Jeanson James Ancheta, 20, of Downey, California, was arrested
on Thursday morning by FBI special agents, in what is apparently
the first time that someone has been charged in connection with
selling access to botnets.
He has been charged with, among other things, attempting to
cause damage to protected computers, causing damage to computers
used by the federal government in national defence, accessing
protected computers without authorisation to commit fraud, and
money laundering.
The 17-count indictment alleges that Ancheta wrote malicious
computer code, spread that code to assemble armies of infected
computers, and sold access to the infected computers for the
purpose of launching distributed denial of service (DDoS) attacks
or sending spam.
Ancheta also allegedly used the botnets to generate income from
the surreptitious installation of adware on the infected
computers.
The first conspiracy alleged in the indictment accuses Ancheta of
modifying and disseminating the Trojan horse program "rxbot," which
allowed him to create botnets, each with thousands of
internet-connected computers reporting to an Internet Relay Chat
(IRC) channel that Ancheta controlled.
In a separate IRC channel, Ancheta advertised the sale of his
botnets to those interested in launching DDoS attacks or
distributing spam without detection.
After receiving payment from customers, according to the
indictment, Ancheta would give customers control of enough botnets
to accomplish their specified task. Ancheta would also provide an
instruction manual that included the commands needed to instruct
the botnets to launch DDoS attacks or send spam. The manual would
include the malicious code that would allow the botnets to spread
or propagate.
As part of his fee, Ancheta allegedly set up and tested the
purchased botnet to ensure that the DDoS attacks or spamming could
be successfully carried out.
The second conspiracy outlined in the indictment alleges that
Ancheta caused adware to be downloaded onto the infected computers
that were part of his botnet armies. To do this, Ancheta allegedly
directed the compromised computers to other computer servers he
controlled where adware he had modified would surreptitiously
install onto the infected computers.
In addition, Ancheta had become an affiliate of several different
advertising service companies, and those companies paid him a
commission based upon the number of installations, according to the
indictment.
To avoid detection by network administrators, security analysts
and law enforcement, Ancheta would vary the download times and
rates of the adware installations. According to prosecutors, when
companies hosting Ancheta's adware servers discovered the malicious
activity, Ancheta would redirect his botnet armies to a different
server he controlled to pick up adware.
In addition, to generate the roughly $60,000 he received in
advertising affiliate proceeds, Ancheta apparently caused the
surreptitious installation of adware on approximately 400,000
compromised computers. Ancheta used the advertising affiliate
proceeds he earned to pay for, among other things, the multiple
servers used to conduct his schemes.
According to prosecutors, Ancheta used programs powerful enough to
cause the infection of computers at the Weapons Division of the
United States Naval Air Warfare Center in China Lake, as well as
computers belonging to the Defense Information Systems Agency, a
component of the United States Department of Defense.
Both networks are used exclusively by the federal government in
furtherance of national defence.
Ancheta is charged with two counts of conspiracy, two counts of
attempted transmission of code to a protected computer, two counts
of transmission of code to a government computer, five counts of
accessing a protected computer to commit fraud and five counts of
money laundering.
If convicted of all charges in the indictment, Ancheta faces a
maximum sentence of 50 years in prison.