BBC botnet

[stanni]

Hey,

Just watched a BBC program about hacking and security and the main topic was about bot-nets. I thought at first it would be pretty crap but they actually went and bought a bot-net themselves which contained 21,000 bots.

They also showed 2 examples of what it can do, firstly by making all the bots send spam to an e-mail account they setup and secondly doing an DOS attack against a website and shutting it down.

At the end though, they changed background images on the computers of all the effected owners to an image telling them what has happened and how to protect themselves against it and then destroyed the bot-net by sending a message to all the bots to remove the Trojan of the PC.

If you want to watch it here is the link: http://www.bbc.co.uk/iplayer/episode/b00jc...ick_14_03_2009/

[Sparda]

I can only assume the BBC have some solicitors (not as many as the American TV channels that is), of which they discussed doing this with beforehand. What they did is illegal. I can't imagine any one complaining about it though. It's still good that they brought bot nets (and organised perhaps Internet crime?) in to the media, any attention it gets is good attention.

[stanni]

I can only assume the BBC have some solicitors (not as many as the American TV channels that is), of which they discussed doing this with beforehand. What they did is illegal. I can't imagine any one complaining about it though. It's still good that they brought bot nets (and organized perhaps Internet crime?) in to the media, any attention it gets is good attention.

Yes, I did some Google-ing about the episode and yes they did get legal advice on whether it was OK, lots of people have said it is still illegal what they did though.

But as you stated, I don't think they will get in trouble for it, they are a massive company after all, they will have great lawyers LOL.

[Seshan]

Yeah I thought hacking tools where illegal over there, wouldn't that count?

[Sparda]

This isn't a tool, it's a service if any thing. By taking unauthorised control of other peoples computers (the bots) they have broken the law. Running, creating or using a bot net is illegal.

[dr0p]

Yup, what they did is technically illegal, although I doubt they're going to get sued since they didn't do anything malicious with it at all. Botnets are a lot easier to create and maintain than you would think :3

[Sparda]

Yup, what they did is technically illegal, although I doubt they're going to get sued since they didn't do anything malicious with it at all. Botnets are a lot easier to create and maintain than you would think :3

Very, get some ads on to myspace/facebook/other fairly popular web site that contain a multitude of randomising exploits old and new, you'll have your self a small bot net in no time. The finer details of not getting caught aren't important.

[DingleBerries]

Even the act of DDOSing alone was illegal, even if they had proper authority from the owner of the server... but really who is going to do anything? I am a bit upset that there has been no legal action taken.

[rtc443]

Wow looks very interesting and would love to watch but unfortunately I don't live in the uk so i cant watch online, does anyone know if the video is on another website?

[shawty]

Even the act of DDOSing alone was illegal, even if they had proper authority from the owner of the server... but really who is going to do anything? I am a bit upset that there has been no legal action taken.

Thats quite serious over here in the UK now. You can do pen testing, but if you actually gain access and make changes that is definately illegal, even if you have prior consent.

I do happen to know that the BBC labs do have there own isolated test network however, beacuse the BBC Backstage teams use it for testing, so wether they used that or not i don't know.

[dr0p]

Very, get some ads on to myspace/facebook/other fairly popular web site that contain a multitude of randomising exploits old and new, you'll have your self a small bot net in no time. The finer details of not getting caught aren't important.

Not getting caught is pretty easy too in all honesty.

[shonen]

Yeah I watched this a couple of days ago on www.securitytube.net was interesting but rather short.

I would rather have the BBC as the zombie master of my hijacked computer rather than some fuck tard skiddy who paid for em.

There was a talk at defcon a few years back about this sort of thing that I watched on youtube, from memory a bot retails for as low as 20 or so cents each.

remind me of the good old days when I went to the store and got $3 work of mixed lollies. Now days kids ask for $10 worth of bot nets =P

[stingwray]

Even the act of DDOSing alone was illegal, even if they had proper authority from the owner of the server... but really who is going to do anything? I am a bit upset that there has been no legal action taken.

Erm, sorry no, DDoSing someone which you have permission to do so is completely legal, obviously you need to have permission to use the resources as well, but there is nothing illegal about the act, penetration testers sometimes use limited DDoS to cause diversion from their other attacks.

[dr0p]

Yeah I watched this a couple of days ago on www.securitytube.net was interesting but rather short.

I would rather have the BBC as the zombie master of my hijacked computer rather than some fuck tard skiddy who paid for em.

There was a talk at defcon a few years back about this sort of thing that I watched on youtube, from memory a bot retails for as low as 20 or so cents each.

remind me of the good old days when I went to the store and got $3 work of mixed lollies. Now days kids ask for $10 worth of bot nets =P

Don't forget about the people who get payed to distribute botnet malware too ^_^

[DingleBerries]

Erm, sorry no, DDoSing someone which you have permission to do so is completely legal, obviously you need to have permission to use the resources as well, but there is nothing illegal about the act, penetration testers sometimes use limited DDoS to cause diversion from their other attacks.

Erm, no. There is alot of grey area here. The resources do not just belong to the infected computer, but also to the ISP. Now this isnt the case here but with a large/powerful enough bot, say a corporate network, you run the risk of over running the servers at the ISP. Depending on what the damage is, how long others had to go without internet, then the ISP may decide to track you down.

Seeing as they only used 60 or so bots to attack this site then it probally did not do any harm. Also you are causing a local dos on the bot computer because you are using there resources to do the attack, but you already covered that.

I dont want to argue about it, the Police And Justice Act 2006 says that if you do this with just the "the requisite intent" or "the requisite knowledge" of impairing the operation of a computer, prevent/hinder access to any program or data held on a computer or to impair and operation on a computer then you can be punished by 2 years in prison. I cant help but think of it all the way from the bot to the isp to the target, all of the systems are being impaired but that is just how I look at it.

I do not live in the UK so I am just going off of what Ive read and what people have told me.

[shawty]

Erm, sorry no, DDoSing someone which you have permission to do so is completely legal, obviously you need to have permission to use the resources as well, but there is nothing illegal about the act, penetration testers sometimes use limited DDoS to cause diversion from their other attacks.

Didn't the Gov amend the computer misuse act early last year to cover this?? I could have sworn i heard somthing somewhere that they did?

I could be wrong.. :-)

Which ever way you look at it tho, all it takes is to pIzz the wrong person off and your gonna get your ass kicked somewhere down the line.

[DingleBerries]

Reading over the Computer Misuse Act 1990, not sure if that's the newest version there are a few things that although may seem morally right are against the law. Here is the url I am using:

http://www.opsi.gov.uk/acts/acts1990/UKpga_19900018_en_1.htm

Section 3: Unauthorised modification of computer material

(1) A person is guilty of an offence if—

(a) he does any act which causes an unauthorised modification of the contents of any computer; and

(B) at the time when he does the act he has the requisite intent and the requisite knowledge.

To fulling understand that you have to also read article 4. You would have to prove that BBC had the intent "to impair the operation of any computer" it doesn't seem like they did that. Although they changed the wall paper that did not impair any operation of the computer, using the resources, bandwith/cpu/ect, may have though. Article 6 of section 3 is also interesting;

(6) For the purposes of the [1971 c. 48.] Criminal Damage Act 1971 a modification of the contents of a computer shall not be regarded as damaging any computer or computer storage medium unless its effect on that computer or computer storage medium impairs its physical condition.

This article seems to back up the claim that modifying the wallpaper is not a criminal act. I thought I read somewhere that they did remove the bot from the computer. If this was a mission critical system, life support/power plants/ect, and removing the bot had some ill effect on the computer, it was hooked into the kernel, and it was unable to boot then it may be a criminal offence.

Article 17 deals with interpretation of this bill, don't know what they call it in the UK. Section 7 article 2 says that if the "program" out puts any data whether by having it displayed or in any other manner is illegal. Droping down to article 4, For the purposes of subsection (2)(d), describes what exactly is meant by this;

(B) the form in which any such instructions or any other data is output (and in particular whether or not it represents a form in which, in the case of instructions, they are capable of being executed or, in the case of data, it is capable of being processed by a computer) is immaterial.

Now I get back into the wall paper subject. Article 7 says "A modification of the contents of any computer takes place if[sic]" subsection b, "any program or data held in the computer concerned is altered or erased". How do we know that this is illegal? Article 8

(8) Such a modification is unauthorised if—

(a) the person whose act causes it is not himself entitled to determine whether the modification should be made; and

(B) he does not have consent to the modification from any person who is so entitled.

It would seem that what they did was illegal. I cannot find more information about ddos laws in the UK but from what this says all of what they did was illegal... using resources, changing wall papers, sanitisation of the zombie. Its up to the court to decide really, this is a hard bill to understand.

[stingwray]

Erm, no. There is alot of grey area here. The resources do not just belong to the infected computer, but also to the ISP. Now this isnt the case here but with a large/powerful enough bot, say a corporate network, you run the risk of over running the servers at the ISP. Depending on what the damage is, how long others had to go without internet, then the ISP may decide to track you down.

Seeing as they only used 60 or so bots to attack this site then it probally did not do any harm. Also you are causing a local dos on the bot computer because you are using there resources to do the attack, but you already covered that.

I dont want to argue about it, the Police And Justice Act 2006 says that if you do this with just the "the requisite intent" or "the requisite knowledge" of impairing the operation of a computer, prevent/hinder access to any program or data held on a computer or to impair and operation on a computer then you can be punished by 2 years in prison. I cant help but think of it all the way from the bot to the isp to the target, all of the systems are being impaired but that is just how I look at it.

I do not live in the UK so I am just going off of what Ive read and what people have told me.

Your paying your ISP for the bandwidth, if they can't provide it then thats their problem, but if I pay for 50Mbps connections then I'll pump 50Mbps through that if I want (transfer limitations and cost aside).

The problem is that ISPs supply a maximum theoretical speed to people that they can't give to everyone at the same time, this is the reason why some services have transfer limits for peak and off-peak times which are different.

Given that a DDoS attack is easy for attacks to do, organizations have the right to test their defenses and contingency plans against them, even if it is just to see how much bandwidth they can soak up before they go down, so they can change their system appropriately.

[stingwray]

Register Coverage just came through, summarizing some of the information, looks like the BBC covered their butts more by not using computers in the US or the UK.

My question then after that, is why did they bother to change the background, given that probably most of the computers used in that botnet were owned and operated by people who spoke very little english, and if they were part of the botnet, probably had been compromised before and had things like their wallpapers changed etc.

[DingleBerries]

BBC has some great lawyers and they more then know the law, but Section 7 of the Computer Misuse Act 1990 is about territorial scope. In subsection sub subsection 1B it says that the law still applies if they are a party in England or Wales and it describes how. It says that they may become a party via an agent, what type of agent is made clear but to me I think of the agent here being the internet and alas herein lays the problem. With that logic it can be said that if I exploited a computer in the UK I fall under this law, extradition is possible but it is more likely I will be heard in a US court. The act itself took place in the UK, the zombies may not have been in that area but the law "should" still apply. I think at the bare minimum this should be heard in court so that there will be some type of precedent to base future conclusion off of.

[stingwray]

Well whether they are breaking the law or not, the police said that they aren't going to do anything unless anyone brings a complaint to them.

Seeming the BBC did a "service" to the people infected and they were in other countries, I highly doubt anything will come through at all.

I do think that what the BBC was wrong and probably illegal. Really the coverage should have been trying to buy the botnet, as in how easy it was, but stopping before exchanging any money. Then if they wanted they could have bought some botnet software and run it to show how easy it was to command that power.

Given that it only took 60 machines to DDoS the backup site, I imagine they could have got 60 people to install some software for a limited time to so how little it takes to take a website down.

[shonen]

Yeah that kind of blew me away, I was expecting more than 60 machines to take down a website.

[LauBen]

Hi all,

I have to say that I have heard from a friend that works for McAfee, they have gone S$%T ape about being shown on a show carrying out illegal acts (or what are illegal in most of Europe).

McAfee have published a statement saying they were misrepresented, and they were never told the full story or idea by the BBC, and more to the point that if they had been they would not have agreed to being in the show.

On a side note anyone know the BOTNET used in the show, I was thinking Storm or Srizbi but I may have been mistaken.

I was also thinking that the owners of the BOTNET will not be taking too kindly to the BBC uninstalling 22,000 zombies, and these guys do NOT play nice, so the BBC boys must have some big balls (or a wish to lose their knee caps :D)

[dr0p]

...

I was also thinking that the owners of the BOTNET will not be taking too kindly to the BBC uninstalling 22,000 zombies, and these guys do NOT play nice, so the BBC boys must have some big balls (or a wish to lose their knee caps :D)

The BBC purchased the botnet, the original owners / malware distributors probably don't care, they still have their money.

[DingleBerries]

The BBC purchased the botnet, the original owners / malware distributors probably don't care, they still have their money.

You normally do not buy a botnet. Usually you will pay for time or action on it, i.e 500 Ddos, 1000 spam, ect.