True crime: The botnet barons


Two weeks ago, the feds revealed the names of eight people who had used botnets to engage in nefarious activity. Here are their stories

In a news post on dated May 22, 2004, a message written by the operators of IRCHighway, a rival IRC network, said in part "we have acquired quite solid proofs that the group of individuals that is conducting these activities is at least partly composed of top ranking Rizon Network staff members, including pdi and, Rizon's CEO, Nessun."

Downey's reply to that post implied that, while he was sorry for the trouble, he was unable to police the 35,000 users of his network. At the time, he wrote "yes I do own about 30 domains whois them all you wish but that does not mean that 1 I control 100% of everything on them and 2 that a whois of them doesn't prove I DOSed anything."

But the US Attorney prosecuting the case thought otherwise, alleging in court filings that Downey was personally responsible for the attacks that originated from a botnet of roughly 6,000 infected computers he controlled over his network.

The Perp: Ryan Brett Goldstein
Indicted for: Conspiring to spread a malicious botnet, causing damage to a university server
Indictment date: November 1, 2007

As in the case of Greg King, Ryan Goldstein may have been motivated by a desire for revenge when he collaborated with a notorious creator of botnet software, with whom he helped spread the network to the Penn State campus where Goldstein is a bioengineering major.

Goldstein, who used the online nickname Digerati, allegedly worked with an 18-year-old New Zealand man known only by his online nickname, AKILL, throughout the first half of 2006 to spread AKILL's bots to computers throughout the Penn State campus. The FBI was alerted to the issue when a computer server on campus crashed and agents were called in to analyze the server, which had been turned into a command and control device for a 50,000-strong botnet.

When an IRC group named Taunet to which Goldstein belonged banned him, he decided to take his revenge on the IRC networks where the group was based, and on a Web server. According to court documents, Goldstein wrote to AKILL "i can get you some good private stuff, i can also pay you to take taunet down," and offered login credentials to university computers in exchange for AKILL's assistance. After the botnet crashed the university server, Goldstein contacted AKILL again, saying "i want taunet taken down, they are starting to annoy me again ... they must stay down for at least a week or so."

Goldstein could not foresee that AKILL would cooperate with police in his New Zealand hometown of Waikato when they came with search warrants and seized his computers.

The Perp: John Schiefer
Pled guilty to: four counts of felony computer fraud crimes
Plea date: November 8, 2007

One of the most notorious of the bot-herders nabbed in Bot Roast II, former computer security analyst John Schiefer, known as acidstorm, faces a maximum prison sentence of 60 years and a US$1.75 million fine for operating a botnet of around 250,000 infected computers, installing password-sniffing software on roughly half of them, and then using stolen PayPal credentials to pay for hosting and other resources to help spread his botnet.

Schiefer, now 26, initially used both his home and office computer networks to spread the bots to vulnerable users of instant messaging programs. After victims clicked a link in a message, they became infected. He then used the botnet to foist an adware program from a Dutch company called TopConverting onto the computers of victims, earning 20 cents for each installation. According to the plea agreement, Schiefer admits that he earned more than US$19,000 from TopConverting in about two months.

At the same time, Schiefer installed software onto the victims' computers, which scanned their Web traffic for sensitive user names and passwords -- specifically for PayPal and other financial Web sites -- and used that stolen information to pay for domain registrations and Web server space. Another piece of malware spread by the botnet to the victims, psniffer, could pull saved passwords from the Windows Protected Store, a location where the Internet Explorer browser collects passwords that users choose to save for later use, and send that information onward to him.
