March 12, 2009 5:46 PM PDT

BBC buys, uses botnet to show dangers to PCs

by Elinor Mills

To demonstrate the threats from botnets, the BBC purchased a network of 22,000 infected computers, used it to spam its own e-mail accounts and for a denial-of-service test, and then left messages on the hijacked computers that they were infected.

The BBC's Spencer Kelly discusses how the BBC's botnet spammed two e-mail accounts the company created as a test.

(Credit: BBC)

The BBC's Click technology program said it acquired the "low value" botnet after visiting Internet chat rooms and used the network to spam a Gmail and a Hotmail account it had created for the spam test. It demonstrated the test in a video that accompanies a BBC article about the exposé on Thursday.

The e-mail accounts received thousands of spam messages within hours, the video says.

The botnet was also used in a distributed denial-of-service attack on a test site owned by security company Prevx. After the demo attacks were complete, the BBC left messages on the infected computers used in the botnet telling their owners they were infected and offering information on how to secure their systems, and then disabled the botnet, the company says.

No personal information was accessed on the infected PCs, the BBC said. "If this exercise had been done with criminal intent it would be breaking the law," the article said.

However, a European law firm says the BBC may in fact have broken the law despite its good intentions.

The BBC violated the Computer Misuse Act by acquiring and using the software to control the botnet, according to Struan Robertson, a technology lawyer with Pinsent Masons and editor of the firm's Out-Law.com site.

"It does not matter that the e-mails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorized access to a computer," Robertson said.

"The Act requires that a computer has been made to perform a function with intent to secure access to any program or data on the computer. Using the botnet to send an e-mail is likely to satisfy that requirement," he wrote. "It also requires that the access is unauthorized--which the BBC appears to acknowledge."

Robertson said it is unlikely the BBC will be prosecuted because its action probably caused no harm.

Robertson notes that the BBC said on Twitter that it had consulted with lawyers before it acquired the botnet and took action.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
by mbenedict March 12, 2009 6:50 PM PDT
As someone who works in the security field, in my opinion what the BBC did was unethical, at the least.

First, the demonstration had no security value. We've learned absolutely NOTHING from this demonstration that we didn't already know before. People can hire botnets to send spam, old news.

Second, the demonstration -- without permission -- used computer and network resources of the infected computers, Google, Hotmail, and various ISPs.

Third, to "leave messages" and to "disable" the botnet, BBC might have had to send commands of its own to each infected computer, changing its state. This alone could have interfered with normal operations of an infected computer (causing unexpected errors, etc.)

Fourth, it seems the ONLY reason for doing all this is to generate publicity for BBC's Click programme, which generates ad revenue for BBC. So it appears that BBC hired a botnet to spam Google and Microsoft and affected the operation of 3rd party computers for solely its own financial benefit.

Many in the security field gain professional credentials (such as CISSP) and as part of such credential adhere to its Code of Ethics. BBC would be well served to review its own Code of Ethics, which seems lacking in this case.
by Sam Papelbon March 13, 2009 7:57 AM PDT
"We've learned absolutely NOTHING from this demonstration"

do you speak for all the viewers who might have seen this program? or just yourself?
by YankeePoodle March 13, 2009 8:15 AM PDT
I don't know the law and I am no expert in security, but I think what BBC did was the right thing. Many people do not know about botnets, or even if they knew, they did not know how easy it is to procure a botnet. It will certainly help people, and as far as breaking the law, law enforcement throughout the world does selective enforcement whether they admit it or not.
by mbenedict March 13, 2009 9:38 AM PDT
Unless BBC viewers are a bunch of complete idiots, then surely we don't need BBC to *actually* hire botnets (PAYING MONEY TO THE BAD GUYS), hijack resources of 20,000 computers, and spam Google + Hotmail just so the viewers can understand how easy it is to procure a botnet.

BBC could've just interviewed a few experts, done a "dramatization" skit and achieved the same thing, without all these legal and ethical dilemmas.

No, the only reason BBC *actually* hired a botnet is to be sensational, gain publicity, and make ad revenue money for itself. Despicable.
by actualtiger March 14, 2009 8:41 PM PDT
The BBC has "experts" on its programs talking about this sort of stuff every other day. Most people's eyes glaze over when they see a couple of talking heads talking about things of which they have no comprehension; I know mine do when the financial experts start chattering away.

Sure, many of the people reading this won't learn anything. However, I suggest that the BBC in the UK alone has a somewhat bigger audience than this blog enjoys, and globally it would be hugely bigger!

As far as I know, in the UK at least, the BBC does not have any ads; it's funded by viewer license fees. And I believe that the BBC World Service is funded by the UK Foreign Office, so it's the equivalent of VoA. So comments about them doing this to make ad revenue are probably wrong. It would be true that pay TV broadcasters who take BBC feeds might make money from ads, but not the BBC itself.
by Jack K1 March 12, 2009 6:58 PM PDT
I count that as 22,000 cases of hacking. Tut tut, it's jail time for journalists.
by BobbyMcFerrin March 14, 2009 6:27 AM PDT
Well, I count it as 22,000 PC users being informed that their computer was infected, probably without their knowledge, and therefore showing them that they need to implement protective measures. Secondly, you seem to be misinformed about 'hacking'. Hacking involves NO criminal intent at all; it is simply finding out how systems work due to curiosity, and possibly even helping companies and others by indicating security problems. On the other hand, 'hacking' with criminal intent is referred to as 'cracking'. So in your opinion, it's 22,000 cases of cracking, but I think the BBC helped out 22,000 PC users by showing them that they should run antivirus tools and such to try and prevent what botnets do. I definitely think that what the BBC did was completely right, but that's just my opinion :)
by knowles2 March 12, 2009 7:18 PM PDT
Also, the BBC would be pretty well protected under the public interest rule; "was it in the public interest for the BBC to do this" would be the argument they would use in any court case. I do not see how the answer can be no, given the amount of articles it generated and the increase in awareness.

Also, it will require someone to actually complain to the police; the police do not investigate anything without a formal complaint from someone, not even an attack on a minister caught on more than a few cameras with the protester admitting it on live TV, without John Prescott launching a complaint about it to the police.

As to the actual crime, they would have consulted with more than a few lawyers and probably had some advice from the police themselves before launching the experiment.

As to the person who mentioned ad revenue, last time I checked the BBC does not receive ad money; it's publicly funded. Now BBC America, on the other hand, might do, but I doubt the program even airs on there.
by mbenedict March 12, 2009 11:08 PM PDT
1. There is no need for the BBC to actually participate in botnet spamming to "inform the public". It only did so to make its program more sensational.

2. BBC makes millions in ad revenue, especially online for non-UK users (some estimate more than £100m per year.) BBC also has a deal with YouTube, where BBC gets money for providing content. BBC Click is among the programs available on YouTube.

See for example: http://www.bbcreachingmillions.com/ and http://www.youtube.com/watch?v=0w_bd5nblqE&feature=channel_page
by alenas March 13, 2009 4:45 AM PDT
Seems like the guys that are complaining about BBC's actions are spammers themselves, who did not like that someone turned off the botnet.
by salientknight March 13, 2009 5:53 AM PDT
The media should be reporting the news, not making it. Heads should roll.
by van_Zeller March 13, 2009 6:48 AM PDT
It seems like a great idea to me...you should all stop your ******** and whining, pardon my French. One of the reasons the war on malware is being lost (and trust me, it is) is that there is not enough awareness on the subject. If a virus is sufficiently quiet and does no damage to your computer directly, people either don't know or don't care. I see this all the time with friends who bring their computer over for me to "fix". So generating awareness and showing the situation to the masses sounds like a good plan.
by ajhoughton March 13, 2009 8:05 AM PDT
It's a shame, actually, that it isn't legal, where machines' owners are negligent, to break into their systems in order to secure them properly. Or at least to shut them down so that they don't impact on everyone else. Actually it'd be nice if ISPs monitored the machines used by their subscribers and disconnected them automatically if they get misused, insisting that they be properly secured before reconnection.

The BBC has clearly broken the letter of the law in this instance, though as long as they were careful not to do any damage I suspect (as it suggests in the article) that a prosecution is unlikely.
by Michichael March 13, 2009 9:20 AM PDT
Roadrunner does this. They cut my parents off for allegedly being infected with a botnet. They weren't.
by [RR]Macavity March 13, 2009 10:05 AM PDT
Michichael: Thanks for the heads-up on that - now I know not to give my money to Roadrunner ;)
by gggg sssss March 13, 2009 10:01 AM PDT
The BBC could have created its own army of bots by buying a bunch of PCs, sticking them in a warehouse and loading them with trojans. Their actions in further compromising already victimized computers and their owners are akin to proving that kicking somebody in the head hurts by going out and kicking some poor beggar on the street corner. Or attempting to prove that dog fighting is bad by staging a dog fight.

Where is the Queen when you need her? Off with their collective heads.
by CITechnologies March 13, 2009 1:36 PM PDT
First of all, they broke the law regardless of the intent by using other people's computers without their authorization.

Second, the awareness issue is total BS because the owners of the computers are responsible for educating themselves on all products they purchase and for maintaining them in a legal sense. We buy products all the time that we are held responsible for not misusing, and that doesn't take a lot of intelligence. This is a clear case of the "ignorance is bliss" idea. I can leave my system infected as long as I'm willing to tolerate its bad behavior and let everyone else deal with the financial impacts of my laziness. If you are too ignorant or too dumb to use the hardware appropriately and responsibly, you shouldn't have it in the first place. This includes putting forth efforts to secure it and keep it up to date. If I didn't put locks on my doors and I got robbed, everyone would say I asked for it and that I was stupid for not taking precautions. This does not mean I endorse the so-called hackers who infect your system in the first place, because they as well broke many laws.

Third, they have no right to manipulate the computers on the botnet as they did without getting consent. Who knows if the commands they sent to shut the systems down did more harm than leaving the botnet alone. There just isn't enough information to prove there was no harm as claimed. I appreciate the noble move, but I don't want any of my systems tampered with because I keep some pretty sensitive apps running at all times. I don't want my system shut down or tweaked without running full tests in a test environment first. Some systems don't have updates installed because of compatibility issues, so other security measures need to be taken to rectify problems.

Fourth (pointed more towards van_Zeller), the war on malware continues because of the ignorance and laziness of computer users who shouldn't be allowed to have their own PC in the first place because they don't practice safe computing. I know it gets tougher every day to combat malware, but it is real easy to point fingers when nobody wants to be held accountable for their own actions. Even after expensive system fixes, I know a lot of people who still refuse to run updated anti-virus/anti-spyware programs. In most cases, simply paying the subscription would have been much cheaper than cleaning the system after infection.

Last, there are tons of news broadcasts, articles, discussions, books, FAQs, etc... talking about these issues and how they are used. This article did absolutely nothing to prove or show what has not already been drilled into the public for over a decade. For those pointing out whether it helped one person or everyone, that is a matter of convenience. If you want to hear about it, you will. There is news I miss every day, but that doesn't mean I'm not responsible for knowing it. This news is terribly old news. They just used this as an opportunity for getting bonus points for actually participating. We all know this would make an outcry from those who care, and we all know that the media gets more attention when they do more shocking investigations. It makes more entertaining news. That is a huge factor in the amount of viewers, which directly applies to the revenue they bring in.
by BobbyMcFerrin March 14, 2009 6:37 AM PDT
Regarding your third point, the botnet the BBC used had already infected the computers; a cracker had built the botnet and distributed it to the PCs, and s/he could have performed all sorts of criminal acts whenever they wanted. The BBC bought the botnet off of them to prevent them from using it, and performed innocent actions that could have been performed maliciously whenever the original cracker wanted. Next, the BBC disabled the botnet, thus securing the PCs from one of however many viruses they have. And about your point regarding sensitive applications, if you have such important programs running, perhaps you should research and perform all protective measures possible on your computer in order to protect it, or else you could get a Mac :)
by dellboy2 March 16, 2009 12:58 AM PDT
I hope the BBC passed details of where they purchased the botnet to the relevant authorities. This in itself could save thousands more computers from being infected.