United States v. Ancheta

United States of America v. Ancheta (U.S. vs. Ancheta, 06-051 (C.D. Cal.)) is the name of a lawsuit against Jeanson James Ancheta of Downey, California by the U.S. Government and was handled by the United States District Court for the Central District of California. This is the first botnet-related prosecution in U.S. history.

Case summary
Ancheta committed the prohibited acts of accessing and transmitting malware with the intent and consequence of disrupting interstate and foreign commerce. The case was the first prosecution in the United States of America where an individual was sentenced to prison for profiting from the use of botnets that were used maliciously to launch destructive denial of service attacks and to send large quantities of spam across the internet. The 57-month prison sentence for Ancheta was the longest in history for a defendant who has spread malware.

Ancheta pleaded guilty to conspiring to violate the Computer Fraud and Abuse Act, causing damage to computers used by the federal government of the United States in national defence, and accessing a protected computer without authorization for the purpose of committing various types of fraud. Between June 25, 2004 and September 15, 2004, in Los Angeles County, Ancheta and others knowingly conspired to violate, and  of US Code. This refers to knowingly causing the transmission of a program, information, code or command and, as a result of such conduct, causing damage without authorization to a computer used in interstate and foreign commerce and communication, and causing loss during a one-year period aggregating at least $5000 in value. Secondly, Ancheta and others conspired to violate, , and of US Code. This refers to accessing without authorization a computer used in interstate and foreign commerce and communication, and intentionally initiating the transmission from and through that computer of multiple commercial electronic email messages that affect interstate and foreign commerce. Finally, Ancheta was charged with laundering of monetary instruments under and faced criminal forfeiture under  and.

Internet bots and botnets
Jeanson James Ancheta was, at the time of this crime, a 20-year-old high school drop-out. He found the rxbot software online and decided that he was going to use it to create a botnet army. Once established, he set up a website where he would rent his computer zombies to hackers so that they could employ them to fulfill whatever malicious job they had planned. Ancheta used at least one computer system at his place of residence and accessed the Internet from a dial-up telephone line to configure and command the botnet and conduct any business communication. A co-conspirator residing in Boca Raton, Florida, referred to as SoBE, was also involved, as he had previous experience launching computer attacks.

An internet bot is a program that infects a computer and enables remote control of that computer. A security vulnerability in the computer system is exploited by the hacker in order to install and run the malware; in this case a worm. The program installs itself and is set up to run as a background process or daemon which remains undetectable to the computer user. The infected computer is often referred to as a zombie computer and was what Ancheta depended on as the building block of his botnet army. Ancheta engaged these computers to function in unison in a network formation; this is referred to as a botnet and the controller is called the bot herder. Ancheta's primary purpose in engaging large numbers of computers was to amplify the attack and reduce the time taken to execute it. The greatest value of botnets is that they provide a relatively high level of anonymity.

In 2005, the Federal Trade Commission, in conjunction with 35 government agencies, organized an initiative to encourage Internet service providers to actively monitor, identify and quarantine customers whose computers appeared to have been compromised, transformed into zombies, or appeared to be under the remote control of hackers. One of the largest botnet implementations around that time (2005) was found by Dutch Police, where a botnet of over 1.5 million computers was under a crime ring's control. These zombie computers were often employed as a response to anti-spam laws and spam filtering. Spammers started hiring virus writers and hackers to help them architect armies of zombie computers to send spam email from unsuspecting users' computers around the world. In February 2012, the Federal Communications Commission unveiled yet another plan that calls on Internet service providers to take specific steps to combat online threats from botnets.

IRC setup and worm development
In July 2004 Ancheta obtained access to a server from an internet hosting company, set it up as an IRC server utilizing the IRCd program, and created a channel on IRC which he controlled remotely. Ancheta developed a computer worm which, when installed and executed, would report back to the IRC channel he controlled, scan for other computers with similar vulnerabilities, and leave itself open to future unauthorized control. Ancheta initially developed this worm by modifying an existing Trojan called rxbot. While DDoS attacks were one use case for these botnets, another major purpose was to use them as proxy servers for email spam propagation. In 2004 it was reported that unsolicited email had doubled from late 2003, rising from 310 billion messages to 700 billion messages. Worms like Conficker, originally found in 2008, still remain a threat and are significantly more sophisticated, disallowing updates and communicating through encrypted channels.

Profiting
Ancheta advertised the sale of bots for the purpose of launching distributed denial-of-service (DDoS) attacks or sending spam. He sold access to the bots in clusters, usually up to 10,000 at a time. Ancheta acted as a consultant and advised the buyer on the exact number of bots they would need to successfully accomplish the designated attack. He would offer separate channels for an additional cost to assist in the control and direction of the bots, providing temporary control over the channel to the buyer. Around the time of this crime, it was estimated that an average botnet was 20,000 computers in size. He also profited from the sale of the developed worm, which he would configure for best propagation. Buyers also had the option of using their own malware to launch the attack instead of the worm he was offering. Ancheta accepted all payments through PayPal, where he would misleadingly describe the nature of the transaction as hosting, web hosting, or dedicated box services.

Case legal details
In total there were 17 different counts in this case.

Conspiracy to commit an offense or defraud a US agency
Count 1 was in violation of. This refers to the conspiracy between Ancheta and others to commit an offense or to defraud a US agency. This violated, and  of US Code.

Fraud and related activity in connection with computers
Counts 2 through 11 were in violation of, and

Counts 2, 3 and 4 involved intentionally causing damage while accessing an unauthorized computer belonging to King Pao Electronic Co and Sanyo Electric Software which if completed would have caused damage exceeding $5000, and launching a distributed denial of service (DDoS) attack on a company (whose name remains confidential) which if completed would have caused damage exceeding $5000. In furtherance of the conspiracy Ancheta committed various overt acts, including payments to accomplices and directing numerous computers to adware servers controlled by Ancheta himself. These servers were where unsuspecting users would be redirected to download the malware. Counts 5 and 6 included knowingly causing the transmission of malicious code to protected computers belonging to the Naval Air Weapons Station China Lake and the US Defense Information Systems Agency; both used for justice, national defence, and national security. NAWS China Lake is a major Navy research, testing and evaluation facility, and DISA provides IT and communication support to the President and other top executive staff of the US Government.

Counts 7 through 11 were in violation of and. Ancheta knowingly accessed, without authorization, computers involved in interstate and foreign commerce by installing adware without notice or consent, with the sole intent to defraud. Between 8,744 and 53,321 computers (different for each count) were accessed without authorization, and monetary amounts between $1306.52 and $7966.10 (different for each count) were accepted as payment for services.

Laundering of monetary instruments
Counts 12 through 16 were in violation of. Knowing that property involved in a financial transaction represents the proceeds of some unlawful activity, Ancheta conducted financial transactions that involved the proceeds of specified unlawful activity, and those proceeds were further used with the intent to promote more unlawful activity. Proceeds from selling worms and the rental of the botnet were being passed off as legitimate online transactions such as payments for web hosting or dedicated box services. Ancheta was also transferring the same payments to internet hosting companies for additional access to the servers used to commit further fraud. From November 2004 to May 2005 varying amounts of funds were transferred from Wells Fargo Bank to FDCServers and Sago Networks.

Criminal forfeiture
Count 17 was in violation of and. Ancheta was required to forfeit all property involved in the offence. This included $2998.81 generated from the sale of internet bots and proxies and deposited into a Wells Fargo account, approximately $58,357.86 in proceeds generated from the surreptitious install of adware on protected computers linked to a PayPal account owned by Ancheta, a 1993 BMW 325 IS, and all property used to commit or facilitate the commission of the above violations including desktop computers, laptops and hard drives.

Summary of laws applied

 * Conspiracy to commit offense or to defraud United States
 * Criminal Forfeiture
 * Criminal Forfeiture
 * Fraud and related activity in connection with email
 * Fraud and related activity in connection with email
 * Fraud and related activity in connection with email
 * Computer trespassing in a government computer
 * Committing fraud with a protected computer
 * Damaging a protected computer (including viruses, worms)
 * Damaging a protected computer (including viruses, worms)
 * Conspiracy to violate (a)
 * Laundering of monetary instruments