<http://online.wsj.com/article_print/0,,SB110176932097886077,00.html?mod=home%5Fpage%5Fone%5Fus>

The Wall Street Journal

November 30, 2004

PAGE ONE

Virus for Hire

Growing Number Of Hackers Attack Web Sites for Cash

Entrepreneur Asked a Team To Mastermind Strikes Against Rivals, U.S. Says

WeaKnees on Its Knees

By CASSELL BRYAN-LOW
Staff Reporter of THE WALL STREET JOURNAL
November 30, 2004; Page A1

On Oct. 6, 2003, an electronic attack overwhelmed the Web site of WeaKnees.com, an online seller of digital video recorders. As the attacks escalated over several weeks, the e-mail system was knocked out, customers couldn't access the Web site, and the Los Angeles retailer says it suffered about $200,000 in lost sales and costs for fixing the system.

U.S. law-enforcement officials who later investigated the electronic assault came to a disturbing conclusion: It wasn't masterminded by a typical hacker, motivated by the thrill of the crime. Instead, the attack on WeaKnees appeared to be the work of a new breed of cyber-mercenaries who are paid to unleash viruses.

The man who allegedly made that payment is Jay R. Echouafni, a 37-year-old entrepreneur from Sudbury, Mass. Rebuffed by WeaKnees over a proposed business deal, Mr. Echouafni attacked the company's Web site, according to law-enforcement authorities.

In August 2004, Mr. Echouafni was indicted by a federal grand jury in Los Angeles on charges of criminal conspiracy and launching destructive computer attacks against WeaKnees and two other firms. Mr. Echouafni has since fled, a prosecutor says. Five other defendants are named in a criminal complaint for their alleged role in the attacks, but haven't yet been indicted.

Traditionally, computer hackers have invented viruses primarily for the sake of the bragging rights. But now hackers are mixing with fraudsters and organized-crime rings, law-enforcement officials say.
Increasingly viruses are being used illegally for financial gain, and they are becoming part of the modern criminal's toolbox.

"The things that used to be just nuisances have been picked up by financial criminals," says Alan Paller, director of research at the SysAdmin, Audit, Network, Security Institute, known as SANS, an organization for computer-security professionals in Bethesda, Md.

The Internet's growth has led to a surge in cyber-crime, including identity theft and online fraud. The Federal Bureau of Investigation ranks cyber-criminals as its third-biggest priority after terrorists and spies. The United Kingdom's National Hi-Tech Crime Unit has made more than 100 arrests related to major computer crimes since it was set up three years ago. The U.S. Department of Justice employs about 38 attorneys in its computer-crime section, up from three a decade ago. About half focus on viruses and other computer intrusions.

The toll of viruses on business, in terms of lost revenue and repair costs, could hit $17.5 billion this year, up from an estimated $13 billion in 2003, according to Computer Economics Inc., a research firm in Aliso Viejo, Calif. It isn't known how much of that stems from financially motivated attacks, but law-enforcement officials say that their frequency is rising sharply.

The growth in such attacks is driven by a new family of viruses that lets a person control large numbers of computers in order to, say, attack a corporate Web site. About a year ago, a Russian gang started using a network of virus-infected computers to shut down legitimate British gambling sites and blackmail the operators into paying hundreds of thousands of pounds, according to the U.K.'s high-tech crime unit.

Computer viruses are notoriously hard to track. Mr. Echouafni's trail, for example, runs from Massachusetts and California to Germany and Britain. In a phone call made recently from an unknown location, Mr. Echouafni denied the federal charges. "I had nothing to do with the attacks," he said. He said that he had been the target of Web attacks himself, and that he had reported them to the FBI. Mr. Echouafni declined to comment further on the allegations. A prosecutor confirmed that the FBI had received Mr. Echouafni's report.

Jay Echouafni, who also goes by the first name Saad, is of Moroccan origin, according to a U.S. prosecutor. A heavy-set man with green eyes, he came to the U.S. as a teenager and became an American citizen, the prosecutor says. Until recently, he lived in Sudbury, an affluent suburb of Boston, with his wife and their three children. They occasionally returned to Morocco where Mr. Echouafni maintained business interests, added the prosecutor.

Mr. Echouafni's company, Orbit Communications Corp., sold gear such as set-top boxes that receive signals for satellite-TV systems, according to court filings. He also dabbled in software development, the prosecutor says.

Former business acquaintances describe him as bright, hard-working and computer-savvy. He could also be tough. "We had lots of problems with him," says Lee Taylor, chief executive of Perfect 10 Satellite Distributing Inc., a company in North Little Rock, Ark., that sold millions of dollars of equipment to Mr. Echouafni over the past few years. Mr. Echouafni often would badger the distributor's employees to lower their prices, according to Mr. Taylor.

The case against Mr. Echouafni and his co-defendants is in its early stages and not all the facts are known. Some alleged participants couldn't be reached. But the case provides an early glimpse into the burgeoning world of viruses-for-hire.

Business Proposal

In early 2003, Mr. Echouafni approached WeaKnees.com with a business proposal: In a move that would have broadened his company's product range, Mr. Echouafni wanted to distribute upgrade kits sold by WeaKnees, which extend the recording time of digital video recorders, says Michael Adberg, co-owner of WeaKnees. Mr.
Adberg says he turned down the proposal in part because he worried it would give Mr. Echouafni significant control over WeaKnees's business.

Apparently annoyed by the rejection, Mr. Echouafni contacted Paul G. Ashley, owner of a Powell, Ohio, company with whom he did business, according to the indictment. Mr. Ashley's company rented out large computers that run Web sites, the indictment says.

Mr. Echouafni said that some competitors were bothering him and asked Mr. Ashley to attack their Web sites, according to the indictment and complaint. Three companies were targeted, including WeaKnees and Rapid Satellite, a Miami company that directly competed with Mr. Echouafni's business of selling home satellite-TV systems, according to the indictment.

Mr. Ashley sent their Web addresses to Lee G. Walker, a business associate who lived in the U.K., according to the complaint. Mr. Walker's weapon of choice for the job was a piece of malicious computer code known as a bot virus, the complaint alleges.

Richard Cline, a lawyer in Columbus, Ohio, for Mr. Ashley, said neither he nor his client had any comment. Mr. Walker couldn't be reached.

With a bot virus, a single person can hijack the power of thousands of far-flung computers. Security experts believe that most spam is sent using bots. The approach makes it easy for cyber-criminals to cover their tracks since they act through other people's computers. The popularity of high-speed Internet connections that are always kept on has also promoted the spread of bots.

In Internet chatrooms, access to bot-controlled computers can be purchased for anywhere from a few cents to $1 per machine. Of the 100,000 viruses and worms that exist in cyberspace, bots are among the fastest spreading. Two years ago only 200 bot-virus variations existed; today, there are about 4,000, according to F-Secure Corp., a Finnish antivirus software maker.

Mr.
Walker later confessed to law-enforcement officials that he used computers infected with a bot virus named "Agobot," according to the complaint. Its creator was Axel Gembe, an unemployed 22-year-old who named the virus after his own nickname "Ago." Mr. Gembe is a self-taught computer whiz from a modest background who lives near Germany's border with Switzerland.

Mr. Gembe gained notoriety in the hacker world last fall for breaking into the systems of a U.S. videogame developer, Valve Corp., and stealing code for the sequel of a popular computer game called "Half-Life." Key parts of the game were leaked via the Internet, causing millions of dollars in damage, Valve says.

German police arrested Mr. Gembe in May for his alleged role in the theft of the videogame code and for his involvement in the attacks that Mr. Echouafni allegedly instigated. Mr. Gembe hasn't been charged with any crime. Police say they are still investigating.

In an e-mail response to questions, Mr. Gembe admits to taking the videogame code but denies leaking it. He also acknowledges writing Agobot, but says that he doesn't know how Mr. Walker obtained the virus.

Mr. Walker used 5,000 to 10,000 hijacked computers to attack the WeaKnees and Rapid Satellite sites, according to the U.S. complaint.

After initial assaults shut down the Web sites, Mr. Echouafni contacted Mr. Ashley by phone and praised him and others for doing "a good job," according to the indictment and a prosecutor. He also paid Mr. Ashley $1,000, the complaint says. Mr. Echouafni acquired Mr. Ashley's company and retained him as a systems administrator, for an annual salary of $120,000, according to the indictment and criminal complaint. Mr. Ashley transferred $900 to Mr. Walker in England, the prosecutor says.

Around the same time, Mr. Ashley allegedly recruited another hacker, Joshua J.
Schichtel from Chandler, Ariz., and asked him to launch his own attacks against the Web sites, according to the criminal complaint, which also names Mr. Schichtel as a defendant.

Pressing the Attack

"Destroy it...heheh," Mr. Ashley wrote Mr. Schichtel in an electronic message, according to the complaint. When Mr. Schichtel told him that one of the companies had changed network addresses six times, Mr. Ashley told him to keep attacking the site, the complaint says. Mr. Schichtel couldn't be reached for comment.

The attacks against WeaKnees ran from early October until mid-November 2003, according to the complaint. During that time, the Web site was periodically shut down, making it difficult for customers to reach the company, says WeaKnees.

In early October 2003, Rapid Satellite's site also was attacked. While Nick Molina, chief executive of Rapid Satellite's parent, WebClick Concepts Inc. of Miami, was struggling to get his systems running again, he says he received an unusual call. Mr. Echouafni offered to host Rapid Satellite's site for $5,000 a month. In an interview, Mr. Molina contends that Mr. Echouafni wanted "to see the pain I was going through" and "extort money from me."

The three target companies, in total, suffered more than $2 million in lost revenue and costs, according to the complaint.

The FBI, meanwhile, traced digital fingerprints left by the hackers to the company that Mr. Walker worked for, and then to Mr. Walker himself, according to the complaint. When U.S. and British law-enforcement agents interviewed Mr. Walker on Feb. 11, he admitted launching the attacks, according to the complaint. Three days later, FBI agents searched Mr. Ashley's home in Ohio, and he, too, confessed, according to the complaint.

Mr. Ashley, Mr. Walker and Mr. Schichtel are among five defendants named in the criminal complaint. None of them has been indicted.

The FBI eventually gathered enough evidence to go after Mr. Echouafni.
When he learned about the Ohio search, Mr. Echouafni and his family flew to Morocco, the FBI says. He and his wife returned to Boston on an Air France flight on March 11, where he was arrested by waiting FBI officials, the agency says. Sometime after that, Mr. Echouafni jumped bail; prosecutors believe he has fled the country.

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'