Hacker Launches Botnet Attack via P2P Software
June 29, 2008 – 11:51 AM
A 19-year-old hacker is agreeing to plead guilty to masterminding a botnet to obtain thousands of victims’ personal data in an anonymous scheme a federal cybercrime official described Friday as the nation’s first such attack in which peer-to-peer software was the “infection point.”
The defendant, Jason Michael Milmont, launched the assault last year from his Cheyenne, Wyoming, residence, and anonymously controlled as many as 15,000 computers at a time, said Wesley L. Hsu, chief of the Cyber and Intellectual Property Crimes Section for federal prosecutors in Los Angeles. As part of the deal, in which a judge could hand him up to five years' imprisonment, Milmont has agreed to pay $73,000 in restitution, the government said.
“It’s the first time that we know of that peer-to-peer software was used as the infection point,” Hsu said in an interview with Threat Level.
The malware infection became commonly known as the Nugache Worm, which embedded itself in the Windows OS.
According to the plea agreement, the worm was installed in various ways. The first incarnation of infections came from a website Milmont created that offered free installation of Limewire, the popular peer-to-peer file sharing program. He embedded his malware in those software downloads.
“Any time you download something from the internet, it’s possible somebody has appended software to it that isn’t supposed to be there,” Hsu said.
Hsu said Milmont is expected to enter his plea soon, to one count of unlawfully accessing computers, in a Wyoming federal court. Milmont’s attorney, Robert R. Rose, did not immediately respond to a request for comment.
Another incarnation of the infection used AOL Instant Messenger as the delivery point of his malware. The malware would spread itself via chats, with a message asking a buddy to view a photo on a website such as MySpace.com or Photobucket.com. The user would be taken to a spoofed website, and would become infected with the Nugache Worm, the plea deal said.
“All of the data stored on the compromised machines would be available to defendant, including, but not limited to, credit card information,” according to the plea agreement.
The agreement also said that he took control of financial accounts of his victims.
“After obtaining this information from a victim’s computer, defendant used his/her financial institution’s online user name and password to access the account online,” the agreement said. “Defendant then changed the victim’s e-mail address to a similar e-mail that he controlled and the mailing address to an address in Cheyenne, Wyoming, typically an address that was listed for sale.”
He would also change the telephone number on a victim’s account to a number he controlled using Skype. “He paid for this service by using the credit card numbers harvested from his botnet,” the plea agreement said.