Feeds

Botmaster owns up to 250,000 zombie PCs

He's a security consultant. Jail beckons

Website security in corporate America

An American computer security consultant on Friday admitted using massive botnets to illegally install software on at least 250,000 machines and steal online banking identities of Windows users by evesdropping on them while they made financial transactions.

John Kenneth Schiefer, 26, of Los Angeles, pleaded guilty to four felonies, including accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud and bank fraud. He faces a maximum sentence of 60 years in federal prison and a fine of $1.75m, according to documents filed Friday in federal court.

Schiefer, who went by names such as "Acid" and "Acidstorm," has long been a fixture in underground hacking circles. He sometimes adorned his instant message handles with phrases such as "remember the name or feel the pain" and "crime pays, and it also has an excellent benefits package." He was employed at a Los Angeles-based security firm known as 3G Communications, where he sometimes carried out his crimes, according to court documents.

The plea agreement caps an investigation involving the FBI that began in 2005, said Assistant US Attorney Mark Krause. He declined to say if charges would be filed against several conspirators mentioned in court documents, who went by names including "revolt," "Harr0," "butthead," "pr1me" and "dynamic". The case is the first time a crime related to botnets has been charged under US wiretap statutes.

Schiefer, referred questions to his attorney, who was out of town and didn't immediately return a phone call.

According to prosecutors, Schiefer and several accomplices developed malware they dubbed "spybot" that made vulnerable Windows machines part of botnet. They controlled the zombies using servers from various hosting companies, herding as many as 250,000 machines at a time. Schiefer controlled the machines using computers at his home and place of employment.

The malware contained a sniffing feature that siphoned PayPal credentials from Protected Store, a section of Windows that stores passwords users have opted to have saved. Although Pstore, as the Windows feature is often called, encrypts the information before storing it, Schiefer's malware was able to read it, presumably by escalating its Windows privileges.

"Once in possession of those intercepted communications, defendant and co-schemers known and unknown would sift through the data to obtain PayPal information, namely usernames and passwords, as well as usernames and passwords for other online accounts," according to a plea agreement that was jointly prepared by prosecutors and defense attorneys.

At one point, a conspirator who went by the name "Adam" expressed concern about a plan to steal money using the malware. Schiefer responded by reminding Adam he was not yet 18 years old. "Quit being a bitch and claim it", Schiefer said, according to the plea agreement.

Schiefer often used the PayPal and bank account information he appropriated to transfer money out of victims' accounts. On one occasion, in December 2005, he moved money out of a Suffolk National Bank account to buy undisclosed domain names from a registrar by the name of Dynadot. Additionally, Schiefer sold appropriated information to others, according to prosecutors.

Schiefer also used the botnet to collect more than $19,000 in commissions from a Dutch company called Simpel Internet for installing its adware on end users' machines without their permission. In June 2005 he made more than $14,000 by surreptitiously installing the software on more than 110,000 machines. The next month, he made more than $4,700. Schiefer took pains to conceal the scheme from people at Simpel. Among other things, he directed accomplices to throttle the number of installations, so they would appear to be legitimate.

In agreeing to plead guilty, Schiefer pledged to pay restitution of $19,128.35, the full amount he made in affiliate fees. While he almost certainly won't get anything close to 60 years, his sentence could still be substantial, judging from penalties meted out in the past. In May 2006, Jeanson James Ancheta was sentenced to five years in federal prison after pleading guilty to four felony botnet charges in the same court. There is no time off for good behavior in the federal system.

Schiefer is scheduled to make an initial appearance in federal court in Los Angeles on November 28. His arraignment is slated for December 3. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.