20-year-old zombie king pleads guilty - faces 4-6 year jail sentence

Sophos Press Release

Jeanson James Ancheta profited from his attacks, making more than $61,000

Ancheta exploited zombie computers to send spam and plant unwanted software. Image copyright (c) Sophos
Ancheta exploited zombie computers to send spam and plant unwanted software.

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis center, have welcomed the news that a 20-year-old man has pleaded guilty to seizing control of hundreds of thousands of zombie computers, using them to display cash-generating adverts, and renting them out to hackers to send spam campaigns and launch denial of service attacks.

Jeanson James Ancheta, from the Los Angeles suburb of Downey, profited by installing adware on a network of innocent third-party compromised computers. According to prosecutors, some of the computers attacked were at the Weapons Division of the US Naval Air Warfare Center in China Lake, California and at the US Department of Defense.

Ancheta made over $61,000 from installing adware on the zombie computers, using the profits to pay for computer servers to carry out additional attacks, new clothes, and a luxury BMW car. As a side business Ancheta also sold access to the zombie network to spammers, who used the third party computers to launch spam campaigns and distributed denial of service (DDoS) attacks.

"There are a number of ways in which zombie botnets can generate healthy profits for hackers: they can install advertising pop-ups which generate income through affiliate schemes, rent out the network for hackers who wish to blackmail websites with DDoS attacks, or use them to steal information or pump out spam campaigns," said Graham Cluley, senior technology consultant for Sophos. "Hackers engaged in these kind of activities are guilty of a serious crime, and should be punished accordingly."

Ancheta is likely to face up to 6 years in prison for his crimes, and will forfeit the profits he made from his life of crime, including his luxury car. Sentencing is expected in May 2006.

Zombie computers - are your PCs under someone else's control?

Zombie computers can be used by criminal hackers to launch distributed denial-of-service attacks, spread spam messages or to steal confidential information. SophosLabs estimates that more than 60 percent of all spam today originates from zombie computers. In May 2005, the Sober-Q Trojan horse and Sober-N worm worked in tandem to infect and hijack computers around the world, programming them to spew out German nationalistic spam during an election.

As spammers become more aggressive, collaborating with virus writers to create armies of zombie computers, legitimate organizations with hijacked computers are being identified as a source of spam. This not only harms the organization's reputation, but can also cause the company's email to be blocked by others.

Sophos ZombieAlert™ advises service subscribers when any computer on their network is found to have sent spam to Sophos's extensive global network of spam traps, and provides rapid notification to customers if their Internet Protocol (IP) addresses are listed in public Domain Name Server Block Lists (DNSBL). This information helps customers locate, disinfect, and protect these systems from future attacks.

Sophos continues to recommend that computer users ensure their anti-virus software is up-to-date, and that companies protect themselves with a consolidated solution which can defend them from the threats of both spam and viruses.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at www.sophos.com/company.