Sunday, November 11, 2007

Botnet owner faces 60 years in prison and a $1.75 million fine

Until recently, botnet owners seemed to be able to trash people's systems without having to face very many consequences. And in a lot of instances, more than a system gets trashed when it is compromised by a botnet owner.

Friday, the Central California U.S. Attorney's office announced the prosecution of one of these botnet owners. Of interest, the botnet owner, John Schiefer admitted to compromising up to 250,000 computers with malware (malicious software).

In the first prosecution of its kind in the nation, a well-known member of the “botnet underground” was charged today with using “botnets” – armies of compromised computers – to steal the identities of victims across the country by extracting information from their personal computers and wiretapping their communications.

The criminal information and plea agreement filed this morning in United States District Court in Los Angeles outline a series of schemes in which Schiefer and several associates developed malicious computer code and distributed that code to vulnerable computers. Schiefer and the others used the illicitly installed code to assemble armies of up to 250,000 infected computers, which they used to engage in a variety of identity theft schemes. Schiefer also used the compromised computers to defraud a Dutch advertising company.

According to the press release, Schiefer and crew seemed to prefer harvesting eBay and PayPal information:

In his plea agreement, Schiefer acknowledged installing malicious computer code, or “malware,” that acted as a wiretap on compromised computers. Because the users of those compromised computers were unaware that their computers had been turned into “zombies,” they continued to use their computers to engage in commercial activities. Schiefer used the malware, which he called a “spybot,” to intercept electronic communications being sent over the Internet from those zombie computers to www.paypal.com and other websites. Once in possession of those intercepted communications, Schiefer and the others sifted through the data to mine usernames and passwords. With Paypal usernames and passwords, Schiefer and the others accessed bank accounts to make purchases without the consent of the true owners. Schiefer also acknowledged in the plea agreement that he transferred both the wiretapped communications and the stolen Paypal information to others. It is the first time in the nation that someone has been charged under the federal wiretap statute for conduct related to botnets.

It appears that the FBI's Cyber Division might have had something to do with catching Mr. Schiefer and crew.

In June, they announced a nationwide initiative against botnet owners called Operation Bot Roast.

Mr. Schiefer isn't mentioned in the release about Operation Bot Roast, but it appears that the FBI is starting to take this activity seriously and is making it more dangerous for botner owners to operate.

When Schiefer pleads guilty to all of this on November 28th, he will face a statutory maximum sentence of 60 years in federal prison and a fine of $1.75 million.

Full press release from the United States Attorney's Office Central District of California, here.

If you have been a victim of a botnet owner, who turned your computer into a zombie you can assist the FBI by reporting the matter at the Internet Crime Complaint Center.

They also have some information on how to avoid having your computer turned into a zombie, here.

6 comments:

Obbop said...

Odds are the foul vile putrid scum will receive an extremely mild sentence that does not deter others.

And, assuredly, a well-paying job awaits the scum in corporate America when released from the minimal sentence.

Rest assured the foul thing will not have to repay his many victims.

But, let a poor kid in the ghetto steal a candybar and the full weight and force of the elite-class-owned government and legal system will ensure that kid is marked for life and suffers horribly for his crime.

Anonymous said...

Obbop - Good point. This is why we need to speak up.....This dude deserves to burn at the stake!

kevin said...

Poor kids in the ghetto don't get charged with stealing candy bars.

mjc said...

"Mr. Schiefer isn't mentioned in the release about Operation Bot Roast, but it appears that the FBI is starting to take this activity seriously and is making it more dangerous for botner owners to operate."

s/botner/botnet/

Anonymous said...

I have to disagree with Obbop. I plead guilty to a hacking felony and this perception that the corporate world sees this as desirable is just silly.

I wasn't even the target. I was just one of the many employees that had to plead guilty and testify against the guy doing the hacking. If you know about the crime, even if you don't participate, you are considered to be part of the conspiracy.

But, you will surely be pleased to know, this has destroyed any possibility of returning to the corporate IT world. Believe it or not, companies don't want convicted hacking felons working in their IT departments.

Maybe one or two famous guys can get paid big bucks for talking at security seminars, but most of us need to choose new professions.

Obbop said...

"Poor kids in the ghetto don't get charged with stealing candy bars."

The voice of ignorance chock-full of knee-jerk rhetoric has spoken.

Or, offer proof of thine inane utterance.