
I Was A Teenage Bot Master

The Confessions of SoBe Owns

That Unstoppable Feeling

They felt unstoppable, SoBe said. Even after Ancheta's home was raided, in December 2004, and FBI agents confiscated his computer, "he was back online within a day" and the two continued their botnet activities. He felt the same invulnerability after Ancheta was locked up.

"It doesn't matter," SoBe insisted in the days immediately following his arrest. "James can get off, and go back to doing it and in under a month he will be making 3x what he made and be able to cover his tracks much better."

SoBe and Ancheta didn't know it immediately following the raids, but thanks to several slip-ups, they had been under the watchful eye of FBI agents, who were quietly building a case against the two hackers. The first mistake was Ancheta's brazen advertisements on #bots4sale, an act that moved him to the top of investigators' to-do list.

"Up to then, we hadn't seen anything as blatant," FBI agent Ken McGuire said in a 2006 interview. "Anybody who's blatant enough to advertise in internet message boards that you have botnets to sell is someone you want to clear off."

Not long afterwards, the pair came to the attention of investigators again, this time because of software bugs in rxbot, the package the two had appropriated and modified to build their bot empire. To keep the botnet growing, their zombie machines automatically looked for new machines on nearby networks to compromise. But as it turned out, their software was a little too aggressive.

[Image: mugshot of Jeanson James Ancheta]

"If it scanned its own subnet, it's possible it would keep going and scan out of its subnet, potentially scanning a DoD network," SoBe explained. According to court documents, that's exactly what happened. SoBe and Ancheta's software ended up infiltrating machines belonging to the China Lake Naval Air Facility, the Defense Information Security Agency and Sandia National Labs.
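The failure SoBe describes is a scope bug: the scanner walked address by address and had no notion of where its own subnet ended. The following is an added illustration written for this article, not code from rxbot or from the case file; it contrasts an unbounded address walk with one that respects a network boundary, and adds the scope filter an authorised assessment would apply before touching any target. The address ranges are the RFC 5737 documentation networks, chosen so the example stays inert.

```python
"""Scope guard for address enumeration (added example, not from the page).

Assumption: the operator holds an explicit list of authorised CIDR blocks.
The 192.0.2.0/24 and 192.0.3.0/24 ranges below are constructed sample values.
"""
import ipaddress
from typing import Iterable


def naive_walk(start: str, count: int) -> list[str]:
    """Unbounded walk: add 1 to the address `count` times with no boundary check.

    This is the bug class from the article: starting near the top of
    192.0.2.0/24 the walk continues straight into 192.0.3.0/24, a network the
    operator never intended to touch.
    """
    addr = ipaddress.ip_address(start)
    return [str(addr + i) for i in range(count)]


def bounded_walk(start: str, network: str, count: int) -> list[str]:
    """Walk that stops at the edge of the network the start address lives in."""
    net = ipaddress.ip_network(network, strict=False)
    addr = ipaddress.ip_address(start)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    out: list[str] = []
    for i in range(count):
        candidate = addr + i
        if candidate not in net:  # boundary reached: refuse to spill over
            break
        out.append(str(candidate))
    return out


def filter_in_scope(candidates: Iterable[str],
                    allowed: Iterable[str]) -> tuple[list[str], list[str]]:
    """Split candidate targets into (in_scope, out_of_scope) against allowed CIDRs.

    Anything in out_of_scope should be logged and dropped, never contacted.
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    inside: list[str] = []
    outside: list[str] = []
    for c in candidates:
        ip = ipaddress.ip_address(c)
        (inside if any(ip in n for n in nets) else outside).append(c)
    return inside, outside


if __name__ == "__main__":
    allowed = ["192.0.2.0/24"]  # constructed authorised range
    unbounded = naive_walk("192.0.2.250", 8)
    ok, spilled = filter_in_scope(unbounded, allowed)
    print("unbounded walk spilled into:", spilled)
    print("bounded walk:", bounded_walk("192.0.2.250", "192.0.2.0/24", 8))
```

Run as a script it shows the unbounded walk producing 192.0.3.0 and 192.0.3.1, which the scope filter rejects, while the bounded walk halts at 192.0.2.255. The same `filter_in_scope` check belongs in front of any tool that discovers targets dynamically, whether it derives them from a local interface, a hostfile or a neighbour table.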

"A lot of good evidence came from the military computers," McGuire said. "It was an excellent break in the case because it permitted us further analysis."

Douche Bags and Backdoors

For their part, SoBe and Ancheta didn't seem to grasp the severity of their error at the time. In August 2004, an associate warned Ancheta by IRC chat to be sure "to filter out shit though like .gov and .mils" when his malware sought new victims. But two months later, when SoBe told Ancheta "hey btw there are gov/mil on the box if you want to get rid of them," Ancheta responded "rofl," according to court documents.

Another big blunder was SoBe's decision to lease a server using his real name and address. The pair used such boxes to host web servers and an IRC daemon that each of their bots reported to. By changing the topic in the IRC channels, they could cause the zombies to connect to other servers under their control and install any software they happened to host there. SoBe said he used his real identity "since i still dont approve of fraud."

SoBe was also convinced that investigators were able to infiltrate his botnet through a secret backdoor that had been built into their IRC daemon. He had gotten the program from Jonathan Hall, a hacker who in 2004 was charged - but never convicted - in a separate botnet investigation dubbed Operation Cyberslam.

The "server was in my name and [investigators] had a backdoor to gain oper status thx to some douchebags not telling us about it," SoBe complained bitterly.

In an interview, Hall said he had viewed the source code for the daemon and had indeed spotted a backdoor. "It was plain as day," he said. The program was originally designed by Lee Graham Walker, another defendant in Operation Cyberslam, and over several years it went through multiple modifications, both by him and by others, who used it as a means to conduct secure communications over IRC.

Eventually, another hacker made additional changes to make it suitable for bot herding, but before she did, she "backdoored the hell out of" it, Hall said. As a result, anyone who knew about the secret feature could gain access by typing "/system foo foo," "/system bar bar," or any similar combination.

It remains unclear if the FBI ever learned of the backdoor and used it in their investigation. And ultimately, it probably doesn't matter: SoBe and Ancheta left tracks in enough places that they would almost certainly have been caught either way.

Next page: SoBe finds the seduction of exploit-writing too powerful to pass up
