When a shadowy Nigerian national with the nickname Mr. O finagled his way into the vast files of data broker ChoicePoint in 2003, he struck a mother lode of confidential information -- by internal ChoicePoint estimates, records of up to 4.3 million individuals.
By the time ChoicePoint publicly disclosed what was then the largest data-security breach, the FBI and Los Angeles police were investigating, lawmakers demanded hearings, and ChoicePoint vowed to remake itself. Some privacy advocates insisted the incident would underscore the dangers of data theft and ID fraud.
And yet, data breaches got bigger and broader in the intervening years, as Internet-based commerce and social networking inexorably expand. Since ChoicePoint, online scammers have repeatedly victimized corporations and their customers. The most audacious was the theft of records of as many as 94 million credit card transactions from giant retailer TJX, parent of 2,500 TJ Maxx and Marshall's stores.
Amid the wholesale rip-off of consumer data through cybercrime, USA Today reporters Byron Acohido and Jon Swartz began investigating the evolution of hacking from harmful pranks to a $100 billion-per-year criminal enterprise worldwide. Their resulting book, Zero Day Threat, examines the con men and cybercrooks who are exploiting security holes in online banking and shopping services.
What is more, the book asserts the real culprits are the stars of our financial and technology industries, corporations like Wells Fargo and Bank of America and the Big Three credit reporting agencies, Equifax, TransUnion and Experian, as well as tech giants Microsoft, Google and Apple. These corporate stalwarts have leapt headlong into exploiting the Internet for profits, and, in doing so, created fresh criminal opportunities, which, for self-serving reasons, they proactively downplay to the public.
In this excerpt, the authors explain how Mr. O illegally gained access to personal data stored by ChoicePoint, and how he distributed it to a shadowy network of cybercrooks.
- - -
Chapter 6: Predators and Opportunists
Exploiters
October 26, 2004, North Hollywood, California
Traffic was heavy and it was raining hard. Detective Duane Decker waited patiently in his unmarked police sedan, eyes glued on the entrance to the Copymat at 6464 Sunset Boulevard. Decker watched for a man who looked like he might have a Caribbean or West African accent.
The sting was about as simple as any Decker had orchestrated in eighteen years of police work. Assigned to the Identity Theft Detail of the Southern California High Tech Task Force, the veteran Los Angeles County deputy sheriff was trying to help ChoicePoint, the giant data-aggregation company, spring a trap to snare a suspected fraudster. Identifying himself as James Garrett, the suspect had called ChoicePoint to inquire about the status of a new account he was trying to set up that would allow his start-up collections agency, Hollywood-based MBS Financial, to access data dossiers on individuals, presumably deadbeat debtors. Bryce Wyburn, the ChoicePoint representative who took the call, noticed that James Garrett sounded an awful lot like John Galloway, of Beverly Hills–based Gallo Financial Services, who had called earlier with a nearly identical query.
Decker advised Wyburn to ask Garrett to supply a fax number and stand by to receive a document that needed to be filled out to open the MBS Financial account. Wyburn did as advised, and Garrett obliged, giving Wyburn a fax number, which Decker then traced to the Copymat on Sunset Boulevard. All Decker had to do was sit tight and wait for "Mr. Garrett" to show up at the Copymat to pick up his fax.
At 11 a.m., a tall black man with a thin mustache and close-cropped hair entered the Copymat. The man wore a blue jacket as protection against the pelting rain. He walked with a limp. Decker followed him in and stood off to the side. The detective observed the man request, receive, and pay for a fax addressed to James Garrett. He spoke with an accent Decker recognized to be West African. Decker identified himself and asked the man to step into a nearby hallway.
Panic etched the suspect's face. In the hallway he dropped a sheaf of papers: the fax he'd just picked up, plus the original ChoicePoint account applications for MBS Financial, signed by James Garrett, and Gallo Financial, signed by John Galloway. Within minutes, the man divulged his true identity, Olatunji Oluwatusin, forty-three, an expatriate of Nigeria. Oluwatusin claimed he was picking up the fax for a white man named "Bobby." But he couldn't describe Bobby or say where Bobby lived or what Bobby did for a living. Upon patting down the suspect, Decker found Oluwatusin in possession of five cell phones and three credit cards in other people's names.
Using his own cell phone, the detective dialed 818-261-3063—the number Mr. Garrett had used to speak to Wyburn. One of Oluwatusin's five phones began ringing. Decker advised Oluwatusin of his rights. The tall man who walked with a limp began whimpering. "He didn't want to go to jail," Decker says. "He had never been in jail."
Oluwatusin complied with Decker's request to take police to his apartment in a sprawling, upscale complex near the intersection of Magnolia and Lankershim boulevards in North Hollywood. The apartment was tastefully furnished, the living room dominated by a plasma TV, at the time a $5,000-plus luxury item. On the kitchen counter Decker found a printout of a data dossier, freshly downloaded from ChoicePoint, for someone named Anthony Munrue, along with a receipt for storage unit B-245 at a nearby Public Storage facility. Oluwatusin agreed to take police to the storage unit. There Decker found two electricity generators, three laptop PCs, a half dozen television sets, and several printers. The detective noted that the shipping labels were cut off each box, making it impossible to trace them back to where the property was purchased.
This wasn't a first-of-its-kind case for Los Angeles County. In September 2002 Bibiana Benson, thirty-nine, a Nigerian expatriate living in Sherman Oaks, pleaded guilty to unlawful use of identification and was sentenced to fifty-four months in federal prison. Her brother, Adedayo Benson, thirty-eight, of Encino, later pleaded guilty to conspiracy charges and received a sixty-six-month sentence.
Bibiana had obtained sensitive information about people by opening accounts under false pretenses with ChoicePoint, Advantage Financial, and Equifax. With help from Adedayo, she sold identity profiles for $40 to $60 apiece. Such profiles typically consisted of names, Social Security numbers, addresses, phone numbers, dates of birth, and other personal data. The Bensons also used identity profiles to hijack funds from existing bank accounts, and to open new accounts. According to court records, Bibiana Benson controlled identity profiles for 10,000 individuals, which she used to tap into credit and payment systems at twenty-three financial institutions, from which she stole more than $935,000.
Oluwatusin picked up where the Bensons left off. Investigators who pieced together his wide-ranging criminal activities took to calling him Tunji or Mr. O. "He was the CEO of an illegal business," says Detective Sergeant Josh Mankini. Ensconced in his plush North Hollywood apartment, Mr. O ran a lean operation. In the ninety days prior to his capture, he had made and received some 12,000 cell phone calls to a serpentine network of data suppliers and data buyers in Canada, Germany, and Holland and throughout the United States. "When I saw the data on this case, my head nearly exploded," says Decker, shaking his head in disbelief.
To get basic identity information, such as names and billing addresses, Mr. O relied on a specialist who controlled insider thieves working at U.S. Postal Service mail-sorting centers. The postal workers "would grab envelopes with credit cards, which are easy to spot, by the hundreds," says FBI Special Agent Alice Tsujihara, who worked on the case. With names, billing addresses, and credit card numbers thus supplied, Mr. O had everything he needed to set up a matrix of shell collection companies, like MBS Financial. He would then order fuller data dossiers from ChoicePoint. He used copy centers, such as Kinko's and Copymat, as bases of operation, routing e-mail, regular mail, and faxes through such places. Mr. O shuttled among at least fifteen copy centers in the Los Angeles area. He paid for everything with stolen or fraudulently set-up credit card accounts.
Mr. O and the Bensons may be off the street; but law enforcement officials fully expect the data they and others stole from ChoicePoint to continue surfacing in scams indefinitely. Jane Robison, spokeswoman for the Los Angeles County district attorney's office, says of Mr. O: "He was just a small piece of it. We honestly don't know how many are involved in this."
Detective Decker commends credit bureaus and data brokers for erecting ten-foot walls to protect their databases. Trouble is, he says, the crooks have eleven-foot ladders. Scammers, like Mr. O, "are so smart, they could make a lot of money in whatever they do," says Decker. "But they don't want to work a forty-hour week. They'd rather drive around in Escalades with a ton of cash."
Enablers
Predatory Banking Fees
Financial industry lobbyists and banking spokespersons love to herald the benefits of easy credit. But they are far less effusive when it comes to outlining the many ways financial services companies profit from the nation's rising dependence on household debt. Yet the financial industry was recently forced to do just that by the Government Accountability Office. Founded in 1921 as the investigative arm of Congress, the GAO is often referred to as the Watchdog of Congress and the Taxpayers' Best Friend. Called upon to make nonpartisan recommendations "for the benefit of the American people," the agency is tasked with uncovering examples of government profligacy, but also with drawing attention to questionable business practices in the commercial sector.
In a report issued in September 2006, titled Credit Cards—Increased Complexity in Rates and Fees Heightens Need for More Effective Disclosures to Consumers, the GAO unraveled the complex matrix of interest rates and penalty fees that are part and parcel of the built-for-speed credit-issuing and payments system. The report exposed industry practices that baffle all save for the financial companies profiting from the system—and criminals grateful for the chance to test the system for security holes.
It used to be that credit cards were fairly easy to understand. They came with an annual fee, a fixed interest rate, and modest penalties. Today, the annual fee has been replaced with promotional interest rates for opening an account spring-loaded to trigger a dizzying array of higher rates and onerous penalty fees. That single-digit or zero interest rate you get by responding to an introductory offer is full of trip wires. Cash advances and balance transfers not covered by the promotion come at steep rates. Miss a payment by one day or spend slightly over your credit limit, and your base rate can double or triple, along with triggering a penalty fee of up to $30.
Banks refer to maximum credit card interest rates as the "default penalty rate." The GAO found that the default penalty rate for twenty-eight popular credit cards was 27.3 percent in 2005, up from 23.8 percent in 2003. Seven cards charged default penalty rates over 30 percent. The system is skewed toward guiding the consumer into paying a tier of different rates and keeping high-rate balances on the books as long as possible.
The most common way banks do this is by allocating payments to the chunk of outstanding balance generating the lowest interest income. So a payment of $100 sent to pay down a balance of $1,000 in store purchases carried at 13 percent and $1,000 in cash advances at 21 percent goes entirely to pay down the lower-rate portion. Interest of 21 percent continues to accrue against the cash advances until such time as the lower-interest chunk is paid down to zero, which could be months or years.
To trip up card users who routinely pay off all or most of their balances each month, some banks resort to "double-cycle billing." Normally, paying off $990 of a $1,000 bill means the consumer got to use $990 of the bank's funds interest free for a month. But some banks treat the $1,000 charge as if it exists across two thirty-day billing cycles. The card user gets billed for interest on $1,000 for the first cycle—even after sending in the $990 payment—then gets billed interest on $10 for the second cycle.
Using the more conventional single-cycle method (and assuming an interest rate of 13.2 percent), the bank would have been able to bill the card user just eleven cents for a two-month loan of $10. However, a double-cycle billing allows the bank to charge $11.02 at the end of the second cycle. In examining twenty-eight popular cards from the six largest credit card issuers, the GAO found that two of the six resorted to the double-cycle billing method between 2003 and 2005.
Then there are the hidden fees. It would be a simple thing for banks to decline transactions that put a consumer over his or her credit limit, a common occurrence during the Christmas shopping season. Instead, the system is programmed to approve transactions that exceed an individual's credit limit, then assess a penalty and jack up the interest rate as a consequence. Fee trip wires lurk everywhere. A card user hustling to avoid a late payment fee by paying by phone or computer runs into fees for phone and online payments. Cash advances, balance transfers, and overseas transactions trigger fees of 3 percent of the amount disbursed. Stopping a payment, requesting rush delivery of a credit card, and asking for a duplicate of records all trigger fees.
Exactly how much banks profit from such practices is unknowable since banking regulations do not require such detail in public disclosures of banking operations. The GAO estimates that about 70 percent of credit card industry revenues comes from interest charges and that "the portion attributable to penalty rates appears to have been growing."
None of this is clearly delineated to the average consumer. The GAO found that disclosures published by four of the largest credit card issuers were "poorly organized, burying important information in text or scattering information about a single topic in numerous places. The design of the disclosures often made them hard to read, with large amounts of text in small, condensed typefaces and poor, ineffective headings to distinguish important topics from the surrounding text."
The predicament of René Rodríguez of Juana Diaz, Puerto Rico, as reported by USA Today banking reporter Kathy Chu, has become all too common. In August 2006, Rodríguez misplaced his Citibank credit card statement and for the first time in years sent in a late payment. Citibank slammed him with a $39 late fee, eliminated his interest-free grace period, and raised his interest rate to 24 percent. All told, the slipup cost Rodríguez nearly $100.
The policy "is perplexing," Rodríguez told Chu. "It's probably somewhere in the contract, and whether it's fair or not, once the company puts it there, you're stuck."
Citibank spokesman Samuel Wang told Chu that the information about the bank's billing policy "is clearly described in the terms and conditions provided to the card member." The bank "encourage(s) our card members to carefully review all communications that we provide."
Despite Wang's implication that Rodríguez was oblivious, the GAO found that he wasn't alone. In a survey of 112 credit card users, the agency found that "many failed to understand key terms or conditions that could affect their costs, including when they would be charged for late payments or what actions could cause issuers to raise rates."
Expediters
"The money makes it right."
Take an impulsive young male with too much time on his hands and a warped sense of right and wrong. Give him a computer and Internet access. Watch what happens. Socrates gravitated to phishing scams and money laundering. Here's what happened to three other young men of his generation, none of whom had any ties to organized crime. Each simply acted on his own initiative, taking advantage of free technology and free guidance widely available on the Internet.
Jeanson James Ancheta flunked out of Downey High School near San Diego in December 2001. He briefly tried an alternative program, then a private school, before quitting high school altogether, eventually earning a high school equivalency certificate. He took a job as an attendant in an Internet café, and expressed an interest in joining the military reserves.
Instead, in June 2004, Ancheta discovered Rxbot, one of more than 12,800 variants of the Sdbot family. Rxbot, which can be downloaded for free from numerous Web sites, does the basics: It scans the Internet for Windows PCs with unpatched vulnerabilities. When it finds one, it implants itself and begins scanning for others, with no action required by the PC user.
Ancheta quickly figured out how to use Rxbot to gain control of tens of thousands of PCs. With the drive of an entrepreneur spurred by a ripe opportunity, he began offering his bots for sale on a private chat channel he called #botz4sale. Over a period of about three months, Ancheta completed more than thirty transactions, selling up to 10,000 bots at a time to at least ten different clients, who paid him modest amounts via his PayPal account. His buyers indicated that they planned to use the bots in DDoS attacks against rival bot masters, or to disrupt and harass business rivals. His total revenue from bot sales rang in at about $3,000.
By August 2004, Ancheta was ready for a bigger challenge—and bigger profits. He signed up as an affiliate of adware distribution companies Gammacash Entertainment and LOUDcash, both based in Quebec, Canada. (LOUDcash would be purchased in 2005 by adware giant 180solutions, based in Bellevue, Washington; 180solutions now does business as Zango.)
As an adware affiliate, Ancheta could earn twenty-five cents or more each time he installed one of Gammacash's or LOUDcash's adware installer programs on a PC. He was required by the terms of his affiliate's contract to make sure he had the permission of the PC owner to do so. But it was widely known at the time that adware distributors rarely enforced this requirement.
Ancheta shifted his focus to marshaling botnets for his own personal use—to spread adware. He shut down #botz4sale and told past clients he had no bots to sell. In actuality, Ancheta had set up a new chat channel—#syzt3m#—known only to himself. He also began to rent space on computer servers from several Internet hosting companies including EasyDedicated International, The Planet, and Sago Networks. Each time Rxbot infected another PC, it planted a bot instructed to report over #syzt3m# to a command-and-control program running on one of Ancheta's rented servers.
Soon, Ancheta had ready access to several botnets; each reported back to, and awaited instructions from, one of his command-and-control servers. Ancheta kept the adware-installing program stored on a completely separate rented server. The crucial moment came when he would direct a command-and-control server to grab copies of the adware program and download them onto each of the bots in a given botnet.
Manipulating tens of thousands of bots aligned in separate networks took constant monitoring. Subsisting on junk food, the rail-thin Ancheta usually began his workday shortly after waking around 1 p.m. and continued nonstop until 5 a.m. the next day. He soon took on an apprentice, an admiring juvenile from Boca Raton, Florida, nicknamed SoBe, who was fourteen at the time.
Communicating via AOL's free AIM instant messaging service, Ancheta trained SoBe to manage his portfolio of botnets over command channels assigned innocuous names, like #honda and #imports, to fool security officers monitoring traffic for the Internet hosting companies. He once bragged to SoBe that hacking Internet-connected PCs and loading them up with adware was "easy, like slicing cheese."
But it was slightly more complicated than that. To make steady cash implanting adware, Ancheta had to be careful not to assign too many bots to a particular server, lest he overload the server. The command-and-control servers he rented usually topped out at about 20,000 bots. Ancheta paid SoBe to manage several botnets of between 17,000 and 23,000 compromised PCs, and to moderate the downloading of adware so as not to raise security officers' suspicion. PC users botted by Ancheta would see a rash of pop-up ads and might notice a drop-off in computer performance.
Sometimes the traffic flow got away from SoBe. Once an administrator from the hosting service contacted Ancheta to notify him that suspicious traffic was moving on chat channel #syzt3m. The accurate name of the channel was actually #syzt3m#. That gave Ancheta and SoBe a good laugh. Ancheta messaged SoBe,
they forgot the # rofl [rolling on the floor laughing] so we are cool. I'm gonna msg them saying 'this irc network was investigated by my staff and we have removed the suspicious channel related to this' hahaha always works.
Ancheta regaled SoBe with stories about his tricked-out 1993 BMW 325is and his extensive wardrobe:
my average spending is $600 a week, every friday I buy new clothes and every week I buy new parts for my car.
A few weeks later, during a discussion about doing affiliate work for adware companies other than Gammacash and LOUDcash, Ancheta advised SoBe,
it's immoral but the money makes it right.
By then SoBe was helping Ancheta cash regular checks, as much as $7,996 from Gammacash and $2,305 from LOUDcash; in six months they would pull in $58,357.86, according to a federal indictment. SoBe inquired in an instant message chat about their earnings,
i wonder how long itll last?
Ancheta, his sage mentor, replied,
i'm estimating 6 more months to 8 months, hopefully a year.
Ancheta's undoing came sooner than that—at the hands of a client he once sold bots to. The client turned FBI informant. Federal agents raided Ancheta's home on December 10, 2004, and confiscated a generic desktop PC and an IBM laptop. Yet Ancheta continued to receive adware payments through March 2005. In a second raid on May 25, 2005, agents confiscated a Toshiba laptop. Still, Ancheta continued his activities through August 2005.
Ancheta pleaded guilty in January 2006 to federal charges of hijacking hundreds of thousands of computers and selling access to others to spread spam and launch Web attacks. U.S. federal judge Gary Klausner in Los Angeles sentenced Ancheta to fifty-seven months in prison, with this admonishment: "Your worst enemy is your own intellectual arrogance that somehow the world cannot touch you on this."
On Sunday afternoon, January 9, 2005, the tech-services desk phone at Seattle's Northwest Hospital and Medical Center began ringing incessantly. Computers throughout the 187-bed hospital had become unusually balky. By the next morning, the hospital was in full crisis mode: doctors' pagers fell silent; patient records were inaccessible; key cards failed to open the operating room doors; PCs in the intensive care unit shut down; lab tests ground to a halt.
"I could see everybody was very frightened," Robert Steigmeyer, Northwest's chief financial officer, later told Baseline magazine. "You saw the worry and concern in everybody's eyes."
A bot had run amuck through the hospital's computer system. This one was being controlled by Christopher Maxwell, then an eighteen-year-old community college student living with his parents in Vacaville, California. From July 2004 to July 2005, Maxwell and two juvenile partners living in other states would earn more than $100,000 using botnets to spread adware, according to indictment papers.
The bot Maxwell used was a close cousin to Sven Jaschan's Sasser worm, the virus killer that had stormed the globe just a few months earlier in May 2004. Like Sasser, Maxwell's bot aggressively searched the Internet for any Windows PCs with the LSASS security hole not yet patched. Maxwell directed newly infected PCs to report to a command-and-control server over the #test chat channel. But instead of renting servers, like Ancheta, Maxwell and his underaged partners hijacked servers from the Department of Defense and from California's Colton Joint Unified School District.
Maxwell's downfall was that he used a sledgehammer instead of a scalpel to break into PCs. Upon infecting computer number one at Northwest Hospital, his bot took note that the PC's Internet Protocol, or IP, address—its location on the Internet—began with the prefix 172.16. The bot then began sending out repeated requests to connect to any PC whose IP address began with 172.16; all of the hospital's 1,100 PCs did. However, across the Internet some 65,000 IP addresses began with 172.16. Infected PC number one soon found others nearby to infect. Those others, in turn, found others to infect. Soon 150 hospital PCs were infected, each reaching out to the 65,000 other PCs whose IP address began with 172.16. By the time 150 hospital PCs were infected, the simultaneous, overlapping requests overwhelmed the local network.
"This scanning configuration caused each infected computer to repeatedly send millions of network packets across the hospital's network indefinitely," FBI special agent David Farquhar wrote in a report. "The inefficient scanning was so detrimental to network performance that it prevented the IRC bots from fully infecting every vulnerable computer on the network. In addition to disrupting the botnet's ability to spread within the hospital's network, the scanning also caused widespread disruptions to legitimate network programming used by the hospital."
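The flood Farquhar describes is as much a detection problem as a forensics one: what gives the bot away is not packet volume but the number of distinct hosts a single machine tries to reach inside its own /16 in a short span. The following is an added example, not code from the book or from the FBI report; the flow records, the bot's address, and the use of port 445 for the LSASS hole are constructed assumptions for the sample.

```python
"""Added example: spotting a /16 scan storm of the kind that took down
Northwest Hospital's network, run over constructed flow records."""
from collections import defaultdict
import ipaddress

# Constructed sample flow records: (time_in_seconds, source_ip, destination_ip, dest_port).
# A bot on 172.16.5.10 sweeps 172.16.0.0/16 on port 445 (assumed here as the port the
# LSASS hole was attacked over), while 172.16.7.20 is an ordinary workstation talking
# to a handful of servers. Note that 172.16.0.0/16 is RFC 1918 private space, so such
# attempts stay inside the local network, which is where the load lands.
SAMPLE_FLOWS = []
for i in range(600):                          # 600 attempts inside one minute
    third, fourth = divmod(i, 250)
    SAMPLE_FLOWS.append((i // 10, "172.16.5.10", f"172.16.{third}.{fourth + 1}", 445))
SAMPLE_FLOWS += [
    (5, "172.16.7.20", "172.16.1.5", 80),
    (9, "172.16.7.20", "172.16.1.6", 443),
    (30, "172.16.7.20", "172.16.2.9", 445),   # a single SMB connection is normal
    (42, "172.16.7.20", "172.16.1.5", 80),
]


def find_prefix_scanners(flows, prefix_len=16, window=60, threshold=100):
    """Return {source_ip: distinct_targets} for every source that contacts more
    than `threshold` distinct hosts within one /prefix_len during any span of
    `window` seconds. Distinct destinations, not packet counts, separate a
    sweep from a busy but legitimate host."""
    # Group (timestamp, destination) events by source and by destination prefix.
    seen = defaultdict(list)
    for ts, src, dst, _port in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        seen[(src, net)].append((ts, dst))

    hits = {}
    for (src, _net), events in seen.items():
        events.sort()
        best = 0
        # Sliding window over time-ordered events, counting distinct targets.
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best > threshold:
            hits[src] = max(hits.get(src, 0), best)
    return hits


def sweep_attempts(infected_hosts, prefix_len=16):
    """Connection attempts generated when every infected host sweeps the whole
    prefix once: the arithmetic behind Farquhar's 'millions of network packets'.
    A /16 holds 65,536 addresses, so 150 infected PCs make 9,830,400 attempts per pass."""
    return infected_hosts * ipaddress.ip_network(f"0.0.0.0/{prefix_len}").num_addresses


if __name__ == "__main__":
    for src, count in find_prefix_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {count} distinct targets in one {60}-second window")
    print(f"150 infected hosts sweeping a /16: {sweep_attempts(150):,} attempts per pass")
```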
Farquhar, a member of the FBI's Northwest Cyber Crime Task Force, traced the original infection to a NetZero dial-up Internet account using the home phone number at Maxwell's parents' home. Appearing before U.S. District Court Judge Marsha J. Pechman in Seattle, Maxwell, holding back tears, asked for probation in lieu of prison time. "I am a twenty-one-year-old boy with a good heart and I made a mistake," Maxwell told the judge. "I never realized how dangerous a computer could be. I thank God no one was hurt." Maxwell received a thirty-seven-month prison sentence, plus three years of supervised release. Pechman said she hoped to deter "all those youth out there who are squirreled away in their basements hacking."
Farid Essebar, a skinny Russian-born resident of Morocco, lived a world apart from Jeanson Ancheta and Christopher Maxwell. Yet thanks to the built-for-speed global payments system and the budding business of online advertising, he could avail himself of the same source of mad cash as the Americans: Canadian and U.S. adware distributors in 2005 were chomping at the bit to pay affiliates to spread adware, wherever they were located, no questions asked.
Essebar surfaced in hacking circles in the spring of 2005 at about the same time a hot new e-mail virus family, called Mytob, emerged. Mytob combined features of Mydoom with botlike functionalities. Essebar, who went by the online moniker Diabl0, using the numeral zero instead of the letter o, was among dozens of neophyte hackers trying their hands at coming up with improved variants of Mytob.
At the time, David Taylor was on the lookout for Mytob variants in his role as the University of Pennsylvania's information security specialist. As part of his work protecting the university's computer systems, he had set up a test PC to receive infections so he could analyze them. In June 2005, Taylor purposely clicked on a Mytob e-mail attachment. He watched as the virus opened a back door and began trying to self-replicate. Then it did something Taylor had never seen before: it lowered the security settings on the PC's Internet Explorer browser so pop-up ads could get through; then it began installing adware.
Mytob also implanted a bot instructed to report back over a chat channel being controlled by someone using the screen name Diabl0, who happened to be actively monitoring the channel at the time. Taylor struck up a chat with Diabl0:
[Diabl0] wht u think about this new worm? :o [emoticon for surprise]
[Taylor] it is pretty good...the variables using the domain from e-mail and then adding the 'www' in front is good. i would imagine you will get a lot of bots
[Diabl0] soon adding logo of domain :p [emoticon for blowing a raspberry]
[Taylor] really?
[Diabl0] yes
[Taylor] that would be interesting...just curious how you could do that...would be hard
[Diabl0] i got more than 200 complaints in last dedicated server :p i guess you too sent complaints
[Taylor] they are probably not going to send you any Christmas presents. it is hard work cleaning up after getting infected with worm like this. it costs money
[Diabl0] no very easy. that worm spread only for money
[Taylor] you should think about joining the other side of this...lots of fun fighting hackers...the thrill is even better
[Diabl0] no
Taylor archived his chat with Diabl0 and thought little of it, until a startling series of events unfolded three months later. Because vulnerability researchers were turning up so many security holes in Windows, Microsoft had taken to issuing patches on the second Tuesday of every month. When Microsoft issued a patch for a particularly worrisome vulnerability on Patch Tuesday, the clock started ticking. The security community would take bets on how long it would be before a hacking group reverse engineered the patch to create a proof-of-concept exploit for the new hole in PCs that didn't apply the patch—and how long after that before someone began using the exploit to infect Windows PCs.
The gap had been steadily closing. In the summer of 2003, the MSBlast worm started spreading twenty-six days after Microsoft issued the patch for the RPC hole, and in the spring of 2004, Sven Jaschan's Sasser worm hit just thirteen days after the LSASS patch was announced. On August 9, 2005, Microsoft issued a patch for a critical vulnerability in the plug-and-play feature that allows peripheral devices to connect quickly to Windows 2000 servers, widely used in corporate settings.
Within ten hours, an Austin, Texas, white hat research group calling itself the Metasploit Project posted a proof-of-concept exploit for the plug-and-play vulnerability. In the tech-security community, Metasploit was something of a lightning rod. Founded by HD Moore, a tech-security prodigy who's now about twenty-five, Metasploit often posts proof-of-concept exploit code faster than anyone else.
Moore insists that his intentions are altruistic. He says his aim is to provide technicians with information in real time, so they can accelerate the process of stiffening their defenses. The underlying assumption is that black hats are working just as fast to break into newly discovered holes. But Moore acknowledges the obvious. "Some people will use it to test their defenses; some will use it to break into systems," he says.
Sure enough, the following Saturday—just four days after Patch Tuesday—the first plug-and-play worm, dubbed Zotob, emerged. Besides rapidly spreading itself to unpatched Windows 2000 servers, Zotob did exactly what Mytob did: it lowered the infected PC's browser security setting, installed a mechanism to download adware, and connected to a chat channel controlled by none other than . . . Diabl0.
"To the untrained eye Mytob and Zotob can appear quite different: one travels via e-mail, the other mostly by exploiting a Microsoft security hole," Sophos senior virus analyst Graham Cluley said. "But when closely examined, the similarities become clear. It appears whoever wrote Zotob had access to the Mytob source code, ripped out the e-mail-spreading section and plugged in the Microsoft exploit."
For a few days Zotob spread slowly and largely unnoticed, planting adware on newer Windows 2000 servers. But by the start of the next workweek, Zotob began to snake into older servers lacking the latest upgrade service pack. Corporate machines at Canadian bank CIBC, American Express, and Daimler Chrysler began to reboot repeatedly. The same thing began to happen at ABC News, the New York Times, and CNN. Anyone watching CNN's afternoon anchor Wolf Blitzer that day might have thought a digital Armageddon was under way. Blitzer reported excitedly that a mysterious computer worm had taken out many of the news network's computer systems in Atlanta, New York, and other bureaus around the country. The newscast showed a CNN computer constantly rebooting.
Diabl0 had failed to craft Zotob to work with Windows 2000 servers not equipped with the latest service pack, says Peter Allor, director of intelligence at IBM Internet Security Systems. "Zotob had a quality assurance problem," says Allor. Diabl0 "neglected to test it adequately."
As part of Bill Gates's Trustworthy Computing initiative, Microsoft had assembled a crack group of sixty-five virus hunters, paralegals, and lawyers, called the Internet Safety Enforcement Team, or ISET. The ISET virus hunters reverse engineered Zotob and flushed out a trail to a hacker named Diabl0 in Morocco. Microsoft took the information to the FBI, whose agents collaborated with local authorities to arrest Essebar in his home. An alleged coconspirator, Atilla Ekici, twenty-one, nicknamed Coder, was captured in Turkey. The arrests took place on August 25, just twelve days after Zotob first appeared.
Ekici had paid Essebar with stolen credit card numbers to create the Mytob variants and Zotob worm primarily to spread adware, perhaps also to use later in other profit ventures, such as spreading phishing e-mail or launching extortionist DDoS attacks. Later, a third suspect, Achraf Bahloul, twenty, a friend of Essebar, was arrested in Morocco. Bahloul was sentenced to a year in jail, while Essebar received a two-year sentence.
When news broke of Diabl0's arrest, David Taylor, the college security specialist, stepped forward to supply the FBI with a copy of the transcript of the little chat he'd had with Diabl0 a few months earlier. "I really thought that he was immature," says Taylor. "He was asking me what did I think about his new bot, with all these smiley faces. Maybe he didn't realize what he was doing was so bad."
- - -
Reprinted with permission of Sterling Publishing Co., Inc., from Zero Day Threat by Byron Acohido and Jon Swartz. Copyright © 2008 by Byron Acohido and Jon Swartz. Zero Day Threat is available from Barnes & Noble.
