The first botnet hijacker aka the Zombie King
Hacking Alias: ir Resilient
Jeanson Ancheta didn’t follow the usual path that many hackers took in the old days; he carved his own path by building a botnet army. This is the story of the first person to plead guilty to federal charges of hijacking computers for profit.
Early life
Jeanson James Ancheta was born in Downey, California in 1985.
In 2001 he dropped out of Downey High School in California, which he had attended for the last couple of years.
He later entered an alternative program for students with academic or behavioral problems and eventually earned a high school equivalency certificate. He worked at an internet café at the time, but according to his family he wanted to join the military.
However, his life took the opposite direction from what he had wanted once he discovered the botnet world.
Jeanson James Ancheta mugshot - source: theregister.com
The Botnet world
In June 2004, while surfing the Web, Ancheta came across the fairly common computer worm rxbot. Its malicious code is designed to spread widely and easily across the Internet.
What likely lured Ancheta into using it was how easy it was to customize and experiment with its features. Soon after, he began secretly hijacking tens of thousands of computers nationwide, including two military servers.
He set up an IRC channel called “botz4sale” to rent out his botnet army and make money from it. He wrote a manual with guidelines on how many zombies would be needed to crash corporate websites of a given size, and added rental rates with a minimum of 10K zombie machines at four cents apiece. The manual also included the malicious code that allowed the bots to spread and propagate.
By the end of July, he controlled at least 100,000 bots.
In a three-month span starting in June 2004, he rented out his machines to 10 clients, profiting around $3,000 through payments made via PayPal.
Botnet diagram - source: anura.io
SoBe, Partner in crime
SoBe (a nickname), Ancheta’s partner-to-be, was a 16-year-old boy at the time from Boca Raton, a town in Florida. He had quit school and spent much of his days coding in C++ while frequently chatting with hackers in IRC rooms.
In August 2004, he met Ancheta, who typically went by the nickname “ir Resilient”, in a channel called “bottalk”. SoBe noticed that Ancheta was not one of the many people in the chat who lied about the profits from their bots. He proved that he had sizable botnets under his control by sending screenshots of hundreds of exploit messages with unique IP addresses and similar evidence.
In SoBe’s words about Ancheta: “You can’t really lie about that when you take screenshots proving you have well over 70K. It’s hard to fake hundreds of exploit messages with unique IP addresses and a picture of him in a channel with 60,000 users.” SoBe also had Ancheta’s MySpace account, where he posted pictures of his tuned-up BMW and of partying with his friends. “He wasn’t your average computer nerd,” SoBe explained. “He would go out and have fun.”
Their relationship grew stronger over time, and it wasn’t all about business. They had fun hacking vulnerable servers and leaving digital graffiti as their signature before moving on.
Graffiti of SoBe and Ancheta on a compromised website - source: theregister.com
Bot business
On the business side of things, they were about to grow Ancheta’s botnet army to more than 400,000 computers and launch a new business scheme.
Ancheta recruited SoBe to help him launch the new scheme, where they would install adware on the botnet army of compromised computers and use them to generate pay-for-click affiliate fees. They signed up with multiple online advertising agencies such as Gamma Entertainment of Montreal and Loudcash.
Their new business scheme was an instant success, and in about 13 months (even after the first raid from the FBI) they pocketed more than 60K dollars. “It’s immoral, but the money makes it right,” Ancheta told SoBe during one online chat.
First raid from the FBI at Ancheta’s home
Through their many resources, the FBI found the chat room where Ancheta’s price list for his bots was posted and opened an investigation. Agents posed as potential clients and bought some bots, after Ancheta promised them they’d be “enough to drop a site”.
They tracked him down and raided his home in December 2004, where FBI agents confiscated his computer.
Back to business
After his home was raided, Ancheta was back online within a day. Both SoBe and Ancheta felt unstoppable and continued their botnet activities as if nothing had happened.
Following the raid, the FBI never stopped monitoring their actions and quietly built a case against the two hackers. Ancheta was still naively advertising in the “botz4sale” channel, and that alone put him at the top of the investigators’ list.
Bugs/backdoors and naive mistakes
Rxbot, the software on which the two young hackers built their bot empire, was riddled with bugs. To keep their botnet growing, they configured their zombie machines to automatically scan for and compromise new machines on nearby networks.
Rxbot was too aggressive when infiltrating machines, and ended up compromising computers belonging to the Sandia National Labs, China Lake Naval Air Facility, and the Defense Information Security Agency.
Because the evidence came from military computers, it was an excellent break in the case for the FBI, since it permitted them to dig further.
The two partners didn’t seem to realize their mistakes at the time. Back in August 2004 they had even been warned to filter domains like “.gov” and “.mil” out of their botnet, so as not to compromise government systems and raise suspicion.
SoBe made a rookie mistake when he decided to lease a server using his real identity. On those servers they hosted an IRC daemon (IRCd, server software that implements the IRC protocol) that each of their bots reported to. By changing the topic in the IRC channels, they could make their bots connect to other servers under their control and install whatever software they happened to host there.
SoBe later admitted that he was convinced that the IRC daemon had a built-in backdoor. He had gotten the program from Jonathan Hall, a hacker who was charged but never convicted in a separate botnet investigation.
Hall also confirmed that when he viewed the source code for the daemon, he indeed spotted a backdoor.
As a result, anyone who knew about the secret feature could gain access by typing “/system foo foo,” “/system bar bar,” or any similar combination.
The FBI never admitted it, but in the end the two young hackers left tracks all over the place, making it nearly impossible for them not to get caught for good.
Second raid and arrest
In May 2005, the FBI raided both hackers’ homes. FBI agents raided the SoBe family’s three-story house in Boca Raton, Florida.
SoBe was still injured from a recent motorcycle accident when agents grabbed him and seized thousands of dollars’ worth of computers, video games, and other electronics, while his parents watched, unaware of what their son had been doing.
At the same time, in the Los Angeles suburb of Downey, California, FBI agents raided Ancheta’s home for the second time in six months.
The FBI disabled the servers that SoBe and Ancheta were using in May, and after gathering enough evidence, arrested Ancheta in November 2005.
Because SoBe was a minor at the time of Ancheta’s arrest and throughout their illegal activities, he was not arrested, but he remained on probation until the whole case was resolved.
FBI report for SoBe's home raid - source: theregister.com
Sentences
In November 2005, Ancheta was charged with 17 counts of conspiracy, fraud, and other crimes connected to a 14-month hacking spree that started in June 2004 and even continued when FBI agents raided his house for the first time in December 2004.
Ancheta’s attorneys accepted a guilty plea after the FBI released a report estimating that the damage caused by the worms and trojan horse software employed by Ancheta’s botnet had cost U.S. organizations $12 billion.
The long indictment offered an unusually detailed glimpse into a world where hackers bragged in online chat groups about their prowess in taking over zombie machines and herding them into large armies for spam email and as an arsenal for so-called DDoS attacks on websites.
On May 9, 2006, Ancheta pleaded guilty to 4 felony charges of violating several sections of the U.S. Code, including Title 18, United States Code, Section 1030, Fraud and Related Activity in Connection with Computers, specifically subsections 1030(a)(5)(A)(i), 1030(a)(5)(B)(i), and 1030(b).
He received 57 months in prison and forfeited his BMW and more than $60K in profits. He was also ordered to pay $15K in restitution to the U.S. federal government for infecting the military computers.
Aftermath
The whole story immediately rocked the chat rooms where hackers spent their time discussing hacking activities.
SoBe was also shocked when the charges became public, but felt the charges against Ancheta were fair.
“But it’s not going to stop anyone from doing bots. I think at most he should’ve faced a fine, probation, etc., not be sentenced to jail for stupid shit that didn’t hurt anyone if you think about it,” SoBe said. There were hackers out there making more in one month than Ancheta did in six, and doing it for years, but they had never been caught.
Over the next agonizing year and a half, SoBe worried over the prospect of being indicted, while Ancheta was in prison, first in a federal facility in California and then at the federal correctional institution in Allenwood.
SoBe had no contact with Ancheta while the latter was in prison, and continued to live at home with his parents.
In 2007, after a long investigation, FBI agents established links to hackers connected to the botnet crimes. SoBe was one of them, and federal prosecutors told him that he was going to be charged and suggested he plead guilty. Three months later, in February 2008, he pleaded guilty to delinquency charges resulting from his surreptitious installation of adware on hundreds of thousands of computers.
SoBe’s real name remains unknown because he was a minor at the time of the crimes.
Closing thoughts
Their story was one of a kind, as both were at a really young age when they committed their crimes and Ancheta was the first person to be indicted for crimes related to profit from botnets. Their whereabouts remain unknown as they vanished without leaving a clue as to what they are doing today.
Some lessons to take from the story are, of course, not to become a botnet zombie king, but more importantly to secure your devices so they cannot be compromised and used by botnet operators. Keep your machine updated, run typical anti-virus software and keep it current, and install the latest security updates for your operating system. Do not download attachments or click unusual links in messages; always check that they come from trusted sources.
You can also monitor your network traffic if you suspect you have been compromised; with analytics and data-collection solutions you can automatically detect abnormal behavior, such as many of your machines holding long-lived connections to the same outside server.
Doing all of the above does not mean that you are completely safe (zero-days are found every day and supply chain attacks are on the rise), but it puts you a step ahead of people who ignore those warnings.
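As an added defensive example (not part of the original article), the check-in pattern described earlier, many bots holding long-lived IRC sessions to one server under the operator’s control, can be spotted in connection logs. The Zeek-style records below are constructed for illustration, and the port list and thresholds are assumptions:

```python
"""Flag likely IRC command-and-control rendezvous points in connection logs.

Input: constructed, Zeek conn.log-style records (tab-separated):
ts, orig_h (internal client), resp_h (server), resp_p, proto, duration
"""
from collections import defaultdict

# Ports historically used by IRC servers (assumed list); a herd of internal
# hosts parked on one external host over these ports is the pattern at issue.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}

# Constructed sample records, not real traffic. Four hosts sit on one IRC
# server for an hour; one host makes a short IRC connection elsewhere.
SAMPLE_LOG = """\
1099000000.1\t10.0.0.11\t203.0.113.7\t6667\ttcp\t3600.0
1099000002.5\t10.0.0.12\t203.0.113.7\t6667\ttcp\t3590.2
1099000003.0\t10.0.0.13\t203.0.113.7\t6667\ttcp\t3588.9
1099000004.2\t10.0.0.14\t203.0.113.7\t6667\ttcp\t3601.1
1099000010.0\t10.0.0.11\t198.51.100.5\t443\ttcp\t0.8
1099000011.0\t10.0.0.20\t203.0.113.9\t6667\ttcp\t120.0
"""


def parse_conn_log(text):
    """Parse tab-separated records into dicts, skipping blanks and comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, proto, duration = line.split("\t")
        records.append({"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
                        "resp_p": int(resp_p), "proto": proto,
                        "duration": float(duration)})
    return records


def find_irc_rendezvous(records, min_hosts=3, min_duration=600.0):
    """Return (server, port) pairs on IRC ports that hold long-lived sessions
    from at least `min_hosts` distinct internal clients, with those clients."""
    clients = defaultdict(set)
    for r in records:
        if (r["proto"] == "tcp" and r["resp_p"] in IRC_PORTS
                and r["duration"] >= min_duration):
            clients[(r["resp_h"], r["resp_p"])].add(r["orig_h"])
    return {k: sorted(v) for k, v in clients.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for (server, port), hosts in find_irc_rendezvous(parse_conn_log(SAMPLE_LOG)).items():
        print(f"possible IRC C2 {server}:{port} contacted by {len(hosts)} hosts: {hosts}")
```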