FBI arrests 20-year-old suspected zombie king, reports Sophos

November 04, 2005 Sophos Press Release

Zombie computers under the remote control of a hacker can send spam or plant unwanted software. Image copyright (c) Sophos

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have welcomed the news that the FBI has arrested a 20-year-old man suspected of running a zombie network.

US Attorney spokesman Thom Mrozek said the prosecution was unusual because Jeanson James Ancheta, who lives in the Los Angeles suburb of Downey, was accused of profiting from his attacks by installing adware on a network of innocent third-party compromised computers. According to prosecutors, some of the computers attacked were at the Weapons Division of the US Naval Air Warfare Center in China Lake, California and at the US Department of Defense.

Ancheta is said to have made nearly $60,000 from installing adware on the zombie computers, using the profits to pay for computer servers to carry out additional attacks and a luxury BMW car. As a side business, Ancheta is also alleged to have sold access to the zombie network to spammers, who used the third-party computers to launch spam campaigns.

Ancheta was arrested after being lured to the FBI's offices in Los Angeles to pick up computer equipment seized in an earlier raid. He has been charged with conspiracy, attempted transmission of code to a protected computer, transmission of code to a government computer, accessing a protected computer to commit fraud and money laundering. If convicted of all counts, Ancheta could face a maximum term of 50 years in prison.

"Zombie botnets are a growing security problem as they pump out spam campaigns, steal information, or launch attacks against corporate networks," said Graham Cluley, senior technology consultant for Sophos. "In this case it appears they were being primarily used for displaying unwanted pop-up advertisements, filling the pockets of the hacker with cash."

Zombie computers - are your PCs under someone else's control?

Zombie computers can be used by criminal hackers to launch distributed denial-of-service attacks, spread spam messages or steal confidential information. SophosLabs estimates that more than 60 percent of all spam today originates from zombie computers. In May, the Sober-Q Trojan horse and Sober-N worm worked in tandem to infect and hijack computers around the world, programming them to spew out German nationalistic spam during an election.

As spammers become more aggressive, collaborating with virus writers to create armies of zombie computers, legitimate organizations with hijacked computers are being identified as a source of spam. This not only harms the organization's reputation, but can also cause the company's email to be blocked by others.

Sophos ZombieAlert™ advises service subscribers when any computer on their network is found to have sent spam to Sophos's extensive global network of spam traps, and provides rapid notification to customers if their Internet Protocol (IP) addresses are listed in public Domain Name Server Block Lists (DNSBL). This information helps customers locate, disinfect, and protect these systems from future attacks.
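The DNSBL check described above is simple enough to reproduce for your own address space. The following is an added example, not Sophos code and not part of ZombieAlert: it builds the reversed-octet query name a DNSBL expects, treats only answers inside 127.0.0.0/8 as listings (anything else is assumed to be a misconfigured or abandoned list), and takes an injectable resolver so it can run offline against constructed data. The zone names and the answer table are placeholders; real lists publish their own zones and return-code meanings.

```python
"""Check whether IPv4 addresses appear on DNS-based block lists (DNSBLs).

Added example, not Sophos or ZombieAlert code. A DNSBL is queried by looking
up an A record for the address's octets in reverse order under the list's
zone. An answer in 127.0.0.0/8 means "listed" (the last octet usually encodes
a reason); NXDOMAIN means "not listed".
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Hypothetical zone names used as placeholders for real DNSBL zones.
DNSBL_ZONES = ["example-dnsbl.invalid", "spam-traps.example.invalid"]
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: octets reversed, then the DNSBL zone appended.
    Raises ValueError for anything that is not a valid IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the OS resolver; None stands for NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str,
             zones: List[str] = DNSBL_ZONES,
             resolve: Callable[[str], Optional[str]] = system_resolver
             ) -> Dict[str, Optional[str]]:
    """Return {zone: answer} where answer is the 127.x return code or None.

    Only answers inside 127.0.0.0/8 count as a listing. A list that has been
    shut down and wildcarded, or whose zone was taken over, can answer with
    arbitrary addresses; those are ignored rather than flagged.
    """
    results: Dict[str, Optional[str]] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        listed = False
        if answer is not None:
            try:
                listed = ipaddress.IPv4Address(answer) in LISTED_RANGE
            except ValueError:
                listed = False  # non-IP garbage from a broken resolver
        results[zone] = answer if listed else None
    return results


def listed_zones(ip: str,
                 zones: List[str] = DNSBL_ZONES,
                 resolve: Callable[[str], Optional[str]] = system_resolver
                 ) -> List[str]:
    """Zones on which the address is currently listed, in query order."""
    return [z for z, a in check_ip(ip, zones, resolve).items() if a is not None]


# Constructed DNS answers standing in for live DNSBL data (TEST-NET-1 addresses).
FAKE_DNS = {
    "10.2.0.192.example-dnsbl.invalid": "127.0.0.2",
    "10.2.0.192.spam-traps.example.invalid": "127.0.0.4",
    "20.2.0.192.example-dnsbl.invalid": "127.0.0.2",
    # A non-127 answer: the kind of reply a wildcarded, dead list produces.
    "30.2.0.192.spam-traps.example.invalid": "203.0.113.5",
}


def fake_resolver(name: str) -> Optional[str]:
    """Offline stand-in for system_resolver, backed by FAKE_DNS."""
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for host in ["192.0.2.10", "192.0.2.20", "192.0.2.30"]:
        hits = listed_zones(host, resolve=fake_resolver)
        status = ", ".join(hits) if hits else "not listed"
        print(f"{host}: {status}")
```

In production, pass a resolver backed by your own DNS infrastructure and run the sweep over your public address ranges on a schedule; a newly listed address is the signal to look for an internal machine sending mail it should not be sending.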

Sophos continues to recommend that computer users ensure their anti-virus software is up to date, and that companies protect themselves with a consolidated solution which can defend them from the threats of both spam and viruses.