Kraken the botnet: The ethics of counter-hacking

The long view of security strategies for your network.

The Kraken (a 19th century word referring to a giant squid) is a huge network of personal computers that have been infected with software that turns them into zombie systems under the control of a master program - a botnet. The Kraken botnet is used by criminals to generate spam.

Kelly Jackson Higgins, writing for DarkReading, says, “like Storm, Kraken so far is mostly being used for spamming the usual scams – high interest loans, gambling, male enhancement products, pharmacy advertisements, and counterfeit watches, for instance.” The botnet is the largest known; in April 2008 it was estimated to have included 400,000 zombies. 

Gregg Keizer of Computerworld reports that in April 2008, TippingPoint researchers Pedram Amini and Cody Pierce "created a fake Kraken command-and-control server by reverse engineering the list of domain names found in a captured sample of the bot, and then registered some of the sub-domains Kraken looks for. The server essentially acted as a command-and-control honeypot that waited for connections from PCs infected with the bot."

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

The Kraken (a 19th century word referring to a giant squid) is a huge network of personal computers that have been infected with software that turns them into zombie systems under the control of a master program - a botnet. The Kraken botnet is used by criminals to generate spam.

Kelly Jackson Higgins, writing for DarkReading, says, “like Storm, Kraken so far is mostly being used for spamming the usual scams – high interest loans, gambling, male enhancement products, pharmacy advertisements, and counterfeit watches, for instance.” The botnet is the largest known; in April 2008 it was estimated to have included 400,000 zombies. 

Gregg Keizer of Computerworld reports that in April 2008, TippingPoint researchers Pedram Amini and Cody Pierce "created a fake Kraken command-and-control server by reverse engineering the list of domain names found in a captured sample of the bot, and then registered some of the sub-domains Kraken looks for. The server essentially acted as a command-and-control honeypot that waited for connections from PCs infected with the bot."

As a result, the scientists “monitored the incoming communications from Kraken bots for seven days.” They “listened and collected statistics for a week, and filtered out [for] the IP addresses and then the systems.” Then “Pierce wrote code that would let him redirect infected PCs, or better yet, use the bot’s built-in update mechanism – something most malware includes – to remove Kraken.”

However, management at TippingPoint forbade the researchers from activating the cleaning code. They argued that although it might be nice to interfere with the botnet, the law in the U.S. forbids unauthorized access to anyone’s computers, including zombies. In addition, managers were concerned about the possibility that their code could inadvertently damage the systems of unknowing recipients of their well-intentioned cleaning. 

This case illustrates sound judgment on the part of the managers at TippingPoint. There are two fundamental problems here:

1. Releasing programs that modify other people’s systems without permission, even with the best of intentions, is a prescription for disaster. It’s bad enough getting a poorly tested patch from a major software vendor that screws up the operating system or an application program when we allow it to load; having someone’s bright idea invade our computers without permission – and inevitably, without consideration of particular configurations that will make the program cause damage – is unconscionable.

2. Accessing someone else’s computer without permission is illegal. Period.

Readers should remind over-enthusiastic colleagues who are contemplating counter-hacking that breaking the law to punish bad guys on the ‘Net is not acceptable; corporate policies should be unambiguous on this matter. Charles Cresson Wood, in his Information Security Policies Made Easy, 10th Edition offers a simple policy in Chapter 9 (Access Control):

"Policy: Workers must not use Company X information systems to engage in hacking activities that include, but are not limited to: (a) gaining unauthorized access to any other information systems, (b) damaging, altering, or disrupting the operations of any other information systems, and (c) capturing or otherwise obtaining passwords, encryption keys, or any other access control mechanism that could permit unauthorized access."

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.