Who Cares if the BBC Hacks 22,000 Machines?

In a recent publicity stunt the BBC program Click used a botnet in coordination with the security firm Prevx to send out spam and perform a DDoS (distributed denial of service) attack. They first obtained two email accounts, one with gmail and one with hotmail. They then commanded each online PC controlled by the botnet to send out 500 spam emails to each of the gmail and hotmail accounts. This news segment is called “BBC team exposes cyber crime risk”.  In the DDoS attack they ordered the botnet to attack a test site that was setup by Prevx. They stopped the attack once 60 online botnet machines had joined in.  This news segment is called “How Cyber criminals attack websites”. After the completion of the botnet attacks they ordered the botnet to change the desktop wallpaper of the controlled PCs to a warning message from BBC stating that the PC had been infected.

Just a bit of background to put this into context. Basically a botnet is a collection of compromised computers that are all controlled by a single entity. Typically a hacker will create a virus that will infect hundreds/thousands of machines. The machines can be anything from home computers to government and military super computers. The virus will then notify the creator of an infection, or the creator will actively search for infections. The virus will provide some means for the creator to log onto the infected computers and issue commands. In the case of BBC, they logged onto hacker chat forums and then purchased access to a botnet that a hacker was controlling. We could certainly speak to the ethical arguments against paying a criminal for unauthorized access to 22,000 computers.

The first attack is certainly against the terms of service of gmail and hotmail. Bombarding gmail and hotmail with spam certainly goes against gmail’s terms of service: “5.4 You agree that you will not engage in any activity that interferes with or disrupts the Services (or the servers and networks which are connected to the Services).” as well as hotmail’s: “damage, disable, overburden, or impair the service (or the network(s) connected to the service) or interfere with anyone’s use and enjoyment of the service; “. It is also most likely against the terms of service of many of the ISPs that each individual infected PC of the botnet was connected to. It is also of course illegal to gain unauthorized access to 22,000 computers and then order those computers to perform various functions.

Similar arguments can be found against the DDoS attack. The dangers of making use of this botnet should have been quite obvious to BBC and certainly the “security firm” Prevx. Certainly Prevx had no proof as to the stability of the software that was controlling the botnet. What if when they had ordered the botnet to attack their test server a bug in the DNS client of the botnet had caused the PCs to actually attack CNN.com instead? What if there was also a bug in the authentication server of the botnet and after ordering 1000 machines to attack, the authentication server then crashed, and they were unable to stop the attack? These are all questions that have been thought through many times, and they are precisely the reason why virus research of this type is conducted on isolated test networks.

The last action BBC took is also quite dangerous. What they did is craft an image that explained the user’s PC had been infected and then gave instructions on how to remove the infection. They then ordered the botnet to change the desktop wallpaper of all 22,000 infected machines to that information image. There are several problems with doing this, and they have all been discussed thoroughly before. The idea that one could use viruses to actually help infected machines is certainly very compelling. Bruce Schneier talks a bit about this in the entry titled “Benevolent Worms”. It is an excellent post and certainly worth reading. He mentions the worm “called Blast.D or Nachi, it infects computers through the same vulnerability that Blaster did. When it infects a computer, it finds and deletes Blaster, and then applies the Microsoft patch to the computer so that the vulnerability is closed and Blaster cannot reinfect. It then scans the network for other infected machines and repairs them, too.” The basic argument against using a worm (or in this case a botnet) to automatically fix a computer is that of unintended consequences. Performing updates and upgrades to computers is typically a hard thing to get right. When a company like IBM has to upgrade Windows XP on thousands of computers you can be sure they will thoroughly test the upgrade before rolling it out on all the production machines. It often happens that a well intended Microsoft update will render a necessary program unable to load after the update. If you have ever had “funny” things happen after a windows update you will get the idea. The BBC case of “merely” changing the desktop wallpaper on someone’s machine is no different. There could have been a bug in the change desktop wallpaper method that causes the computer to crash. Or someone could have been using the desktop wallpaper content for a public billboard.

BBC and Prevx would certainly do well to read up on a bit of history. In November 2, 1988 Robert Tappan Morris launched the Morris worm from MIT that was meant to estimate the size of the internet. Unfortunately, the worm spread too rapidly causing a denial of service and costing $10M-100M. Morris got three years probation, 400 hours of community service, and a $10,000 fine. It has been shown many times that it is not lawful to gain unauthorized access to systems for any purpose (at least in the U.S.). The high profile trials of both Kevin Mitnick and Kevin Poulsen certainly helped establish this. I hope for our sake that BBC’s hacking days are over.