Texas Man Pleads Guilty To Building Botnet-For-Hire
Julie188 writes "A Mesquite, Texas, man is set to plead guilty to training his 22,000-PC botnet on a local ISP — just to show off its firepower to a potential customer. David Anthony Edwards will plead guilty to charges that he and another man, Thomas James Frederick Smith, built a custom botnet, called Nettick, which they then tried to sell to cybercriminals at the rate of US$0.15 per infected computer, according to court documents."
Counts (Score:4, Funny)
I hope they get charged with 1 count per infected PC - and screw concurrent sentencing.
Re: (Score:2)
Why not Goldman-Sachs? If that can get the fuckers thrown in jail, I'm all for it!
Re: (Score:2)
Because being Goldman-Sachs guarantees a slap on the wrist? They have a nearly endless supply of lesser management pawns to absorb all blame and they make significantly more money being crooked than any fine might cost them.
It's like fining a company 20 000 for dumping toxic waste that would have cost them 100 000 to get rid of legally.
Re:Counts (Score:4, Interesting)
They have a nearly endless supply of lesser management pawns to absorb all blame
Ooooh, that brings to mind a phrase which, if it hasn't been coined, should be.
"Ablative management": The layers and layers of expendable mid-level cannon fodder with enough responsibility to absorb blame, enough purported independence to support plausible deniability for their superiors, and enough commodity interchangeability to be easily and cheaply ejected and replaced. Used to shield the precious core of Board Members, CxOs, Senior VPs from PR or legal flamage.
Re: (Score:2)
Yeah, this is interesting. I really haven't heard of it happening too many times, but going after the clients, at least those in the US, is a great idea.
Re: (Score:2, Interesting)
"Both men face a maximum of five years in prison and a $250,000 fine on one count of conspiring to cause damage to a protected computer and to commit fraud."
Too bad there weren't some PCs compromised in Maricopa County Arizona. If so they should be sent over to that Sheriff Joe Arpaio and be on the chain gang for the whole 5 years. Yes I know it's voluntary (last I heard), but have a special one for some offenders. Or better yet have other states grow a backbone and have chain gangs set up in northern co
Re:Counts (Score:5, Insightful)
So the one count they're charged with is for invading a corporate computer. And the thousands of individual citizens' PCs they compromised are ignored. Somehow, I'm not surprised.
Re: (Score:3, Interesting)
It's actually a little ironic. I used to know some botnet herders (around 10-11 years ago) who didn't use their bots for malicious purposes at all, or very seldom at least. They would actively scan PCs and patch holes - sometimes by downloading Windows updates - and remove competing botnets and viruses. A lot of it tended to be automated, but some of it was genuinely manual labor.
It wasn't their main attraction of course, but the net gain was (sometimes) an overall benefit. A few of the better trojans (Ag
Re: (Score:3, Insightful)
So the one count they're charged with is for invading a corporate computer. And the thousands of individual citizens' PCs they compromised are ignored. Somehow, I'm not surprised.
I don't think it's as clear cut as that. It's much easier to get evidence of 5,000 infections from a handful of sysadmins saying "We spent X hours cleaning up Y PCs as a result of this particular piece of malware" than it is to get 5,000 individuals to.
Re: (Score:2)
So the one count they're charged with is for invading a corporate computer. And the thousands of individual citizens' PCs they compromised are ignored. Somehow, I'm not surprised.
Which one is easier to gather evidence from?
Re:Counts (Score:5, Informative)
It's not exactly rocket science for either of them. For the target, you need to look at logs. For the zombies, you need to look for the bot software. Hell, if they've cracked the control software for the bot network (which it sounds like they have), it's a hell of a lot easier to gather evidence for the zombies.
Re: (Score:2)
So the one count they're charged with is for invading a corporate computer. And the thousands of individual citizens' PCs they compromised are ignored. Somehow, I'm not surprised.
Umm. Because the home PCs could be anywhere on Earth and they don't have resources to track them down, contact the owners, get them to file complaints and pursue 22,000 individual minor hacking claims?
Re: (Score:1)
I'm all for the chain gangs patching the roads. It takes 3 state/county supervisors to watch 5 state/road crew workers screw off here. Nothing ever gets done. Private contractors work the city so only traffic watch them screw off. If we gotta feed and house these prisoners and it costs more in taxes all the time, then we need some work out of them.
Re: (Score:1)
Good idea! Unions have raised the costs of goods and services for everyone more than any Democratic tax hike I can recall. Convict powered road repair could underbid them all. A fleet of shovels can cost less than 1 road grader to operate. It's a green solution too.
Re:Counts (Score:4, Interesting)
Or better yet have other states grow a backbone and have chain gangs set up in northern cold states in the US patching pot holes!!
Fairfax chain gangs fill gaps for cash-strapped DOT
By Derek Kravitz
Washington Post Staff Writer
Monday, April 26, 2010
The vest-wearing, lawn-mower-pushing members of Fairfax County's modern chain gang don't look like jail inmates. Well-disciplined landscapers, yes. Orderly weed-whackers, perhaps. But not convicts. There are no chains, no handcuffs, no black-and-white striped jumpsuits. Just a handful of suntanned men wearing uniforms.
But take a closer look, and you'll see the tell-tale signs that these aren't your normal grass cutters -- the faded gang tattoos, the jail-issued plastic ID bracelets, the armed sheriff's deputy patrolling nearby. Still, confusion is inevitable. "We get a lot of people asking us for business cards, and we have to point to our sheriff's office logo and say, 'Sorry,' " said Sheriff's Deputy Michael Pence, as he watched a handful of inmates mow grass on a recent Friday near a county office building in McLean.
Re:Counts (Score:5, Interesting)
22000 machines, if each one got the mission done, there will be 22000 infected machines. If the guy is sentenced for 1 day each, he will be away for over 60 years.
Re: (Score:2)
It apparently was a proof of concept only; limited (for whatever reason) to a single ISP. No reason why he shouldn't be able to scale up the operation to millions of infected computers.
Re:Counts (Score:4, Informative)
You misunderstood. He used the botnet to attack one ISP, the PCs could be anywhere.
Re: (Score:1)
OK, give me a break, I spotted the typo after I had hit the "submit" button...
Re: (Score:3, Insightful)
"screw concurrent sentencing."
Concurrent sentencing is actually "sentence nullification" and should be banned.
Re: (Score:3, Informative)
Concurrent sentencing prevents sending you to jail for 300 years for parking tickets.
Re: (Score:2)
I disagree, the number of individual crimes that proof can be found for IMO has little bearing on the appropriate sentence. Does it really matter whether the cops happen to find ten of a burglar's burglaries or just a couple?
Plus there is the issue of where someone commits one act but that act happens to fit the definition of multiple crimes.
Plus it saves the system a lot of resources because the criminal is unlikely to appeal and will often ask for further crimes the police didn't know about to be taken in
Re: (Score:2)
It's hilarious to see how incompetent some of them are on the black hat forums.
"How to install? The instructions don't say." (standard-issue PHP web app that even has a handy "install wizard")
"OK I installed the botnet controller, now how do I infect PCs?"
"how do i use this to make many?"
$3300.00 (Score:5, Funny)
At just .15 per bot, this confirms that the economic downturn has affected the bot trade as well.
No stimulus package in sight. I'm holding on to my bots till the rebound.
Re: (Score:3, Funny)
At just .15 per bot, this confirms that the economic downturn has affected the bot trade as well.
No stimulus package in sight. I'm holding on to my bots till the rebound.
My botsfrommumbi(trademark pending) are .0275 per bot. So don't hold your breath.
Re:$3300.00 (Score:4, Interesting)
A $3000 transaction; for that he ran the risk of a $250,000 fine. Not worth it, find an honest way to make that money.
Re:$3300.00 (Score:4, Informative)
It's fairly easy.
You need:
1. A controlling server. Preferably located in some country ending in -stan or some other country where law enforcement laughs at Interpol when they ask for aid.
2. An infector and sheepifyer trojan. Trivial to code.
3. A few million sheep. For pointers, see Facebook & Twitter.
Additionally it is wise to create your trojan in such a way that you (and only you) can update it and redirect it to some other control server should yours get shut down for some odd reason. Make sure that you create a good enough challenge/response or be prepared for someone else to harvest your infections.
Re: (Score:1)
2.1 Something with flashing words, kittens or cows, and a link to 'send to my friends now!!!' spreads itself easy easy.
Hey let's write our own botnet, buddy :)
Re: (Score:2)
Already happening. It's still possible to track down the originating controller.
Shutting such a botnet down is somewhere between trivial and impossible. It all depends on whether you can break their key before they change it. Since the network accepts control commands from anywhere, you "only" need to crack open its key.
Re: (Score:2)
Consider an architecture where bots act on any command they receive with an appropriate signature (assume decent quality public/private key crypto such that a crypto crack is not an option) and retransmit any command they see to all their peers.
How would you go about finding the original injection point of a command packet bearing in mind that most of the links won't be logging packet contents?
Re: (Score:2)
All I can say is that it is possible, given time and the necessary infrastructure.
Re: (Score:2)
Have all the commands cryptographically signed; it doesn't matter where a message is coming from as long as it has the right signature.
And have the cryptographically signed commands posted on Slashdot as AC postings. Have the bots scan the most recent Slashdot stories at -1 for their commands.
Re: (Score:2)
MOD ME UP OR I PWN J00!
*(SJKHCI&^HSKJNSIU&S(QJSJSQ)NSQJBN
Re: (Score:2)
And to make it even easier, I recall articles on /. that there are ready-to-use "diy" trojan kits on the market to make it even easier.
Re: (Score:3, Insightful)
I don't really recommend using those kits. Few of them allow you to keep your precious bots all for yourself. ;)
Seriously, what do you expect? You're buying (closed source) software to install backdoors in someone else's computer from a ... well, let's say not too reputable company. Do you really expect them to let you keep the bots? Be honest!
Re: (Score:2)
You sound like a man that knows how to do this from experience. Wooo......
Re: (Score:2)
From the other side of the game, yes. But I guess I'm not giving away any secrets by telling that. I also don't know why it's Informative. It's pretty common knowledge when you have at least a passing interest in botnets. Besides, the setup outlined above is soooo '07...
Re: (Score:2)
I don't know why it would be Informative either; maybe Interesting would be better, but then again Facebook and Twitter are so 2010.
I also think Facebook is going to be the #1 exploit of 2010. Do you know any good jokes about Facebook?
Re: (Score:3, Insightful)
He could probably have sold it a hundred times to a hundred different buyers.
$0.15 Per? (Score:4, Insightful)
That's, like, US $3300 for the lot. He's not going to get much hookers and blow outta that.
If he did any programming at all to develop the exploit, then his wages are in the basement. (Probably right next to his 'office'.) Once you factor in the time it would have taken to propagate, test and market the botnet, this guy stood to earn the merest pittance.
Then again, he was stupid enough to turn the thing on his own ISP, so we shouldn't marvel too much over his lack of business acumen.
Re:$0.15 Per? (Score:5, Interesting)
What's to stop him from leasing use of the botnet to multiple cyber-criminals now that he's built it up? I mean, the initial sale is just a little bit, but suppose the market for the botnet is more than just one organization, or suppose he charges by the day?
I'm not really a professional botnet organizer, so I have no idea how plausible this is.
Re: (Score:3, Interesting)
Maybe the $0.15 was a loss leader to help build up a reputation in his desired market segment, then you can up prices once you have a reputation for a solid reliable product.
Re: (Score:1)
In Odessa Texas you own botnet!
Re: (Score:2, Funny)
Attack the Rebels' computers, Admiral Biet.
Ah they broke rule #1 of cybercrime (Score:3, Insightful)
Re: (Score:2)
Seems to be working pretty well for some [slashdot.org].
Re: (Score:1)
The US is where the bots are located, not (necessarily) the guy running them.
Botnet vs Hack (Score:3, Interesting)
Re: (Score:2)
Forgive me if I am less than impressed, 30 minutes with a compiler and a few lines of code. Not like they pulled off some amazing feat; what is impressive is that they got caught.
Re: (Score:2, Informative)
$0.15 == 15 cents.
You need to carry the one...
Verizon reference (Score:3, Funny)
http://www.youtube.com/watch?v=D2isSJKntbg [youtube.com]
According to Verizon rep, 0.002 dollar = 0.002 cent. So your parent is right.
Yeah, I have a question... (Score:5, Funny)
Have you grown up yet?
Obligatory free software rant (Score:2)
Another clear example of why crime is WRONG (Score:2)
The attempted sales price (U$0.15/machine, would presumably be negotiated down 0.10-0.12) is ~100x less than users would pay to not be infected, and about 1000x less than it will take to remove the malware. Any person who buys and uses the botnet will generate similar economics.
This is an obvious clear loss to humanity -- the crooks gain _very_ much less than the damage they cause. A negative sum game.
The same might be said of Goldman-Sachs: even without the front-running and counter-dealing, they mispri
Fire up the barbie! (Score:2)
That should be the punishment -- fry, fry, fry. I know what the smoker should be.
That has to be a record of some sort (Score:2)
I mean, like 3 first names.
Oh, wait...
Re: (Score:2)
Man, using their full names like that? It's as if their crimes were equivalent to presidential assassination or serial killing.