In the first case of its kind in the U.S., federal authorities Thursday arrested a California man and charged him with accumulating a botnet of more than 400,000 machines, including some owned by the Department of Defense, then renting out the purloined PCs or using them himself to pocket tens of thousands in fees from adware vendors.
Jeanson James Ancheta, 20, of Downey, Calif., was arrested by the FBI and charged in a 17-count indictment of, among other things, conspiracy, damaging federal government computers, and illegally accessing PCs to commit fraud and money laundering, said U.S. Attorney Debra Wong Yang's office in Los Angeles in a statement.
In the 52-page indictment, Ancheta was said to have used a customized version of the " rxbot" bot worm to infect as many as 400,000 computers, rented out access to the botnet to others, and illegally installed adware on the compromised computers that generated thousands each month in affiliate fees from online advertisers and marketing firms.
Ancheta's arrest is the first in the United States of a botnet operator, although botnet creators have been pinched in the past elsewhere. A threesome in the Netherlands, for instance, was arrested a month ago for creating and using a botnet nearly four times larger than Ancheta's. Thursday, U.S. adware firm 180solutions acknowledged that the Dutchmen had tried to cash in on affiliate fees by surreptitiously installing its software on the botnet-controlled PCs.
Ancheta also had a connection, although tenuous, to 180solutions.
The indictment alleges that he used his botnet to install adware from Quebec-based, adult entertainment-oriented Gammacash and CDT, Inc., another Canadian adware vendor which ran an affiliate program called LOUDcash. In March 2005, 180solutions acquired CDT; LOUDcash is now called ZangoCash Canada.
But Sean Sundwall, 180solutions' director of marketing, denied that Ancheta's activities were directly related to the Seattle-based adware company.
"All of this went on prior to our acquisition of CDT," Sundwall said. "Ancheta has never received a check from 180solutions."
According to Sundwall, CDT shut off Ancheta's LOUDcash tap in January of this year when it finally notice the large number of installations he was being credited with.
Ancheta boasted about the ease with which adware firms could be hoodwinked, the government's indictment said. In an instant message conversation with an unnamed (and unindicted) co-conspirator living in Florida, Ancheta said "it's easy like slicing cheese." Replied the co-conspirator, named only as "SoBe" in the indictment, "I just hope this lc [LOUDcash] stuff lasts a while so I don't have to get a job right away."
Authorities allege that Ancheta received frequent payments from the adware suppliers via check or through PayPal; the biggest check was for nearly $8,000. The bulk of his illegal earnings came from Gammacash.
"My spending average is $600 a week, every friday [sic] I buy new clothes and every week I buy new parts for my car," Ancheta allegedly wrote SoBe in another AIM message.
Ancheta also is charged with another conspiracy that involved selling access to his botnet and/or selling the customized rxbot worm to other hackers who wanted to expand their own bot networks. Payments for such "rentals," however, were miniscule in comparison with the money made by dropping adware on infected PCs. In one incident outlined in the indictment, Ancheta was said to have sold access to 10,000 machines for $400 to a woman who wanted to use them as spam proxies.
Among the machines in Ancheta's botnet were PCs at the Weapons Division of the Naval Air Warfare Center in China Lake, Calif., and computers that belonged to the Defense Information Systems Agency, which is part of the Department of Defense.
If convicted, Ancheta faces up to 50 years in prison.
The government's indictment, which is in PDF format, can be read or downloaded from http://www.usdoj.gov/usao/cac/pr2005/Botnet_Indictment.pdf.