By Kim S. Nash | Posted 2006-04-06
In moments, hackers with bot code can break into vulnerable computers, turn them into zombies, steal information and spread the infection. While you scramble to secure your network, and the vital data on it, botmasters sell access to your hacked machines.
Catch Me If You Can
Catching a botmaster takes time, even one brazen enough to advertise his bot products on Internet Relay Chat channels and talk openly with prospective customers. In the Ancheta case, the FBI had been watching Ancheta for at least four months before the first time they raided his base of operation.
At 6 a.m. on Dec. 10, 2004, 10 FBI agents, armed with guns and a search warrant, converged on a small one-story house in Downey, Calif., where Ancheta operated. The yard was well kept, one of the nicest on the street. Sometimes a child's tea set sat in the front window. But agents always worry about what surprises they might find inside. Standard procedure for the FBI means that many agents go along to execute a warrant, says the FBI's McGuire, who was at the house that day. "We want to make sure we have sufficient numbers for those crazy enough to think that violence is a way to get out," he says.
But there was no violence when the FBI knocked on Ancheta's door. He was home with his mother and 7-year-old sister, who was getting ready for school.
By this time, Ancheta had attracted so much attention that several sources—people who quietly help the FBI watch for crime on the Internet—reported him, according to McGuire, who heads the cybercrime squad in Los Angeles.
Still, even cavalier botmasters can outrun law enforcement for several months. And that's what Ancheta had done. He changed Internet service providers, e-mail addresses, instant messaging handles, domain names and IRC channels, making it harder to piece together his activities.
In the four months it took the FBI to assemble their evidence and get their search warrant, Ancheta's armies attacked thousands more computers—and the FBI didn't even know yet about Ancheta's adware business. In just five weeks, from Nov. 1 to Dec. 7, the government estimates that Ancheta's botnets installed adware on 35,719 PCs without their owners' permission.
But over the second half of 2004, the FBI built its case. On Aug. 31, Ancheta sold 2,000 bots to an undercover FBI agent and assured him they were strong enough to conduct a synflood attack. The agent told Ancheta he wanted to "drop [the] site" of a business competitor, according to the government's indictment.
The agent talked with Ancheta over AOL Instant Messenger throughout the month of August, approaching him as three different people. With each persona, Ancheta discussed sales of bots that could send spam and conduct denial-of-service attacks. When the agent agreed to buy the bots, transferred money through PayPal, and received a file so his IRC channel could accept the bots when Ancheta directed them there, the FBI recorded a Camtasia video (a series of screen shots) of the bots rallying to the channel. They recorded Ancheta's voice when he spoke to the agent on the phone, and corroborated his identity by getting him to acknowledge online where he lived and then matching that to his subscriber information in logs from his Internet service providers.
According to McGuire, when the FBI showed up at his house, Ancheta was cooperative and polite. Agents seized his computers and other items and told him he was "way into felony territory." The FBI did not arrest him then because they wanted more evidence. But Ancheta gave agents a statement acknowledging that he sold botnets, McGuire adds, and said he would get a lawyer after the FBI presented its case to the U.S. Attorney's Office.
The agents took Ancheta's computers and other seized items back to FBI offices to examine. It was not until then that they discovered he was using botnets to install adware on captive PCs.
Around the same time, the FBI received a report from the China Lake Naval Air Weapons Station, saying it had been attacked by a botnet. China Lake did not return calls seeking comment. But McGuire says agents started comparing evidence from Ancheta's computers with information from the Naval Criminal Investigative Service, and found programs and Internet Protocol addresses that matched.
And less than a month later, the FBI's sources told the agency that Ancheta was back in business. The agents working the case were stunned. "We couldn't believe he went out and did it," McGuire says. "We told him it was illegal. We thought we had somebody who acknowledged what he'd done was wrong and stopped."
"[This case] was like having a snag in a jacket where you pull a thread and it keeps unraveling," says prosecutor James Aquilina, assistant U.S. Attorney in Los Angeles.
McGuire believes Ancheta resumed business because he couldn't walk away from the money. He'd bought a BMW, a 1993 325is, for which he claimed to pay $6,000 in cash, according to postings on Bimmerwerkz.com, a forum for BMW enthusiasts where he sought advice and posted pictures of his car. He also talked about muscling up his car with chrome rims, tail lights and other special accessories that one BMW expert estimates cost $7,000.
In any event, Jan. 9, 2005, was a busy day for the FBI. Computers at Northwest Hospital in Seattle were attacked by a botnet, and although it was not one of Ancheta's, it exploited the same Windows LSASS bug that had been used against Auburn four months earlier, according to an affidavit filed in federal court in Seattle against 20-year-old Christopher Maxwell. He's pleaded not guilty. His lawyer, Steven Bauer, did not return calls seeking comment.
On that same day, Ancheta's botnets were found invading computers at the Defense Information Systems Agency in Arlington, Va. "Multiple machines in their network were infected, called out to IRC and were directed to pick up adware or for other nefarious purposes," Aquilina says.
But the FBI now had a laser focus on botnets, and Ancheta's days as a free man were numbered. As he and SoBe managed their bots to avoid attention from the FBI, the adware vendors and other botmasters—redirecting bots among different IRC channels, according to the plea agreement, so they weren't always in one place, or varying how fast they downloaded adware to imitate normal Internet traffic—the bureau prepared for more search warrants.
Over the next 4 1/2 months, the FBI again analyzed evidence. For example, when Special Agent Cameron Malin reverse-engineered code from one of Ancheta's bots, he found an affiliate ID number from GammaCash, an adware company in Quebec. It matched the account number on a pay stub and a check made out to Ancheta from GammaCash, for $2,352.66, that agents had taken from his mother's house. Every time one of Ancheta's botnets infected a PC and installed adware, GammaCash was crediting Ancheta's account. GammaCash did not return calls seeking comment.
On Thursday, May 26, 2005, at 6 a.m. Pacific time, teams of FBI agents showed up on Ancheta's mother's doorstep in Downey one more time, and at SoBe's house in Boca Raton, and at Sago Networks, an ISP headquartered in Tampa whose servers the government says were the source of Ancheta's attacks on the Department of Defense—all at the same moment. They seized computers at all three places. Sago declined to comment about the case other than to say that it fully cooperates with law enforcement.
With that second raid, the FBI believed Ancheta and SoBe were out of the bot game, McGuire says. Their computers, ISP and server hosting infrastructure were unavailable, and their bots had nowhere to rally, although the checks from the adware companies rolled in until August, according to Aquilina.
Ancheta, however, was not arrested until Nov. 3. Aquilina and Malin were suddenly asked to help with another high priority case, an investigation in which lives were threatened. And the government had to review evidence, study the offending code, line up experts to testify and prepare for prosecution. "We did not want to make a false step," McGuire says. "We had to make sure we had all our ducks in a row."
On the morning of Jan. 23, 2006, Ancheta was led into a federal courtroom in Los Angeles. He wore the baggy green outfit of an inmate, because he had been held at a maximum-security detention center downtown since his arrest in November. With family in the Philippines, Ancheta was considered a flight risk. The average age of prisoners at the facility is 37, and their crimes include drug trafficking and murder. But prosecutor Aquilina says he and Ancheta's lawyer, federal public defender Greg Wesley, agreed to put Ancheta in the detention center instead of the county jail, partly to ensure his safety and partly because Wesley needed him nearby so they could discuss the complex case.
Ancheta pleaded guilty to two counts of fraud and two counts of computer crime, including attacking China Lake. He faces up to 25 years in prison.
Neither the U.S. Attorney's Office nor the FBI will comment on SoBe.
In the courtroom, according to a transcript, Judge R. Gary Klausner asked Ancheta whether he understood each charge and what he would give up if he pleaded guilty—not just the right to a trial, but the right to vote, serve on a jury, own a gun.
"Yes, Your Honor," he responded. "Totally."
Ancheta was returned to the prison to wait for his May sentencing. Only his lawyer and immediate family may visit.