Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 16 June 2010

Botnets: The good, the bad and the confusing

Both Jart at HostExploit, and Pedro Bueno at McAfee, recently reported on botnets being used by the good guys, aswell as the bad. See;

http://www.internetevolution.com/author.asp?section_id=717&doc_id=193286&f_src=internetevolution_section_717

http://www.trustedsource.org/blog/422

The problem here, is that we've known for years that the bad guys were using them, and likely knew but didn't want to admit, that the good guys invariably used the same sort of tactics, to root out the bad guys. The problem is, as Jart asked, how are you supposed to tell the good from the bad?

Do you just look at the source systems, and target systems? Well no, that's not going to help you, as I found out recently, when sending a take down notice to 1 & 1 during an investigation into this, and was informed, that actually, the IP addresses had been hijacked by the good guys, for analysis purposes, or as he put it;

1&1 does not host the evil scripts or any infecting Root-Server. The [removed] rooted the Domain to their 1&1 Servers from China to our range to investigate the attacks and furhter access. So it looked like 1&1 did it. This was reported in the german media, too.


For a good guys bot to be successful, it needs to look and act, exactly the same as the bad guys bot. But this poses a huge problem, both from an ethical perspective, and a legal one.

There's several problems with the good guys using this method, and at least one of them is from a legal stand point. Thankfully I'm not a lawyer, so will leave the discussion on that one, to those more familiar with the laws regarding that than myself (as far as I'm concerned, good guys or bad, they have no right to access a system without authorization, which is what these are doing). One of the other problems is, there's no flag from the good guys bot, to enable us to identify them as good, and to be fair, we'd not believe such a flag even if there were one.

No comments: