Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A Case Study in Ethical Decision Making Regarding Remote Mitigation of Botnets

A Case Study in Ethical Decision Making Regarding Remote Mitigation of Botnets

It is becoming more common for researchers to find themselves in a position of being able to take over control of a malicious botnet. If this happens, should they use this knowledge to clean up all the infected hosts? How would this affect not only the owners and operators of the zombie computers, but also other researchers, law enforcement agents serving justice, or even the criminals themselves? What dire circumstances would change the calculus about what is or is not appropriate action to take? We review two case studies of long-lived malicious botnets that present serious challenges to researchers and responders and use them to illuminate many ethical issues regarding aggressive mitigation. We make no judgments about the questions raised, instead laying out the pros and cons of possible choices and allowing workshop attendees to consider how and where they would draw lines. By this, we hope to expose where there is clear community consensus as well as where controversy or uncertainty exists.


Dave Dittrich

January 28, 2010


  1. A Case Study in Ethical Decision Making Regarding Remote Mitigation

    of Botnets Workshop on Ethics in Computer Security Research, 28 Jan 2010 David Dittrich, University of Washington Felix Leder, University of Bonn Tillmann Werner, University of Bonn 1
  2. What guides our decisions?  Institutional Review Boards (U.S. specific)

     Professional/industry standards  Program Committees (PCs)  Communities, colleagues, and friends  Our own personal moral/ethical fabrics 2
  3. Ethic as Method (Markham)  What is my intent in

    performing this research?  Who are the stakeholders being served?  How would these stakeholders view my actions and interpret my intent?  How would they feel – grateful, neutral or resentful? 3
  4. Research Involving Non-Criminal Activity  Topics: Performance, scalability, availability, integrity

     Methods: Passive observation to gather metrics, end- user surveys, vulnerability research  Impacts: Privacy 4
  5. Research Involving Criminal Activity  Topics: Malware virulence, botnet C&C

    identification, botnet enumeration, botmaster attribution, botnet scalability, botnet mitigation, analysis of stolen data  Methods: Use of miscreant credentials, use of back- doors, active enumeration, P2P cache poisoning, direct manipulation of botnet C&C  Impacts: Privacy, confidentiality/availability/integrity of innocent third-party systems, interference with criminal investigations, affecting other researchers’ results 5
  6. Researching Criminal Activity … is like researching health issues? 

    Identity of “subjects”  Risk of harm to “subjects”  “Subjects” of research are also the beneficiaries … is not like researching health issues?  Research “subjects” could be criminals, their tools, or computers owned by innocent 3rd parties  Researchers sometimes indistinguishable from criminals controlling a botnet  Viruses/cancers don’t adapt due to our publications  Harm primarily financial, but unintended consequences could affect uninvolved 3rd or 4th parties  Unknown side effects that might affect others (similar to actively infecting a human subject with a new virus) 6
  7. Subject or Object? 7

  8. We must take risks  Understanding fraud (e.g., spam and

    phishing)  Bots that are vetted (“made bot”)  New techniques/tactics seen daily  LEAs investigate and SecOps mitigate; they don’t do R&D  Sophisticated malware frameworks tomorrow’s biggest threat 8
  9. Where is the line? 9

  10. Case Study: Stormfucker 10

  11. Stormfucker: Owning the Storm Botnet  Presented at 25C3, Berlin,

    December 2008  University of Bonn students and faculty reversed Storm encryption and C&C protocol  Video at: http://mirror.informatik.uni-mannheim.de/pub/ccc/streamd ump/saal3/  Concerns  Risk/benefit not fully explored  Confident in their reverse engineering of Storm, but disinfector not yet tested on all Windows variants (but the technique demonstrably works!)  Non-functional source code they published could be completed/republished/used by someone else  “Found” other researchers with their enumerator (not the only ones to note this) 11
  12. Stakeholders Entity Activity Type Risk/Benefit Researchers Discovered vulnerabilities thru RE,

    developed working countermeasure (maybe with side-effects) Key Reputation, altruism Malware authors Write and maintain malware, send spam, steal information, sell CaaS, observe Researchers Key Booty, Arrest Svc. Providers Support infected end users, receive spam, respond to abuse reports Secondary Lost revenue, DoS End users (including enterprises) Infected with bots, networks penetrated Primary Fraud, data loss, business continuity General public Receive services provided by enterprises (e.g., 9-1-1, health care, public services, banking, ecommerce) Primary Fraud, DoS, physical harm 12
  13. W32.Downadup (Conficker)  What if a “good worm” was created

    to clean up Conficker?  “The Conficker worm infected several hundred machines and critical medical equipment in an undisclosed number of U.S. hospitals recently, a security expert said on Thursday in a panel at the RSA security conference.”  “Staff at hospitals across Sheffield [U.K.]… confirmed that more than 800 computers have been infected with self-replicating Conficker code. Insiders at Sheffield Teaching Hospitals Trust said they suspect many more machines are affected but have not been reported to IT.”  “The justice system in Houston was thrown into disarray late last week after the infamous Conficker (Downadup) worm infected key systems… [forcing] municipal courts in the Texan city to shut down on Friday, and police had to temporarily stop making arrests for minor offences, such as those for outstanding traffic warrants or minor drug possession.” 13
  14.  YES  Academic independence from government  Only means

    of gathering certain information  NO  Interference with LEAs?  Confusing other researchers?  Alter/destroy/conceal evidence?  Responsible conduct re: evidence of crimes? Is it ethical to perform research that alters an active crime scene without coordinating with law enforcement? Active Engagement With Criminal Activity 14
  15.  YES  Unpredictability of side- effects  Risk of

    harm >0  NO  Cease to do meaningful research  Escalating cycle of sophistication Is it ethical to restrict researchers to only performing actions that are guaranteed to be risk- free, or avoid any potential ambiguity in laws? Constraining researchers 15
  16.  YES  Harm increases over time: longer a host

    stays infected, greater the harm  Allowing harm vs. doing something to cease harm  Many users don’t know they are infected / are not able to handle problem themselves (they would appreciate help – e.g. granny)  Virus scanners have crashed systems, too. Still, they are mostly doing good.  NO  Effectiveness of cleanup not total  No examples of “good worms” that were completely good  Unintended consequences of uncoordinated action (e.g., crash patient care systems) Is it ethical to clean up infected computers owned by others without their knowledge and consent? Informed consent 16
  17.  YES  Knowledge gained helps victims behave more safely

    online  Some victims would give up privacy for somebody watching their computers. (Similar to police setting up sobriety checkpoints to catch drunk drivers.)  NO  Victims did not consent to having stolen details of their private/personal behavior analyzed by researchers Is it ethical to violate the ownership (privacy) rights of others in order to obtain information that helps mitigate a criminal botnet? Respect for persons 17
  18. Questions  Contact: David Dittrich, University of Washington dittrich at

    uw dot edu http://staff.washington.edu/dittrich Felix Leder, University of Bonn leder at cs dot uni-bonn dot de Tillmann Werner, University of Bonn werner at cs dot uni-bonn dot de 18