April 29, 2009, 8:52 PM — A 20-year-old man from Cheyenne, Wyoming, has been sentenced to five years' probation for creating what researchers called one of the most sophisticated botnet networks of hacked computers in recent years.
Jason Milmont pleaded guilty last year to creating the Nugache worm, which infected between 5,000 and 15,000 computers in 2007. He used the worm to build a botnet of infected computers and stole online account information and credit card numbers from his victims, according to his plea agreement. He then used the information to buy goods and services, court fillings say.
Milmont had been facing five years in prison when he was sentenced Tuesday in U.S. District Court in Cheyenne. In addition to the probation, he was ordered to pay US$36,859 restitution in monthly payments of $250, according to court documents.
Judge William Downes "told the young man that he had quite a bit of talent and hoped he would use it for good," according to John Powell, a spokesman for the U.S. Attorney's Office in Cheyenne. Milmont was initially charged in California but the case was transferred to Wyoming for sentencing, Powell said.
Milmont was just a teenager when he created his botnet. He used advanced cryptographic techniques and created a novel way of controlling the botnet via peer-to-peer networks, said Dave Dittrich, a researcher with the University of Washington. "It was a completely different way of controlling a bunch of computers and makes it much harder to find the person who was controlling them," he said.
Other botnets, including Conficker and Storm, have adopted similar techniques, he said, adding, "in some ways, Nugache is more successful in using peer-to-peer for command and control than Conficker."
Dittrich began studying Nugache while working on a grant, but as he learned about its inner workings he became so fascinated by the worm that he kept up the work in his spare time.
He said Wednesday that he was "a little surprised" to discover it had been written by only one person, a teenager in a remote western U.S. state.
Milmont's case is similar to that of another botnet teenager, Owen Walker, who avoided jail time last year after pleading guilty to running a massive botnet. Walker was reportedly given a contract job with New Zealand telecommunications company TelstraClear.
According to Milmont's father, Chris Milmont, his son, like Walker, was socially awkward -- suffering from Asperger syndrome -- and had become heavily involved in computers. At age 16, Jason Milmont lost his hearing in one ear and was diagnosed with a brain tumor, which his father said made him more withdrawn. "We definitely saw a major change in his behavior."
Chris Milmont found out about his son's activities when federal agents knocked on his door to search his son's computer. "Part of his character is he doesn't talk much. He didn't communicate well."
