When federal agents announced on November 29 that they'd indicted or convicted eight individuals accused of using botnets (networks of computers infected with Trojan horse applications) to engage in criminal activity, the press release barely explained the nature and extent of the men's crimes -- or the investigations that led to arrests in an operation the FBI and other law enforcement agencies have termed Bot Roast II.
When InfoWorld decided to dig a little deeper, we found that the motivations of each perpetrator were far richer, and the nature of the crimes more complex, than a simple rundown of their rap sheets could express.
In fact, the eight Bot Roast II criminals committed a broad range of online crimes, which together make up a representative sample of motives and patterns common to these kinds of crimes. The following story is our attempt to profile the people behind the crimes.
The Perp: Adam Sweaney Pleaded guilty to: felony fraud and computer crimes, Plea date: September 24, 2007
Sweaney, a 27-year-old computer technician from Tacoma, Wash., seems to have started out on the side of the good guys. In Internet postings to the Yahoo Answers message board, a man who signed his messages "Adam Sweaney, Tacoma PC Repair" appeared to help computer users with their problems relating to worms and malware. But at some point, Sweaney switched allegiances to the Dark Side. From as early as May 2006 and for nearly a year, Sweaney was infecting PCs with Trojan horses that built a botnet he later used to transmit spam messages on behalf of others.
Court papers filed by the USAttorney prosecuting the case say that Sweaney's goal was to earn money by leasing out access to the botnet (which he called "proxies"), a common business practice for bot-herders. He advertised his proxies on message boards where spammers and bot-herders made business deals, boasting of his spamming prowess with posts such as "last month sents 50 million gi domains, delivery 87% price US$500.00 Also still have full FTP server setup with lots of data ... plus updated last weekend with some fresh files/shyt." For just US$500, you could hire Sweaney to send 50 million spams, 87 percent of which were guaranteed to make it to live e-mail accounts.
In July, 2006, an FBI undercover agent contacted Sweaney posing as a spammer interested in his offerings. Sweaney gave the agent free access to the botnet for 20 minutes, then engaged the agent in a discussion of what services were available, including a list of 18 million Hotmail e-mail addresses he was selling for US$10 for each million addresses. The agent bought those addresses, as well as 14 million Yahoo addresses, and access to the botnet for a period of two weeks. In the course of the investigation, the FBI discovered that one of the bot-infected computers belonged to the Justice Department's Antitrust Division in Washington, DC.
The Perp: Gregory King Indicted for: four counts of "transmission of code to cause damage to a protected computer", Indictment date: Sept. 27, 2007
Among the people happy to hear about Greg King's indictment were the operators of two Web sites, Killanet and Castlecops, which King repeatedly attacked using his botnet. The latter site, a clearinghouse for information about malware, botnets, and spammers, was subjected to a massive distributed denial-of-service attack in February 2007. But let's not get ahead of ourselves.
The owners of the Web sites that the 21-year-old King harassed alleged in court filings that he engaged in a campaign of harassment, intimidation, threats, and finally massive DDoS attacks. Using the online monikers Silenz and GregK to taunt his victims in brazen online posts of threats and links to porn sites in IRC chat channels and message boards, he launched repeated attacks on Killanet, a Web site aimed at children and teenagers, dating back to June 2004 and continuing through October 2006. According to published news reports, King's motivation was revenge for perceived slights.
King had no interest in subtlety or in masking where his attacks originated from, and reportedly even dropped hints as to his real-life identity. He controlled his botnet from his parents' home in Fairfield, Calif., as well as from a nearby library, a McDonalds, and from a Best Buy store near his home.
In February 2007, King used his botnet to DDoS the servers used by Castlecops for five continuous days. The motivation for the attack: Castlecops moderators had deleted or modified some of King's more vitriolic posts to the message board. "If you edit my post once more, you will be sorry," King wrote in a post on February 13th. Four minutes later he was banned from the message board. That night, King launched his attack.