Security Pro Admits to Hijacking PCs for Profit
A Los Angeles security professional has admitted to infecting more than a quarter million computers with malicious software and installing spyware that was used to steal personal data and serve victims with online advertisements.
John Kenneth Schiefer, 26, variously known online as "acid" and "acidstorm," agreed to plead guilty to at least four felony charges of fraud and wiretapping, charges punishable by $1.75 million in fines and nearly 60 years in prison.
Investigators say Schiefer and two minors -- identified in the complaint only by their online screen names "pr1me" and "dynamic" -- broke into about 250,000 PCs. On at least 137,000 of those infected systems, Schiefer and his cohorts installed programs that allowed them to control the machines remotely. The malicious "bot" programs also allowed the attackers to steal any user names and passwords that victims had saved in Internet Explorer.
Schiefer is thought to be the first in the United States to be accused of violating federal wiretapping laws by operating a "botnet" -- the term for a large grouping of hacked, remotely controlled computers -- according to Mark Krause, an assistant U.S. attorney in Los Angeles.
In an exclusive interview with Security Fix, Schiefer said he's been experimenting with computers and writing software in one form or another since 1991, when he first discovered Internet relay chat (IRC) forums, a vast sea of text-based communications networks that predates instant-messaging software. There are tens of thousands of IRC channels all over the world catering to almost every imaginable audience or interest, including quite a few frequented exclusively by hackers, virus writers and loose-knit criminal groups. IRC channels have traditionally been among the most popular means of controlling botnets.
For the past several years, Schiefer has acted as an administrator for "#bottalk" and "#rizon," two of the more active hacker chat rooms on IRC, where the discussion ranges from pop culture to methods for improving the latest bot programs and identifying which Web sites most recently got hacked.
Schiefer said he and his friends spread the bot programs mainly over AOL Instant Messenger (AIM). By using malicious "spreader" programs such as Niteaim and AIM Exploiter, Schiefer and his co-conspirators spammed out messages inviting recipients to click on a link. Anyone who took the bait had a "Trojan horse" program downloaded to their machine, an invader that then tried to fetch the malicious bot program.
Schiefer admits he and his friends used several hijacked PayPal accounts to purchase Web hosting that helped facilitate the spreading of their bot programs.
Schiefer's employer -- Los Angeles-based Internet telephony provider 3G Communications -- let him go in March 2006 after he filed a series of disability claims. His job at the time was to help secure communications networks for businesses.
Schiefer claims that he stopped all of the malicious activity in early January 2006.
"Ever since then, I've been more trying to create a positive thing and trying to prevent crap like this happening," he said. "I kind of saw the error of my ways and decided I'd had enough."
Later that month, federal agents raided his home, seizing computer equipment and other evidence.
Schiefer also said he had installed adware on machines he and his friends controlled, making a 20 cent commission each time they installed a piece of software from TopConverting, a now defunct adware company formerly owned by Simpel Internet, a marketing company based in the Netherlands.
Schiefer acknowledged that in mid-2005, he made more than $19,000 in commissions from TopConverting by installing its adware on hijacked computers. The government claims he made the money installing adware over a period of a month in June 2005. Schiefer said he earned that sum in less than one week's time.
Schiefer admitted that he spent most of that week's earnings the following month entertaining himself and friends at DefCon, a massive hacker and security research conference held annually in Las Vegas.
Interestingly, I featured TopConverting in a February 2006 story I wrote for The Washington Post Magazine, which chronicled the exploits of "0x80," a hacker who -- like Schiefer -- made thousands of dollars a month installing adware on machines he had seeded with bot programs.
From that story: "Majy says TopConverting, which did not respond to requests for comment for this article, paid him an average of $2,400 every two weeks for installing its programs. He got 20 cents per install for computers in the United States and five cents per install for PCs in 16 other countries, including France, Germany and the United Kingdom. A nickel per install doesn't sound like much, unless you control a botnet of tens of thousands of computers."
According to an FBI informant who asked not to be named, Schiefer was a member of Defonic, a hacker group that included the individuals identified in the paragraph above as Zach "Majy" Mann, as well as "0x80". Another member of Defonic -- Cameron "cam0" LaCroix -- earned his reputation after breaking into Paris Hilton's cell phone account and later leading the group in breaching data giant LexisNexis, a stunt in which cam0 and several others pulled sensitive records on more than 310,000 people, including a number of Hollywood celebrities.
Most former members of the Defonic crew are now either in jail or have only recently been released from prison.
Schiefer said he regrets his actions, and hopes that the cooperation he has shown with law enforcement in the case so far will lighten his sentence.
"I don't think anyone should feel sorry for me," Schiefer said. "What I was doing was wrong [and] stupid, and I got caught."