
Alleged Botnet Crimes Trigger Arrests on Two Continents

An American business, victimized in an extortion attempt and denial of service attack, assists European authorities in zombie PC case.

Andrew Brandt, PC World

Friday, November 04, 2005 4:00 PM PST

The FBI has confirmed that U.S. adware developer 180solutions is the American business whose cooperation with law enforcement played a part in the October breakup of a European botnet scheme. Dutch authorities say three men were arrested in connection with a scheme in which hundreds of thousands of computers were allegedly infected with malicious computer code and then used as zombie PCs to commit additional crimes.

In a similar case, a federal grand jury yesterday indicted Jeanson James Ancheta of Downey, California. The indictment, filed in U.S. District Court in Los Angeles, alleges Ancheta wrote and disseminated malware that assembled armies of infected PCs (known as bots, because they essentially become programmed to function as automatons or robots), then sold access to those PCs to hackers and spammers.

Ancheta also allegedly used the botnets (or networks of bots) to generate income from the surreptitious installation of adware on the infected computers, according to the indictment. U.S. prosecutors say the botnets in the American case involved roughly 400,000 PCs.

(Editor's note: In August, PC World reported on the increasing use of botnets for global crime purposes in a five-part series titled Web of Crime. In the series, we detail how botnets work, and how your PC could unknowingly become part of a crime scheme. We also interviewed other firms that experienced extortion demands and distributed denial of service (DDoS) attacks designed to stifle their business.)

Details on Both Cases

In the Netherlands case, published reports say that authorities believe the botnet may have consisted of more than a million zombie PCs. According to information provided by the Dutch prosecutor's office, the three men were charged with illegal access to computers, damage to digital networks, installation of adware and spyware, illegal access to PayPal accounts, and receiving stolen goods.

In the American case, U.S. prosecutors charge that Jeanson James Ancheta of Los Angeles, as well as an unnamed co-conspirator, used a botnet to disseminate and install adware from two firms: Loudcash and Gammacash. The unauthorized installations resulted in regular payments of thousands of dollars per month from both firms to Ancheta and his cohort, who authorities believe is based in Florida, prosecutors said.

Loudcash is now owned by 180solutions, but Sean Sundwall, 180solutions' director of corporate communications, says that "according to our records, [Ancheta] stopped installing our software sometime in January 2005, prior to our acquisition of CDT/Loudcash." In his blog today, Sundwall says that 180solutions will happily cooperate with authorities in the Los Angeles case.

Based in Redmond, Washington, 180solutions develops advertising software, or adware, and, like many other online marketing firms, relies on a network of affiliates--individuals and companies that the firm pays to distribute the adware.

The software displays advertising on PCs: Each time a PC user clicks an ad or buys an advertised product, the affiliate receives a small commission. 180solutions says its affiliates are bound by contract not to engage in illegal means of forcing users to install the adware on PCs.

In August, 180solutions sued seven of its affiliates for using malware to install its adware surreptitiously on infected PCs.

Cooperation in Europe Case

Published reports at the time of the October 6 bust in the Netherlands also alleged that the men who were arrested had extorted money from an unidentified American company and--using their botnet--engaged in a DDoS attack against it.

With the permission of the FBI, Redmond, Washington-based 180solutions has now acknowledged it is that company. Sundwall said the extortion attempt against the firm apparently began after a disagreement with an affiliate.

The FBI says 180solutions has an ongoing, cooperative relationship with law enforcement. Sources at the FBI's Seattle field office who are familiar with the investigation of the Dutch botnet, and who requested anonymity, said an agent told 180solutions that a Dutch affiliate of 180solutions was under investigation before the alleged attacks took place.

"We reached out to them earlier this year for the purpose of establishing an ongoing working relationship, because we knew this kind of activity was going on," said the FBI source. "We knew they were a victim, and were in a position to provide us with this information."

Extortion Threat, DDoS Attack

Sundwall said 180solutions discovered a large number of software installations on PCs, and determined that one of its affiliates had apparently violated its contract with 180solutions. The company then tried, unsuccessfully, to contact the affiliate: "He was nonresponsive, so we shut him off," Sundwall says.

Then things quickly took a turn for the worse. "He demanded money," Sundwall says. "We initially said no."

But then "the threat was, 'you can shut me down, but look what I can do to you,'" Sundwall says. Sundwall said the 180solutions Web server that runs the Loudcash.com site came under an extremely heavy, two-hour DDoS attack.

"He came back and said, 'I'm not kidding, I can shut you down, I want the money,'" Sundwall says. The attacks continued sporadically for a number of days and the company then contacted the FBI for assistance.

"At the advisement of law enforcement, we paid," Sundwall said. The affiliate wasn't especially greedy: The amount of money he asked for "was not a huge sum, not quite five digits." After the payment, "we turned over all that evidence to the FBI, and at that point we experienced no more DDoS attacks," Sundwall says.

The Slip-Up

Sundwall said the extortionist had given 180solutions identifying information, including bank account numbers, so that the funds he demanded could be wired to him. The information pointed directly to a "person of interest" that could be arrested, FBI sources say. Also, instant messaging and e-mail logs of threats correlated with logs of attacks against 180solutions' Loudcash.com site.

Armed with a Dutch bank account number, the FBI reached out to the office of its legal attache in the Netherlands, who informed the Dutch authorities.

"[The Dutch police] had already had their eye on these guys, but when they heard we had bank account numbers, their jaws dropped," Sundwall says.

Teamwork Paid Off

Dutch Internet service provider XS4All and the Netherlands Government Computer Emergency Response Team, GovCERT.nl, joined the investigation. "The subjects were arrested, in general, for activity related to operating IRC botnets, and the denial of service attack that was launched using the botnet," the FBI source says.

Both 180solutions and the FBI stressed the importance of the cooperation. Cyber crimes "cannot be addressed by just one law enforcement agency in any one particular country," the FBI source says.

