Feeds

Botmaster owns up to 250,000 zombie PCs

He's a security consultant. Jail beckons

Choosing a cloud hosting partner with confidence

An American computer security consultant on Friday admitted using massive botnets to illegally install software on at least 250,000 machines and steal online banking identities of Windows users by evesdropping on them while they made financial transactions.

John Kenneth Schiefer, 26, of Los Angeles, pleaded guilty to four felonies, including accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud and bank fraud. He faces a maximum sentence of 60 years in federal prison and a fine of $1.75m, according to documents filed Friday in federal court.

Schiefer, who went by names such as "Acid" and "Acidstorm," has long been a fixture in underground hacking circles. He sometimes adorned his instant message handles with phrases such as "remember the name or feel the pain" and "crime pays, and it also has an excellent benefits package." He was employed at a Los Angeles-based security firm known as 3G Communications, where he sometimes carried out his crimes, according to court documents.

The plea agreement caps an investigation involving the FBI that began in 2005, said Assistant US Attorney Mark Krause. He declined to say if charges would be filed against several conspirators mentioned in court documents, who went by names including "revolt," "Harr0," "butthead," "pr1me" and "dynamic". The case is the first time a crime related to botnets has been charged under US wiretap statutes.

Schiefer, referred questions to his attorney, who was out of town and didn't immediately return a phone call.

According to prosecutors, Schiefer and several accomplices developed malware they dubbed "spybot" that made vulnerable Windows machines part of botnet. They controlled the zombies using servers from various hosting companies, herding as many as 250,000 machines at a time. Schiefer controlled the machines using computers at his home and place of employment.

The malware contained a sniffing feature that siphoned PayPal credentials from Protected Store, a section of Windows that stores passwords users have opted to have saved. Although Pstore, as the Windows feature is often called, encrypts the information before storing it, Schiefer's malware was able to read it, presumably by escalating its Windows privileges.

"Once in possession of those intercepted communications, defendant and co-schemers known and unknown would sift through the data to obtain PayPal information, namely usernames and passwords, as well as usernames and passwords for other online accounts," according to a plea agreement that was jointly prepared by prosecutors and defense attorneys.

At one point, a conspirator who went by the name "Adam" expressed concern about a plan to steal money using the malware. Schiefer responded by reminding Adam he was not yet 18 years old. "Quit being a bitch and claim it", Schiefer said, according to the plea agreement.

Schiefer often used the PayPal and bank account information he appropriated to transfer money out of victims' accounts. On one occasion, in December 2005, he moved money out of a Suffolk National Bank account to buy undisclosed domain names from a registrar by the name of Dynadot. Additionally, Schiefer sold appropriated information to others, according to prosecutors.

Schiefer also used the botnet to collect more than $19,000 in commissions from a Dutch company called Simpel Internet for installing its adware on end users' machines without their permission. In June 2005 he made more than $14,000 by surreptitiously installing the software on more than 110,000 machines. The next month, he made more than $4,700. Schiefer took pains to conceal the scheme from people at Simpel. Among other things, he directed accomplices to throttle the number of installations, so they would appear to be legitimate.

In agreeing to plead guilty, Schiefer pledged to pay restitution of $19,128.35, the full amount he made in affiliate fees. While he almost certainly won't get anything close to 60 years, his sentence could still be substantial, judging from penalties meted out in the past. In May 2006, Jeanson James Ancheta was sentenced to five years in federal prison after pleading guilty to four felony botnet charges in the same court. There is no time off for good behavior in the federal system.

Schiefer is scheduled to make an initial appearance in federal court in Los Angeles on November 28. His arraignment is slated for December 3. ®

Beginner's guide to SSL certificates

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.