I need the bots…I need the bots bad…I need them bots….
Federal indictments often make for fascinating reading material, and that was certainly true with last week’s indictment of Jeanson James Ancheta for operating a botnet that was estimated to be around 400,000 computers strong (though not all at the same time, as we find out). The lesson to be learned from reading it?
Fo’ Shizzle — dealing bots ain’t that different from dealing drugs
Some of the most amusing bits of the indictment concern Ancheta’s
online negotiations to rent out his bots to customers for use in denial
of service attacks, spam campaigns and for adware installs.
I’m especially fond of the IRC exchange with an “unindicted co-conspirator” who used the name “Daytona,” which reads…
“On or about August 9, 2004, during chats in IRC, Daytona asked Ancheta to sell Daytona additional bots, explaining ‘I need the bots bad…I need the bots…I need them bots…send asap.’”
Even if you were inclined to doubt the chorus of voices who have been saying that compromised computers have become big business, listening to “Daytona” beg for ‘em like a junkie looking for his OxyContin should convince you.
Bots = $$$
In fact, the Ancheta indictment shows how bots have become just another form of currency in the computer underworld. Ancheta sells a few hundred (around 600, actually) to Daytona, who peels a few off for his buddy “MLG,” another customer of Ancheta’s. Later, on August 10, 2004, we learn that Ancheta gave 250 bots to Daytona, who kept 150 of them as payment from MLG for brokering the sale. Remember, these are compromised computers we’re talking about — this could be access to _your_ computer that’s being traded.
Adware…It’s easy like cheese!
The other thing reading Ancheta’s indictment shows you, as if you
didn’t already know it, is that adware/spyware is big business and very
lucrative for bot herders like Ancheta.
This guy starts out renting out his Rxbot network to do some DDoS attacks and spamming, and selling off bits and pieces of it to interested customers who stop by his IRC channel/storefront #botz4sale (see — these guys are stealthy). He makes good money — $400 here, $400 there. But it doesn’t really compare to what he makes as an “affiliate” just by infecting and reinfecting his bots with adware from companies like 180 Solutions and, especially, Gammacash. According to the indictment, he’s getting paid for around 1,000 installs a day and banking checks left and right — $3,970.91 from Gammacash on Nov. 5, 2004, then another $4,044.26 from them on Nov. 19. Dang!
“It’s easy like slicing cheese,” Ancheta says at one point in an AIM chat with a customer who uses the handle “SoBe”. SoBe’s response? “I just hope this lc [LOUDCash] stuff lasts a while so I don’t have to get a job right away.”
Yeah. Count on it.
Hosting companies…hmmm…
The indictment doesn’t paint a pretty picture of the Internet hosting companies that allow creeps like Ancheta to set up the IRC servers that are the heart and brains of the botnets. The indictment from the U.S. Attorney is full of references to hosting companies like EasyDedicated, FDCServers, The Planet and Sago Networks. These shops allowed Ancheta to control his botnets and, in the event they blew the whistle on his botnets, he simply told them he wasn’t aware of the activity and shut down the offending botnet channel (shifting it to another server in the meantime). Admittedly, there’s not much hosting companies can do to keep botnets from hopping around the Internet, but enforcement of anti-botnet policies would appear to be lax — especially with folks like Ancheta sending checks off to the companies for access to the servers.
–pfr