Botnets are big business—at least according to authorities who announced the first U.S. case against an alleged computer hacker, who authorities believe netted $60,000 in cash and a BMW from a personal army of zombie computers.
Federal authorities arrested a 20-year-old California man Thursday and charged him with running a network of 400,000 compromised computers called a “botnet,” including computers used by the U.S. government for national defense.
Jeanson James Ancheta, of Downey, Calif., was arrested by FBI agents Thursday morning and charged with spreading a Trojan horse program, called “rxbot,” and using it to build a network of around 400,000 infected computers.
He is also charged with illegally uploading advertising software (“adware”) onto compromised systems.
Among Anchetas alleged victims were computers at the Weapons Division of the U.S. Naval Air Warfare Center, and machines belonging to the U.S. Department of Defenses Defense Information Systems Agency, according to a statement from Debra Wong Yang, U.S. Attorney for the Central District of California.
Huge networks of compromised computers, known as “bots,” have become a pressing problem in recent months.
Security company Symantec Corp. said that its researchers identified an average of 10,352 bots a day in the first half of 2005, compared to around 5,000 a day in December 2004, according to the companys most recent Internet Threat Report.
The arrest in California follows a similar crackdown in the Netherlands that netted individuals believed to control a network of 1.5 million infected computers worldwide.
It is the first known prosecution of a botnet operator in the United States, according to the statement.
Ancheta is alleged to have modified and distributed a Trojan horse program called rxbot.
Once the Trojan was installed on victims computers, he allegedly used IRC (Internet Relay Chat) to communicate and control the systems, even advertising use of the botnets for DoS (denial of service) attacks and spam.
Symantec believes that the increase in bot networks is directly related to an increase in DoS attacks and online extortion attempts, the company reported.
Ancheta was also a member of affiliate networks used by unnamed “advertising service companies,” who paid him around $60,000 to install their advertising software on the machines he controlled, the statement alleges.
Ancheta allegedly distributed software for Gammacash, of Quebec, and LoudCash, part of CDT of Montreal, which was purchased by 180 Solutions Inc. in April.
Ancheta was paid for distributing 180search Assistant until January, but payments from 180 accounted for less than 10 percent of the $60,000 he was reported to make off improper installations of the adware, according to 180 Solutions spokesman Sean Sundwall.
The majority of Anchetas cash came from his affiliation with Gammacash, the adware company that runs the toolbarcash.com, gammacash.com and xxxtoolbar.com Web sites. At the height of Anchetas activities, in January and February 2005, payments from Gammacash totaled over $6,000 a month, as Ancheta directed tens of thousands of infected machines to servers from which Gammacashs adware was silently installed on the compromised systems, the U.S. Attorneys office said.
The case was investigated by the FBI as well as the Naval Criminal Investigative Service and Defense Criminal Investigative Service.
Authorities are charging Ancheta with 17 counts, including conspiracy, transmission of code to a protected computer, to a government computer, and multiple counts of fraud and money laundering.
Authorities are also seeking more than $60,000 in cash and a BMW automobile that they allege are illicit gains from the botnet activity.
Editors Note: This story was updated to include more information about the case.