt to carry out terrorist acts online to take down the nation's
electric utilities or tamper with air traffic control systems.

"We have seen a progression from hackers to hackers with criminal
intent," Lungren says. "We are naturally concerned with any hacker
with terrorist intent."

Cyber criminals have been technologically two steps ahead of law
enforcement for a long time. But that may be changing, according to
Robert Villanueva, criminal investigator within the U.S. Secret
Service. "Hackers used to think they couldn't be touched on IRC
channels and using VPN networks," Villanueva says. "We know they are
out there, and we are infiltrating their groups and taking notes," he

In the future, FBI special agent Nestor says, attacks will get more
sophisticated. "It's a cat-and-mouse game. It always has been. As soon
as we figure out who the bad guy is and how he operates, the
cybercrooks come up with something new."
