Computer Crime Research Center


Cybercriminal and the army of zombies

Date: August 30, 2005
Source: PC WORLD
By: Tom Spring

In 2004, after months of putting a virtual tail on a hacker who called himself Pherk, FBI agent Timothy Nestor had the guy right where he wanted him.

Though unsure of Pherk's identity, Special Agent Nestor was tracking every digital footstep the hacker took as he wreaked havoc on dozens of businesses by shutting down their online storefronts.

Pherk's modus operandi was to commandeer an army of 2000 zombie computers and use those PCs simultaneously and repeatedly to request Web pages from the sites; the surge in queries would overwhelm the sites' servers, knocking the businesses offline. What the hacker didn't know was that Nestor, supervisor of the FBI's Cyber Crime Squad in New Jersey, had isolated one of the zombies and was now following the perpetrator's every online move.

Eventually the accumulating evidence of these illegal Web activities enabled the FBI to trace the attacks to 17-year-old Jasmine Singh Cheema. Nestor then obtained a search warrant; and in early December 2004, six FBI agents and two New Jersey state police officers barged into the Edison, New Jersey, home of Cheema's parents. According to Nestor, the 17-year-old Cheema sat at the family's dining room table and confessed everything to the FBI as his mother hovered nearby.

On the increase
Pherk's technique of crippling a Web site by flooding it with requests is called a distributed denial of service (DDoS) attack. Despite being illegal, such attacks are on the rise. And not surprisingly, the number of PCs infected with malicious code that turns them into zombies has risen as well - from 3,000 during the first quarter of 2005 to 13,000 during the second quarter, according to a report from anti-virus firm McAfee.

Big-time criminals aren't always responsible for these crimes. Authorities said Cheema's attacks were aimed at a handful of Web sites that competed with a small online sports memorabilia business. That business's owner, Jason Arabo, himself only 18 at the time, is alleged to have given Cheema some of his company's imitation classic sportswear as payment for Cheema's work. Arabo was arrested in March and charged with conspiracy to commit the attacks. If convicted, he faces up to five years in prison and fines totaling as much as US$250,000.

The agency said that it obtained the image from an online dating site. Cheema pleaded guilty in New Jersey Superior Court to two counts of computer theft by hacking online businesses; on August 12, he was ordered to serve five years in youth detention and to pay $32,000 in restitution.

According to the New Jersey state attorney general's office, Cheema generated the attacks by compromising PCs throughout the world with a virus. The infected PCs then sent the victims' systems trillions of packets of data per hour, overwhelming them.

What disturbed law enforcement officials most about the Cheema case was the extent of the damage his attacks caused in spite of their simplicity. Investigators report that Cheema infected 2000 computers just by making available on a file-swapping network a file advertised to be a picture of Jennifer Lopez naked. Instead of opening an image, though, people who clicked the file installed a Trojan horse that exploited PCs with poor virus and firewall protection. The PCs then became clandestine members of Cheema's zombie army.

Catching a cybercrook
The FBI's number three national priority today (after terrorism and counterintelligence) is cybercrime. In one of the FBI's sixteen U.S. cybercrime squads, located in a nondescript office building in Somerset, New Jersey, members spend their workdays tracking down crimes ranging from Web site defacement to network break-ins to DDoS attacks to child pornography to the online sale of pirated software, music, or videos.

Other types of cybercrime are more common than zombie PC attacks, sometimes called botnet attacks. But because armies of zombie PCs are often massive and can inflict severe damage on victims, some law enforcement officials say that thwarting botnet infections and attacks has become their number one priority.

"The number of cases we see, like the Singh [Cheema] case, are becoming far more frequent," Nestor says.

According to the FBI, most of the PCs Cheema hijacked were located on college campuses in Massachusetts and Pennsylvania. He directed those PCs to go after a handful of sites, probably without realizing that his attacks would have such widespread consequences. The ripple effect from the attacks launched by Cheema's so-called botnet army of PCs ultimately reached 120 online companies, including major retailers, banks, and pharmaceutical businesses as far away as Europe, according to the FBI.

"If one teenager can jeopardize over a hundred Web sites from his parents' house, imagine what groups of seasoned cybergangs can do," Nestor says.

Global problem
Some botnets consist of phalanxes of 15,000 to 50,000 zombie PCs that are controlled by groups of people dispersed around the world, says Christopher Painter, deputy chief of the Computer Crime section of the U.S. Department of Justice. Most perpetrators are adults who execute extremely sophisticated assaults. "They don't brag, and they cover their tracks very well," Painter says.

One notorious cybergang, called Shadowcrew, reportedly had 4,000 members scattered across the United States, Brazil, Spain, and Russia.

Money is these cybergangs' primary motivation, says Larry Johnson, special agent in charge of the Criminal Investigative Division of the U.S. Secret Service. The asking price for temporary use of an army of 20,000 zombie PCs today is $2000 to $3000, according to a June posting on an electronic forum for hackers.

Marshalling their armies of zombie PCs, online extortionists may threaten to crash a company's Web site unless they are paid off. "Hackers are not shy about asking for $20,000 to $30,000 from companies. The [companies] know it's far cheaper to pay the hackers than to get knocked offline and lose hundreds of thousands of dollars in lost business," Johnson says.

Many of these extortion attempts may go unreported because businesses are unwilling to volunteer evidence of their coercion to law enforcement officials, Johnson says. Commonly, corporations don't want to admit to their customers, stockholders, and business partners that their networks were ever vulnerable to an attack.

According to a 2004 survey conducted by the Computer Security Institute, a membership association and education provider that serves the information security community, only about 20 percent of computer intrusions are ever reported to law enforcement agencies. The Secret Service, Johnson says, receives between 10 and 15 inquiries per week from businesses owners who believe they may be the target of a cyberattack.

Cooperation is key
Despite the low percentage of attacks that are reported to law enforcement officials, the evidence needed to arrest the perpetrators is often available, says James Burrell, supervisory special agent of the Boston FBI's cybersquad. In labs like his, agents conduct high-level computer forensics on PCs, analyze malicious code, break encrypted files, and pore over server logs looking for clues.

"For us, it's all about traceability," Burrell says. The evidence the FBI needs may be available for only a short time, and it may be located on a server halfway across the globe. For these reasons, he says, it's vital that local, state, federal, and foreign agencies share information.
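The attack described earlier (thousands of zombies each requesting the same storefront pages at once) and the log review Burrell describes meet in the victim's web server access log. The following script is an added example, not code from the article or from the FBI: it parses Apache-style combined log lines, buckets requests into fixed time windows, and flags windows whose request rate spikes, distinguishing a distributed flood (many sources, no single dominant client) from a single noisy client. The log lines are constructed for the example; the IP ranges, paths, thresholds and window size are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_floods(lines, window=10, rate_threshold=30, min_sources=10):
    """Bucket requests into fixed windows (seconds) and report windows whose
    request count reaches rate_threshold. Each finding records how many
    distinct clients contributed and the share of the busiest one, which
    separates a distributed (botnet) flood from a single noisy client.
    Thresholds are illustrative assumptions, not tuned values."""
    per_window = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip unparseable lines rather than crash
            continue
        epoch = int(rec["ts"].timestamp())
        per_window[epoch - epoch % window].append(rec)

    findings = []
    for start in sorted(per_window):
        recs = per_window[start]
        total = len(recs)
        if total < rate_threshold:
            continue
        by_ip = Counter(r["ip"] for r in recs)
        by_path = Counter(r["path"] for r in recs)
        top_path, top_path_hits = by_path.most_common(1)[0]
        findings.append({
            "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
            "total": total,
            "distinct_ips": len(by_ip),
            "busiest_ip_share": round(by_ip.most_common(1)[0][1] / total, 2),
            "top_path": top_path,
            "top_path_share": round(top_path_hits / total, 2),
            "kind": "distributed" if len(by_ip) >= min_sources else "single-source",
        })
    return findings


# --- constructed sample log (synthetic, not real traffic) -----------------
def make_line(ip, ts, path):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/4.0"'


BASE = datetime(2004, 11, 15, 10, 0, 0, tzinfo=timezone(timedelta(hours=-5)))
SAMPLE_LOG = []
# 0-29 s: ordinary browsing, one request per second from three shoppers
for i in range(30):
    SAMPLE_LOG.append(make_line(f"198.51.100.{i % 3 + 1}", BASE + timedelta(seconds=i), f"/item/{i}.html"))
# 30-39 s: 20 zombies each fetch the storefront twice -> 40 hits from 20 sources
for z in range(20):
    for k in range(2):
        SAMPLE_LOG.append(make_line(f"203.0.113.{z + 1}", BASE + timedelta(seconds=30 + 3 * k), "/store/index.php"))
# 40-49 s: one misbehaving client hammers the same page 35 times
for j in range(35):
    SAMPLE_LOG.append(make_line("192.0.2.7", BASE + timedelta(seconds=40 + j % 10), "/store/index.php"))
SAMPLE_LOG.append("this line is garbage and must be skipped")

if __name__ == "__main__":
    for finding in find_floods(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the script reports two hot windows: the 30-39 s window is "distributed" (40 hits, 20 sources, busiest client only 5 percent of traffic, every hit on one page), while the 40-49 s window is "single-source". The distributed signature, many clients each at a modest rate converging on one URL, is what a per-client rate limit alone misses, which is why the first responder's triage looks at distinct-source counts per window rather than at any single address.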

The FBI has 48 legal attache offices across the globe, and agents in those offices can assist with cybercrime investigations when leads take the case outside of the United States. The Justice Department says that cracking cross-border cases involves using international organizations like the G8 24/7 High Tech Point of Contact Group, whose member countries designate an always-available contact for providing investigative assistance in computer crime cases. Started in 1998 by eight highly industrialized nations, the group now consists of more than 40 countries that share data and coordinate field work.

When cases are cracked, international organizations like the International Criminal Police Organization (Interpol) help with extraditing criminal defendants across borders.

According to the U.S. Secret Service, its investigations take it outside the United States in about half of the botnet cases it pursues. Though the agency relies on existing relationships with foreign law enforcement agencies, it also works with the CERT Coordination Center, a federally funded computer security incident response team, and with the International Botnet Task Force, whose members include private and governmental agencies.

Can they be stopped?
Despite some success, law enforcement officials say that cybercrime is extremely hard to get a handle on. That's because it thrives in countries like Russia and China that have weak computer crime laws or lax enforcement. In such cases, catching cybercriminals outside U.S. jurisdiction becomes nearly impossible.

When U.S. prosecutors do bring cybercrooks to justice, they increasingly file charges under updates to the federal criminal code. The Computer Fraud and Abuse Act, for example, provides for a maximum sentence of 20 years in prison. Still, some critics argue that too few computer crime laws exist and that the government underfunds cyber-security programs.

Congressman Dan Lungren, R-California, chairman of the Homeland Security Subcommittee on Economic...


Copyright © 2001-2013 Computer Crime Research Center