The Good Samaritan's Dilemma
The ability to infiltrate and seize control of Kraken's C&C mechanism left the company with an ethical dilemma that has prompted a discussion of whether infected computers used in denial-of-service attacks and spam runs should be cleansed without the owners' consent.

"On the technical side, we have proven that it can be done. From our proof-of-concept, it would have been one more click of a button to shut down the communication between the people sending commands to these [infected] computers," Pierce said.

"We never hear from the infected system again and neither can the actual botnet owner's command-and-control servers," Amini said, arguing that cleansing should be used to help slow the botnet epidemic. "We have the ability to successfully redirect infected systems. We have the ability to provide an 'update' through the existing Kraken protocol that can simply remove the Kraken zombie."

Pierce agreed. "If you have a wild person driving on the street, putting everyone else at risk, you don't just turn the other way," he said, calling for industrywide discussion about a more proactive, vigilante-type approach to fighting botnets.

David Endler, director of security research at TippingPoint, is on the other side of the fence. "The reality is that you really don't know what you're modifying," Endler said in an interview. "It's a very tricky situation. What if that end-user system is performing a critical function? What if that target system is responsible for someone's life support? Who is to say what is more beneficial? It really is a moral and a legal quandary."

He cited liability issues as one of the key reasons TippingPoint opted to leave the compromised computers untouched within the Kraken botnet. "There could be life-threatening repercussions [so] you have to walk away and err on the side of caution," Endler said.
"If you see someone breaking a window to go into someone's house, that really doesn't give you the right to break another window and go in after them." Pierce said he sees it another way: "If you see someone mugging someone across the street, you just don't watch and walk away." Andrew Hay, product manager at Q1 Labs, a network security management company, said the concept of tampering with a user's machine without consent, even if it's to remove malicious software, is "ethically questionable." "I couldn't in good conscience send any command to a machine without the user's knowledge and approval," Hay said. "Ethically speaking, we just can't make that decision regardless of if it's right or whether it's the best thing to do for the good of the Internet."
Essentially, the infected system would connect to TippingPoint's fake Kraken server and receive a command to kill the target process handling the communication.