Kraken the botnet: The ethics of counter-hacking

Why TippingPoint held back from destroying the Kraken botnet
Security Strategies Alert, by M. E. Kabay, Network World, 03/17/2009

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.


The Kraken (named after the legendary giant sea monster of Scandinavian lore) is a huge network of personal computers that have been infected with software turning them into zombie systems under the control of a master program, a botnet. The Kraken botnet is used by criminals to generate spam.

Kelly Jackson Higgins, writing for DarkReading, says, “like Storm, Kraken so far is mostly being used for spamming the usual scams – high interest loans, gambling, male enhancement products, pharmacy advertisements, and counterfeit watches, for instance.” When it was reported in April 2008 the botnet was described as the largest known, estimated to have included 400,000 zombies.

Gregg Keizer of Computerworld reports that in April 2008, TippingPoint researchers Pedram Amini and Cody Pierce "created a fake Kraken command-and-control server by reverse engineering the list of domain names found in a captured sample of the bot, and then registered some of the sub-domains Kraken looks for. The server essentially acted as a command-and-control honeypot that waited for connections from PCs infected with the bot."

The researchers then “monitored the incoming communications from Kraken bots for seven days.” They “listened and collected statistics for a week, and filtered out [for] the IP addresses and then the systems.” Then “Pierce wrote code that would let him redirect infected PCs, or better yet, use the bot’s built-in update mechanism – something most malware includes – to remove Kraken.”
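The listen-and-collect step described above can be illustrated with a small script; this is an added example, not TippingPoint's tooling, and it models only the passive side of a sinkhole. The connection-log format, the sinkholed hostnames and the log records are constructed for the illustration, and the assumption that each bot presents a persistent per-install identifier on check-in is mine (the page does not describe Kraken's protocol). What it shows is why the researchers counted "the IP addresses and then the systems" separately: NAT puts several bots behind one address and DHCP moves one bot across addresses, so raw IP counts and host counts diverge.

```python
"""Passive botnet-sinkhole telemetry: count check-ins, never answer them.

Added example (not TippingPoint's code). The log format, the sinkholed
domain names and the sample records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sinkhole connection log. Assumed format, one check-in per line:
#   <ISO-8601 timestamp> <source IP> <requested C2 hostname> <bot identifier>
# The bot identifier is ASSUMED to be a per-install value the bot sends on
# check-in; Kraken's real check-in format is not described on this page.
SAMPLE_LOG = """\
2008-04-07T10:00:01 203.0.113.5 a1b2c3.example-sinkhole.net BOT-0001
2008-04-07T10:05:44 203.0.113.5 a1b2c3.example-sinkhole.net BOT-0002
2008-04-07T11:20:00 198.51.100.7 zz99.example-sinkhole.net BOT-0003
2008-04-07T12:00:00 192.0.2.9 other.example.org BOT-0004
2008-04-08T09:10:00 203.0.113.77 a1b2c3.example-sinkhole.net BOT-0001
2008-04-08T09:15:00 198.51.100.7 zz99.example-sinkhole.net BOT-0003
2008-04-08T09:30:00 203.0.113.77 a1b2c3.example-sinkhole.net BOT-0005
this line is malformed and must be skipped
"""
# Note the two effects above: BOT-0001 and BOT-0002 share one address on
# day 1 (NAT), and BOT-0001 moves to a different address on day 2 (DHCP).

# Hostnames the defender registered and pointed at the sinkhole (constructed).
SINKHOLED = {"a1b2c3.example-sinkhole.net", "zz99.example-sinkhole.net"}


def parse_line(line):
    """Return (timestamp, ip, host, bot_id) or None for an unusable line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts_text, ip_text, host, bot_id = parts
    try:
        ts = datetime.fromisoformat(ts_text)
        ip = ipaddress.ip_address(ip_text)  # rejects junk in the IP field
    except ValueError:
        return None
    return ts, ip, host.lower(), bot_id


def summarize(log_text, sinkholed=SINKHOLED):
    """Aggregate check-ins recorded by a listen-only sinkhole.

    Only traffic to names we actually registered is counted; everything is
    read from the log, so nothing here can send a command or update to a bot.
    """
    unique_ips, unique_bots = set(), set()
    daily_ips, daily_bots = defaultdict(set), defaultdict(set)
    counts = {"checkins": 0, "malformed": 0, "not_sinkholed": 0}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            counts["malformed"] += 1
            continue
        ts, ip, host, bot_id = rec
        if host not in sinkholed:
            counts["not_sinkholed"] += 1  # traffic to names we did not register
            continue
        day = ts.date().isoformat()
        counts["checkins"] += 1
        unique_ips.add(str(ip))
        unique_bots.add(bot_id)
        daily_ips[day].add(str(ip))
        daily_bots[day].add(bot_id)
    return {
        **counts,
        "unique_ips": len(unique_ips),       # addresses seen
        "unique_bots": len(unique_bots),     # infected systems seen
        "daily_ips": {d: len(s) for d, s in daily_ips.items()},
        "daily_bots": {d: len(s) for d, s in daily_bots.items()},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the sinkhole sees three distinct addresses but four distinct bots, which is the gap between "IP addresses" and "systems" the researchers had to filter for; a real deployment would also have to discount scanners and other researchers probing the registered names, which is why only traffic to the registered hostnames is counted.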

However, management at TippingPoint forbade the researchers from activating the cleaning code. They argued that although it might be nice to interfere with the botnet, the law in the U.S. forbids unauthorized access to anyone’s computers, including zombies. In addition, managers were concerned about the possibility that their code could inadvertently damage the systems of unknowing recipients of their well-intentioned cleaning. 

This case illustrates sound judgment on the part of the managers at TippingPoint. There are two fundamental problems here:

1. Releasing programs that modify other people’s systems without permission, even with the best of intentions, is a prescription for disaster. It’s bad enough getting a poorly tested patch from a major software vendor that screws up the operating system or an application program when we allow it to load; having someone’s bright idea invade our computers without permission – and inevitably, without consideration of particular configurations that will make the program cause damage – is unconscionable.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.

Comments (10)

Kraken vigilantes
By Anonymous on March 17, 2009, 9:59 am
I'm not a lawyer, but I can't see how you could be liable if someone (or their zombie computer) came to a website you control, downloaded, then ran cleaning code...

Where are the authorities
By Anonymous on March 17, 2009, 10:57 am
Interesting. On one hand, I agree with the first poster in justifying some means to clean these computers of the botnet software (if that is even possible without...

Kraken
By Zowie on March 17, 2009, 11:47 am
All this caution sounds very good. If you change that from PCs to people then this becomes watching a disaster occur because you're afraid to do something good for...

Tell them!
By Anonymous on March 17, 2009, 12:01 pm
Assuming it's true that a user's computer is infected, and since you have "control" of his computer, is it possible to make him aware that he is infected, and that...

Ethics?
By Anonymous on March 17, 2009, 1:53 pm
From the article, even though the botnet has been clearly identified, it would appear that nothing has been done to stop it as a result of this research. What are...

Work with ISPs and blocklists, not vigilantes
By Bill Stewart on March 17, 2009, 2:03 pm
It's frustrating that you can't just trash the zombie machines, but you really can't, because as the article says, there are some machines that you're going to cause...
