FBI catches three bot herders - but nets remain

By Gregg Keizer, Computerworld

An FBI operation against cybercrime has identified more than 1 million hijacked personal computers and led to the arrest of three men on charges ranging from spamming to infecting IT systems at hospitals.

The FBI’s "Operation Bot Roast" anti-botnet sweep is an ongoing effort to disrupt the bot trade and identify botnet controllers, the law enforcement agency said.

"Bot" is the term for an infected personal computer. A "botnet" is a large number of hijacked PCs controlled by a hacker, called a "bot herder." Botnets are used by spammers, criminals launching distributed-denial-of-service (DDoS) attacks and malware authors looking to spread their applications.

"The majority of victims are not even aware that their computer has been compromised or their personal information exploited," James Finch, FBI assistant director for the cyber division, said in a statement.

With the help of the CERT Coordination Centre at Carnegie Mellon University, the FBI is also trying to notify the owners of the million-plus infected computers. "Through this process, the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity," the agency said.

That's exactly how authorities uncovered bots controlled by the three men recently arrested, including longtime spam king Robert Soloway in Seattle last month. Besides Soloway, prosecutors have charged James Brewer and Jason Downey.

According to indictment papers filed yesterday in court, Brewer compromised more than 10,000 computers worldwide, including machines at two area hospitals, between October and December 2006.

"The 'bots' caused the infected computers to, among other things, repeatedly freeze or reboot, causing significant delays in the provision of medical services," the indictment states. It took the hospitals more than 1,000 man-hours to clean up after the infections.

Downey, meanwhile, was charged two weeks ago with running a botnet that conducted DDoS attacks using an IRC (Internet relay chat) server called Yotta-Byte.net. Last year, that server was one of several that anti virus company Sophos linked with ongoing attacks by the Agobot worm.