Spanish hacker sentenced to two years in jail for DDoS attack

Sophos Press Release

Attack affected three million Spanish internet users

Garrido exploited zombie computers to launch a denial of service attack. Image copyright (c) Sophos
Garrido exploited zombie computers to launch a denial of service attack.

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have welcomed the news that a hacker who stopped over a third of Spanish computer users from using the internet has been sentenced to two years in jail.

26-year-old Santiago Garrido used a computer worm to launch distributed denial-of-service (DDoS) attacks after he was expelled from the popular "Hispano" IRC chat room for not following rules. The attacks disrupted an estimated three million users of the Wanadoo, ONO, Lleida Net and other internet service providers, amounting to a third of all of Spain's internet users at the time of the offence in 2003.

Garrido, who went by the aliases "Ronnie" and "Mike25", was sentenced at a court in La Coruña and also faces a bill of 1.3 million Euros in damages (474,500 Euros to Lleida Net, 570,716 Euros to Wanadoo, 120,000 Euros to ONO, and 218,000 Euros to IRC-Hispanic).

"Many times hackers use DDoS techniques to try and blackmail the website being attacked. On this occasion, it seems the hacker was so furious about being thrown out of a chat room that he resorted to a criminal act to wreak his revenge, and affected millions of internet users," said Graham Cluley, senior technology consultant for Sophos. "Hackers engaged in these kind of activities are guilty of a serious crime, and should be punished accordingly. The Spanish Civil Guard should be congratulated for seeing this case through to its conclusion."

Zombie computers - are your PCs under someone else's control?

Zombie computers can be used by criminal hackers to launch distributed denial-of-service attacks, spread spam messages or to steal confidential information. SophosLabs estimates that more than 60 percent of all spam today originates from zombie computers. In May 2005, the Sober-Q Trojan horse and Sober-N worm worked in tandem to infect and hijack computers around the world, programming them to spew out German nationalistic spam during an election.

As spammers become more aggressive, collaborating with virus writers to create armies of zombie computers, legitimate organizations with hijacked computers are being identified as a source of spam. This not only harms the organization's reputation, but can also cause the company's email to be blocked by others.

Sophos ZombieAlert™ advises service subscribers when any computer on their network is found to have sent spam to Sophos's extensive global network of spam traps, and provides rapid notification to customers if their Internet Protocol (IP) addresses are listed in public Domain Name Server Block Lists (DNSBL). This information helps customers locate, disinfect, and protect these systems from future attacks.

Sophos continues to recommend that computer users ensure their anti-virus software is up-to-date, and that companies protect themselves with a consolidated solution which can defend them from the threats of both spam and viruses.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at