First published: 31st May 2008
Security researchers at TippingPoint DVLabs have made a nice little ethical dilemma for themselves. The Kraken trojan builds a botnet that is difficult to take down because, instead of using a hard-coded address for its control server(s), it uses a pseudo-random domain name generation algorithm: each zombie generates a series of candidate domain names and looks them up in search of a control server. Defenders therefore have no fixed list of addresses to get taken down.
Pedram Amini and Cody Pierce at TippingPoint realised that this gave them an opportunity to "infiltrate" the botnet. They reverse-engineered the Kraken trojan and built their own fake control server that could communicate using Kraken's encrypted protocol. When they registered some of the sub-domains Kraken looks for, Kraken-infected systems started contacting their fake server, asking for instructions. Over one week, about 25,000 infected systems contacted the fake server, an estimated 14% of the infected population.
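The technique described above (reimplement the domain generator, register some of the names it will produce, then count the hosts that check in) can be shown as a small model. The following is an added example and is not TippingPoint's code or Kraken's: the generation algorithm, seed, name format, number of daily candidates and the log lines are all invented for illustration, since the article does not describe Kraken's real algorithm. It uses the reserved `.example` TLD so nothing resolves for real.

```python
"""Toy model of a DGA-driven botnet's rendezvous and a defender's sinkhole.

Added example, not code from the page or from TippingPoint. The domain
generation algorithm here is invented for illustration; the page does not
describe Kraken's real algorithm, seed, or name format.
"""
import hashlib
from datetime import date, timedelta

SEED = b"example-seed"      # assumption: secret recovered by reverse-engineering
CANDIDATES_PER_DAY = 6      # assumption: names a bot will try each day
TLD = "example"             # reserved TLD, so nothing here resolves for real


def dga_domains(day: date) -> list[str]:
    """Candidate control-server names for one day, in the order a bot tries them."""
    names = []
    for i in range(CANDIDATES_PER_DAY):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])  # 8 lowercase letters
        names.append(f"{label}.{TLD}")
    return names


def domains_to_register(start: date, days: int, per_day: int) -> set[str]:
    """Defender's registration plan: the first `per_day` candidates of each day.

    Having reimplemented the DGA, the defender can compute names for days that
    have not happened yet and register them before the bots ask for them.
    """
    plan = set()
    for d in range(days):
        plan.update(dga_domains(start + timedelta(days=d))[:per_day])
    return plan


def parse_checkin(line: str) -> tuple[date, str, str]:
    """Parse one sinkhole log line: '<YYYY-MM-DD> <source ip> <domain contacted>'."""
    day, src, dom = line.split()
    return date.fromisoformat(day), src, dom


def sinkhole_census(log_lines: list[str], registered: set[str]) -> dict:
    """Count distinct hosts that reached a name the defender controls.

    A check-in is accepted only if the name is one we registered AND is a valid
    DGA output for that day; this filters out scanners and wrong-day traffic
    that would otherwise inflate the infection estimate. The sinkhole only
    counts bots; it never tasks them, because issuing commands (even an
    uninstall) is the step the article's ethical and legal debate is about.
    """
    bots: set[str] = set()
    rejected = 0
    for line in log_lines:
        if not line.strip():
            continue
        day, src, dom = parse_checkin(line)
        if dom in registered and dom in dga_domains(day):
            bots.add(src)               # the same host retrying counts once
        else:
            rejected += 1
    return {"unique_bots": len(bots), "rejected": rejected}


# Constructed sample data (not real Kraken traffic): a week-long plan that
# registers two of the six daily candidates, and a few check-ins on day one.
START = date(2008, 4, 10)
REGISTERED = domains_to_register(START, days=7, per_day=2)
DAY1 = dga_domains(START)
NEXT_DAY_NAME = dga_domains(START + timedelta(days=1))[0]
SAMPLE_LOG = [
    f"2008-04-10 198.51.100.7 {DAY1[0]}",
    f"2008-04-10 198.51.100.7 {DAY1[0]}",   # same bot, retry
    f"2008-04-10 203.0.113.9 {DAY1[1]}",
    f"2008-04-10 192.0.2.44 {DAY1[0]}",
    f"2008-04-10 192.0.2.250 {NEXT_DAY_NAME}",  # registered, but not valid today
    "2008-04-10 192.0.2.251 www.example",       # unrelated scanner traffic
]

if __name__ == "__main__":
    print("registered:", sorted(REGISTERED))
    print("census:", sinkhole_census(SAMPLE_LOG, REGISTERED))
```

The per-day validity check matters in practice: once a sinkhole is publicised, its names attract probes from other researchers and scanners, and counting every source address that hits the server would overstate the infected population. Note also that the defender sees only the bots that happened to pick a name it registered, which is why a census like this gives a lower bound rather than a full count.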
TippingPoint can now issue instructions to those 25,000 machines, telling them to do anything from sending spam (as the botnet's creators presumably intended) to wiping the machine, or simply uninstalling the Kraken client. This is their dilemma: uninstalling the client appears to be a benevolent act, so should they do it?
On the plus side, about 25,000 users would find their computers and internet connections faster, and there would be about 25,000 fewer machines sending spam or participating in DDoS attacks.
On the minus side, what if the uninstallation has unintended consequences? Dave Endler, director of TippingPoint, raised the hypothetical case of an uninstallation that accidentally crashes the target system: what if that system is responsible for someone's life support?
Yui Kee Chief Consultant Allan Dyer commented, "The life support scenario is a bit extreme - why was such a critical machine unprotected and connected to the internet to get infected in the first place? However, we can substitute 'serious damage' without changing the discussion. I would take a probabilistic view: which has the greater probability of resulting in damage, uninstalling the malware without authorisation, or leaving it there for an indefinite period to be exploited by Kraken's developers, possibly downloading additional software with additional incompatibilities? Uninstallation seems less risky, and is therefore the ethical choice."
However, ethics is not the only consideration. In most jurisdictions, unauthorised modification of programs or data on a computer is a crime, so the uninstallation would be illegal regardless of the fact that the installation was also illegal. Dyer commented, "Vigilantism can lead to chaos. So far, TippingPoint has done some good research and passive monitoring that may benefit their customers, and has uncovered a crime in progress. Isn't this the point where they should turn the results over to the Courts and the Police, to decide what happens next? There are great difficulties there too: firstly, with jurisdiction, but this is an area where we need to think, what should the appropriate course be, and how can we put in place the laws and cooperation to make that work."
The debate might be moot for the Kraken botnet - now that the infiltration has been publicised, Kraken's developers might be taking other actions.