The British Botnet Corporation

By Larry Seltzer  |  Posted 2009-03-14

There are some things you just don't do in security research or you become part of the problem. Controlling and modifying other people's machines, even if they are "bots" in a botnet, is one of them. This is what the BBC did.

Not many in the security community are impressed with the BBC's cheap trick of buying a botnet and using it to demonstrate what botnets can do. I'm just as disappointed with Prevx, the security vendor that cooperated with the stunt.

Despite the BBC's assertion that no laws were broken, I'm more persuaded by those who cite the Computer Misuse Act to claim the contrary. To do what the BBC claims to have done, they must have violated it. One can argue the merits of various parts of the act, but as a general matter it's not good for vigilantes to go about violating people's computers to make a self-serving point. The act is clear that unauthorized access to a computer, and unauthorized actions on it (like sending e-mail from it or changing the wallpaper), are offenses, and of course they should be. Whether the owner of the machine would have consented is beside the point: nobody asked. They also may have exposed themselves to civil liability by involving ISPs in their fake, demonstrative DDoS.

What they did was wrong on a number of levels, not least of which is that they apparently paid for the privilege of using a real botnet. Whom did they pay? Is it right to reward the herders of a botnet by giving them business? What will those herders do with the money paid by the BBC?

How do responsible security researchers work? Anti-malware testing is not exactly the same field as botnet research, but I think you can get a good sense of the right principles from the Fundamental Principles of Testing published by AMTSO (the Anti-Malware Testing Standards Organization), two of which apply directly here: never create new malware, and protect the public networks from the research at all times.

Alex Eckelberry, CEO of Sunbelt Software, commenting on this in a post to the funsec mailing list, says it well:

... malware researchers routinely deal with botnets for analysis purposes. It would be considered a high crime indeed to allow a spambot to actually send spam to the outside world, even for "testing" purposes. And, shutting down a botnet yourself, even with the best intentions, is simply not a good idea. You don't know what accidental harm you may cause. You also don't really know what's on the user's system that will simply restart the whole process.

In the end the BBC states that it notified the owners of the systems involved that they were infected. It didn't provide details on how it did this (I wonder why, he said sarcastically), but our reporting indicates that it did so by modifying the user's wallpaper to include a note about it. Well-intentioned as it may have been, this alone is an unauthorized modification of someone else's computer and a violation of the Computer Misuse Act. It's also a common technique of rogue anti-malware products; they use any avenue they can get to try to get the user to "fix" their problem by buying the premium program.

This last analogy may seem cheap and unfair, but I think it illustrates how close you tread to the dark side when you go down this path. You end up using the tools that the bad guys use because they're what's available. And as Eckelberry says, you never know what will happen as a result, and it will be your fault. I hope the BBC stops defending its actions and apologizes, as it should. This sets a terrible example.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack

Larry Seltzer has been writing software for, and English about, computers ever since (much to his own amazement) he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
