BBC Unleashes Botnet For ‘Investigation’

The BBC has made an odd move recently by buying/seeding a botnet of 22,000 computers under the guise of investigative journalism.

They claim it’s not illegal as they caused no harm and only sent spam to e-mail accounts they themselves used. Technically I think it’s still breaking the law under the Computer Misuse Act, but most likely nothing will happen as they caused no damage or losses (according to lawyer Struan Robertson, the BBC did violate the act).

Software used to control thousands of home computers has been acquired online by the BBC as part of an investigation into global cyber crime.

The technology programme Click has demonstrated just how at risk PCs are of being taken over by hackers. Almost 22,000 computers made up Click’s network of hijacked machines, which has now been disabled.

The BBC has now warned users that their PCs are infected, and advised them on how to make their systems more secure. Click managed to acquire its own low-value botnet – the name given to a network of hijacked computers – after visiting chatrooms on the internet.

The programme did not access any personal information on the infected PCs. If this exercise had been done with criminal intent it would be breaking the law.

The whole thing has created quite a furor in the computer security scene, with people debating the legality and ethics involved.

Which was probably what the BBC wanted in the first place; the more people talk about it the better, right?

SMH even claim the whole thing backfired.

By prior agreement, Click launched a Distributed Denial of Service (DDoS) attack on a backup site owned by security company Prevx. Click then ordered its slave PCs to bombard its target site with requests for access to make it inaccessible.

Amazingly, it took only 60 machines to overload the site’s bandwidth. DDoS attacks are used by extortionists who threaten to knock a site offline unless a hefty ransom is paid. Jacques Erasmus from Prevx said that high-traffic websites with big revenues are a “massive target” for this kind of attack.

“Cyber criminals are getting into contact with websites and threatening them with DDoS attacks. The loss of trade is very substantial so a lot of these websites just pay-up to avoid it,” he explained.

But well, pushing the boundaries, that’s what investigative journalism is about, right? We’ve had enough programs about pimps, triads and drugs – why not some about cybercrime and the underbelly of the Internet?

I hope I manage to view the show, it sounds like it’ll be interesting (even if ethically questionable).

But well aren’t all the best things on that thin grey line?

Source: BBC

Posted in: Legal Issues, Malware, Spammers & Scammers


9 Responses to BBC Unleashes Botnet For ‘Investigation’

  1. james March 16, 2009 at 11:41 am #

    Yeah, we just blogged about the same program and how it could be used in the SEO world to take down competitors' websites.
    The scariest thing was how cheap they can buy the computers for!!
    As long as they have not caused any damage to computers but their own, I would have thought this is common practice for security or anti-virus companies? Surely they need to do these tests in order to understand how the cyber criminals work?

  2. erik March 16, 2009 at 4:09 pm #

    I like Lenny Zeltser’s name for this: British Botnet Corp … lol


  3. ashish March 17, 2009 at 7:58 am #

    good article, thanks for this useful info, I have dug and stumbled this article. I will keep visiting for more useful information.

  4. Bogwitch March 17, 2009 at 9:21 am #

    There is a possibility that this was an offence under Paragraph 3, subsection (1)(b), Subsection (2)(b) applies that ‘to impair the operation of any computer;’ of the Computer Misuse Act 1990

    it can be argued that the actions taken by the BBC may have impaired the operation of computers by way of reduced bandwidth available or CPU cycles available.

    That said, the act stipulates that there must be ‘an intent to cause a modification of the contents of any computer’

    OK, where do you draw the line at modification? The action the BBC took would cause a modification to the volatile ram of the systems running, it is even possible that some code was swapped to the hard disk, although I doubt there would be an intention to cause the data to be swapped.

    By the BBC lawyer definition, if I were to take over a botnet and use it for e.g. massively parallel hash cracking would I not be breaking the law?

  5. ethicalhack3r March 17, 2009 at 2:11 pm #

    You also need to consider which laws were broken in the countries in which the computers resided.

    If the BBC can get away with it, why can't the average citizen? It's completely illegal and unethical.

  6. gVibe06 March 18, 2009 at 1:58 am #

    I was hoping this was the angle you would take. I kind of have this fishy feeling that the BBC did a little more than they reported. Would you be able to resist spending a pile of cash if no one was watching and guaranteed getting away with it?

  7. navin March 18, 2009 at 4:50 pm #

    For those interested in this story:

    Man behind BBC botnet defends decision:

    While Expert Says It's Unjustifiable:

  8. dio March 19, 2009 at 2:43 pm #

    I have blogged extensively about this on www(.dot)conanthedestroyer(.dot)net

    Arguments about how they broke the law are a complete farce. Security researchers do this all the time but do not want people to know about it because they want to reserve that right for themselves. All the while they sell products to fix the problem, but in actuality they are wholly ineffective.

    I applaud and completely stand by the BBC action. What did they do? They took 22k bots off the network. What did any of the security companies do lately? Watch, monitor, report. Doesn't sound like action to me guys. Better luck next time.

    Read my blog for more on cyberwar and cybercrime aspects of this nefarious scourge.

  9. Bogwitch March 20, 2009 at 1:32 pm #

    After reading more in-depth, it does appear that the BBC is in breach of the Computer Misuse Act insofar as they installed a wallpaper. The accusation that the BBC is more responsible than security researchers carries little weight with me – security researchers will always attempt to keep within the law – something that the BBC decided not to.
    I have been trying to find a sample of the wallpaper that the BBC distributed but I have not been successful thus far, if anyone has a source, please provide it!
    As for the suggestion that the BBC explained to users that they were infected with a trojan, it is worth noting that the BBC intentionally picked non-UK/USA based computers for this demonstration, where the use of the English language will be less. They did nothing to prevent the computers from being re-infected via the same vectors.
    The cynic in me thinks that they selected non-UK/USA computers to prevent possible litigation. It is noted that the Police in the UK will not act unless a complaint is made by a victim…