Score One for the Good Guys

April 15, 2011 - 1 Comment

With each passing day, security reports – including Cisco’s – describe accounts of computers that are used in botnet attacks. Each computer, unwittingly, is infected with malware and controlled by remote unseen hands, foreign or domestic, and with little to no care for the computer’s owner. Simply put, the computer is no longer exclusively under the owner’s control; nor is the data or the privacy of the owner. Unchecked, botnets grow in variety, frequency, complexity, and capability.

Traditionally, dynamic teams, composed of private citizens and law enforcement, devise ways to contain the effects of a botnet and, if possible, shut it down in some way, such as:

  • Releasing signatures to anti-virus vendors in the hopes that AV will clean some of the infected machines
  • Disrupting the Command and Control channel, so that the infected computers are no longer receiving instructions
  • Simply trying to stay one step ahead of the malware through DNS takedowns, detection, or blocking access lists

In nearly every case, new approaches have to be developed to keep the latest botnet variants from succeeding.

Add another creative approach to the mix based in the rule of law.

The US Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) sought and received legal authority to replace the known Command and Control servers for the Coreflood botnet with computers that would ‘act’ like the real Command and Control servers. Now, the Coreflood-infected computers in the US would receive instructions from the FBI instead, and in fact, only one instruction: ‘stop.’

I’ve heard quite a debate about whether this somehow crosses a line on our privacy. As a staunch privacy advocate, I believe that the infected computer owner’s privacy had already been violated by the malware and the botnet operators. In the ‘protect and serve’ aspect of their mission, my view is that the FBI sought to back the US citizen’s privacy and protect the affected individual – based on my instinct that the infected computers were now controlled by the good guys, and the good guys were only allowed to respond to communication requests and tell the computers to stop running the malware. I also take to heart that if something had been done incorrectly, the FBI could have caused one or more computers to work improperly. I am confident that the DOJ and FBI knew this all too well, and, similar to anti-virus vendors, software vendors who issue patches, and security vendors who issue updates, the FBI rigorously tested their abilities beforehand.

This story could have been very different: one in which authority was overstepped, privacy invaded, or computers damaged. But this situation was handled entirely through the US judicial system, and these concerns all seem to be addressed by the limits on what the FBI was authorized to do. I tip my hat to the DOJ, the FBI, Judge Vanessa Bryant for her decision, and the combined efforts that kept another botnet from continuing to steal private information and from setting the stage for future nefarious operations.


  1. This equates to hostage rescue IMHO