[ISN] Hacker pleads guilty to building, renting attack network

InfoSec News isn at c4i.org
Tue Jan 24 01:28:43 EST 2006


http://www.mercurynews.com/mld/mercurynews/business/13693354.htm

Jan. 23, 2006

SAN FRANCISCO (AP) - A 20-year-old hacker admitted Monday to
surreptitiously seizing control of hundreds of thousands of
Internet-connected computers, using the zombie network to serve pop-up
ads and renting it to people who mounted attacks on Web sites and sent
out spam.

Jeanson James Ancheta, of Downey, Calif., pleaded guilty in Los
Angeles federal court to four felony charges for crimes, including
infecting machines at two U.S. military sites, that earned him more
than $61,000, said federal prosecutor James Aquilina.

Under a plea agreement, which still must be approved by a judge,
Ancheta faces up to 6 years in prison and must pay the federal
government restitution. He also will forfeit his profits and a 1993
BMW. Sentencing is scheduled for May 1.

Prosecutors called the case the first to target profits derived from
use of ``botnets,'' large numbers of computers that hackers commandeer
and marshal for various nefarious deeds. The ``zombie'' machines'
owners are unaware that parasitic programs have been installed on them
and are being controlled remotely.

Botnets are being used increasingly to overwhelm Web sites with
streams of data, often by extortionists. They feed off of
vulnerabilities in computers that run Microsoft Corp.'s Windows
operating system, typically machines whose owners haven't bothered to
install security patches.

A November indictment charged Ancheta with 17 counts of conspiracy,
fraud and other crimes connected to a 14-month hacking spree that
started in June 2004 and that authorities say continued even after FBI
agents raided his house the following December.

``Part of what's most troubling about those who commit these kinds of
offenses is they think they'll never be caught,'' said Aquilina, who
spent more than a year investigating Ancheta and several of Ancheta's
online associates who remain uncharged co-conspirators.

Ancheta's attorney, federal public defender Greg Wesley, did not
immediately return phone calls seeking comment.

Ancheta has been in federal custody since his November indictment. He
previously worked at an Internet cafe owned by a relative and had
hoped to join the military reserves, according to his aunt, Sharon
Gregorio. Court documents suggested he had a taste for expensive
goods, spending $600 a week on new clothes and car parts.

The guilty plea comes less than a week after the FBI released a report
that estimates viruses, worms and Trojan horse programs like the ones
Ancheta employed cost U.S. organizations $11.9 billion each year.

November's 52-page indictment, along with papers filed last week,
offers an unusually detailed glimpse into a shadowy world where
hackers, often not old enough to vote, brag in online chat groups
about their prowess in taking over vast numbers of computers and
herding them into large armies of junk mail robots and arsenals for
so-called denial of service attacks on Web sites.

Ancheta one-upped his hacking peers by advertising his network of
``bots,'' short for robots, on Internet chat channels.

A Web site Ancheta maintained included a schedule of prices he charged
people who wanted to rent out the machines, along with guidelines on
how many bots were required to bring down a particular type of Web
site.

In July 2004, he told one chat partner he had more than 40,000
machines available, ``more than I can handle,'' according to the
indictment. A month later, Ancheta told another person he controlled
at least 100,000 bots, and that his network had added another 10,000
machines in a week and a half.

In a three-month span starting in June 2004, Ancheta rented out or
sold bots to at least 10 ``different nefarious computer users,''
according to the plea agreement. He pocketed $3,000 in the process by
accepting payments through the online PayPal service, prosecutors
said.

Starting in August 2004, Ancheta turned to a new, more lucrative
method to profit from his botnets, prosecutors said. Working with a
juvenile in Boca Raton, Fla., whom prosecutors identified by his
Internet nickname ``SoBe,'' Ancheta infected more than 400,000
computers.

Ancheta and SoBe signed up as affiliates in programs maintained by
online advertising companies that pay people each time they get a
computer user to install software that displays ads and collects
information about the sites a user visits.

Prosecutors say Ancheta and SoBe then installed the ad software from
the two companies -- Gamma Entertainment of Montreal, Quebec, and
Loudcash, whose parent company was acquired last year by 180Solutions
of Bellevue, Wash. -- on the bots they controlled, pocketing more than
$58,000 in 13 months.

``It's immoral, but the money makes it right,'' Ancheta told SoBe
during one online chat, according to the indictment.

``I just hope this (Loudcash) stuff lasts a while so I don't have to
get a job right away,'' SoBe told Ancheta during a different
conversation.

Aquilina, the assistant U.S. attorney prosecuting the case, wouldn't
say whether authorities plan to charge SoBe or any of the people
accused of renting out Ancheta's bots, many of whom are described as
``unindicted co-conspirators.''

During the course of their scheme, Ancheta and SoBe infected U.S.  
military computers at the China Lake Naval Air Facility and the
Defense Information System Agency headquartered in Falls Church, Va.,
according to a sworn declaration signed by Ancheta.
