Whitehats tackle The Great Botnet Dilemma

After infiltrating one of the biggest and most abusive known botnets, security researchers are wrestling with a thorny ethical dilemma: should they exorcise tens of thousands of possessed machines or simply leave them be? Pedram Amini and Cody Pierce, of security provider TippingPoint, reverse engineered the executable behind …


This topic is closed for new posts.


  1. Pete

    Let the owner of the machine decide

    Send them a message, or instructions on how to remove themselves.

  2. vincent himpe


    use the bot to display a text that those people's machines are infected...

    and then a box: click here to remove for free.

    most of those bozos will click on it anyway. it will also give us a good indication on how many people click on anything they see pop up ...

  3. Anonymous Coward

    Windows Life Support?

    IIRC the standard Windows EULA specifically states that it's not for use in life supporting situations - medical devices or nuclear power stations. So downing those infected machines, even as a deliberate act of 'self-defense' by the internet, would be warranted.

    It's bad enough that these unpatched machines are spewing spam at a prodigious rate, that someone would hook their poorly little snowflake up to a Win XP-powered heart machine is tantamount to child cruelty.

  4. JimC Silver badge
    Thumb Up

    Reluctantly I think they're right...

    As soon as you access other people's machines without permission, no matter how good the reasons, you're heading down the same ethical route as the bad guys. If it's right to use the botnet tools to take the software off, does it then become right to access machines to take out viruses, and so on and so on... Best to draw the line where it's black and white rather than grey... Now if you can generate an automated script that contacts those responsible for the PCs by publicly available info, reverse lookup say, that's OK I think...

  5. adnim Silver badge

    Obvious to me

    Where's the dilemma in reporting the IP addresses found and time of connection to the respective ISP owners of those IP ranges, who can then in turn email the customer and provide a link to some form of disinfectant?

    Like the title says this is obvious to me, or am I missing something here?
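The reporting workflow adnim describes (sightings of IP address plus connection time, matched to the ISP that owns the range, then one report per ISP) is straightforward to script. The following is an added example, not code from the page or from TippingPoint. The netblock-to-abuse-contact table and the sightings are constructed for the demonstration and use RFC 5737 documentation ranges; in practice the contact would come from a WHOIS/RDAP lookup of each address.

```python
"""Group sightings of infected addresses by the ISP that owns the range and
produce one abuse report per ISP. Added example; all data below is constructed."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed netblock table (RFC 5737 documentation ranges, so nothing here
# points at a real network). Real deployments fill this from WHOIS/RDAP.
NETBLOCKS = {
    ip_network("192.0.2.0/24"): "abuse@isp-a.example",
    ip_network("198.51.100.0/24"): "abuse@isp-b.example",
    ip_network("203.0.113.0/25"): "abuse@isp-c.example",
}

# Constructed sightings: (source IP, ISO 8601 time the bot checked in), the
# shape a sinkhole or controller log would give you.
SIGHTINGS = [
    ("192.0.2.10", "2008-04-29T20:15:00"),
    ("192.0.2.10", "2008-04-29T22:40:00"),
    ("192.0.2.77", "2008-04-30T01:02:00"),
    ("198.51.100.5", "2008-04-30T03:30:00"),
    ("203.0.113.200", "2008-04-30T04:00:00"),  # outside every known block
]


def find_contact(ip, netblocks=NETBLOCKS):
    """Abuse contact for the most specific netblock containing ip, or None."""
    addr = ip_address(ip)
    matches = [net for net in netblocks if addr in net]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    return netblocks[best]


def build_reports(sightings=SIGHTINGS, netblocks=NETBLOCKS):
    """Aggregate into {contact: {ip: (first_seen, last_seen, check-in count)}}.
    Addresses with no matching block land under the key None so they are
    not silently dropped."""
    reports = defaultdict(dict)
    for ip, ts in sightings:
        contact = find_contact(ip, netblocks)
        seen = datetime.fromisoformat(ts)
        first, last, count = reports[contact].get(ip, (seen, seen, 0))
        reports[contact][ip] = (min(first, seen), max(last, seen), count + 1)
    return dict(reports)


def format_report(contact, entries):
    """Render one ISP's report as plain text, one line per address."""
    lines = [f"To: {contact}",
             "Subject: hosts observed contacting a botnet controller", ""]
    for ip, (first, last, count) in sorted(entries.items()):
        lines.append(f"{ip}  first seen {first.isoformat()}  "
                     f"last seen {last.isoformat()}  check-ins: {count}")
    return "\n".join(lines)


if __name__ == "__main__":
    for contact, entries in build_reports().items():
        if contact is None:
            print("No contact for:", ", ".join(sorted(entries)))
            continue
        print(format_report(contact, entries))
        print()
```

The unmatched bucket matters: addresses outside any block you know are exactly the ones that need a manual lookup, and a script that drops them quietly under-reports.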

  6. Col
    Thumb Up

    [insert title here]

    What about modifying the code to continue trapping infected machines, but with a timer, at the end of which the user is presented with the fact that their 'puter is infected along with a link to the details of how to remove it (with some security mechanism to ensure this isn't hijacked by the bad guys) and the option to immediately disinfect the machine? Win all around.

    If it were me, I'd attempt to further infiltrate the net with a view to using it to shut itself down from within. But IANA expert in these things. Still, nice work.

  7. Ed

    Can't they tell the ISP's

    which IP addresses are infected and then have the ISP's inform the user. Then if the user wants it removed give a thumbs up. I bet ISP's would love to have some of that bandwidth back.

    Or why don't they just post some form of tool to remove it. If it exists, then it says you were part of the army and now you are not. If you were not, then it says that nothing was found.

    Mine's the simple...obvious coat over there

  8. Anonymous Coward

    Who'd do this?

    > is anyone foolhardy enough to rely on a Windows PC for life support?

    Cough - Microsoft Windows for Warships - cough.

  9. M. Burns Silver badge

    What a great scam TippingPoint is running!!!

    They claim they've performed this great technical feat, and then create a fake ethical dilemma so that they never have to prove their claim! Brilliant!

  10. James Smith

    I agree

    I don't like the idea of an extended tit for tat exchange between the bot masters and the bot exterminators played out on my machine. This could get messy. Especially when the next logical step in the arms race is to deliberately make attempted removal of the bot more damaging than leaving it be.

    Best to contact the users concerned. They'll need to get involved in order to patch the vulnerability that got them infected in the first place.

  11. This post has been deleted by a moderator

  12. Dan Goodin (Written by Reg staff)

    Contact them???

    James Smith, et al.

    Ever notice how slow ISPs are to deal with anything? Now multiply the delay by 25,000. I'm pretty sure TippingPoint has better things to do. As for popups and other types of notification: anytime you're running code on an infected machine, you're likely to get unintended consequences. Bottom line, contacting the infected users isn't practical. Anyone who believes otherwise should go ahead and contact each user himself (a list of the infected IP addresses is at

    M. Burns, if you'd bother to look, you'd notice TippingPoint documented infected IPs and gave a deep dive analysis into their infiltration. What kind of proof do you want?

  13. Simpson

    Mr Ed

    "which IP addresses are infected and then have the ISP's inform the user"?

    Take your coat off, it's not that simple...

    The ISP's do not care. Wait... I mean they do "care", but they decided long ago that it is too expensive to notify users. Notification leads to tech support calls, which cost money, which reduces executive bonuses.

    Many of these users would call multiple times, which would cost even more. Then the user will get infected by something else and call the ISP tech support, because they are now conditioned to do so.

    It is not their business model.

  14. Gordon Jahn

    "Click here to remove"...

    I love the comments saying the researchers should display a message getting the user to remove. These people have obviously been enjoying safe, pop-up free browsing for a while - every time I end up on an ancient PC that I can't update (it happens from time to time...) I see messages exactly like that that are part of web pages - and _all_ the education says "you never click 'em".

    Go down the road of putting a message on screens and you're playing right into the botnet controller's hands.. a valid reason to run a program presented to you against your will or knowledge.

    The only answer is to go via the ISPs - they might not be able to contact everyone and probably wouldn't want to spend money calling people, but it's the best answer without opening up a social engineering attack vector.

  15. Gordon Fecyk

    Cure for the Common Cold found: film at 11

    That alone should stir up enough postings. Imagine if a cure for the common cold were really, really found, as in a broad spectrum anti-virus medication for human beings. Such a discovery would risk putting much of the pharmaceutical (sp?) industry out of business, in theory.

    Now do a word swap of "common cold" for "kraken." Or, for that matter, for "storm worm."

    I'm anxious to see the responses.

  16. Pete Spicer


    Here's a thought - what would happen if the details were passed onto the ISPs with the following note attached:

    "Here is a list of IPs of users who got infected with a botnet virus [or whatever you want to say]. Contacting them will allow them to remove it - this means less traffic you have to carry on your network, thus lowering your costs."

    Tiscali would jump at that one!!


  17. Anonymous Coward
    Paris Hilton

    Dilemma? What dilemma?

    Sorry, but I fail to see TippingPoint's dilemma. The problem presented is that of unauthorized access. The zombie machines, however, logged into TippingPoint's server and asked for directions. When a machine, acting as an agent for the end user, logs into your server and gives you root access, I don't see how this is unauthorized.

    Thus, I don't see the problem with completely disabling the box in a fashion characteristic of a virus. Unintended consequences are the user's problem, as he allowed his box to offer complete strangers root access.. Disabling the box with a spooky virus screen may also have the effect of causing users to invest more time and money into their virus protection plan.

    Paris... because she never lets strangers root her box.

  18. Stone Fox

    Windows based life support

    Come on then, all together now:


  19. Eugene Goodrich
    Paris Hilton

    I already get these popups...

    I already frequently get popups (or popunders) that note my machine is, or may be, infected with a virus or a bot, and I need only _click here_ for free removal.

    So clearly someone sidestepped this ethical dilemma some time ago. Even before this botnet was reverse-engineered, if I recall. Wait a minute...

    Paris, because even she would see the problem with doing popup notification. Durrrr....

  20. Jon Minhinnick

    Record the ip addresses...

    ... and blackhole them. If the user cares, they'll fix it themselves. If not, they stay blackholed. And because they're mainly home users with dynamic IP addresses, refresh the blackhole list once a week. Oh, and notify their ISPs so when the user rings up, there's a listed reason they've been sent to /dev/null.

    Hmmm... what if webservers also use the same blackhole list, so they don't serve to spamming machines. Then, the user would really care about getting back online. Just send back a page to the user that the requested page will only be displayed if they remove their bot.
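Jon Minhinnick's blackhole idea has one detail worth getting right: entries must age out, because a dynamic address blackholed today may belong to a different customer next week. The following is an added example, not from the page or any project, of a list that drops addresses not re-seen within a week, renders the active set as null routes, and shows the cooperating web server returning a notice instead of the requested page. The sightings and the seven-day window are constructed values.

```python
"""Blackhole list for bot-infected addresses that ages entries out, so a
dynamic IP later handed to someone else is not penalised indefinitely.
Added example; the sightings below are constructed."""
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=7)  # "refresh the blackhole list once a week"


class BlackholeList:
    def __init__(self, max_age=MAX_AGE):
        self.max_age = max_age
        self._last_seen = {}  # ip -> datetime of the most recent sighting

    def record(self, ip, seen_at):
        """Add or refresh an address; a fresh sighting resets its clock."""
        prev = self._last_seen.get(ip)
        if prev is None or seen_at > prev:
            self._last_seen[ip] = seen_at

    def is_blocked(self, ip, now):
        """True if ip was seen within max_age of now."""
        last = self._last_seen.get(ip)
        return last is not None and now - last <= self.max_age

    def prune(self, now):
        """Drop entries older than max_age; returns the addresses dropped."""
        stale = [ip for ip, last in self._last_seen.items()
                 if now - last > self.max_age]
        for ip in stale:
            del self._last_seen[ip]
        return sorted(stale)

    def active(self, now):
        """Addresses currently blackholed."""
        return sorted(ip for ip in self._last_seen if self.is_blocked(ip, now))

    def export_null_routes(self, now):
        """Render the active list as Cisco IOS-style static routes to Null0,
        one common way of blackholing on an edge router."""
        return [f"ip route {ip} 255.255.255.255 Null0" for ip in self.active(now)]


def web_response(bl, client_ip, now, page="<html>requested content</html>"):
    """What a cooperating web server hands back: the real page for clean
    clients, a fixed notice for clients on the list."""
    if bl.is_blocked(client_ip, now):
        return "This page will be shown once the bot software on your machine is removed."
    return page


def demo():
    """Constructed scenario: one address seen 8 days ago, one 5 days ago."""
    bl = BlackholeList()
    t0 = datetime(2008, 4, 29, 20, 0)
    bl.record("192.0.2.10", t0)
    bl.record("192.0.2.77", t0 + timedelta(days=3))
    now = t0 + timedelta(days=8)
    return bl, now


if __name__ == "__main__":
    bl, now = demo()
    print("\n".join(bl.export_null_routes(now)))
    print("expired:", bl.prune(now))
```

Because `record` keeps only the newest sighting, an address that keeps checking in stays blocked and one that goes quiet falls off on its own; the weekly refresh is then just a call to `prune`.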

  21. Anonymous from Mars
    Thumb Up

    TippingPoint says

    I am greatly amused that is on their list.

  22. This post has been deleted by a moderator

  23. Anonymous Coward

    Windows Life Support?

    Besides the scariness of that, why would a life support machine be connected to the internet? An intranet I could see, but not the big internet...

    They should have just kept mum about all this, and gone through with removing the thing. Ethics indeed.

  24. RW
    Dead Vulture

    Windows Life Support

    It may be an urban legend but it sounded authentic when I heard it:

    Patient undergoing operation. Important apparatus controlled by Windows, anesthesia, ventilation, blood pump, something important. Windows decides it's time for an update, calls home, downloads update, installs it, reboots, and kerplunk, a patient in very bad shape thanks to Windows going off duty at a critical time.

    True? False? Anti-MS propaganda? Anybody know?

    Maybe our poor vulture was on Windows-run life support?

  25. Anonymous Coward

    Just do it!

    Stop creating a mountain out of a molehill and just remove the trojans! They've already stepped over the line of unauthorised access by taking control of them. If anything bad results it is because of the original hacker. Do we stop doctors from trying to save patients on the off chance that they might die in surgery? No.

  26. Dick Emery
    Paris Hilton


    Just bloody fix it and stop being wusses.

    Ethics? I know an Ethics girl.

  27. wibbilus maximus

    here's a thought....

    "We have the ability to provide an 'update' through the existing Kraken protocol that can simply remove the Kraken zombie"

    ok, in that case why not just do an 'update' that just changes the ip address that the machine reports to to it wouldn't remove the zombie true, but it would disable the network and as it's not making any major change to the program, there shouldn't be any way that it would cause the machine to crash

  28. Anonymous Coward
    Gates Horns

    When Self Righteous Reaches For The Crack Pipe

    I'm sure a quick search would show no medical life support program runs something so broken as a windows operating system. The decision is moronic and almost stinks of his involvement within the kraken system. How easy it would be to pose a ridiculous philosophical and moral dilemma to poor simpering geeks to keep your botnet alive.

    Ah fuck off with this

    - get us something real - this isn't even worth news, it's a cross cyber wank fest wherein the geeks nervously pat one another on the back at the same time as they offer a reach around.

    Kill the fucking thing.

    It's that simple.

    If you have the means to kill the botnet.

    Kill it.

    If not.

    Wait until you do.

    Releasing this information - just smacks of inside job bullshit.

  29. Ralph

    They better do it quick

    They should act fast whatever they do because you can bet the botnet's creators are busy rolling out an update to change the DNS addresses it reports to as quickly as they can.

  30. Adrian Esdaile

    @ here's a thought....

    "...that just changes the ip address that the machine reports to to"

    That was the very first thing I thought of when I read the article. (Does this now make me a Cyber-Gibson-esque 1337 wh1t3-h47 playaz fo' shizzle?) Instead of remotely executing machines (and presumably people on MSN Live OneCare Life Support?), can't they just patch the botnet to simply stop transmitting? Send all messages to /dev/null and/or Couldn't they have just gone and bloody done this with little or no fanfare and watched as the internet breathed a collective sigh of relief, then sat back and basked in the afterglow of a Good Deed Done?

    But no, they had to yell to all and sundry "Hey Youse Bad d00dz, we's totally like ontaz ya and wiz gunn4 k1ck yoz asses", with the result the botnet controllers will just upgrade to Botnet 2.1.

    Thanks a heap, may all your pr0n get pwned by newer botnets.

  31. Danny

    Drama Queen

    Dilemma? Just fix it already, duh. I don't believe the airheads still using Windoze and allowing their machines to become zombies would even notice. And if it did go tits up how would they know it was the fix and not the zombie code? A fresh reinstall might well do their machine a world of good and rid it of any other parasites they are doubtless hosting.

    Better still, install a keylogger, grab the lusers credit card number and order them a copy of F-Secure et al. D'ya think they'd get the message? Hell, why not just install Ubuntu and have done with it.

    If TP leaves the network be, then the spammers will see these reports (if they haven't already) and reconfigure Kraken. TP will be back to where they started and the rest of us will continue to drown in invitations to buy dodgy rolexes and fake v1Agrrr.

  32. tony trolle

    @rod - Microsoft Windows for Warships

    I was thinking Microsoft Windows Death Server 2006 (or ver 6.6.6)

  33. Kanhef

    Escalating warfare

    Attacking the botnet this way would set a precedent that could dramatically change the virus/antivirus battle. The so-called whitehats would presume the right to make arbitrary changes to any computer, neither asking permission nor notifying the owner of what they had done. Someone would decide that hijacking botnets isn't enough, or they evolved and became impossible to hijack, and write their own virus that removes others or fixes vulnerabilities as it spreads. The line between 'good guys' and 'bad guys' gets very blurry when both use the same means, only claiming different motivation.

    Today, the AV crowd fights the VXers by trying to educate users and admins, and make them install security patches and AV software. Tomorrow, that could become a head-to-head war for control of third-party computers (home, business, server, all fair game), with those same computers also the battleground. Both sides will write programs that try to infiltrate your computer and make changes to the system; one claims it's 'for your own good'. The AV programs won't just clean up your computer and leave; they'll stick around and try to prevent other infections. The VXers will be doing the same thing, of course. It will be hell for anyone who wants to connect to the 'net and still retain control over their own computer.

    This is why the 'good guys' who want to stay that way are hesitating. They're thinking about the consequences of their actions, not pulling the trigger as soon as they get their hands on a gun and seeing who they hit later.

  34. Maksim

    @wibbilus maximus & others with idea of changing address to

    Don't be so quick in assumption that it wouldn't hurt anything. There's plenty of things that can go wrong with that, simplest being the bot client doing something unexpected when not receiving any ACKs for some period of time. And all kinds of possible resource problems - potential memory/handle leaks due to excessive retries, overflows and whatnot

  35. James Henstridge

    @ here's a thought....

    The machines got infected through some vulnerability at some point in the past. Chances are that the vulnerability is still open and the user still does the things that got them infected in the first place.

    The bad guys have a mechanism for distributing software updates besides the botnet, so it isn't a stretch to imagine them using it to fix interference from the good guys.

  36. andrew

    Been seen before...

    IIRC wasn't the Blaster or Nimda virus (as I remember them being called) followed up by a 'fix' virus that attempted to remove it.

    Working for IT support at the time the cure was as bad as the virus...

    I'd say that viral fixes (or even targeted as this is) are a great idea so long as a proper support mechanism is in place - as essentially who knows what's on that user's machine. And of course who wants to be responsible for supporting upwards of 25,000 disparate machines which are, by merit of being infected, utter pants.

    Personally I'd keep quiet, watch what's going on and going where and try and start to find out a little more about who's running the whole thing. Then use something with terminal force...

  37. Anonymous Coward


    Let 'em suffer in their jocks!

    If these users are so stupid as to not protect their computers, then let them get on with life under their Russian Overlords.

    As long as I am safe, that's all that matters.

  38. This post has been deleted by its author

  39. Simon

    Shameful hesitation.

    So what about the theoretical "Life support computer" that has its bandwidth and resources compromised by the spam these bots are sending? What about the sites that are DDoS'd, costing thousands and again, potentially putting lives at risk (Continuing Dave Endler's ridiculous theory)

    What about the genuine emails (Maybe giving life-saving information!) that will be incorrectly deleted either by humans or antispam filters required to deal with this problem? The potential positives, both proven and theorised, far outweigh the negatives. It's like picking ticks off your dog. It's a parasite, it's harmful, it has to go - you don't go agonising over how the mother and father of the tick might feel.

    Reporting to ISP's is useless, they so rarely do anything about anything, preferring to stay quiet and take the customer's money, ignoring *anything* they do. (Social responsibility from any big business? Pfft)

    TippingPoint, you have a golden chance and if you want to make a difference and actually do some good in the world instead of standing by and flapping your mouth. DO IT.

  40. Simon

    And another thing!

    If you have the chance to stop a crime and you don't, aren't you an accessory?

    In this case, TippingPoint might be seen as abetting the theft of credit card details and personal identity information, as well as sending unlawful bulk emails and involvement in denial of service attacks.

  41. foo_bar_baz
    Thumb Down

    ISPs "not capable" are just not willing

    ISPs that are not proactive are just being lazy and bad Internet citizens. A major ISP in my country will redirect all web pages to one saying "your machine is acting as a spam zombie, clean it up to regain Internet access" if it detects excessive SMTP traffic.

    I'm not sure about the technical details (do they just redirect port 80 or block the entire connection; do they just look at volumes or do they analyze the traffic to see it's actually spam; is it automated or are humans involved) but it's happened to several people I know.

    Don't say ISPs cannot do it.
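foo_bar_baz leaves open whether the ISP looks at volumes or at content. A volume-only version of that check is easy to show and makes the allowlist problem visible: the ISP's own mail relays talk to many servers legitimately and must be excluded, or they are the first thing flagged. The following is an added example, not from the page or any ISP; the NetFlow-style records, thresholds and allowlist are constructed, and it inspects only connection counts, never message content.

```python
"""Flag hosts whose outbound SMTP volume looks like a spam zombie, from
NetFlow-style records, and decide whether their web traffic should be sent
to a notice page. Added example; records and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
MAX_DISTINCT_MX = 50      # distinct SMTP destinations per window
MAX_CONNECTIONS = 200     # total port-25 flows per window
# Hosts allowed to talk to many mail servers: the ISP's own relays (constructed).
ALLOWLIST = {"192.0.2.1"}


def make_flows():
    """Constructed flow records: (timestamp, src_ip, dst_ip, dst_port)."""
    t0 = datetime(2008, 4, 30, 9, 0)
    flows = []
    for i in range(120):   # zombie: 120 distinct mail servers in 20 minutes
        flows.append((t0 + timedelta(seconds=10 * i), "192.0.2.10", f"203.0.113.{i}", 25))
    for i in range(60):    # ISP relay: busy, but legitimately so
        flows.append((t0 + timedelta(seconds=30 * i), "192.0.2.1", f"198.51.100.{i}", 25))
    for i in range(3):     # ordinary user sending through the ISP relay
        flows.append((t0 + timedelta(minutes=15 * i), "192.0.2.55", "192.0.2.1", 25))
    for i in range(5):     # web-only host, no SMTP at all
        flows.append((t0 + timedelta(minutes=i), "192.0.2.80", "203.0.113.9", 80))
    return flows


def detect_zombies(flows, window=WINDOW, max_mx=MAX_DISTINCT_MX,
                   max_conn=MAX_CONNECTIONS, allowlist=ALLOWLIST):
    """Return {src_ip: (peak_distinct_destinations, peak_flow_count)} for every
    non-allowlisted source that exceeds either threshold within some sliding
    window. Only volume is examined."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 25 and src not in allowlist:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak_distinct = peak_count = 0
        start = 0
        for end in range(len(events)):
            # advance the window start until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            seen = events[start:end + 1]
            peak_count = max(peak_count, len(seen))
            peak_distinct = max(peak_distinct, len({d for _, d in seen}))
        if peak_distinct > max_mx or peak_count > max_conn:
            flagged[src] = (peak_distinct, peak_count)
    return flagged


def http_policy(src_ip, flagged):
    """Policy for the customer's web traffic: flagged hosts get every page
    replaced by the clean-up notice, everyone else passes."""
    return "redirect-to-notice" if src_ip in flagged else "allow"


if __name__ == "__main__":
    zombies = detect_zombies(make_flows())
    for ip, (distinct, count) in zombies.items():
        print(f"{ip}: {distinct} distinct SMTP destinations, {count} flows -> {http_policy(ip, zombies)}")
```

Running the same detector with an empty allowlist flags the relay `192.0.2.1` too, which is the false positive the allowlist exists to prevent; whether to add content analysis on top of this, as the post wonders, is a separate decision.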

  42. amanfromMars Silver badge

    Normal Service will be resumed as soon as Possible? The Great White Dope Hope?

    "I don't like the idea of an extended tit for tat exchange between the bot masters and the bot exterminators played out on my machine. This could get messy. Especially when the next logical step in the arms race is to deliberately make attempted removal of the bot more damaging than leaving it be." ... I agree By James Smith Posted Tuesday 29th April 2008 20:15 GMT

    James et Al, [ Good Morning Dan Goodin in San FranCisco, how's Greg Garcia this morning. Shame that no one was really talking to him and that talks to him were so few, ..... .... which is unusual, whenever more were sent than were shared. Spooky that. Are you infected with a virus? However, that is water under the bridge, and I digress.]

    I would also agree, and suggest that any and all such attempts would be suicidal, and render no damage or harm to the intended target, at all.

    You may like to consider that you are reacting to a much SMARTer Program with ProgramMIng which is many more logical steps ahead than merely the next one, and is Perfectly Aware/Mindful of all possible reactions to ITs Programs and FailSafe Protected against all of them.

    You may like to further consider that what you are dealing with is .... AIRogue in Vogue HomeoPathic Binary with an Immune System which is Prepared for Assault and Attack by Simple Virtue of Assault and Attack which it has already suffered/sampled and which IT has Reverse Engineered for Source Recognition and Enjoyment.

    And finally, how do you deal with IT whenever the Driver Machine/Botnet/NIRobotIQs Virtualise their Systems Machinery from Control of Hardware/Computers to Control of Software/Computer Users in a Mirror of an Attack Vector suggested against ITs Presence ....Communication with Infected Machines with Advice of Infection. A SMART Virtual Machinery System using Advanced HomeoPathic Binary Codings, and let us call them CodeXXXX, would probably be into Sublime Messaging Systems, Quantum Communications which allow Stealth by Virtue of the Fact that their Signals are QuBits [A qubit has some similarities to a classical bit, but is overall very different. Like a bit, a qubit can have two possible values–normally a 0 or a 1. The difference is that whereas a bit must be either 0 or 1, a qubit can be 0, 1, or a superposition of both......] Strung for All Purpose, dDeeply Embedding Entanglement for Host TakeOver/MakeOver.

    Just a Future Thought Shared, for it would be a QuITe Logical Next Step to move Matters into the Cloud for AI Beta Control of Mastering/Mentoring and Monitoring All Systems.

    And I also agree, if you can Fix IT, Fix IT if you Can. Although if you don't or can't, it means that it is a lot SMARTer than you have ever Imagined, and are equipped to Deal with, and you are Following ITs Lead[s]

    Has anyone Thought to Cut AIdDeal? Splash some Flash Cash? It appears to work well with everything else.

  43. Kevin McMurtrie Silver badge
    Gates Horns

    Notify the ISPs

    The right thing to do would be to notify the ISPs of which computers are suspected of being hijacked. Good ISPs will take care of the problem. Some ISPs won't give a crap, but spam filters and firewalls know about them already.

    Satan Gates because...

    <>: failed after I sent the message.

    Remote host said: 550 5.7.1 <Your e-mail was rejected by an anti-spam content filter on gateway ( Reasons for rejection may be: obscene language, graphics, or spam-like characteristics. Removing these may let the e-mail through the filter.>

  44. Anonymous Coward

    Shut them down

    If shutting these botnets down might inconvenience a small percentage (let's say 1%) of the infected, out of 25,000 that's only 250.

    There are millions of people out there that will be glad of less spam.

    Furthermore, so what if shutting down the botnets crashes someone's PC?

    They most likely say "f*cking Windows has crashed again....". Reboot and continue on their merry way.

  45. Dave Bell

    Ethical, legal, or neither?

    Ethics is not the same as law.

    And both Kraken and the proposed countermeasure seem equally illegal under the Computer Misuse Act. Though there are legal principles which might make sufficient distinction.

  46. Clint Sharp
    Paris Hilton


    Just do it.

    BTW, lots of medical devices run on windows, the foetal heart rate monitors in my local maternity dept and I assume many more run on Windows. Just because a *standard* EULA says you can't do it doesn't mean there's not a version that isn't designed for use in such devices.

    Paris, because I get a popup every time I see her.

  47. Anonymous Coward
    Paris Hilton


    Just do it.

    BTW, lots of medical devices run on windows, the foetal heart rate monitors in my local maternity dept and I assume many more run on Windows. Just because a *standard* EULA says you can't do it doesn't mean there's not a version that isn't designed for use in such devices.

    Paris, because I get a popup every time I see her.

  48. Anonymous Coward

    Google - Awareness Screen

    Google have the ability to change their homepage for IPs that are infected (they've done it before); they can present a "do you want us to clean your PC?" question screen, and by gaining permission they could send the IP to TippingPoint or fire the clean-up code directly. It would be a good thing for them to alert the users in question, and good publicity for Google too!

  49. Svein Skogen

    If they have decoded the control protocol...

    If, as they say, they have decoded the control protocol of this dronenet, couldn't we, the various netadmins around, use that information to add policy-classes to our edge routers that simply drop the "updates"? After all, this was possible with several of our older friends like nimda/code red/blaster/etc. Even if the first-line-support and tieracks in management are all for making the internet even less safe (so their school pals who are execs at the "security firms" selling "security software suites" can make more money), I sincerely doubt most thick-skinned netadmins would miss any sleep over policy-routing this botnet's protocol into the same martian-filter they are already using.

    And I agree that we must separate between blackhat problems, whitehat saints, redhat morons, and day-to-day operations engineering. The latter being a mix of most of these. Going all vigilante and actually executing software on the victim computers doesn't solve the problem. It adds to it. Denying the botnet itself the update service, by blocking the protocol, sends the message that ISPs don't want to waste bandwidth on this. If the botnet goes into self-destruct-mode if it can't contact its main server, there is time to do some more digging, and find the individuals behind the botnet (and possibly the company they work for. Follow the money), and make sure that the persons behind this can be sued for ALL the damage they have done. If that means they (and the tieracks behind the dronenet, again; follow the money) will be sitting on the street with a big sign saying "will give head for food", and never again be able to touch a computer (and if they do, it will be confiscated to pay their debts), that is ok with me. If it damages property, make sure they are facing "damaging property with criminal intent" charges (this will solve the botmaster's roof-over-head problem for a time), and doing things this way sends a fairly clear message (especially if we get the tieracks as well!): We will not accept dronenet programming. Cross that line, and you are "fair game", and WILL be utterly removed from society.

    So, where is the regexp we need to add to our classmaps to disable the dronemaster's remote-upgrade ability?


  50. Paul

    inform the authorities?

    Surely they should talk to the FBI etc who have people investigating these botnets. If they say 'yes we think you should remove them from people's PCs' then it would remove their liability for anything going wrong I should think?



Biting the hand that feeds IT © 1998–2019