Nugache worm creator gets off with one year of home confinement and a fine

Apr 30, 2009 09:43 GMT

A federal judge has sentenced Jason Michael Milmont, the 20-year-old VXer who admitted to being the creator of the Nugache worm, to one year of home confinement, followed by five years on supervised probation. Additionally, he has to pay around $37,000 in restitution.

The Nugache worm spawned one of the first ever peer-to-peer botnets, and, when it was launched in 2006, it was considered a game-changer announcing the next step in malware evolution. In a P2P botnet, every compromised machine in the swarm acts as a peer for the others. This basically removes the need for a central command-and-control server, which is susceptible to takedown efforts.

To make things worse, Nugache-infected machines communicated with each other using an encrypted channel, making it even harder for researchers to fight it. At that time, all these techniques were considered groundbreaking and were later employed by other infamous worms, such as Storm or Conficker, the top two most successful in history.

Even more impressive was the fact that such highly complex malicious code was the work of then 17-year-old Milmont, a resident of Cheyenne, Wyoming. "There was speculation that a Russian criminal mastermind must be behind the Nugache malware attack, so it may surprise some to see a teenager from Wyoming taking the rap for this cybercrime," Graham Cluley, senior technology consultant at Sophos, commented in 2008, when Milmont pleaded guilty.

The teen is said to have had control of between 5,000 and 15,000 compromised computers at any given time and, on at least one occasion, to have used them to launch a Distributed Denial of Service (DDoS) attack against an unnamed company in California. The Nugache worm, which was being propagated via e-mails, network shares, and instant messengers, also included a keylogging component.

This allowed Milmont to steal credit card information and passwords for various accounts, which he then used to purchase goods online. The shipments were being made to vacant homes in Wyoming, in order to hide his real identity.

The botnet herder faced a maximum sentence of five years in jail and a fine of $250,000, but the prosecutors recommended a lighter sentence in exchange for his assistance. "This young man has quite a bit of talent and we asked that he turn that talent toward good. He's helped us somewhat toward that," John Powell, a spokesman for the US Attorney's office in Cheyenne, shared, according to The Register.