Researchers at TippingPoint Technologies’ Digital Vaccine Laboratories have found a way to infiltrate and seize control of one of the world’s largest spam-spewing botnets, a breakthrough that has ignited an intense debate over the ethics of “cleaning” infected computers.
Cody Pierce and Pedram Amini, two high-profile software security researchers, cracked into the Trojan powering Kraken, a 400,000-strong botnet of infected computers, by reverse-engineering the encryption routines and figuring out the communication structure between the botnet owner and the hijacked computers.
Once they got a clear understanding of the inner workings of Kraken, the duo found that the infected computers were trying to connect to a master C&C (command and control) server by systematically generating subdomains from various dynamic DNS (Domain Name System) resolver services.
This meant the researchers could predict where the bots would be connecting upon reboot, Pierce said in an interview. “We basically have the ability to create a fake Kraken server capable of overtaking a redirected zombie,” Pierce said.
“By reverse-engineering the list of names and successfully registering some of the subdomains Kraken is looking for, we can emulate a server and begin to infiltrate the network zombie by zombie. Stated simply, Kraken-infected systems worldwide start to connect to a server we control,” Amini said in a document explaining the reverse engineering process.
The TippingPoint DVLabs team monitored Kraken connections for seven days and during that time the fake Kraken server received more than 1.8 million requests from infected systems worldwide, mostly from home broadband users in the United States, the United Kingdom, Spain and Central America.
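The predictable-subdomain mechanism described above is what makes a sinkhole possible: if a defender can compute the names the bots will look up, the defender can register those names first and the infected hosts connect to an address the defender controls. The following is an added illustration, not TippingPoint's code and not Kraken's real generation routine; the date-based generator, the seed, the dynamic-DNS parent zones, the sinkhole address and the bot traffic are all constructed for the example.

```python
"""Added example: a hypothetical predictable subdomain schedule and a defender's
sinkhole that pre-registers the predicted names and counts who connects."""
import hashlib
from collections import Counter
from datetime import date, timedelta

# Constructed dynamic-DNS parent zones (RFC 2606 style, not real providers).
DYNDNS_ZONES = ["dyndns.example", "no-ip.example", "dynserv.example"]


def predicted_names(day, count=3, seed=b"toy-seed"):
    """Hypothetical deterministic schedule: labels derived from the date.

    Stand-in for the per-reboot name generation the article describes; the
    real routine had to be recovered by reverse engineering, and this one is
    simply a hash of a constructed seed, the date and an index.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        label = digest[:10]
        names.append(f"{label}.{DYNDNS_ZONES[i % len(DYNDNS_ZONES)]}")
    return names


class Sinkhole:
    """Defender-controlled resolver: answers only for names it has pre-registered."""

    def __init__(self, controlled_ip="192.0.2.10"):  # constructed sinkhole address
        self.ip = controlled_ip
        self.registered = set()
        self.requests = Counter()  # connections seen, keyed by source address

    def preregister(self, start, days):
        """Register every name the schedule predicts for the coming window."""
        for offset in range(days):
            for name in predicted_names(start + timedelta(days=offset)):
                self.registered.add(name)
        return len(self.registered)

    def resolve(self, name):
        """Return the sinkhole address for registered names, else None."""
        return self.ip if name in self.registered else None

    def handle(self, name, src):
        """Record a connection attempt; True if it landed on the sinkhole."""
        if self.resolve(name) is None:
            return False
        self.requests[src] += 1
        return True


def simulate(sink, day, bots):
    """Constructed traffic: each bot source tries that day's predicted names
    once, as a rebooting zombie would. Returns how many attempts reached us."""
    hits = 0
    for src in bots:
        for name in predicted_names(day):
            if sink.handle(name, src):
                hits += 1
    return hits


if __name__ == "__main__":
    sink = Sinkhole()
    registered = sink.preregister(date(2008, 4, 7), 7)  # constructed one-week window
    bots = ["198.51.100.1", "198.51.100.2", "203.0.113.9"]  # constructed sources
    hits = simulate(sink, date(2008, 4, 8), bots)
    print(f"pre-registered {registered} names, received {hits} connections")
    for src, n in sink.requests.most_common():
        print(f"  {src}: {n}")
```

The monitoring step in the article corresponds to the `requests` counter: once the names are registered, every connection attempt from an infected host is logged by source, which is the data behind the per-country request counts the team reported. The sinkhole only answers and counts; it sends nothing back to the infected host.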
The Good Samaritan's Dilemma
The ability to infiltrate and seize control of Kraken’s C&C mechanism left the company with an ethical dilemma that has prompted a discussion of whether infected computers used in denial-of-service attacks and spam runs should be cleansed without the owners’ consent.
“On the technical side, we have proven that it can be done. From our proof-of-concept, it would have been one more click of a button to shut down the communication between the people sending commands to these [infected] computers,” Pierce said.
Essentially, the infected system would connect to TippingPoint's fake Kraken server and receive a command to kill the target process handling the communication.
“We never hear from the infected system again and neither can the actual botnet owner’s command-and-control servers,” Amini said, arguing that cleansing should be used to help slow the botnet epidemic. “We have the ability to successfully redirect infected systems. We have the ability to provide an ‘update’ through the existing Kraken protocol that can simply remove the Kraken zombie.”
Pierce agreed. “If you have a wild person driving on the street, putting everyone else at risk, you don’t just turn the other way,” he said, calling for industrywide discussion about a more proactive, vigilante-type approach to fighting botnets.
David Endler, director of security research at TippingPoint, is on the other side of the fence. “The reality is that you really don’t know what you’re modifying,” Endler said in an interview. “It’s a very tricky situation. What if that end-user system is performing a critical function? What if that target system is responsible for someone’s life support? Who is to say what is more beneficial? It really is a moral and a legal quandary.”
He cited liability issues as one of the key reasons TippingPoint opted to leave the compromised computers untouched within the Kraken botnet.
“There could be life-threatening repercussions [so] you have to walk away and err on the side of caution,” Endler said. “If you see someone breaking a window to go into someone’s house, that really doesn’t give you the right to break another window and go in after them.”
Pierce said he sees it another way: “If you see someone mugging someone across the street, you just don’t watch and walk away.”
Andrew Hay, product manager at Q1 Labs, a network security management company, said the concept of tampering with a user’s machine without consent, even if it’s to remove malicious software, is “ethically questionable.”
“I couldn’t in good conscience send any command to a machine without the user’s knowledge and approval,” Hay said. “Ethically speaking, we just can’t make that decision regardless of if it’s right or whether it’s the best thing to do for the good of the Internet.”