How a regular IT guy helped catch a botnet cybercriminal

Veteran cybercrime investigator Bob Burls looks back on a case where the diligence of an IT guy helped convict a botmaster who had made tens of thousands of dollars.

It’s not enough for the authorities to discover who is behind a malware attack. To secure a successful conviction, it’s also necessary for victims to report that a crime has taken place.

As the following case demonstrates, any member of the computer-using public could be the vital piece of the jigsaw which helps bring about the downfall of a cybercriminal.


In November 2006 a particularly aggressive piece of malware came to the notice of Scotland Yard’s Computer Crime Unit. The malware in question was an IRCBot with worm-like properties, detected by Sophos as W32/Vanebot-R.

Close examination of the malware revealed that it used various propagation vectors to spread:

  • MS SQL servers “protected” by weak passwords
  • Network shares
  • A critical security vulnerability in Microsoft Server Service that could allow remote code execution (MS06-040)
  • Instant Messaging

Runtime analysis revealed that the malware connected to an IRC server at the domain


The domain registrant for was shown as:

John Durst
2307 E 23rd St
Panama City
Florida 32405
United States

(Note that all Google mail accounts require usernames to have a minimum of six characters, so the fact that the email address associated with the domain only has five makes it instantly suspicious.)

However, there was a problem that needed to be overcome before an investigation could be initiated.

The malware had not come to the police’s notice via an allegation, and in order to initiate an investigation it was necessary to determine whether the malware had been distributed and had been released into the wild.

As a result, the police contacted the malware experts at SophosLabs, and asked if any customers had been hit by the malware.

Sophos confirmed that it had received samples of the malware from customer sites, and initiated contact with an IT professional (“Chris” – not his real name) at one of the firms.

As a result, “Chris” contacted police and described how the malware had affected his company’s network.

“Chris” worked for a global manufacturing company with a presence in the UK and various European countries, as well as the United States. The malware had spread across the company’s European network affecting network shares and generating a high incidence of network traffic.

The IT professional had, by good fortune, retained copies of the malware in addition to logs of the incident. Up until this point the incident had not been reported to the authorities by any victim of crime.

The company struck by the malware claimed that it had infected a significant number of the computers on its European network.

As the server domain had been registered in the United States, UK police had no power to start an investigation in America.

So, the United States Secret Service was formally notified and a joint investigation involving the American and British authorities began.

This incident constituted offences falling under Section 3 of the Computer Misuse Act 1990 in the UK: Unauthorised Modification of a Computer.

The US Federal Law applicable in this case was Title 18 United States Code, Section 1030 (a) (5): Intentionally Causing Damage to a Protected Computer.

A US Secret Service Agent sent an official request to the domain registrar who reported that the registrant was a 21-year-old man named Robert Matthew Bentley of Panama City, Florida, who had supplied the registration email address containing the name lsdigital@ and a billing contact under what transpired to be his real name at Gmail.

Following the service of additional requests, including Federal Search Warrants, the Secret Service was able to confirm that Bentley was LSDigital.

It also revealed communications between Bentley and Dollar Revenue, an adware company based in The Netherlands that paid affiliates to place their software on vulnerable computers.

Bentley was apparently profiting from infecting computers by taking part in an adware affiliation scheme.


"Dollar Revenue offers high payouts per install and converts internet traffic from any country into real income. There is no better way to convert your traffic into money!"

What is an adware affiliate scheme?

Affiliate adware companies pay a small amount of money every time their adware program is installed on a computer.

A person signs up as an affiliate and is sent a unique piece of adware tied to their membership reference.

Adware programs often include an invitation to download and install a free program which is attractive to the end-user.

Every time an adware program is installed on a computer, the membership reference is transmitted to the adware company and the affiliate is paid an amount, ranging between US $0.30 and US $0.01, that depends on the location of the computer.

Dollar Revenue payout rates per computer in different countries

This relatively small amount of money accumulates as more copies of the unique affiliate adware program are installed.

For example, if each computer within a 1000-strong botnet is directed to install the affiliate adware, the botmaster will receive 1000 installation fees, the value of each depending on the geographical location of the infected computer.

So, if all of the infected computers were in Canada, for instance, the botmaster would receive US $200.

This type of affiliation activity was seen as one of the first models of monetising botnets.

In 2007, Dutch Telecommunications Regulator OPTA fined Dollar Revenue one million Euros following the installation of adware on 22 million computers.

The conscientious efforts of “Chris”, the IT guy at the victim company, who had by this time made a formal allegation of crime, had not only preserved the evidence by keeping a copy of the IRCBot but had also assisted in identifying the scope of the damage caused by the malware.

As the witness had archives of his anti-virus software’s logs it was possible to analyse them and determine the spread of the malware as it propagated across the company network. This information was crucial in determining the impact and range of the malicious activity.
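The kind of analysis described above can be sketched as follows. This is an added example, not code from the original article or from the investigation: the CSV log layout, hostnames, sites and timestamps are constructed assumptions, and only the detection name W32/Vanebot-R comes from the article.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of an anti-virus detection log export (hypothetical CSV
# layout: timestamp, host, site, detection name, file path). Not case data.
SAMPLE_LOG = """\
2006-11-06T09:02:11,WS-DE-014,Munich,W32/Vanebot-R,C:\\WINDOWS\\system32\\a.exe
2006-11-06T09:02:40,WS-DE-014,Munich,W32/Vanebot-R,C:\\WINDOWS\\system32\\a.exe
2006-11-06T09:05:03,FS-DE-001,Munich,W32/Vanebot-R,D:\\shares\\public\\a.exe
2006-11-06T09:17:55,WS-FR-102,Lyon,W32/Vanebot-R,C:\\WINDOWS\\system32\\a.exe
2006-11-06T09:18:20,WS-FR-102,Lyon,Troj/Other-A,C:\\temp\\b.exe
2006-11-06T10:01:09,WS-UK-007,Leeds,W32/Vanebot-R,C:\\WINDOWS\\system32\\a.exe
"""

def first_detections(log_text, detection="W32/Vanebot-R"):
    """Return {host: (first_seen, site)} for one detection name."""
    first = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5 or row[3] != detection:
            continue  # skip malformed rows and unrelated detections
        seen, host, site = datetime.fromisoformat(row[0]), row[1], row[2]
        # Repeat detections on one host are common; keep only the earliest.
        if host not in first or seen < first[host][0]:
            first[host] = (seen, site)
    return first

def spread_timeline(first):
    """Hosts ordered by first detection, i.e. the observed order of spread."""
    return sorted((seen, host, site) for host, (seen, site) in first.items())

def hosts_per_site(first):
    """Number of distinct affected hosts at each site (scope of damage)."""
    return Counter(site for _seen, site in first.values())

def new_hosts_per_hour(first):
    """Newly affected hosts per clock hour (rate of propagation)."""
    return Counter(seen.replace(minute=0, second=0)
                   for seen, _site in first.values())

if __name__ == "__main__":
    first = first_detections(SAMPLE_LOG)
    for seen, host, site in spread_timeline(first):
        print(seen.isoformat(), host, site)
    print(dict(hosts_per_site(first)))
    print({h.isoformat(): n for h, n in new_hosts_per_hour(first).items()})
```

Working from copies of the archived logs, with the originals kept unmodified, preserves their value as evidence.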

The conclusion of the joint Metropolitan Police Computer Crime Unit and United States Secret Service investigation was:

  • Robert Bentley had registered the domain, which was configured with an IRC server and had controlled a botnet.
  • Infected computers connecting to the IRC server at were covertly directed to install adware originating from Dollar Revenue, coded with Bentley’s membership reference.
  • Bentley had profited from illicit payments from Dollar Revenue.


On 6th March 2008, Robert Matthew Bentley pleaded guilty to conspiracy to commit computer fraud and computer fraud, contrary to Title 18 United States Code, Section 1030 and was sentenced to 41 months imprisonment, and told to pay fines amounting to US $65,000.

Assistant US Attorney Thomas P Swaim stated at sentencing that the co-ordinated efforts of American and European law enforcement led to the successful result.


This account is a prime example of how the IT industry, security vendors and law enforcement agencies can collaborate, share information and work together to bring offenders to justice.

Never underestimate the importance of reporting a computer crime to the authorities – even if you suspect that the perpetrator may be based far overseas. Your report could make all the difference.


Naked Security gratefully acknowledges the assistance from Thomas P Swain of the Northern District of Florida United States Attorney’s Office and the United States Secret Service with this article.

Police officer and IT guy with pocket protector images from Shutterstock.