Just because you can doesn't mean you should. Or: legal always trumps technical.

Coreflood Botnet was taken down. Legally.

In the security industry, researchers have often been able to infiltrate botnets. Yet, the next step has always been a big question mark.

Now, defenders may have a new slate of options. The takedown of the Coreflood botnet marks the start of a more aggressive stance against botnets, say security experts. Last week, the U.S. Department of Justice obtained a temporary restraining order forcing registrars to reroute requests from infected computers, not to Coreflood’s command-and-control servers, but to a substitute server managed by a non-profit group. Under the judge’s order, the sinkhole server can issue commands to prevent the bot agents from carrying out normal operations.

And the approach required to take down a botnet? Or to otherwise interfere with other people’s computers? It is a sizable undertaking and nothing like what has been advocated in the past. The “we’ll fix it for them whether they like it or not” approach that some advocated is fraught with legal peril, so it’s good to see DoJ taking all precautions to make sure the law enforcement (LE) involvement is:

  • documented;
  • within legal bounds;
  • consulted; and above all
  • limited.

The U.S. Department of Justice has established a good model for approaching the shutdown of a botnet, says Dell’s Jackson. The government agency wrote a 60-page legal memo analyzing the decision and spelling out the steps they took, including technical analysis and consultation with the industry, to limit damage from the move. Fully understanding the workings of the bot software, getting expert analysis, and limiting the data intercepted from the botnet show common sense, says Jackson.

This is a first for the US. Europe, however, has done similar things in the past, and to a greater extent:

"We wanted to take down the botnet," Prins said. "What we also wanted to do was make sure the botnet wouldn’t switch over to other infrastructure under his control."

The Dutch police decided to use a tactic they have apparently used before, taking over the computers infected with Bredolab and directing them to servers not under the control of the Armenian.

But there are problems with that approach:

The action by the Dutch authorities represents a bold move, as infecting anyone’s computer — whether it’s with a “good” bot or a malicious one — is likely against the law in many countries.

Most EU countries are signatories to the Budapest Convention on cybercrime, which can provide legal backing for at least some of the actions that the Dutch High Tech Crime Unit did:

Article 32 – Trans-border access to stored computer data with consent or where publicly available

A Party may, without the authorisation of another Party:
(a) access publicly available (open source) stored computer data, regardless of where the data is located geographically; or
(b) access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.

Ignorance of the law is no excuse; especially if you work in information security.