Posted March 3

Dear Herr Eismann,

As I stated in the previous fax, I am now providing you details, some of which you may already have, regarding the FBI investigation into the theft of intellectual property and computer intrusion and suspect AXEL GEMBE.

Agobot Virus and Distributed Denial of Service Attacks of Websites and Internet Service Providers

Investigation by multiple United States law enforcement agencies has established that since October 2002, GEMBE has been participating in the development and deployment of a malicious computer code known as the Agobot/gaobot Virus. The virus works by automatically gaining unauthorized access to Internet computers, in order to use those computers to launch hundreds of Distributed Denial of Service (DDoS) attacks on victim computer networks. The targets of these attacks include well-known commercial websites such as eBay. Sales revenue and business losses, although difficult to estimate, can readily multiply into the millions of dollars. For example, Internet Service Providers Tiscali UK and Aeneas Internet and Telephone, Memphis, Tennessee, USA, were each shut down by the virus for approximately four days, resulting in estimated losses of $1.6 million (USD) and $50,000 (USD), respectively.

The Investigation of DDoS Attacks

Beginning in October 2002, and continuing until February 2004, numerous Internet Service Providers (ISPs), individual computers, and business computer networks were the victims of DDoS attacks launched from other computers infected with the Agobot/gaobot virus. The virus spreads by scanning the Internet for computers vulnerable to attack. If it locates such a computer, it installs itself, leaving behind a "back door" which causes the computer to report to a communication channel controlled by the person who spawned the virus. An infected or compromised computer is called a "bot".
By instructing the mass of infected bots to flood a particular computer on the Internet, an individual can overwhelm the computer, effectively denying service to it.

The United States Service opened an investigation in January 2003, when a local ISP, Aeneas Internet and Telephone, was hit with periodic DDoS attacks over a two-month period of time. The attack peaked when Aeneas was forced off-line for approximately four days, resulting in an estimated $50,000 loss. The investigation established that the Agobot/gaobot virus was authored, maintained, modified, and made more virulent by an individual known by the screen nickname "Ago", who actually inserted his photograph and email address in one version of the virus.

The Agobot/gaobot virus was responsible for a DDoS attack on Tiscali UK, a large ISP. Tiscali was denied service for approximately four days, resulting in an estimated $1.6 million loss. On February 11, 2004, LEE WALKER was arrested in the United Kingdom. WALKER admitted that he and Ago had launched numerous DDoS attacks, and that Ago had authored the virus, and continued to modify and improve it. He claimed he knew Ago lived in Germany and that his first name was "Alex" or "Axel", but could not identify him further.

Hundreds of Internet sites were victimized in the DDoS attacks launched by GEMBE and/or WALKER, using the virus authored and maintained by GEMBE. In addition, the virus was often used to attack a target by attacking Domain Name System (DNS) servers, computers which serve as part of the infrastructure of the Internet. By attacking DNS servers, the virus affected service to other Internet sites besides the specific, intended target.

According to recent information obtained by the FBI, Ago and the other authors of the Agobot/gaobot control a bot network of anywhere from 50,000 to 100,000 computers. This network is capable of generating traffic at speeds of 30-35 gigabits per second.
It is believed that the country of New Zealand may have been "knocked offline" (Internet service was disabled) by an attack launched by the group.

Investigation has determined that Ago is selling the malicious code on the Internet. Ago utilizes the PayPal account "theago@gmx.net" to sell his malicious code. Authors of malicious code often spread worms and viruses simply for the challenge and the ability to claim within their on-line community the "bragging rights" for disabling or disrupting a major ISP or business. In addition to spreading the code to anyone with the resources to purchase it, Ago is now personally profiting by the release of the code. Ago has every motivation to distribute the code to the maximum extent possible, and no motivation to stop. This makes his arrest and prosecution more urgent.

The following excerpt, quoted from the Agobot/gaobot source code, illustrates Ago's ability to enlist assistance with the creation and distribution of the malicious code:

Quote
Contributions to Agobot3:
Num - Name - What
1. - Ago - Writing Agobot3 base, being the author/administrator
2. - Fight - Hosting my testing bots
3. - killer77 - Donating money to make Agobot3 as good as it is today
4. - dj-fu - Helped me finding bugs
5. - Chrono - Hosting me a site and helping find bugs
6. - harr0 - Hosting me a site
7. - ryan1918 - Hosting me a site or forum too (not yet)
8. - PhaTTy - Implementing new features into Agobot3
9. - weed - Making me high while programming
thx to anyone on this list and everyone i forgot for making Agobot3 what it is.

Furthermore, another "trojan" (hidden) bot has been developed and unleashed on the Internet. This bot goes by the name Phatbot. It has been determined by FBI examination that the malicious code found within Phatbot builds upon the code used in the Agobot/gaobot.
This new bot is considered to be very dangerous because it has the ability to be polymorphic on installation in an attempt to evade anti-virus signatures as it spreads from computer to computer.

Valve Software Computer Network Intrusion and Theft of Intellectual Property

GEMBE has been identified as the hacker who in 2003 gained unauthorized access into the network of game developer Valve Software, which resulted in the theft and public dissemination of a pre-release version of Valve Software's flagship computer game, Half Life II (HL2). Based on profits from its initial version of the game, Valve Software anticipated (and has now lost) $250,000,000.00 in sales revenue from HL2.

Since the middle of February 2004, GEMBE has been communicating with Valve Software management via email, attempting to convince Valve Software that although he was the intruder, he was not responsible for the dissemination of their software. He has also aggressively sought employment with Valve Software, citing his imminent mandatory conscription as a reason for wanting to leave the EU and obtain work in the States.

GEMBE's email discussions with Valve Software have progressed to the point where some law enforcement intervention is critical. Specifically, GEMBE has expressed impatience with the slow response from Valve Software, and has remarked that he has the ability to gain control over Valve Software's network computers should he decide to do so. GEMBE is expecting a job interview with Valve Software by telephone, followed shortly thereafter by an expense-paid trip to the States. United States authorities involved with this case are concerned that if GEMBE discovers that Valve Software's employment interest is not sincere, he may retaliate. Valve Software acknowledges that GEMBE may currently have access to a computer on its network, but believes that he cannot penetrate further into its system. Still, GEMBE's skill in DDoS attacks has heightened concerns.
The Investigation of Valve Software Intrusion

Valve Software, located in Bellevue, Washington, USA, creates, produces and sells popular Internet-based computer video games. One of these games is Half-Life, an immensely popular game with sales exceeding $250,000,000. Valve Software was in the process of developing Half Life II (HL2), the widely-anticipated sequel to Half-Life, when their computer network was victimized by an unlawful intrusion.

Valve Software learned of the criminal intrusion into its computer system on October 1, 2003, when the company became aware that an internal email from one Valve Software employee to another had been posted on a public website, and later, that programming code for HL2 and other Valve Software games had been stolen and released on different websites. Valve Software employee computer passwords were also posted. Since then, a working, unreleased version of HL2 and another Valve Software game have been circulated on the Internet. HL2 is now reportedly being sold on computer disks in Russia.

As a result of all this activity, Valve Software began an in-depth review of the computers on their network and found at least thirteen machines that had been compromised within their network. Valve believes the intrusion may have occurred as early as June 2003. The computers were provided to the FBI for further forensic analysis. Forensic analysts discovered a variety of "hacker" programs installed without Valve Software's permission. Another program created a secure but unauthorized method of remote access, a "tunnel" for a hacker to use to sneak back into Valve Software's system. On one of Valve Software's networked computers, this program was configured to connect to a website in Germany. To identify the person who controlled the website, the German ISP who owns the address for the website would have to provide subscriber information. There were also instances of the Agobot/gaobot found on Valve Software victim machines.
On February 16, 2004, U.S. authorities were contacted by Valve Software after the Chief Executive Owner (CEO) received an email from an individual claiming to have been the person who hacked into the Valve Software network. The individual used the name "DaGuy" and the following email address: daguy@hush.com. That email address was provided by Hush Communications, a company located in Vancouver, Canada, which provides anonymous re-mailing services. DaGuy claimed to have had access to the Valve Software network for approximately six months. He provided Valve Software with technical information "proving" he truly was the hacker. To date, these claims and details have been validated by the forensic analysis performed by both Valve Software and the FBI, and are also consistent with the details described in the chat logs previously provided to Valve Software.

DaGuy appears to be strongly motivated to convince Valve Software that he is not an "evil" hacker. He claimed that he had hacked into Valve Software's system only to observe their development of HL2. He claimed that he was careless during an IRC session with a friend, and that members of a group known as myg0t eavesdropped on this conversation and obtained sufficient information to enable them to use his established but unauthorized access into Valve Software's network. In fact, myg0t was responsible for the initial public dissemination of the internal Valve Software email and source code.

DaGuy has attempted to prove he could be helpful to Valve Software by providing advice regarding its network security, and on February 19, 2004, DaGuy asked Valve Software's CEO if they had any job openings. On February 27, 2004, the CEO asked DaGuy if his interest was serious, and DaGuy replied that he was. On February 28, 2004, DaGuy expressed some urgency in coming to the U.S., as he was concerned about conscription. He said he needed to know as soon as possible.
On March 3, 2004, the CEO apologized for not responding more quickly and promised to be more prompt. He requested a resume. He advised DaGuy that Valve Software would fly both him and his wife to the United States for a job interview. DaGuy replied that he was not married and would need funds to travel. After days of sending emails without response, on March 6, 2004, DaGuy sarcastically asked the CEO what he meant by "prompt", and claimed he could have taken control of one of Valve Software's network computers if his intentions weren't benevolent. He wondered whether he should break into Valve Software's computer to fix it. On March 8, 2004, the CEO advised DaGuy that Valve Software will pay for travel and relocation expenses. On March 10, 2004, DaGuy provided a phone number (xx xxxx xxxxx) for an initial telephone interview, pursuant to Valve Software's standard hiring procedures. Valve Software is prepared to conduct the telephone interview.

As of March 20, 2004, there was a website, www.cs-ipv6/6bone/whois/nic-hdl/ago1-6bone, which contains an FTP archive "whois" list. This list contained the following details for AGO1-6BONE:

Quote
person: Axel Gembe
address: Schonenbergerstrasse 8
address: 79688 Schonau
phone: 49 7673 9322218
email: theago@gmx.net
nic-hdl: AGO1-6BONE
url: http://www.bastart.eu.org/
notify: theago@gmx.net
mnt-by: AGOMNT-6BONE
change: theago@gmx.net 20040128
source: 6BONE

The phone number included in the above reference is the same as the one provided by DaGuy to Valve Software on March 10, 2004, with the exception of the last digits.

Please advise me of any investigative actions. Do not hesitate to contact me if you have any additional questions.
Posted March 3 (Author)

Dear Herr Eismann,

I am providing you information regarding an FBI investigation into the theft of intellectual property and computer intrusion. Investigation indicates that the subject responsible is AXEL GEMBE, residing in Germany. Recent developments have added urgency to this matter, as GEMBE is now communicating via email directly with the CEO of Valve Software, and is threatening to do further damage by taking control of Valve Software computers. The information provided below is a summary of the most recent investigative development. I will send a follow-up fax with additional, detailed information regarding the entire investigation.

Immediate intervention into the criminal activities of AXEL GEMBE, of Schonau, Germany, is considered extremely urgent. GEMBE (also known as "Ago") is now considered by U.S. authorities to be a primary suspect in two separate, international cyber crimes of major proportions. GEMBE has been identified as the hacker who in 2003 gained unauthorized access into the network of game developer Valve Software, which resulted in the theft and public dissemination of a pre-release version of Valve Software's flagship computer game, Half Life II (HL2). Based on profits from its initial version of the game, Valve Software estimated $250,000,000.00 in lost sales revenue from HL2.

Since the middle of February 2004, GEMBE has been communicating with Valve Software management via email, attempting to convince Valve that although he was the intruder, he was not responsible for the dissemination of their software. He has also aggressively sought employment with Valve Software, citing his imminent mandatory military service as a reason for wanting to leave the EU and obtain work in the States. Valve Software is cooperating with the FBI in this matter. GEMBE's email discussions with Valve Software have progressed to the point where some law enforcement intervention is critical.
Specifically, GEMBE has expressed impatience with the slow response from Valve Software, and has remarked that he has the ability to gain control over Valve Software's network computers should he decide to do so. GEMBE is expecting a job interview with Valve Software by telephone, followed shortly thereafter by an expense-paid trip to the States. On March 10, 2004, GEMBE provided a phone number (xx xxxx xxxxx) for an initial telephone interview, pursuant to Valve Software's standard hiring procedures. The FBI is concerned that if GEMBE discovers that Valve Software's employment interest is not sincere, or if they continue to stall, he may retaliate.

Please advise me as to your anticipated investigative actions. Do not hesitate to contact me if you have any additional questions.