, The Register 2007-11-11
An American computer security consultant on Friday admitted to using massive botnets to illegally install software on at least 250,000 machines and steal the online banking identities of Windows users by eavesdropping on them while they made financial transactions.
John Kenneth Schiefer, 26, of Los Angeles, pleaded guilty to four felonies, including accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud and bank fraud. He faces a maximum sentence of 60 years in federal prison and a fine of $1.75m, according to documents filed Friday in federal court.
Schiefer, who went by names such as "Acid" and "Acidstorm," has long been a fixture in underground hacking circles. He sometimes adorned his instant message handles with phrases such as "remember the name or feel the pain" and "crime pays, and it also has an excellent benefits package." He was employed at a Los Angeles-based security firm known as 3G Communications, where he sometimes carried out his crimes, according to court documents.
The plea agreement caps an investigation involving the FBI that began in 2005, said Assistant US Attorney Mark Krause. He declined to say if charges would be filed against several conspirators mentioned in court documents, who went by names including "revolt," "Harr0," "butthead," "pr1me" and "dynamic". The case is the first time a crime related to botnets has been charged under U.S. wiretap statutes. Earlier this year, another security researcher, Max Ray "Max Vision" Butler, was charged with allegedly running an identity theft ring.
Schiefer, referred questions to his attorney, who was out of town and didn't immediately return a phone call.
According to prosecutors, Schiefer and several accomplices developed malware they dubbed "spybot" that was used to compromise vulnerable Windows machines and make them part of a botnet. They controlled the zombies using servers from various hosting companies, herding as many as 250,000 machines at a time. Schiefer controlled the machines using computers at his home and place of employment.
The malware contained a sniffing feature that siphoned PayPal credentials from the protected store -- a section of Windows that stores passwords that users have opted to save. Although Pstore, as the Windows feature is often called, encrypts the information before storing it, Schiefer's malware was able to read it, presumably by escalating its Windows privileges.
"Once in possession of those intercepted communications, defendant and co-schemers known and unknown would sift through the data to obtain PayPal information, namely usernames and passwords, as well as usernames and passwords for other online accounts," according to a plea agreement that was jointly prepared by prosecutors and defense attorneys.
At one point, a conspirator who went by the name "Adam" expressed concern about a plan to steal money using the malware. Schiefer responded by reminding Adam he was not yet 18 years old. "Quit being a bitch and claim it", Schiefer said, according to the plea agreement.
Schiefer often used the PayPal and bank account information he appropriated to transfer money out of victims' accounts. On one occasion, in December 2005, he moved money out of a Suffolk National Bank account to buy undisclosed domain names from a registrar by the name of Dynadot. Additionally, Schiefer sold appropriated information to others, according to prosecutors.
Schiefer also used the botnet to collect more than $19,000 in commissions from a Dutch company called Simpel Internet for installing its adware on end users' machines without their permission. In June 2005 he made more than $14,000 by surreptitiously installing the software on more than 110,000 machines. The next month, he made more than $4,700. Schiefer took pains to conceal the scheme from people at Simpel. Among other things, he directed accomplices to throttle the number of installations, so they would appear to be legitimate.
In agreeing to plead guilty, Schiefer pledged to pay restitution of $19,128.35, the full amount he made in affiliate fees. While he almost certainly won't get anything close to 60 years, his sentence could still be substantial, judging from penalties meted out in the past. In May 2006, Jeanson James Ancheta was sentenced to five years in federal prison after pleading guilty to four felony botnet charges in the same court. There is no time off for good behavior in the federal system.
Schiefer is scheduled to make an initial appearance in federal court in Los Angeles on November 28. His arraignment is slated for December 3.
If you have tips or insights on this topic, please contact SecurityFocus.