Do we have confirmation that BBC paid to acquire the botnet? That's our
assumption as well (http://research.zscaler.com/2009/03/botnets-for-
everybody.html) but the article is a bit vague, discussing how they
'acquired' a botnet, without providing specifics.
Michael Sutton
VP, Security Research
Zscaler
http://research.zscaler.com
Guest editorial by Roel Schouwenberg
As Dancho Danchev pointed out, the BBC leased itself a botnet. I couldn’t quite believe it when I read it. The BBC, arguably one of the very best TV producers in the world, surely should have known better? There are so many things wrong about this that I hardly know where to start.
Firstly, given their figures, they seem to have spent quite an amount of money purchasing the botnet. Regardless of how much the total sum was, they sponsored the underground economy. Paying money to criminals (for illegal goods) is not only unethical but also considered illegal in most countries. The BBC broke the law right there and then already, not when they actively started using the botnet.
Secondly, their usage of the botnet. Again, this is not just unethical but also illegal. It’s unlikely that the BBC purchased a botnet of which all machines were located in the UK. They had not only to think about their own local laws, but also international laws. Though I’m inclined to believe they broke UK law, they definitely broke laws for countries such as the Netherlands. Did they check the geographical locations of all the infected machines before purchase? Unlikely.
[ SEE: Is there no end to the AutoRun madness? ]
Thirdly, we have the BBC’s claim of the so called ‘destruction’ of the botnet. Changing wallpapers does not destroy a botnet. In this particular case, the only/most likely destruction of the botnet would have been by giving all the bots an uninstall command. Though certainly not all bots have such a command built-in. Playing devil’s advocate, I could argue that if they went as far as changing the wallpapers, then what stopped them from having all the bots download some ‘cleaner’ utility that would remove the bot? Let it be clear though that I would have strongly condemned such action.
Fourthly, why did the BBC bother GMail with their spam ‘test’? Surely they could have just as easily used the BBC’s mail server? Theoretically it should be possible for Google to claim abuse of their services by the BBC. Wouldn’t that be fun?
Fifthly, the thing that probably bothers me most. They actually had an Internet security company helping them out during a part of the process! This means that at least part of this ‘experiment’ could have been stopped prematurely, if not all of it if they were contacted before the BBC purchased the lease to the botnet. It’s beyond me that this company would let this moment of (bad) publicity go before ethics. It’s not only a disgrace to them but it affects the broader anti-malware community as well. McAfee, on the other hand, was very quick to distance itself from the BBC’s actions.
This case is actually nothing new and simply another example of a bigger issue. A few months ago, a Dutch publication hired a ‘security expert’ to write a backdoor. Some 15,000 machines got infected by it and were subsequently used to brute force the e-mail account of someone in the Dutch government. The BBC is neither the first nor the last to conduct this kind of act.
It will certainly come as no surprise that the vast majority of anti-malware vendors will be happy to advise magazines and TV stations about how to handle related to (anti-)malware. But, as this case illustrates, not all vendors have an equal set of ethical standards. One way to fix this problem is to contact a person or company who has a good tradition of ethical standards. Another is to simply contact a couple of people or companies. You could even contact the Anti-Malware Testing Stardards Organization (AMTSO). While focused on anti-malware testing, I think I speak for the entire group that the anti-malware industry and others involved want to do whatever they can to prevent mishaps like these to occur again in the future.
I certainly hope the involved parties have learnt their lesson and will not repeat this act of incompetence again.
* Roel Schouwenberg is a senior anti-virus researcher for Kaspersky Lab (Disclosure: Ryan’s employer). He is a member of the company’s Incident Response & Research Team and focuses on attacks targeting banks and other financial institutions.
