The home of the alleged ringleader of an international group of cybercriminals said to be responsible for infecting more than one million computers has been raided by police.
The raid was conducted earlier this week at the New Zealand residence of the alleged 'botmaster', known online as AKILL. It was part of a joint effort by New Zealand police and the US Federal Bureau of Investigation.
While the FBI believes the raid has helped breakup the botnet network, AKILL has not been arrested, an FBI spokesman said.
AKILL is an 18-year-old New Zealand man who lives in the province of Waikato, said Detective Inspector Peter Devoy of the New Zealand Police. With the help of an FBI agent in New Zealand, local authorities raided his house on Wednesday. "We've seized his computers and we'll be forensically analysing them over the next few days," he said.
Botnets are networks of infected computers that can be remotely controlled by criminals to perform a range of illegal activities, such as hosting phishing sites or launching online attacks against victims. Typically the owners of these infected computers don't even realise that their systems are being misused. In the past few years, criminals have become increasingly sophisticated in their use of botnets, making it harder for law enforcement to figure out who exactly is controlling the botnet networks.
AKILL infected PCs using malware known as Akbot, which has been known in the antivirus community for about two years, Devoy said.
Authorities are unsure of the current size of the AKILL botnet, but it was powerful enough to inadvertently take down a server at the University of Pennsylvania in February 2006. That's when a University of Pennsylvania student named Ryan Brett Goldstein, 21, allegedly conspired with AKILL to launch a 50,000-computer botnet attack against several IRC (Internet Relay Chat) servers and a computer security website called ssgroup.org. The botnet was set up to retrieve instructions from a university server, which eventually crashed under the load, according to investigators.
Goldstein's motive was revenge. According to court documents, he wanted to take down IRC discussion forums, in particular one known as TAUNET, which had banned him in early 2006.
AKILL agreed to train his botnet on Goldstein's targets after Goldstein offered AKILL login rights to a website and malicious Trojan Horse software, according to Michael Levy, chief of computer crimes with the US Attorney's Office for the Eastern District of Pennsylvania. "Did he pay him? It's in internet currency: 'Here's some tools for your kit bag,'" he said. "Did he send him money through this Paypal account? No."
During the course of an FBI probe, investigators linked Goldstein to AKILL and began cooperating with New Zealand authorities. US authorities are also investigating two other US residents in connection with the botnet, Levy said.
AKILL, who allegedly is part of an elite botnet group called the A-Team, is also being investigated by the Dutch Independent Post and Telecommunications Authority for his role in an adware scheme thought to have infected 1.3 million computers, New Zealand Police said.
The New Zealand raid was one of several actions undertaken by the FBI since June as part of its 'Operation Bot Roast', an effort to crack down on botnets. Since Bot Roast's inception, the FBI has charged or convicted eight men, executed 13 search warrants and uncovered more than $20m in economic damages relating to botnets, the agency said.
FBI Director Robert Mueller called botnets the "weapon of choice of cyber criminals", in the statement. The FBI said that internet-related fraud cost $200m in 2006.
This is the first time a serious cybercrime investigation has been linked to New Zealand, which has avoided other crime trends because of its geographic isolation. "It's a cultural change for us," said Andrew McAlley, a spokesman with the New Zealand Police. "I think it's going to take time for New Zealanders to come to grips with the ramifications of it."
(Jeremy Kirk in London contributed to this story.)
For more security news, reviews and tutorials, see Security Advisor