Botnet Operator Sentenced to 37 Months in Prison

A California man whose online criminal ring hacked into hundreds of thousands of computers and disrupted operations at a U.S. hospital and several military installations was sentenced Friday to 37 months in prison for his crimes.

Christopher Maxwell, 21, of Vacaville had pleaded guilty to running a criminal hacking operation that used computer viruses to seed infected Microsoft Windows computers with adware that earned him and his co-conspirators more than $100,000 in commissions, according to a Justice Department complaint.

Maxwell had infiltrated computers in U.S. military installations around the globe, including the headquarters of the 5th Signal Command in Mannheim, Germany; the Directorate of Information in Fort Carson, Colo.; the Navy Network Information Center in Pensacola, Fla.; the Navy Computer and Telecommunications Area Master Station, Central Europe, in Naples; the Defense Department's Bureau of Medicine and Surgery in South Carolina; the headquarters of the Commander in Chief, U.S. Pacific Command, in Hawaii; the Defense Investigative Service in Maryland; the U.S. Central Command at MacDill Air Force Base in Florida; and the Health Care Systems Support Activity in San Antonio.

The details of Maxwell's operations were remarkably similar to those of Jeanson James Ancheta, another 21-year-old Californian who in May was sentenced to an unprecedented four years and nine months in prison for hacking into millions of computers in order to generate adware commissions.

In that case, Ancheta admitted that he used Internet worms to seize control over massive numbers of PCs running the Windows OS. He used those computers as an installation base for online ad-serving software that netted him more than $61,000 and a BMW sports car. Ancheta also pleaded guilty to breaking into computers at the weapons division of the U.S. Naval Air Warfare Center in China Lake, Calif., and the Defense Information Systems Agency, causing roughly $15,000 worth of damage.

In both cases, the judges appeared eager to use the accused to send a strong message to other criminal hackers who might be involved in such activities. According to a Justice Department statement, the judge presiding over Maxwell's case said a prison sentence is necessary as "deterrence for all those youth out there who are squirreled away in their basements hacking."

While I wholeheartedly agree that these guys deserve the tough sentences they received, I wonder whether the sentences themselves will serve as much of a deterrent. For one thing, I know for a fact that there are still plenty of young criminal hackers engaging in this kind of activity; most are pretty careful to avoid infecting computers that appear to be located at certain types of online domains that might attract the worst kind of attention (such as those associated with the U.S. military and other parts of the federal government).

There is also relatively little chance that most of these guys will get caught -- especially if they reside outside of the United States, as many do. I see this problem as somewhat analogous to the illicit drug trade. There is just too much money to be made here (and with far, far less risk to life and limb), and no shortage of potential victims.

The math makes the profit motive plain to see. According to government documents, in just the first two weeks of February 2005, Maxwell and his buddies were able to infiltrate more than 629,000 computers. Most of the adware companies pay "affiliates" between 2 and 40 cents for each piece of adware that gets installed using a unique number that identifies the distributor. Assuming, for the sake of this example, that Maxwell could install adware on each of these hijacked machines at the lowest going rate, he stood to gain more than $12,500 from that install run. The government claims that overall, Maxwell made more than $30,000 total from installing adware on machines he'd hacked.

In February, I profiled a young man of the same age who was running an identical operation, getting paid by shady online marketing companies a few pennies for each piece of online ad-serving software he installed. This kid, who claims he has since retired from the business, told me he was making between $6,000 and $10,000 each month installing multiple pieces of adware on Windows computers he had hacked.

By Brian Krebs  |  August 28, 2006; 3:52 PM ET
Categories:  Fraud  


Wow. I was kind of tempted to try it until I saw the sentence.

Posted by: hogboss | August 28, 2006 4:37 PM | Report abuse

With the illicit drug trade, there's a pretty clear solution, many people would say: legalize the damn things and regulate the hell out of 'em. Is there any analogous solution to this botnet crap, or are we just stuck with all these losers?

Posted by: h3 | August 28, 2006 5:24 PM | Report abuse

h3 - interesting suggestion, but since security issues like this are inherently predatory (for lack of a better term; it's Monday afternoon!), I don't think a sensible analogy could be made. Something like drug use is a victimless crime, while taking over someone's computer is, by definition, not.

Posted by: S. H. | August 28, 2006 5:30 PM | Report abuse

There are a couple of possible solutions, neither of which are as uncomplicated or as easy as they might sound. One would be to go after the source...the companies paying people to install adware while looking the other way when obviously fraudulent installs make them tons of money. The other is for ISPs to do a far better job than they do now in identifying, quarantining and helping to remediate bot-infested machines. User education is important but tons of new, uninformed users go online for the first time every day.

Posted by: Bk | August 28, 2006 5:31 PM | Report abuse

Sadly a good friend of mine worked for something very similar and got caught, but he made a deal with our District Attorney and he was granted immunity for his testimony to give up his employer.

Posted by: DT | August 29, 2006 12:20 PM | Report abuse

Re BK's comment above: The FBI has a term for it: "Follow the Money." If there was a way to learn who these advertisers are, perhaps we could shame them into stopping. What's that? There is no shame? Oh yeah. I forgot.

Posted by: Pete from Arlington | August 29, 2006 1:03 PM | Report abuse

Very easy to fix this problem. Death penalty for the adware hackers. Kill a few of em should stop the rest from daring to try again.

Posted by: Yen-lung Wong | August 29, 2006 3:04 PM | Report abuse

All sentences in criminal cases like this should include the provision that any money attributable to future books, articles, or movies about the hacker should go to a fund to repay his victims' expenses in dealing with the problems he caused. I'd like to see some civil suits filed as well.

Posted by: tdb | August 30, 2006 8:17 PM | Report abuse

Sometimes a bit of government regulation is beneficial. Electric power companies and airlines are examples that I think run fairly well under US regulation.

I propose that Internet users request that Congress step in and instigate a 10 cents per email fee to be paid to the ISP providing their connection to the Net. The ISP would likewise be permitted to collect 10 cents for every email they receive. From this receipt, the ISP would remit 5 cents to the account to which the email is addressed, and keep the change to support their ISP services.

Posted by: Richard B. Britton Charlottesville | September 8, 2006 11:28 AM | Report abuse

With a 25 year free run, the Net has gotten nothing but worse, so technology is apparently unable to stop the criminals. Sometimes a bit of government regulation helps. For example, electric power companies and airlines run fairly well under US regulation, and with none, I doubt they would be as safe and efficient.

I propose that Internet users request that Congress step in and instigate a fee - let's say 10 cents/email - that we would pay to the ISP providing our connection to the Net. The ISP would likewise be permitted to collect the same fee for every email they receive from the Net. From this receipt, the ISP would remit half (5 cents) to the account to which the email is addressed, and keep the change to support their ISP services.

This Net Control would be run entirely by the ISPs. They would of course have to transfer a good deal of money back and forth, and charge heavy mail sources a varying monthly fee.

Posted by: Richard B. Charlottesville | September 8, 2006 11:47 AM | Report abuse

The comments to this entry are closed.

© 2010 The Washington Post Company