The BBC exposed how easy it is to obtain malware and deploy it on unsuspecting users’ computers. They also showed how these computers could then be used to launch a DoS attack against a website. This has now resulted in a controversy. A bunch of people are now outraged that the BBC showed how it is done. They are even saying that what the BBC did was illegal.
Let us look at what they actually did. They say they bought a botnet. This most probably means that someone had already compromised all the PCs that were used by the BBC in the experiment (some 22000 of them). All these computers already had malware installed on them. The BBC used this malware and had all these computers send out emails to a couple of specific email ids that the BBC controlled. They also had these computers launch a Distributed Denial of Service (DDoS) attack on a specific IP that belonged to a security vendor, with the vendor’s consent.
Once they established that they could in effect use the botnet for their purposes, they notified the unsuspecting owners of the computers that made up the botnet that their computers had been compromised, and then shut down the botnet.
One of the arguments against the BBC is that they put money in the hands of hackers when they bought the botnet. The other is that they used computers belonging to unsuspecting users to do this experiment. The first one is maybe valid. But we have to balance the benefits against the harm. Is there enough benefit in terms of general awareness by computer users regarding malware and botnets to outweigh the harm that is done by funding the hackers? I think there is.
The second argument is easier to tackle. These computers had already been compromised. They already had malware installed by the hackers. They were just waiting to be used in a real attack. Instead of that, they were used against a target that consented to this experiment and was also prepared. They probably also gained a lot of information in terms of how this botnet worked. We also have to consider the possibility that the BBC probably has (maybe not) provided law enforcement agencies with information on how this botnet was obtained and who the payment was made to. This will probably help in shutting down at least this individual/group.
I think people should get off the BBC’s back and focus more on the issue at hand, which is the spread of malware and raising people’s awareness regarding computer security.
I wrote an article some time ago on personal information security and spyware if you want a quick overview of what you can do to prevent your computer from being taken over.