SAN FRANCISCO – A 20-year-old hacker admitted Monday to surreptitiously seizing control of hundreds of thousands of Internet-connected computers, using the zombie network to serve pop-up ads and renting it to people who mounted attacks on Web sites and sent out spam.
Jeanson James Ancheta, of Downey, Calif., pleaded guilty in Los Angeles federal court to four felony charges for crimes, including infecting machines at two U.S. military sites, that earned him more than $61,000, said federal prosecutor James Aquilina.
Under a plea agreement, which still must be approved by a judge, Ancheta faces up to 6 years in prison and must pay the federal government restitution. He also will forfeit his profits and a 1993 BMW. Sentencing is schedule for May 1.
Prosecutors called the case the first to target profits derived from use of "botnets," large numbers of computers that hackers commandeer and marshal for various nefarious deeds. The "zombie" machines' owners are unaware that parasitic programs have been installed on them and are being controlled remotely.
Botnets are being used increasingly to overwhelm Web sites with streams of data, often by extortionists. They feed off of vulnerabilities in computers that run Microsoft Corp.'s Windows operating system, typically machines whose owners haven't bothered to install security patches.
A November indictment charged Ancheta with 17 counts of conspiracy, fraud and other crimes connected to a 14-month hacking spree that started in June 2004 and that authorities say continued even after FBI agents raided his house the following December.
"Part of what's most troubling about those who commit these kinds of offenses is they think they'll never be caught," said Aquilina, who spent more than a year investigating Ancheta and several of Ancheta's online associates who remain uncharged co-conspirators.
Ancheta's attorney, federal public defender Greg Wesley, did not immediately return phone calls seeking comment.
Ancheta has been in federal custody since his November indictment. He previously worked at an Internet cafe owned by a relative and had hoped to join the military reserves, according to his aunt, Sharon Gregorio. Court documents suggested he had a taste for expensive goods, spending $600 a week on new clothes and car parts.
The guilty plea comes less than a week after the FBI released a report that estimates viruses, worms and Trojan horse programs like the ones Ancheta employed cost U.S. organizations $11.9 billion each year.
November's 52-page indictment, along with papers filed last week, offer an unusually detailed glimpse into a shadowy world where hackers, often not old enough to vote, brag in online chat groups about their prowess in taking over vast numbers of computers and herding them into large armies of junk mail robots and arsenals for so-called denial of service attacks on Web sites.
Ancheta one-upped his hacking peers by advertising his network of "bots," short for robots, on Internet chat channels.
A Web site Ancheta maintained included a schedule of prices he charged people who wanted to rent out the machines, along with guidelines on how many bots were required to bring down a particular type of Web site.
In July 2004, he told one chat partner he had more than 40,000 machines available, "more than I can handle," according to the indictment. A month later, Ancheta told another person he controlled at least 100,000 bots, and that his network had added another 10,000 machines in a week and a half.
In a three-month span starting in June 2004, Ancheta rented out or sold bots to at least 10 "different nefarious computer users," according to the plea agreement. He pocketed $3,000 in the process by accepting payments through the online PayPal service, prosecutors said.
Starting in August 2004, Ancheta turned to a new, more lucrative method to profit from his botnets, prosecutors said. Working with a juvenile in Boca Raton, Fla., whom prosecutors identified by his Internet nickname "SoBe," Ancheta infected more than 400,000 computers.
Ancheta and SoBe signed up as affiliates in programs maintained by online advertising companies that pay people each time they get a computer user to install software that displays ads and collects information about the sites a user visits.
Prosecutors say Ancheta and SoBe then installed the ad software from the two companies — Gamma Entertainment of Montreal, Quebec, and Loudcash, whose parent company was acquired last year by 180Solutions of Bellevue, Wash. — on the bots they controlled, pocketing more than $58,000 in 13 months.
"It's immoral, but the money makes it right," Ancheta told SoBe during one online chat, according to the indictment.
"I just hope this (Loudcash) stuff lasts a while so I don't have to get a job right away," SoBe told Ancheta during a different conversation.
Aquilina, the assistant U.S. attorney prosecuting the case, wouldn't say whether authorities plan to charge SoBe or any of the people accused of renting out Ancheta's bots, many of whom are described as "unindicted co-conspirators."
During the course of their scheme, Ancheta and SoBe infected U.S. military computers at the China Lake Naval Air Facility and the Defense Information System Agency headquartered in Falls Church, Va., according to a sworn declaration signed by Ancheta.