Security Architecture, Application security, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Incident Response, TDR, Threat Management, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Authorities question alleged New Zealand botmaster

New Zealand authorities are questioning an 18-year-old man who they say is the head of a gang of cybercriminals that infected 1.3 million computers worldwide and crashed servers at a U.S. university last year.

The suspect, whose name was not released, allegedly was a co-conspirator in a DDoS attack against a Philadelphia university last February. Authorities in New Zealand are conducting their investigation in conjunction with the FBI and Dutch authorities.

They believe “AKILL” — the alleged botmaster's online moniker — designed a unique, encrypted virus undetectable by anti-malware software. He used the virus to create a botnet comprised of 50,000 PCs that took down the servers at a Pennsylvania university in 2006. That DDoS attack was reported to the Philadelphia office of the FBI, which launched an investigation of its own.

"This program was viewed by the FBI as being very sophisticated malware," Peter Devoy, a Waikato, New Zealand detective, said in an online posting. "This is a relatively new type of crime that will only become more evident as time goes by."

New Zealand police also allege that AKILL is the head of a group called the A-Team, comprised of individuals from the United States and abroad. After a separate investigation, the Dutch Independent Post and Telecommunications Authority alleged that AKILL was involved with an adware scheme they say infected 1.3 million computers.

Police in New Zealand did not speculate about AKILL's motives for allegedly building a botnet of 1.3 million PCs. Researchers from vendors Sophos and Symantec, however, told SCMagazineUS.com that financial gain was AKILL's likely driving force.

“The botnet was unusually large, and that runs contrary to a lot of other botnets, which are usually 10 to 100,000 PCs," Mike Haro, a senior security analyst with Sophos, told SCMagazineUS.com, adding that botmasters tend to separate their botnets into multiple, smaller aggregations as a "risk management strategy" should one of them be taken down by law enforcement.

The potential rewards from directing a botnet enlisting 1.3 million PCs are huge, Zulfikar Ramzan, senior principal researcher for Symantec Security Response, told SCMagazineUS.com.

"There's a lot of money to be made through botnets. There are so many ways to make money with a botnet, and having more machines increases the profitability," he said. "For example, he could rent botnet PCs to spammers, phishers or those who want to host malicious code."

Ramzan noted that renting a zombie PC with a hidden keylogger can "go for $1 at the low end to $350," depending on the nature of the passwords the malware can steal. Similarly, bank and credit card numbers sell for 50 cents to $5, depending on the credit limit and other factors, such as the number of cards being sold and the financial institution involved.

“The rate for renting a botnet is 50 cents at the low end, to several dollars per machine, usually for specific period of time. So, you can imagine, with a million machines to rent, he can make pretty good money,” Ramzan said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.