How a regular IT guy helped catch a botnet cybercriminal

Filed Under: Botnet, Featured, Law & order, Malware

Veteran cybercrime investigator Bob Burls looks back on a case where the diligence of an IT guy helped convict a botmaster who had made tens of thousands of dollars.

It's not enough for the authorities to discover who is behind a malware attack. To secure a successful conviction, it's also necessary for victims to report that a crime has taken place.

As the following case demonstrates, any member of the computer-using public could be the vital piece of the jigsaw which helps bring about the downfall of a cybercriminal.


In November 2006 a particularly aggressive piece of malware came to the notice of Scotland Yard's Computer Crime Unit. The malware in question was an IRCBot, with worm-like properties detected by Sophos as W32/Vanebot-R.

Close examination of the malware revealed that it used various propagation vectors to spread:

  • MS SQL servers "protected" by weak passwords
  • Network shares
  • A critical security vulnerability in Microsoft Server Service that could allow remote code execution (MS06-040)
  • Instant Messaging

Runtime analysis revealed that the malware connected to an IRC server at the domain mang.smokedro.com.


The domain registrant for smokedro.com was shown as:

John Durst
2307 E 23rd St
Panama City
Florida 32405
United States

gunit@gmail.com

(Note that all Google Mail accounts require usernames to have a minimum of six characters, so the fact that the email address associated with the domain has only five makes it instantly suspicious.)

However, there was a problem that needed to be overcome before an investigation could be initiated.

The malware had not come to the police's notice via an allegation, and in order to initiate an investigation it was necessary to determine whether the malware had been distributed and had been released into the wild.

As a result, the police contacted the malware experts at SophosLabs, and asked if any customers had been hit by the malware.

Sophos confirmed that it had received samples of the malware from customer sites, and initiated contact with an IT professional ("Chris" - not his real name) at one of the firms.

As a result, "Chris" contacted police and described how the malware had affected his company’s network.

"Chris" worked for a global manufacturing company with a presence in the UK and various European countries, as well as the United States. The malware had spread across the company’s European network affecting network shares and generating a high incidence of network traffic.

The IT professional had, by good fortune, retained copies of the malware in addition to logs of the incident. Up until this point the incident had not been reported to the authorities by any victim of crime.

The company struck by the malware claimed that it had infected a significant number of the computers on its European network.

As the smokedro.com server domain had been registered in the United States, UK police had no power to start an investigation in America.

So, the United States Secret Service was formally notified and a joint investigation involving the American and British authorities began.

This incident constituted offences under Section 3 of the Computer Misuse Act 1990 in the UK: unauthorised modification of a computer.

The US Federal law applicable in this case was Title 18 United States Code, Section 1030(a)(5): intentionally causing damage to a protected computer.

A US Secret Service Agent sent an official request to the domain registrar who reported that the registrant was a 21-year-old man named Robert Matthew Bentley of Panama City, Florida, who had supplied the registration email address containing the name lsdigital@ and a billing contact under what transpired to be his real name at Gmail.

Following the service of additional requests, including Federal Search Warrants, the Secret Service was able to confirm that Bentley was LSDigital.

It also revealed communications between Bentley and Dollar Revenue, an adware company based in The Netherlands that paid affiliates to place their software on vulnerable computers.

Bentley was apparently profiting from infecting computers by taking part in an adware affiliation scheme.


"Dollar Revenue offers high payouts per install and converts internet traffic from any country into real income. There is no better way to convert your traffic into money!"

What is an adware affiliate scheme?

Affiliate adware companies pay a small amount of money every time their adware program is installed on a computer.

A person signs up as an affiliate and is sent a unique piece of adware tied to their membership reference.

Adware programs often include an invitation to download and install a free program which is attractive to the end-user.

Every time an adware program is installed on a computer, the membership reference is transmitted to the adware company and the affiliate is paid an amount that depends on the location of the computer, ranging between US $0.01 and US $0.30.

Dollar Revenue payout rates per computer in different countries

This relatively small amount of money accumulates as more copies of the affiliate's unique adware program are installed.

For example, if each computer within a 1000-strong botnet is directed to install the affiliate adware, the botmaster will receive 1000 installation fees, each depending on the geographical location of the infected computer.

So, if all of the infected computers were in Canada, for instance, the botmaster would receive US $200.

This type of affiliation activity was seen as one of the first models of monetising botnets.

In 2007, Dutch Telecommunications Regulator OPTA fined Dollar Revenue one million Euros following the installation of adware on 22 million computers.

The conscientious efforts of "Chris", the IT guy at the victim company, who had by this time made a formal allegation of crime, had not only preserved the evidence by keeping a copy of the IRCBot but had also assisted in identifying the scope of the damage caused by the malware.

As the witness had archives of his anti-virus software's logs it was possible to analyse them and determine the spread of the malware as it propagated across the company network. This information was crucial in determining the impact and range of the malicious activity.
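Scoping an outbreak from archived anti-virus logs, as "Chris" did, comes down to pulling the events for one detection name, working out when each host was first hit, and noting which detected paths point at network shares (one of the spread vectors listed above). The following Python is an added example, not code from the article or the investigation; the key=value log layout, hostnames and file paths are constructed.

```python
import re
from datetime import datetime

# Constructed sample anti-virus log lines (not real data): one detection event per line.
SAMPLE_LOG = """\
2006-11-14 08:02:11 host=DE-WS-017 detection=W32/Vanebot-R path=C:\\WINDOWS\\system32\\svc.exe action=cleaned
2006-11-14 08:05:43 host=DE-WS-017 detection=W32/Vanebot-R path=\\\\DE-FS-01\\public\\setup.exe action=cleaned
2006-11-14 09:17:02 host=FR-WS-102 detection=W32/Vanebot-R path=\\\\DE-FS-01\\public\\setup.exe action=cleaned
2006-11-14 11:40:55 host=UK-WS-031 detection=Troj/Agent-XYZ path=C:\\temp\\a.exe action=quarantined
2006-11-15 07:58:20 host=NL-WS-009 detection=W32/Vanebot-R path=C:\\WINDOWS\\system32\\svc.exe action=cleaned
2006-11-15 08:01:37 host=FR-WS-102 detection=W32/Vanebot-R path=C:\\WINDOWS\\system32\\svc.exe action=cleaned
"""

# Assumed key=value log layout; real AV products each have their own format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) host=(?P<host>\S+) "
    r"detection=(?P<det>\S+) path=(?P<path>\S+) action=(?P<action>\S+)$"
)


def scope_outbreak(log_text, detection):
    """Return (first_seen_by_host, new_hosts_per_day, share_paths) for one detection name."""
    first_seen = {}    # host -> earliest timestamp the family was detected there
    share_paths = set()  # detected files living on UNC shares (\\server\share\...)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["det"] != detection:
            continue  # malformed line or a different family: ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        host = m["host"]
        if host not in first_seen or ts < first_seen[host]:
            first_seen[host] = ts
        if m["path"].startswith("\\\\"):
            share_paths.add(m["path"])
    per_day = {}  # day -> number of hosts first hit that day (spread rate)
    for ts in first_seen.values():
        day = ts.date().isoformat()
        per_day[day] = per_day.get(day, 0) + 1
    return first_seen, dict(sorted(per_day.items())), sorted(share_paths)


if __name__ == "__main__":
    hosts, per_day, shares = scope_outbreak(SAMPLE_LOG, "W32/Vanebot-R")
    print(f"{len(hosts)} hosts affected; new hosts per day: {per_day}")
    for host, ts in sorted(hosts.items(), key=lambda kv: kv[1]):
        print(f"  {ts:%Y-%m-%d %H:%M:%S}  {host}")
    print("network-share paths seen:", shares)
```

The per-host first-seen times give the propagation timeline that investigators need to state the scope of damage, and the share paths show which file servers were used as a stepping stone.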

The conclusion of the joint Metropolitan Police Computer Crime Unit and United States Secret Service investigation was:

  • Robert Bentley had registered the domain mang.smokedro.com, which was configured with an IRC server, and had controlled a botnet.
  • Infected computers connecting to the IRC server at mang.smokedro.com were covertly directed to install adware originating from Dollar Revenue, coded with Bentley's membership reference.
  • Bentley had profited from illicit payments from Dollar Revenue.


On 6th March 2008, Robert Matthew Bentley pleaded guilty to conspiracy to commit computer fraud and computer fraud, contrary to Title 18 United States Code, Section 1030 and was sentenced to 41 months imprisonment, and told to pay fines amounting to US $65,000.

Assistant US Attorney Thomas P Swaim stated at sentencing that the co-ordinated efforts of American and European law enforcement led to the successful result.

Press release about Bentley's conviction

This account is a prime example of how the IT industry, security vendors and law enforcement agencies can collaborate, share information and work together to bring offenders to justice.

Never underestimate the importance of reporting a computer crime to the authorities - even if you suspect that the perpetrator may be based far overseas. Your report could make all the difference.


Naked Security gratefully acknowledges the assistance of Thomas P Swaim of the Northern District of Florida United States Attorney's Office and the United States Secret Service with this article.

Police officer and IT guy with pocket protector images from Shutterstock.


4 Responses to How a regular IT guy helped catch a botnet cybercriminal

  1. Nigel · 471 days ago

    First, let me say thanks for a great article. It emphasizes the importance of thorough documentation.

    You wrote: "Robert Matthew Bentley...was sentenced to 41 months imprisonment, and told to pay fines amounting to US $65,000."

    That statement in the article is incorrect. The June 11, 2008 release from the U.S. Attorney's office (a portion of which is displayed in the article above) clearly states that Mr. Bentley was ordered to pay $65,000 in RESTITUTION, not "fines".

    While the concept of "fines" understandably appeals to the public's craving for revenge against those who commit crimes, it's nonetheless a concession to a widespread and rather infantile emotionalism. It has nothing to do with justice. Fines simply enrich the coffers of an already bloated bureaucracy. They do nothing to offset the losses incurred by the victims, whose interests the bureaucracy is supposed to serve first and foremost.

    Restitution, on the other hand, is a mechanism for restoring the losses incurred by victims of the crimes. Restitution costs the criminal just as much, has the same value as an example that might deter others from committing similar crimes, but also provides a measure of actual justice, rather than merely revenge.

    If we, as a society, could get our minds out of the gutter and replace our desire for punishment (revenge) with a focus on restitution (undoing the damage), we would be a lot closer to having something approaching real justice. I respectfully suggest that it’s a distinction worth making when you write articles like the one above.

    • Joe · 4 days ago

      I couldn't agree more with you! I especially agree with your last paragraph!

  2. Guest · 470 days ago

    Do hackers victimize individuals more often than they do businesses? If so, that just might explain why many people don't bother to report cybercrimes.

    The authorities might help to prosecute hackers when the victim is a business interest, but the authorities most likely will not help to prosecute hackers when the victim is a private individual - especially if the private individual cannot prove that the hacker(s) hurt them financially or physically.

    • Joe · 4 days ago

      I agree. I also think that a lot of people are unaware that they have the ability to report malicious attacks. I think, on top of that, they are also unaware that malicious software is illegal and a crime; most people tend to shrug it off and not worry about it.


About the author

Bob Burls is a UK-based IT Security consultant who has extensive experience in Computer Incident Response, the investigation of malicious code and other aspects of internet abuse following over a decade of serving as a Detective on the Metropolitan Police Computer Crime Unit, the NHTCU and the PCeU.