BBC botnet buy: What were they thinking?


TOPICS: Malware, Legal, Security

Guest editorial by Roel Schouwenberg

As Dancho Danchev pointed out, the BBC leased itself a botnet. I couldn't quite believe it when I read it. The BBC, arguably one of the very best TV producers in the world, surely should have known better? There are so many things wrong about this that I hardly know where to start.

Firstly, given their figures, they seem to have spent quite an amount of money purchasing the botnet. Regardless of how much the total sum was, they sponsored the underground economy. Paying money to criminals (for illegal goods) is not only unethical but also considered illegal in most countries. The BBC broke the law right there and then already, not when they actively started using the botnet.

Secondly, their usage of the botnet. Again, this is not just unethical but also illegal. It's unlikely that the BBC purchased a botnet of which all machines were located in the UK. They had not only to think about their own local laws, but also international laws. Though I'm inclined to believe they broke UK law, they definitely broke laws for countries such as the Netherlands. Did they check the geographical locations of all the infected machines before purchase? Unlikely.


Thirdly, we have the BBC's claim of the so-called 'destruction' of the botnet. Changing wallpapers does not destroy a botnet. In this particular case, the only, or most likely, way to destroy the botnet would have been to give all the bots an uninstall command, though certainly not all bots have such a command built in. Playing devil's advocate, I could argue that if they went as far as changing the wallpapers, then what stopped them from having all the bots download some 'cleaner' utility that would remove the bot? Let it be clear, though, that I would have strongly condemned such an action.

Fourthly, why did the BBC bother GMail with their spam ‘test’? Surely they could have just as easily used the BBC’s mail server? Theoretically it should be possible for Google to claim abuse of their services by the BBC. Wouldn’t that be fun?

Fifthly, the thing that probably bothers me most. They actually had an Internet security company helping them out during a part of the process! This means that at least part of this ‘experiment’ could have been stopped prematurely, if not all of it if they were contacted before the BBC purchased the lease to the botnet. It’s beyond me that this company would let this moment of (bad) publicity go before ethics. It’s not only a disgrace to them but it affects the broader anti-malware community as well. McAfee, on the other hand, was very quick to distance itself from the BBC’s actions.

This case is actually nothing new and simply another example of a bigger issue. A few months ago, a Dutch publication hired a ‘security expert’ to write a backdoor. Some 15,000 machines got infected by it and were subsequently used to brute force the e-mail account of someone in the Dutch government. The BBC is neither the first nor the last to conduct this kind of act.

It will certainly come as no surprise that the vast majority of anti-malware vendors will be happy to advise magazines and TV stations about how to handle matters related to (anti-)malware. But, as this case illustrates, not all vendors have an equal set of ethical standards. One way to fix this problem is to contact a person or company who has a good tradition of ethical standards. Another is to simply contact a couple of people or companies. You could even contact the Anti-Malware Testing Standards Organization (AMTSO). While it is focused on anti-malware testing, I think I speak for the entire group when I say that the anti-malware industry and others involved want to do whatever they can to prevent mishaps like these from occurring again in the future.

I certainly hope the involved parties have learnt their lesson and will not repeat this act of incompetence again.

* Roel Schouwenberg is a senior anti-virus researcher for Kaspersky Lab (Disclosure: Ryan's employer). He is a member of the company’s Incident Response & Research Team and focuses on attacks targeting banks and other financial institutions.

  • Payment?

    Do we have confirmation that BBC paid to acquire the botnet? That's our
    assumption as well (
    everybody.html) but the article is a bit vague, discussing how they
    'acquired' a botnet, without providing specifics.

    Michael Sutton
    VP, Security Research
    • LOL!

      "ZScaler Defines a New Standard for In-The-Cloud Security"

      LOL! talk about one of the most over used "promises".

      Something tells me they do not set any standards... ;)
  • RE: BBC botnet buy: What were they thinking?

    Dear Roel, this article is ridiculous. While most readers of this blog are very familiar with botnets, you can be sure that the overwhelming majority of people out there are not. Think security experts make so much noise about this that most people are aware of the threat? Think again: robust findings in political science show that a sizeable percentage of the US electorate cannot identify the presidential candidates in a presidential election; and when they can, again a sizeable percentage fail to identify the candidates' party. If after a two-year-long, multi-billion-dollar publicity campaign people still fail to answer those basic questions, just think how things like botnets, worms, zero-day exploits etc. are completely beyond the average user's grasp.

    The BBC did a public service in trying to raise awareness of this issue; while their method may not have been entirely ethical, sometimes you have to make a lot of noise to get heard.
  • Tradition of the 4th Estate

    The press has always taken this kind of role. Going undercover and exposing how criminality works is what journalism is all about. Doing semi-legal activities in search of the story is also how the press does things (sometimes). It is the obligation of the press to go around the system - and sometimes that means going around the law . . .

    My personal opinion is that this could have been handled much more professionally. They could have gotten the information they needed without breaking (so many) laws. Although I disagree with their methods - doing this was not "wrong".
    Roger Ramjet
  • RE: BBC botnet buy: What were they thinking?

    It is so easy to preach the message of justice and
    purity of purpose, the world in reality consists far
    more of shades of grey than the black and white world
    you seek to paint in your blog.

    In the end you have painted ethics as a simple
    question of right and wrong - and then narrowed right
    and wrong simply to the statute of law.

    Never jaywalked across the road?
    Never exceeded the speed limit?
    Never broken an item on a shop shelf and then tucked
    it to the back?

    At least the BBC's journalists have tried their best
    to act for the greater good of all. Lady Godiva
    showed the ethical world stretches further than a
    literal reading of law.
  • RE: BBC botnet buy: What were they thinking?

    I'm still waiting to see a botnet for sale on eBay.
  • RE: BBC botnet buy: What were they thinking?

    Great!!! thanks for sharing this information to us!