07 Sep 2012

30-month prison time for US man selling access to botnets

Joshua Schichtel, the hacker who commanded-and-controlled a botnet of at least 72,000 computers and rented access to whomever wanted to use the compromised systems, was sent yesterday to prison.

The US Department of Justice agreed upon a 30-month prison time for the Arizona bot-master. In addition to his prison term, Chief U.S. District Judge Royce C. Lamberth of the District of Columbia ordered Schichtel an extra three years of supervised release.

According to the US Department of Justice, last year in August, Schichtel pleaded guilty “to one count of attempting to cause damage to multiple computers without authorization by the transmission of programs, codes, or commands, a violation of the Computer Fraud and Abuse Act."

Schichtel received money in exchange for access to a botnet of infected computers. The DOJ released details on how “individuals who wanted to infect computers with various different types of malicious software (malware) would contact Schichtel and pay him to install, or have installed, malware on the computers that comprised those botnets,” enabling criminals to remotely control up to 72,000 compromised systems.

Although the extent of his customer base or of the compromised systems is still unclear, at least one customer is known to have paid $1,500 to get malicious software installed on approximately 72,000 computers. Apparently the hacker received significant sums of money to help clients set up customized botnets by installing preferred malware on a specified number of bots to be used in targeted attacks.

This wasn’t Schichtel’s first encounter with the law. In 2004 he was charged with conspiring to initiate a DDOS-type attack against some e-commerce websites but “the charges were dropped because the government’s deadline to obtain an indictment passed” according to oreillynet.