FooNET/HTTPD/CIT updates and information

GigeServers, new FooNET?

Yes, admin.net-abuse.sightings.

You can take a girl out of the trailer park, but you can't take the trailer park out of the girl.

Complaint dropped against DDoS mafia:

Federal authorities in Los Angeles have dismissed a criminal complaint (PDF) filed last August against four men accused of performing distributed denial-of-service (DDoS) attacks for hire.

On January 18, a magistrate judge for the Central District of California granted a prosecution motion to dismiss without prejudice the complaint against Paul Garrett Ashley, the operator of Creative Internet Techniques (CIT), also known as FooNet, and three alleged accomplices, Jonathan David Hall, Joshua James Schichtel, and Richard Roby. (The complaint against a fourth man, Lee Graham Walker of the United Kingdom, was not dismissed and is still pending, according to authorities.)

The defendants were originally accused of carrying out attacks on behalf of Jay Echouafni, a Massachusetts businessman who sold satellite TV gear via his website. At an August 26, 2004 press conference, Attorney General John Ashcroft said the attacks cost the victims, who were competitors of Echouafni, over $2 million in lost revenue and mitigation efforts.

Media reports last summer referred to Echouafni and his henchmen as the "DDoS mafia."

Arif Alikhan, head of the Cyber and Intellectual Property Crimes Section for the Central District of California, said the government chose to dismiss the charges because it hadn't indicted the defendants by a required deadline.

"Charges could still be brought. This just allows us to talk to defense attorneys and negotiate things before having to bring an indictment against a particular individual," said Alikhan.

Echouafni, head of Orbit Communications, was indicted separately last summer by a grand jury. Despite putting up $750,000 bail, Echouafni apparently fled the country, which has landed him a place on the FBI's most-wanted fugitives list. Although Ashley and his alleged accomplices were not required to post bail, Alikhan said prosecutors have no concerns that they will become fugitives.

An affidavit filed by FBI special agent Cameron Malin said Ashley subcontracted the DDoS attacks to the other defendants, who controlled "botnets" of several thousand compromised "zombie" computers. The men directed the zombies in October 2003 to flood victims' sites with bogus traffic, in violation of the U.S. Computer Fraud and Abuse Act.

The FBI affidavit said the author of the Agobot internet worm had provided a customized version of the program to Walker, who released it to create a botnet of approximately 10,000 computers. In addition, Roby admitted to releasing a variant of the Spybot worm, as well as a modified Agobot worm, in order to build a private botnet of 15,000 infected PCs. Schichtel controlled a more modest network of 3,000 zombies, according to the affidavit.

At one point, the DDoS-for-hire attacks caused noticeable collateral damage. An October 10, 2003 attack targeted the DNS servers of Speedera, which hosted one of Echouafni's competitors, and resulted in service disruptions affecting Amazon.com and the Department of Homeland Security.

Andrew Kirch, a security administrator for the Abusive Hosts Blocking List, said he and other operators of spam blacklists also blame FooNet for instigating DDoS attacks against them in 2003. What's more, domain registration records show that FooNet formerly provided web hosting to Carderplanet.net, a notorious website frequented by phishing criminals.

Ashley did not respond to interview requests. His attorney, Richard A. Cline, declined to comment on the case. Kirch said he recently spoke with Ashley, and he believes Ashley is remorseful and hopes to arrange a plea agreement with prosecutors.

"I also think [Ashley] has a lot to answer for. I hope that when all is said and done, the people that destroyed thousands of hours of effort on the part of anti-spammers to provide [blacklists] face their justice for that crime," said Kirch.

FooNet's ability to completely clean up its operations appeared in doubt Friday. A network address registered to the company was reportedly used to host a recent phishing scam site. The site, w-a-m-u.net, (a screen grab is available here) was designed to steal bank account information from Washington Mutual customers.

Please review the latest FooNET fiasco at SecurityFocus via http://www.securityfocus. ... /news/9411

Copy of SecurityFocus article:

A Massachusetts businessman allegedly paid members of the computer underground to launch organized, crippling distributed denial of service (DDoS) attacks against three of his competitors, in what federal officials are calling the first criminal case to arise from a DDoS-for-hire scheme.

Jay Echouafni, 37, is a fugitive from a five-count federal indictment in Los Angeles charging him with aiding and abetting computer intrusion and with conspiracy. As CEO of the online satellite TV retailer Orbit Communication Corp., Echouafni allegedly paid a business associate to recruit members of the computer underground to cripple three online stores, resulting in long periods of downtime and an estimated $2 million in losses to the businesses and their service providers.

Paul Ashley, 30, of Powell, Ohio, is named in a separate criminal complaint as Echouafni's go-between in arranging two of the attacks. Ashley was the network administrator of the Web and IRC hosting company CIT/FooNet, run from his home, which was shuttered sometime after being raided by the FBI last February. Three other Americans and one U.K. citizen are charged with actually carrying out the attacks.

"This is an example of a growing trend: that is, denial of service attacks being used for either extortionate reasons, or to disable or impair the competition," says FBI supervisory special agent Frank Harrill. "It's a growing problem and one that we take very seriously, and one that we think has a very destructive impact and potential."
According to an FBI affidavit filed in the case, Echouafni was a client of CIT/FooNet's hosting services when he made a deal with Ashley, then the owner, in October of last year. Echouafni allegedly paid Ashley $1,000 to snuff out two competing websites that he claimed had stolen some of his content and were staging DDoS attacks against his company.

Ashley in turn used his connections in the underground, and in at least one case the promise of a free CIT/FooNet server, to recruit three associates to do the dirty work: Joshua Schichtel, Jonathan Hall, and Lee Walker, known online as "Emp," "Rain," and "sorCe" respectively. Each of the three apparently had sizable "botnets" at their disposal, meaning they could each command thousands of compromised PCs to simultaneously attack a single host -- Walker alone had control of between 5,000 and 10,000 computers through a customized version of the Agobot worm, according to the FBI affidavit. Schichtel's network of 3,000 zombies was more modest, and he quietly subcontracted the job to Richard "Krashed" Roby, who allegedly took the assignment in exchange for a free shell account.

The attacks began on October 6th, with SYN floods slamming into the Los Angeles-based e-commerce site WeaKnees.com, crippling the site, which sells digital video recorders, for 12 hours straight, according to the FBI. The company's hosting provider, Lexiconn, responded by dropping WeaKnees.com as a client, sending the company to more expensive hosting at RackSpace.com.

RackSpace fought back, but the attackers proved determined and adaptive. In mid-October the simple SYN flood attacks were replaced with an HTTP flood, pulling large image files from WeaKnees.com in overwhelming numbers. At its peak the onslaught allegedly kept the company offline for a full two weeks. (The company declined to comment on the case).

RapidSatellite.com, which sells satellite TV receivers, was hit at the same time and with similar results. The company responded by quickly moving their electronic storefront to the distributed content delivery services of Speedera, only to be crippled three days later by an attack on that provider's DNS servers, which for an hour also blocked access to other Speedera-hosted sites, including Amazon.com and the Department of Homeland Security, according to the FBI affidavit. RapidSatellite then moved to Akamai, but were out again within a week when the attackers switched to an HTTP flood attack, running massive numbers of queries through RapidSatellite.com's search engine.
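The HTTP floods described above (repeated pulls of large image files, then massive numbers of search queries) leave a distinctive footprint in ordinary web server access logs, and the article later notes that the FBI found traces of the attack preparation in WeaKnees.com's October log files. The following is an added example, not code from the original page, from SecurityFocus or from any party to the case: it parses combined-format access log lines, counts requests per client address in fixed time windows, and flags clients whose request rate and share of "expensive" requests both exceed a threshold. The log lines, the `/search` endpoint and the thresholds are constructed for illustration.

```python
"""Flag HTTP-flood patterns in web server access logs.

Added example (not from the original page or the case files): parses
"combined"-format access log lines, buckets requests per client IP into
fixed windows, and flags clients whose request rate and share of
"expensive" requests (large static files, search queries) both exceed
thresholds. All log lines are constructed sample data; the thresholds are
illustrative and must be tuned per site.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Requests that cost the server far more than a cached HTML page: large
# images and anything hitting the (hypothetical) /search endpoint.
EXPENSIVE_PATH = re.compile(r"\.(jpe?g|png|gif)$|^/search\?", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
    }


def flood_suspects(lines, window_s=60, rate_threshold=30, expensive_share=0.8):
    """Return {ip: stats} for clients that made at least rate_threshold requests
    inside some window_s-second bucket AND whose expensive-request share is at
    least expensive_share. Requiring both keeps a busy but legitimate crawler
    fetching ordinary pages from tripping the rule."""
    per_bucket = defaultdict(lambda: defaultdict(int))  # ip -> bucket -> count
    total = defaultdict(int)
    expensive = defaultdict(int)
    bytes_out = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the whole run
        bucket = int(rec["ts"].timestamp()) // window_s
        per_bucket[rec["ip"]][bucket] += 1
        total[rec["ip"]] += 1
        bytes_out[rec["ip"]] += rec["bytes"]
        if EXPENSIVE_PATH.search(rec["path"]):
            expensive[rec["ip"]] += 1
    suspects = {}
    for ip, buckets in per_bucket.items():
        peak = max(buckets.values())
        share = expensive[ip] / total[ip]
        if peak >= rate_threshold and share >= expensive_share:
            suspects[ip] = {
                "peak_per_window": peak,
                "expensive_share": round(share, 2),
                "bytes_served": bytes_out[ip],
            }
    return suspects


def _constructed_samples():
    """Build constructed log lines: one ordinary visitor and two flood sources."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 {size}'
    lines = []
    # Ordinary visitor: a few mixed page views (RFC 5737 documentation addresses).
    for i, path in enumerate(["/", "/products", "/images/logo.png", "/cart"]):
        lines.append(fmt.format(ip="198.51.100.7", ts=f"10/Oct/2003:14:00:{i:02d} -0700",
                                path=path, size=2048))
    # Flood source 1: the same large image pulled 40 times within one minute.
    for i in range(40):
        lines.append(fmt.format(ip="203.0.113.5", ts=f"10/Oct/2003:14:00:{i:02d} -0700",
                                path="/images/dvr-front-large.jpg", size=512000))
    # Flood source 2: 35 distinct search queries within one minute.
    for i in range(35):
        lines.append(fmt.format(ip="203.0.113.9", ts=f"10/Oct/2003:14:01:{i:02d} -0700",
                                path=f"/search?q=receiver{i}", size=9000))
    lines.append("not a log line at all")  # exercise the malformed-line path
    return lines


SAMPLE_LINES = _constructed_samples()

if __name__ == "__main__":
    for ip, stats in sorted(flood_suspects(SAMPLE_LINES).items()):
        print(ip, stats)
```

Both conditions are required on purpose: a rate threshold alone would flag a legitimate crawler, and an expensive-request share alone would flag a single visitor browsing a photo gallery. Against a real site the windows should be aligned with the cache layer's behaviour, and the flagged addresses fed into a rate limiter or upstream filter rather than acted on by hand.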

Behind the scenes Ashley was allegedly micromanaging the assault. A chat log recovered from Schichtel's hard drive shows Ashley admonishing his subordinate to stay on top of his portion of the attack: "u gotta keep ane [sic] eye on it...cuz they could null route the ip and change the dns...and it would be back up." When Schichtel asks, "what did they do to you?," Ashley replies with an answer fit for Tony Soprano. "[F]---ing with us...well, a customer."

"Operation Cyberslam"
In December, the alleged DDoS conspirators' informal relationship became more corporate, when Echouafni purchased CIT/FooNet from Ashley, and kept Ashley on as network administrator at a $120,000-a-year salary. Ashley, in turn, formally hired Hall to perform "security" for the company -- which the FBI suggests was a euphemism for launching more DDoS attacks against Echouafni's enemies.

In February, Echouafni -- now the boss -- phoned Hall directly to order an attack on a new target, according to the government: another satellite T.V. retailer called Expert Satellite. Hall dutifully launched a SYN flood against the new victim, but the results didn't please his CEO; Echouafni contacted Hall repeatedly to inform him that the site had resurfaced, and to express his disappointment. "Echouafni also implied that [Hall] would be fired if he did not launch the attacks," reads the affidavit.

By then, law enforcement was making progress on the investigation they code named "Operation Cyberslam."


FBI cyber crime agents had spotted what appeared to be reconnaissance for the HTTP flood attacks in WeaKnees.com's October log files, originating from a shell hosting company called Unixcon. Unixcon traced the activity to an account that had been established with a stolen credit card number, but an FBI source, whose identity is protected in the affidavit, fingered U.K. resident and Unixcon administrator Lee "sorCe" Walker as the culprit.

Walker was already known to the FBI from an investigation earlier in the year, when one of Walker's IRC enemies complained that Walker had DDoSed him. The Bureau even had Walker's home address. An FBI agent traveled to the U.K. in February to accompany London police as they raided Walker, who admitted to the WeaKnees.com and RapidSatellite.com attacks, and fingered Ashley as his handler, according to the affidavit.

The Bureau raided Ashley's home on Valentine's day. Before they hauled away CIT/FooNet's servers -- an act that would briefly cause controversy in the hosting community -- Ashley allegedly admitted to the attacks, and named all three of his cyber button men and Echouafni. Echouafni was arrested in Massachusetts, and released on $750,000 bail secured by his house. "We've alleged in the indictment that Echouafni was the manager, organizer and leader of the group," says assistant U.S. attorney Arif Alikhan, head of the Los Angeles computer crimes section, who's prosecuting the case.

He's also missing. According to court records, last month Echouafni's attorney won a motion to permit Echouafni's wife and children to "travel freely within and outside of the United States of America," and to have their passports returned. That was Echouafni's last action in court: the government says he's disappeared, and officials believe he's likely in Morocco. "He's a native of Morocco, and he was arrested in March as he returned from Morocco into the U.S.," says the FBI's Harrill. Echouafni's attorney did not return a phone call.

The Echouafni investigation was one of a handful of cases specifically cited Thursday by U.S. Attorney General John Ashcroft in announcing what the Justice Department called "Operation Web Snare" -- a tallying of over 150 recent and ongoing federal criminal cases relating to computers or identity theft. Ashcroft said the case illustrates "the increased use of the Internet to damage rival businesses and communicate threats for commercial advantage."

"I think it's the first case of its kind involving a DDoS for commercial advantage or for hire," says Alikhan. "There are DDoS attacks all the time organized on IRC, but this is certainly the first case where you have a corporate executive who was using the services of another person to launch attacks against competitors."

Confirmed information

All information below was provided to us via very reliable sources:

FooNET was raided because of legal issues (read the SF article available above).
FooNET/CIT/HTTPD is no longer in business.
FooNET owner paid packet kiddies to take down competition.
FooNET housed dozens of drone IRCDs for packet kiddies.

Copy of official restoration of service statement from CIT:

We have restored service at Equinix's Chicago Data Centers.
We are in the same facilities as MSN and many Fortune 500 companies. The facility has multiple OC-192 connections to the backbone.

The FBI has begun returning equipment to CIT, which is being shipped to our new facilities in Chicago.
At this time CIT will continue to provide dedicated DDoS-protected web hosting only.

CIT provides reliable and scalable solutions for customers of all sizes and services.
Located in Equinix's Chicago Data Centers, CIT has access to all the major carriers without the need for local loop circuits.

Our Chicago staff is focused first and foremost on customer satisfaction, and will take every action necessary to accommodate each customer.

Unlike many large ISPs, CIT prides itself in its ability to provide personalized service to each customer: if a customer calls twice for assistance, they can usually speak to the same representative. Our sales and support teams are allowed a great deal of flexibility to work together to resolve each customer's needs on an individual basis. Our success and rapid growth can be attributed to the satisfaction of our customers - word-of-mouth referrals account for a large portion of the new business we receive each month.

The IRC Network will remain down until further notice.

Copy of official raid statement from CIT:

Dear Customers of FOONET/CIT

We regret to tell you that on Saturday February 14, 2004 at approximately 8:35 AM, FOONET/CIT's data center in Columbus, Ohio temporarily ceased operations.

Here are the facts of what occurred:

The FBI executed a Search Warrant regarding the IRC network that we host. According to the FBI search warrant, someone hosted in our network hacked and attacked someone else.

After several hours of attempting to track down, inspect and audit the terabytes of data that we host, it was determined by the FBI that it was more efficient to remove the equipment from our site and transport it to the FBI local laboratories for inspection.

This was completed at 7:00 pm CST same day.

The FBI has informed us that as soon as the data has been safely copied and inspected the equipment will be promptly returned. At this point the FBI has not indicated when they will be completed with their inspection.

If you need access to your data please contact Robert White, e-mail address rwhite@fbi.gov

We are extremely sorry and quite honestly horrified that this has occurred.
We are doing everything possible to get this back on track and have our services available to you as quickly as possible.

Paul and family are OK, although shaken by this series of events. They are home and still waiting for the blessed event of their new child's birth.

We would appreciate it if you do not attempt to contact us directly, since we are focusing on restoring services and rebuilding machines that are missing hard drives.

Please check back here often, because we have an update we will post on this site.

Thanks again for your understanding.

How to get your server back

If you are a customer, you can email rwhite@fbi.gov or rwhite3@leo.gov, give him your server info, and ask them to mirror your drive and give you access to it; apparently they will do it.