That Unstoppable Feeling
They felt unstoppable, SoBe said. Even after Ancheta's home was raided, in December 2004, and FBI agents confiscated his computer, "he was back online within a day" and the two continued their botnet activities. He felt the same invulnerability after Ancheta was locked up.
"It doesn't matter," SoBe insisted in the days immediately following his arrest. "James can get off, and go back to doing it and in under a month he will be making 3x what he made and be able to cover his tracks much better."
SoBe and Ancheta didn't know it immediately following the raids, but thanks to several slip-ups, they had been under the watchful eye of FBI agents, who were quietly building a case against the two hackers. The first mistake was Ancheta's brazen advertisements on #bots4sale, an act that moved him to the top of investigators' to-do list.
"Up to then, we hadn't seen anything as blatant," FBI agent Ken McGuire said in a 2006 interview. "Anybody who's blatant enough to advertise in internet message boards that you have botnets to sell is someone you want to clear off."
Not long afterwards, the pair came to the attention of investigators again, this time because of software bugs in rxbot, the package the two had appropriated and modified to build their bot empire. To keep the botnet growing, their zombie machines automatically looked for new machines on nearby networks to compromise. But as it turned out, their software was a little too aggressive.
Jeanson James Ancheta
"If it scanned its own subnet, its possible it would keep going and scan out of its subnet, potentially scanning a DoD network," SoBe explained. According to court documents, that's exactly what happened. SoBe and Ancheta's software ended up infiltrating machines belonging to the China Lake Navel Air Facility, the Defense Information Security Agency and Sandia National Labs.
"A lot of good evidence came from the military computers," McGuire said. "It was an excellent break in the case because it permitted us further analysis."
Douche Bags and Backdoors
For their part, SoBe and Ancheta didn't seem to grasp the severity of their error at the time. In August 2004, an associate warned Ancheta by IRC chat to be sure "to filter out shit though like .gov and .mils" when his malware sought new victims. But two months later, when SoBe told Ancheta "hey btw there are gov/mil on the box if you want to get rid of them," Ancheta responded "rofl," according to court documents.
Another big blunder was SoBe's decision to lease a server using his real name and address. The pair used such boxes to host web servers and an IRC daemon that each of their bots reported to. By changing the topic in the IRC channels, they could cause the zombies to connect to other servers under their control and install any software they happened to host there. SoBe said he used his real identity "since i still dont approve of fraud."
SoBe was also convinced that investigators were able to infiltrate his botnet through a secret backdoor that had been built into their IRC daemon. He had gotten the program from Jonathan Hall, a hacker who in 2004 was charged - but never convicted - in a separate botnet investigation dubbed Operation Cyberslam.
The "server was in my name and [investigators] had a backdoor to gain oper status thx to some douchebags not telling us about it," SoBe complained bitterly.
In an interview, Hall said he viewed the source code for the daemon and had indeed spotted a backdoor. "It was plain as day," he said. The program was originally designed by Lee Graham Walker, another defendant in Operation Cyberslam, and over several years it went through multiple modifications, both by him and others, who used it as means to conduct secure communications over IRC.
Eventually, another hacker made additional changes to make it suitable for bot herding, but before she did, she "backdoored the hell out of" it, Hall said. As a result, anyone who knew about the secret feature could gain access by typing "/system foo foo," "/system bar bar," or any similar combination.
It remains unclear if the FBI ever learned of the backdoor and used it in their investigation. And ultimately, it probably doesn't matter: SoBe and Ancheta left tracks in enough places that they would almost certainly have been caught either way.
Next page: SoBe finds the seduction of exploit-writing too powerful to pass up