back to article Botmaster owns up to 250,000 zombie PCs

An American computer security consultant on Friday admitted using massive botnets to illegally install software on at least 250,000 machines and steal online banking identities of Windows users by evesdropping on them while they made financial transactions. John Kenneth Schiefer, 26, of Los Angeles, pleaded guilty to four …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Pirate

    Just five minutes

    me him and a wooden baseball bat. This "guy" needs his knees

    broke I would do it for free no need for expensive jail time.

  2. Anonymous Coward
    Stop

    Technical Correction

    Go for lower the spine. Get it right and he's not only crippled for life, he's also incontinent

  3. Derek Hellam
    Thumb Up

    Why stop there?

    Wy not include the Microsoft programmers and managers too?

  4. Anonymous Coward
    Anonymous Coward

    I'm not disputing

    that this guy should spend a laughably long time in a Federal pound-me-in-the-ass prison. But it is about time that the banks and the nightmare that is paypal got serious about security. Two-factor authentication, anybody?

  5. Will Godfrey Silver badge
    Happy

    @Derek

    They are already incontinent!

  6. Gerry
    Gates Halo

    Remind Me Again...

    ..why anyone complains about Free Software?

    Possibly, just possibly, some things it does are not as slick.

    Possibly, just possibly, it's a bit more difficult to install, upgrade, whatever.

    I know this post is a catalyst for all the "just wait until Linux gets popular" responses, but seriously, when we've finished complaining about not being able to play the latest games on it, lives are getting ruined by all this other stuff.

  7. Stone Fox

    Remind me again....

    What the point of that comment is? I'm guessing pretty much everyone reading this is sufficiently tech savvy NOT to be the victim of stuff like this? and Not "get their life ruined by this stuff"?

    And when you say "a BIT more difficult, you mean... "a complete arse!"

  8. Anonymous Coward
    Pirate

    Stored Passwords

    The whole scheme worked because the victims stored their passwords on their computer rather than in their heads. Regardless of the storage scheme, stored passwords are a security vulnerability to any software running on the storage computer.

    Once again, the scheme is a low-pass filter and only nailed the stupid.

  9. Anonymous Coward
    Joke

    Yes, Gerry...

    ...I am sure that if every idiot and grandparent in the united states was running Linux there would be far fewer security problems.

  10. Herb Oxley

    Linux isn't idiot proof

    To make Linux an idiot-resistant platform, users can't be allowed to install or run ANY untrusted executable code.

    The model I have in mind is where the ISP service is bundled with an appliance which is leased as part of the service and not to be opened or base software modified by anyone except the ISP's authorized service agents.

    The device wouldn't execute any code which hadn't been signed by the ISP; thus any add-on software would have to come from the ISP or be authorized by it.

    It's too bad the "New Internet Computer" wasn't able to gain any traction in the marketplace; a device like that with Puppy Linux stored on a write-protected Flash Memory card (instead of a CD-ROM) would be ideal.

    A strict security model would make it tough for "mobile code";

    the only way mobile code can be trusted is it is limited to display APIs and a sandbox which is cleared on one of applet exit, end of user session or system restart (if session has a non-graceful ending).

  11. John Stag
    Black Helicopters

    Yes, David....

    "I am sure that if every idiot and grandparent in the united states was running Linux there would be far fewer security problems."

    Maybe not, but at least the bad guys would have to do some real work to do their thing. With Windows you just write an ActiveX control which promises free viagara and wait for them to click "yes!".

  12. Ben DAMET
    Stop

    @David Wiernicki

    You have a point there. Much more so than if all the half computer saavy users were using linux ...

    However, this is quite OT. Please avoid using this kind of treads as linux advertisment.

    It is in this case more of a application problem, storing passwords in order to replay them back in clear form without some form of secure cryptographic protocol is security wise as storing them clear. This is not an acceptable action for any software, but users want the feature.

    Linux / bsd / Z os would be no solution to that problem.

  13. Anonymous Coward
    Anonymous Coward

    Not good enough

    "He faces a maximum sentence of 60 years in federal prison and a fine of $1.75m"

    Make that 60 years and $1.75m for EACH pc in the botnet and I'll start believing its adequate.

    If 60 years and $1.75m really is the maximum, then lets be absolutely certain that it turns out to be not a day or a cent less.

  14. David Wilkinson

    Quit blamming the victim.

    I repair computers after human trash like this infects their machines. Many of these people are highly intelligent and very successful in their chosen careers.

    The sad fact is you have to be a serious computer geek (or have one advising you) to keep a Windows computer safe.

    As far as never storing passwords. I store mine encrypted within firefox. With the master password needed a program can't just steal them, but then there are keyloggers. Also ever run a password intercepting program on your computer?. Its amazing how many programs send your password out via plaintext even when the rest of the communication is using secure encryption. IF THEY CONTROL YOUR SYSTEM - THEY CAN GET YOUR PASSWORDS.

    As far a boot CDs, they will never be popular. The web is constantly evolving, which is why we need a constantly evolving platform to surf it. Now maybe a web browser which actually ran in a virtual machine might work.

    A remotely managed virtual appliance with pushed upgrades, whitelists for optional installs, manditory antivirus and antispyware scans before downloads can leave the sandbox .....

    Let some linux geeks build that. Can't trust big business. It would be AOL, Norton AV.. - spyware would be defined by who gets a cut like at most of the download sites.

  15. Rune Moberg
    Unhappy

    Restitution?

    "In agreeing to plead guilty, Schiefer pledged to pay restitution of $19,128.35, the full amount he made in affiliate fees."

    Pay to whom? The adware company? Shouldn't the victims of the adware receive this money? If anything, the adware company should be put on trial as well.

  16. Lyndon Barry
    Unhappy

    Let's be honest

    If Linux, rather than Windows, was the dominant brand, would the hackers/crackers and virus writers not bother trying to break that OS instead?

    Yes, Windows is full of holes, but it's A) Available easily B)Is the preferred OS for business use and finally, Microsoft for all their faults, have made themselves the big name in the industry by pushing out a consistent product.

    The problem with Linux becoming dominant is that there are two many flavours and too many people arguiing about which one is better.

    Linux will not get into the dominant place because it's too fractured and the average punter just doesn't understand it. To my father, for example, Windows have a clean graphical interface, he's used it for years and it does what he needs it to. Why should he change? How would convince a 70 year old that Linux is better, but it's more daunting to setup.

    If Linux producers were able to change their tactics, then Linux would be the hot target for people to exploit. The same holds true for Macs. Just because a thing hasn't been done, doesn't mean it can't be done.

  17. Joe

    My 2p worth

    Lyndon Barry is right - all OSes will have holes, I'm just glad that the Mac is still a minor player (relative to Windows) and that the hackers have little financial incentive to target me as a result. Nobody else buy a Mac, I prefer it this way! :p

    Also, I've never understood the logic of having your computer save the password... Surely it defeats the whole point of having a password? Shouldn't it be kept in your head?

  18. Anonymous Coward
    Anonymous Coward

    @Lyndon Barry

    > Just because a thing hasn't been done, doesn't mean it can't be done.

    Correct, it doesn't *necessarily* follow... but in this case, it is correct - there are no Linux viruses. Worms, yes: vulnerabilities, yes: Trojans, yes: viruses, no...

    ... I see that no-one has yet claimed the thousands of pounds on offer from Eddie Bleasedale at Netproject for anyone who can successfully infect one of their properly-configured Linux machines with a virus.

    And please remember that the "anti-virus" products advertised for Linux (ClamAV, etc.) are for removing *Windows* viruses from e-mail going through a Linux server running as an MTA... :-)

  19. Rich

    18th century assholes

    The first two anonymous cowards should get 10 years each for GBH, doubled to 20 for the aggravating factor of vigilantism. We stopped beating people for their crimes in the 19th century.

    All he did was steal money from banks - he didn't hurt anyone physically. You guys are on a par with the judges who hung people for sheep stealing.

    Why people like this share what they do with others escape me. If he'd worked alone from internet cafes and stolen mobiles he'd still be going.

  20. Anonymous Coward
    Anonymous Coward

    "Up to" 250,000 bot's?

    Is that news-speak for "a much smaller and less exciting number, but he can't prove it was only 7, so we are gonna get our jollies by sending him to jail"?

  21. Rich

    Linux viruses

    Are these machines set up with the ability to access email attachments and send emails under application control? And installed and used by end-users with no training or education in CS?

    If so, then I reckon I could bust one. A shell script with convincing instructions (save as runme, chmod u+x runme, ./runme) would about do it.

    But I bet the assumption is a locked down box and an IT geeks at the keyboard.

  22. Anonymous Coward
    Jobs Horns

    @David Wilkinson

    The firefox master password is NOT safe. If somebody gets into your machine they can retrieve both the password file (signons.txt) and the master password file (key3.db). Tools such as firemaster are freely available for them to then crack these passwords at their leisure. A program does not need to steal your passwords directly, it just needs to email these files to whoever infected you. It doesn't matter what OS you run, storing passwords locally is never a good idea, it's just more convenient.

  23. Joe Stalin
    Pirate

    User Security

    I had an interview to work with a compay that installed wireless networks in small companies. The guy doing the interviewing told me of their greatest security trick:- Don't give the end user the password! That way they couldn't mess with the setup and expose themselves to any threats. My own theory is along the same lines, give the user just enough to do the job and no more. If they complain that they can't surf ebay or download torrents then tough, they are here to work.

  24. Anonymous Coward
    Anonymous Coward

    Passwords

    According to the password nazis, we should all have different passwords for every application/site, each one a mix of alpha numeric characters and symbols, each one changed on a regular basis and none of them written down anywhere.

    How the bleeding hell are we supposed to remember all these unique passwords without having them recorded somewhere? Off the top of my head, I can think of more than 20 sites/applications that I use regularly that need passwords, and I can't remember them all when I don't change them once a month &c. God help anyone who does follow the "rules".

    Best practice it may be, but I want to be able to use the internet and software I've paid for, not spend half my life locked out while I try to remember a string of gibberish that's designed to be difficult to guess.

  25. John
    Stop

    Lyndon Barry?

    Unlike with Windows, reporting problems with Linux software in particular and open source software in general is easy. Anyone can do it, even if they've not paid any money for the right to use the software.

    Distribution makers take security problems very seriously indeed, and it's not unknown for one to be fixed in under 24 hours.

    May writers write programs as a hobby, and they take pride in getting it right. A security problem is clearly wrong.

    The onus is, of course, on users to keep their software up to date, and to practice safe internetting, but those requirements apply equally to all.

  26. Master Baker

    Solaris Containers and Zones

    Solaris (10) Containers can be used to isolate your web-process (like a VM) so that even if you do screw that particular zone/container, then your OS is unharmed.

    If you run a website you can also use containers to seperate your webserver from your pages/data - giving the webserver RO access only.

    Solaris 10 rocks!

  27. Tom
    Paris Hilton

    Re: Solaris Containers

    Sounds remarkably (exactly) like FreeBSD jails, which have existed since FreeBSD 4.0 (March 2000).

  28. john frey
    Gates Horns

    @ Rich

    "But I bet the assumption is a locked down box and an IT geeks at the keyboard."

    Your ignoring the fact that windows is always compromised very quickly under the same conditions. Yes, there have been proof-of-concept viruses for Linux, so it can be done, but they have never survived in the wild. So you think it's so easy go ahead and do it. Smarter people than you (or me) have assuredly tried it and failed.

  29. Robert Harper

    250,000 zombie PCs

    ByGerry

    not being able to play the latest games on it, lives are getting ruined by all this other stuff.

    Huh?

    To avoid ruining your life ... Develop whatever is necessary for Linux to play

    the games necessary for you to have an unruined life and contribute that knowledge to prevent others from living in agony or possibly dying from not being able to play a game.

    ===========================================================

    ByAnonCoward

    The whole scheme worked because the victims stored their passwords

    on their computer rather than in their heads.

    Huh?

    how many securely long, securely random pw's can you store in your head?

    that cannot be read as they are transmitted unencrypted by many sites and ISP's? I do not store passwords on any computer but I store them elsewhere where I can change them frequently and still remember them.

    You might encrypt (non-software) them with a simple easy to remember key. If whatever storage method you used to store them is lost or stolen you replace them from your backup and they are meaningless to their new "owner".

    ===========================================================

    HerbOxley

    To make Linux an idiot-resistant platform, users can't be allowed to install or run

    ANY untrusted executable code.

    The model I have in mind is where the ISP ...

    Yes, is not the idiot-resistantness of auto-completion and/or other features that is included in both M$ Office and in Sun's PPO that still operates after I disable it if I can find an option or preference to do so?

    The stored password being used because a person cannot remember many secure length random passwords ?

    ===========================================================

    BenDamet

    but users want the feature.

    Yes, the major problem in today's world. Goes hand-in-hand with westernisation.

    It is not a USA problem, it is the whole civilised world, as we call ourselves civilised.

    A pill to call me down, to excite me, to make me eat, to make me not eat,

    to wake me up, to put me to sleep, et cetera, If life is not easy it is not worth living.

    Many gamers make a game of beating the game, it makes life interesting.

    But it requires w o r k of some nature. Effort and a little frustration now and again, oops, cancel the thought. Effort, frustration or anything similar is forbidden.

    To store passwords off computer reasonably and keep them safe requires a little of that forbidden effort.

    ===========================================================

    DavidWilkinson

    Quit blaming the victim.

    Huh?

    It is 2007 C.E.

    If a burglar breaks into your ______ it is your fault for not having a(n) _______ that cannot be broken into. Leave the lights on in your dwelling and remove all ottomans, coffee tables, etc., so the burglar will not hurt themself while robbing you or you lose again when you or your insurance pays damages. BUT lock up securely even if you are at home - otherwise you have invited the burglar to walk in and take whatever - no crime being commited because of your invitation.

    (Anno Domini, A.D., is no longer acceptable usage)

    It IS the year 2007 C.E.

    ===========================================================

    RuneMoberg

    If anything, the adware company should be put on trial as well.

    The article states:

    <Schiefer took pains to conceal the scheme from people at Simpel.>

    The article stated he stole from them, advising his associates to <throttle> the numbers down to keep from attracting suspicion.

    Not fair unless you put ALL of the victims on trial, ROTFL.

    Forensically, that is victim talk, were you ?

    ===========================================================

    Fair Hill, Maryland

    A sensitive word, or so an accidental bleed through stated that came along with a transmission I had sent to myself one time. Quite a lengthy dialogue that contained some very interesting data. I just throw that in on occasion whenever I think my friends might be interested in a subject.

    Obviously their tracking warez pick up that phrase and other phrases as well.

    What's so sensitive about it?

    ===========================================================

    LyndonBarry

    If Linux producers were able to change their tactics, then Linux would be the hot target for people to exploit. The same holds true for Macs. Just because a thing hasn't been done, doesn't mean it can't be done.

    True.

    ===========================================================

    ByRich

    We stopped beating people for their crimes in the 19th century.

    Huh?

    Ah, yes, the media videos lie to us, genuine media coverage and/or honest home video that state otherwise. Many such (alleged criminals) just happened to be driving a truck in the place at the wrong time, private citizens, utility service personnel, police officers (as victims), firefighters, paramedics, and a few actual criminal type persons who may have commited a crime, LOL.

    (I do not mean the faked chevy pickup explosion or the rigged R. King accidental bystander at a remote location in front of the subject's house in the middle of the night with a video camera quite by coincidence videos).

    ===========================================================

    JoeStalin

    they are here to work.

    Huh? mySpace blocked by corporate computer firewall. fifth attempt to logon to myspace succeeded. myspacebots broke through the firewall. the employee who swore it was not them using the computer for personal use who had told several customers not to bother them when a customer interrupted them in the middle of something to whom I pointed out - cookies stored in so-called temporary internet files (plus ones stored in the cookie folder) bearing such info as the date, time, website and the EMPLOYEE'S name - to them.

    The employee's response was an extreme effort to get me fired - not possible because I do not work for the employee's company. All employees are advised that monitoring software is in use AND - DO NOT USE - the company computer for personal internet experiences.

    ===========================================================

    AnonCow

    Is that news-speak for "a much smaller and less exciting number, but he can't prove it was only 7, so we are gonna get our jollies by sending him to jail"?

    Huh?

    News-speak?, Newspeak?, neither !

    PLAIN ENGLISH

    Title

    <Comments on ‘Botmaster owns up to 250,000 zombie PCs’>

    article stated up to 250,000 at one time, meaning millions overall,

    quoting the defendant.

    You READ AS:

    <Comments on ‘Botmaster owns up to 250,000 zombie PCs’>

    Correctly READ AS:

    <Comments on ‘Botmaster owns up to 250,000 zombie PCs’>

    [at one time]

    The title did not imply what you inferred.

    Step 01) Read the article

    Step 02) Think about the article

    Step 03) Write a response

    Step 04) Read your response

    Step 05) Think again

    Step 06) Reread the article

    Step 07) Think again

    Step 08) Check your response

    Step 09) Revise your response if necessary

    Step 10) Think again

    Step 11) Revise your response if necessary

    Step 12) Post your response

    HTH

  30. Sir Runcible Spoon
    Flame

    @Robert Harper

    Wow, you really told them! That's the best case of making yourself look like a knob I've seen in some time :)

This topic is closed for new posts.