advertisement

Print

Complaint Dropped Against DDoS Mafia

by Brian McWilliams, author of Spam Kings
02/04/2005

Federal authorities in Los Angeles have dismissed a criminal complaint (PDF) filed last August against four men accused of performing distributed denial-of-service (DDoS) attacks for hire.

On January 18, a magistrate judge for the Central District of California granted a prosecution motion to dismiss without prejudice the complaint against Paul Garrett Ashley, the operator of Creative Internet Techniques (CIT), also known as FooNet, and three alleged accomplices, Jonathan David Hall, Joshua James Schichtel, and Richard Roby. (The complaint against a fourth man, Lee Graham Walker of the United Kingdom, was not dismissed and is still pending, according to authorities.)

The defendants were originally accused of carrying out attacks on behalf of Jay Echouafni, a Massachusetts businessman who sold satellite TV gear via his website. At an August 26, 2004 press conference, Attorney General John Ashcroft said the attacks cost the victims, who were competitors of Echouafni, over $2 million in lost revenue and mitigation efforts.

Media reports last summer referred to Echouafni and his henchmen as the "DDoS mafia."

Arif Alikhan, head of the Cyber and Intellectual Property Crimes Section for the Central District of California, said the government chose to dismiss the charges because it hadn't indicted the defendants by a required deadline.

Related Reading

Spam Kings
The Real Story behind the High-Rolling Hucksters Pushing Porn, Pills, and %*@)# Enlargements
By Brian McWilliams

"Charges could still be brought. This just allows us to talk to defense attorneys and negotiate things before having to bring an indictment against a particular individual," said Alikhan.

Echouafni, head of Orbit Communications, was indicted separately last summer by a grand jury. Despite putting up $750,000 bail, Echouafni apparently fled the country, which has landed him a place on the FBI's most-wanted fugitives list. Although Ashley and his alleged accomplices were not required to post bail, Alikhan said prosecutors have no concerns that they will become fugitives.

An affidavit filed by FBI special agent Cameron Malin said Ashley subcontracted the DDoS attacks to the other defendants, who controlled "botnets" of several thousand compromised "zombie" computers. The men directed the zombies in October 2003 to flood victims' sites with bogus traffic, in violation of the U.S. Computer Fraud and Abuse Act.

The FBI affidavit said the author of the Agobot internet worm had provided a customized version of the program to Walker, who released it to create a botnet of approximately 10,000 computers. In addition, Roby admitted to releasing a variant of the Spybot worm, as well as a modified Agobot worm, in order to build a private botnet of 15,000 infected PCs. Schichtel controlled a more modest network of 3,000 zombies, according to the affidavit.

At one point, the DDoS-for-hire attacks caused noticeable collateral damage. An October 10, 2003 attack targeted the DNS servers of Speedera, which hosted one of Echouafni's competitors, and resulted in service disruptions affecting Amazon.com and the Department of Homeland Security.

Andrew Kirch, a security administrator for the Abusive Hosts Blocking List, said he and other operators of spam blacklists also blame FooNet for instigating DDoS attacks against them in 2003. What's more, domain registration records show that FooNet formerly provided web hosting to Carderplanet.net, a notorious website frequented by phishing criminals.

Ashley did not respond to interview requests. His attorney, Richard A. Cline, declined to comment on the case. Kirch said he recently spoke with Ashley, and he believes Ashley is remorseful and hopes to arrange a plea agreement with prosecutors.

"I also think [Ashley] has a lot to answer for. I hope that when all is said and done, the people that destroyed thousands of hours of effort on the part of anti-spammers to provide [blacklists] face their justice for that crime," said Kirch.

FooNet's ability to completely clean up its operations appeared in doubt Friday. A network address registered to the company was reportedly used to host a recent phishing scam site. The site, w-a-m-u.net, (a screen grab is available here) was designed to steal bank account information from Washington Mutual customers.

Brian McWilliams is the author of Spam Kings and is an investigative journalist who has covered business and technology for web magazines including Wired News and Salon, as well as the Washington Post and PC World, Computerworld, and Inc. magazines.


Return to the O'Reilly Network.