Ex-security pro admits running huge botnet

Computerworld - A former security researcher admitted to hijacking a quarter of a million PCs, using spyware to steal bank and PayPal account information, and making money by installing adware on the massive botnet.

John Schiefer, 26, of Los Angles agreed Friday to plead guilty to four felony counts, including accessing protected computers, disclosing illegally intercepted electronic communications, wire fraud and bank fraud. He faces a total of 60 years in prison and fines of $1.75 million for his part in building and then using the botnet. Several others, named only by their online monikers, were listed as accomplices.

According to Assistant U.S. Attorney Mark Krause, Schiefer, also known as "Acidstorm" and "Acid," was the first to be charged under federal wiretap statutes for using a botnet.

He and his co-schemers infected PCs with malware -- likely Trojan horses, although the court papers didn't specify the malicious code -- that added the compromised systems to a botnet and then stole usernames and passwords stored by Microsoft Corp.'s Internet Explorer browser. IE, like other browsers, will save that information to speed future log-ons. Schiefer mined the data retrieved from the botnet to access multiple PayPal accounts as well as other financial accounts and then plundered them.

Some of the looted PayPal funds were used to pay for more Web hosting space and bandwidth to continue spreading the malware and adding to the botnet, prosecutors said.

Schiefer and his cohorts -- some of whom were minors -- also installed adware on more than 137,000 of the quarter-million machines in the botnet. The ad-generating software was provided by TopConverting, which at the time was an adware affiliate of a Dutch marketing company, Simpel Internet. TopConverting, also known as Crazywinnings, is now defunct, but as recently as the summer of 2006 it was well known to anti-adware experts, who said it was often installed by unauthorized drive-by downloads.

The gang collected approximately 14 cents per adware installation, or nearly $20,000, from Simpel, and repeatedly told the Dutch company that the installs were legitimate, according to the government's charges.

Schiefer rode herd not only on the botnet, but also on his accomplices, court documents showed. In June 2005, he chewed out a co-conspirator with the online nickname of "Butthead" because the malware wasn't infecting enough PCs for his liking. The underperforming malware, said Schiefer, was "sketching [him] out."

He also told Butthead to keep the number of malware-infected machines at a consistent number to avoid detection, saying, "Make sur ur running that dl on ur chans so we can keep the stats stable."

Schiefer blasted another accomplice, dubbed "Adam," for worrying about stealing money from the compromised PayPal accounts. Schiefer reminded Adam that he was a minor and then told him he should just "quit being a bitch and claim it."

Schiefer was employed by 3G Communications Corp. of Los Angeles as a security consultant until early 2006. He used both work and home computers to oversee the botnet.

An arraignment hearing has been scheduled for Dec. 3 in federal court in Los Angeles.

Read more about security in Computerworld's Security Knowledge Center.