TippingPoint Digital Vaccine Laboratories

Kraken Botnet Infiltration

Earlier this month a number of articles surfaced on the research and disagreements regarding the size and classification of a large botnet named Kraken. At the front line of the debate were SecureWorks and Damballa. SecureWorks claims Kraken is actually Bobax and estimates the botnet to include over 185,000 compromised systems. Damballa disagrees, stating that Kraken is an entirely new botnet with a size over twice that of Storm. Semantics aside, no one disagrees that Kraken/Bobax is among the largest of the known botnets, if not the largest.

Cody and I thought it would be interesting to examine Kraken with the specific goal of infiltrating the bot network. We started with a sample from Offensive Computing and, working from there, eventually concluded that we would indeed be able to infiltrate and take over increasingly larger portions of the Kraken botnet. Cody did most of the manual labor of protocol dissection, reverse engineering the encryption routines and eventually creating a fake Kraken server capable of overtaking a redirected zombie. His detailed write-up on the reverse engineering process is available under "Owning Kraken".

The key to overtaking the botnet is understanding how the overall client-server architecture works. Kraken-infected systems attempt to "phone home" to a master command and control server by systematically generating sub-domains under various dynamic DNS services such as dyndns.com. By reverse engineering the list of names and successfully registering some of the sub-domains Kraken is looking for, we can emulate a server and begin to infiltrate the network zombie by zombie. Stated simply, Kraken-infected systems worldwide start to connect to a server we control.
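The ordering game this describes (the bot walks a generated list of names top to bottom, and whoever holds the first name that still resolves gets the connection) is easier to see in a small simulation. The following is an added example, not code from the DVLabs post and not Kraken's own algorithm: the name generator is a hypothetical stand-in (SHA-256 over a seed and a counter), the dynamic DNS suffixes are just the two providers the post and its comments mention, and the IP addresses come from the RFC 5737 documentation ranges. It also models the fall-through the comments explain, where a name disabled by the provider sends the bots on to the next registered name below it.

```python
"""Sinkhole ordering against a list-walking bot (added example).

Added illustration, not code from the DVLabs post or from Kraken. The name
generator is a hypothetical stand-in; the suffixes, seed and IP addresses
are constructed.
"""
import hashlib
import string

HERDER_IP = "203.0.113.7"      # constructed (RFC 5737 documentation range)
SINKHOLE_IP = "198.51.100.10"  # constructed (RFC 5737 documentation range)


def candidate_names(seed: bytes, count: int, suffixes=("dyndns.com", "yi.org")):
    """Deterministic, ordered list of names a bot tries, top to bottom.

    Anyone who recovers the generator from the binary (herder or defender)
    can reproduce exactly this list. Hypothetical generator, not Kraken's.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        label = "".join(string.ascii_lowercase[b % 26] for b in digest[:8])
        names.append(f"{label}.{suffixes[i % len(suffixes)]}")
    return names


def make_resolver(dns_table: dict):
    """DNS stand-in: a name resolves only while somebody holds it."""
    return lambda name: dns_table.get(name)


def bot_phone_home(names, resolve):
    """Bot side: stop at the first name that resolves.

    A name that does not resolve (never registered, or disabled by the
    provider) is skipped, so control falls through to the next holder.
    """
    for name in names:
        ip = resolve(name)
        if ip is not None:
            return name, ip
    return None


def pick_sinkhole_names(names, already_registered, budget):
    """Defender side: register the earliest free names within budget.

    Position matters more than quantity: a bot only reaches a name after
    every name above it has failed to resolve.
    """
    chosen = []
    for name in names:
        if len(chosen) == budget:
            break
        if name not in already_registered:
            chosen.append(name)
    return chosen


def simulate(seed: bytes = b"demo-seed"):
    """Herder holds positions 0 and 3; we take the next two free slots.

    Returns (names, our names, where bots went with the herder's top name
    live, where they went after the provider disabled it).
    """
    names = candidate_names(seed, 6)
    herder_names = {names[0], names[3]}
    ours = pick_sinkhole_names(names, herder_names, budget=2)

    dns = {n: HERDER_IP for n in herder_names}
    dns.update({n: SINKHOLE_IP for n in ours})

    before = bot_phone_home(names, make_resolver(dns))  # live top name wins
    del dns[names[0]]                                   # provider disables it
    after = bot_phone_home(names, make_resolver(dns))   # traffic falls to us
    return names, ours, before, after


if __name__ == "__main__":
    names, ours, before, after = simulate()
    print("candidate list:  ", names)
    print("registered by us:", ours)
    print("herder up   ->", before)
    print("herder down ->", after)
```

The `before`/`after` pair is the sampling effect described in the comments: while a herder-controlled name above ours is up, bots never reach us; each time the provider takes it down, the whole population below it lands on the sinkhole. Note the sinkhole here only answers the lookup; what the listener then says back to the bot is the separate question the rest of the post is about.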

We monitored Kraken connections for a period of one week (seven days). In that time we received over 1.8 million requests from infected systems worldwide. Of these requests, over 65,000 came from unique IP addresses. Here is our list of all uniquely infected IP addresses. This number still does not accurately capture the true infection count monitored. Why? Think about the systems that are constantly rebooted, assigned a new IP address and then re-connect to the command and control server; each such system shows up as several IP addresses. We can do better thanks to the fact that the initial request from the Kraken zombies contains an encryption key generated in such a manner that it is constant per system but unique across systems (see "Owning Kraken" for further details). Counting at this level of granularity leaves us with 25,000 truly unique infections monitored over seven days ... and growing: we are seeing a fairly uniform number of new infections a day.
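The counting method above (dedup by a stable per-host key instead of by source IP) is worth seeing on concrete records, because the two numbers drift in both directions: DHCP churn makes one host look like several addresses, and a NAT gateway makes several hosts look like one address. The following is an added example, not DVLabs code and not real Kraken data. The log format, the keys and the addresses are constructed; the only property it relies on is the one the post states, that the first request carries a key that is constant per system and unique across systems. It also tallies first-sighting dates per host (the "new infections a day" figure) and, since the same first request carries a version field, counts versions per host rather than per request.

```python
"""Counting infections from sinkhole logs by IP vs. by per-host key.

Added illustration, not DVLabs code or Kraken data. Log format, keys and
addresses are constructed; only the "key is constant per system, unique
across systems" property from the post is assumed.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: "<timestamp> <source IP> <per-host key> <version>".
# 9f3c1a is one host seen from three addresses (DHCP churn);
# 198.51.100.5 is one address fronting two hosts (NAT).
SAMPLE_LOG = """\
2008-04-21T00:10:02Z 192.0.2.10 9f3c1a 1
2008-04-21T03:44:19Z 192.0.2.10 9f3c1a 1
2008-04-21T08:02:55Z 192.0.2.77 9f3c1a 1
2008-04-22T11:30:41Z 198.51.100.5 4ab7e0 2
2008-04-22T11:30:41Z 198.51.100.5 77d2c9 2
2008-04-22T15:00:00Z 192.0.2.99 9f3c1a 1
2008-04-23T19:15:03Z 203.0.113.200 4ab7e0 2
2008-04-23T22:01:17Z 192.0.2.10 e1e1e1 1
"""


def parse_log(text: str):
    """One dict per request, sorted by time; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, key, version = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "key": key,
            "version": version,
        })
    records.sort(key=lambda r: r["ts"])
    return records


def summarize(records):
    """Request, IP and host counts plus the cases where IP and host disagree."""
    keys_by_ip = defaultdict(set)
    ips_by_key = defaultdict(set)
    first_seen = {}  # key -> first record; gives first-sighting date and version
    for r in records:
        keys_by_ip[r["ip"]].add(r["key"])
        ips_by_key[r["key"]].add(r["ip"])
        first_seen.setdefault(r["key"], r)
    return {
        "requests": len(records),
        "unique_ips": len(keys_by_ip),
        "unique_hosts": len(ips_by_key),
        "hosts_with_ip_churn": sorted(
            k for k, ips in ips_by_key.items() if len(ips) > 1),
        "ips_shared_by_hosts": sorted(
            ip for ip, ks in keys_by_ip.items() if len(ks) > 1),
        "new_hosts_per_day": dict(Counter(
            r["ts"].date().isoformat() for r in first_seen.values())),
        "versions_by_host": dict(Counter(
            r["version"] for r in first_seen.values())),
    }


if __name__ == "__main__":
    for name, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{name:>20}: {value}")
```

On the sample, eight requests collapse to five addresses but only four hosts, and the two "disagreement" lists show exactly which hosts moved between addresses and which addresses hid more than one host. The per-host count is still a lower bound on the botnet: it only covers bots that reached this sinkhole during the window.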

Applying a reverse DNS lookup over this set of IP addresses reveals that the bulk of the monitored infected user base is home broadband users. The source country distribution breaks down as follows:

The initial Kraken zombie request also contains a version field, which we parsed and found to have the following distribution:

Various estimates place the overall size of the botnet somewhere between 185,000 and 600,000 zombies. This means that within a single week we would have been able to take over anywhere from 4% to 14% of the infected population ... and this is where we entered into a moral dilemma and ethical discussion. We have the ability to successfully redirect infected systems. We have the ability to provide an 'update' through the existing Kraken protocol that simply removes the Kraken zombie (again see "Owning Kraken" for a video demonstrating this capability). Is it wrong to do so? Although this discussion is similar to that of writing "good worms" that roam the internet patching vulnerable servers, there is a key difference in that a good worm can't be stopped: once it has been released it is a self-spreading, uncontrollable entity. In our specific case, however, we have the ability to cease at any point. It is simply a one-to-one relationship: an infected system connects to us, we supply a simple binary to kill the target process, and we never hear from the infected system again, and neither do the actual botnet owners' command and control servers.

Cody and I are both pro "cleansing". Dave Endler, on the other hand, is against. The arguments for cleansing are obvious; the arguments against are a little more complicated. The most interesting of the points that Dave brought up is the corner case of what happens if we accidentally crash the target system. What if that target system is responsible for someone's life support? Yes, the system is already infected with a spam-delivering zombie capable of receiving arbitrary updates from malicious actors, but at least for now it's running and carrying out the rest of its functionality. As director of DVLabs, Dave's opinion overrides our own, so we simply sit and monitor. What are your personal thoughts on the matter?

Tags: kraken,bot nets
Published On: 2008-04-28 19:03:23

Comments

  1. Felix Pleşoianu commented on 2008-04-29 @ 08:06

    Fascinating story, even for someone who's not into security.

    Regarding the "cleansing" dispute, I think that if somebody's running a life support system on a Windows box - as opposed to a dedicated system - and an unsecured box on top of that, then *they* are guilty of putting lives at risk, not you. Besides, how long until the box in question ceases to perform its normal functions because of the zombie, if it hasn't already?

    Your choice boils down to "do we perform the only action that can deal a blow to this botnet, or do we stand aside because of a moral dilemma that may not actually be there?"

  2. Anonymous commented on 2008-04-29 @ 08:37

    Clean them. If you don't, a rival bot net owner will do so; except they will be replacing them with their own bot net client.

  3. Anonymous commented on 2008-04-29 @ 08:44

    Keep watching, and you'll see those killed processes respawn and reconnect to command and control. I'm doubting your ability to kill the bots in the manner described.

  4. Pedram Amini commented on 2008-04-29 @ 09:24

    Anonymous: It's not entirely clear to me why you doubt the bot killing ability? It's not a matter of simply killing the PID but then removing the binary and erasing the installed service for completeness. The removal process is not difficult and has been proven in a lab environment.

    The target system may get re-infected if it is not brought up to date with patches, is that what you are referring to?

  5. Mike commented on 2008-04-29 @ 09:30

    First of all, great article. As a master's student in information assurance, I found the article interesting to see the country breakdown. Furthermore, botnets and malware fascinate me.

    I truly sympathize with your moral quandary. However, I believe that Mr. Endler makes a compelling case for not cleansing. Would a compromise be that you contact the people that own the machines and see if they want you to clean them?

  6. Chris McBride commented on 2008-04-29 @ 09:43

    If the system isn't patched then the original installation vector still exists, even if you clean them. So what's the point? I'd think about cleaning them, and at the same time installing an executable that notifies the user that they need to update their machine or risk having it zombified again.

  7. Tom Deckers commented on 2008-04-29 @ 09:46

    Compare it to our 'real life' experiences. People are responsible for keeping their property secure. You shouldn't go out of the house without locking it either. Suppose you don't lock your house and someone enters the place. If noticed (by an alarm, neighbors), policemen won't hesitate to go in and fetch the intruder. Even if they risk stumbling over your precious china.
    I agree with Felix Pleşoianu. It's the owner's responsibility to make sure his PC doesn't become a zombie... If he fails to do so, he can expect someone else to do it for him, with all consequences that may flow out of that.
    If you're negligent about securing your PC, you're harming other people using the community utility which is the internet by increasing spam etc..

  8. Darren commented on 2008-04-29 @ 09:48

    I say you replace the wallpaper and screensaver on the zombies with random lolcats overlaid with a message explaining that zombie computers kill kittens...

  9. Anonymous commented on 2008-04-29 @ 09:55

    If someone is resting their life in the hands of an unpatched, internet connected machine, it's only a matter of time before something happens anyway. However, I wouldn't want to be the one responsible for making that happen.

    That being said, do you know of any such life support machine that is actually connected to the internet? I don't off hand.

    The keys are generated with information related to the system, it'd be nice if some method could be devised to check this key for the system version and only deliver the cleanser payload to systems that it is known to be stable on.

    I'm pro cleansing however and here's why. If my machine were infected, I'd much rather have code written by someone who knows what they're doing and has good intent run on my machine, than to sit and let the authors of the malicious code update the system at will to do whatever they need.

    This is probably a moot point by now anyhow. I'm sure the authors of the botnet can read and have no doubt been working to implement some kind of update to nullify the work that has been done so far.

  10. zach commented on 2008-04-29 @ 11:12

    Similar idea to notifying user/change wallpaper: Instead of cleansing outright, could you modify the infection so that it is quickly detected by anti-virus software, but without otherwise modifying the original functionality of the zombie?

  11. Roan commented on 2008-04-29 @ 11:13

    You not only face a moral dilemma, but updating a computer without authorization is illegal in the USA, most likely it is illegal in Britain. I have no clue for the other countries.

    Whether you would/can be prosecuted for criminal activity is another question. You may also open yourself up to civil suits.

    I fall on the side of pro-active patching, but there is more than just the moral decision to decide upon before taking action.

  12. Phil commented on 2008-04-29 @ 11:13

    Cleanse and patch - how many doctors have missed a critical piece of information in their inbox because of spam and a patient has died as a result? - I'll bet more than there are infected PC's running life supporting equipment.
    How many doctors spend time deleting spam that could better be spent curing patients? - almost all of them.
    An unpatched, infected machine is also likely to be less stable than a clean, patched one.
    Not fixing these systems may result in deaths.

  13. Ian Murphy commented on 2008-04-29 @ 11:35

    First of all, there is no way in hell any life-support machine would have an internet connection, so that argument does not fly. As far as removing it goes, you shouldn't. As people above have already stated, the initial infection vector would still exist. And I'm definitely against having you patch someone's computer without their knowledge. The computer in question may be relying on the older dll's to support some legacy system and patching the OS could do more harm than good.

  14. not so anonymous commented on 2008-04-29 @ 12:07

    Hey guys, great job, wish I could help in some way... I guess maybe if you had someone that wasn't working for you, but had access to this info, they could be the ones to push that red go button and leave you without blame. I would be proud to help in any way as a means to an end. If this is on any serious big corp server, trust me, the data is backed up and so are the systems. If you crash their server it boots up again. I know of no medical place that has Windows running heart monitoring systems, and I believe this is a Windows-only worm, correct?

    If you want to contact me, you know what you have to do.
    cya

  15. Anonymous commented on 2008-04-29 @ 12:16

    Clean 'em. I think the life support argument is bullshit. What life support computers are both Windows and connected? And if they are it was by an idiot.

  16. Anonymous commented on 2008-04-29 @ 12:41

    Perhaps in a controlled environment, but what of those bots with polymorphic properties that immediately clone themselves and respawn a new PID the moment the currently active process is killed... and the binaries do not always reside in ...\system32 and have been found in places like ...\system32\drivers and even the fonts directory. Have you devised a way to interrupt this self-preservation, or have you not witnessed this? In most cases the respawned processes will not attempt to reconnect to the same host unless no other hosts are available. While it's true that you may never hear from the bot again... you can be sure the herder will.
    See: http://en.wikipedia.org/wiki/Number_Six_(Battlestar_Galactica)

  17. David Endler commented on 2008-04-29 @ 12:59

    @Anonymous: Life support was simply one of several scenarios I brought up. What if one of the systems is a military system - what are the laws governing unauthorized modification to that system? What about SCADA systems? Would you dare risk the impact of an electrical outage now that Grand Theft Auto IV is out? :-)

    In all seriousness, cleansing the systems would probably help 99% of the infected user base, it's just the 1% of corner cases that scares me from a corporate liability standpoint.

  18. John commented on 2008-04-29 @ 13:08

    I think the moral dilemma does NOT exist here, for two reasons. The first has already been discussed, which is that there are no life support systems running on Windows with an Internet connection. A better example might be a support computer for a nuclear reactor, however, it's not a critical system.

    The second reason not yet mentioned here is this: They are requesting information from you. You didn't misreport anything. Their computer queried you FIRST, and you RESPONDED. So if your response includes a cleansing and they run it, it's not your fault.

    I get emails with attachments all the time. I don't run them if I don't trust them. So they've had 2 opportunities to avert any "wrongdoing" your cleansing is responsible for.

  19. Anonymous commented on 2008-04-29 @ 13:33

    This part of the article is unclear to me: "By reverse engineering the list of names and successfully registering some of the sub-domains Kraken is looking for, we can emulate a server".

    How are you able to register these domain names? Wouldn't the Kraken herder already be registering these names as to control the botnet?

  20. Kurt Seifried commented on 2008-04-29 @ 14:58

    Hey ho, my one thought on this is that these machines are obviously not well cared for (based on results, they are infected) and short of removing Kraken, running Windows update (assuming these are not pirated copies), installing some anti-virus software and whatever measures are appropriate (spyware software? etc.) they will just get reinfected promptly. In other words unless you go all out (which strikes me legally as an insane proposition with respect to the amount of liability you would be potentially incurring) it's at best a band aid for a sucking chest wound. If you can figure out a way to remove Kraken and/or update machines with no or minimal liability issues for yourself please let us know how you do it =).

    One thought that comes to mind as a way to take a minimally intrusive action and (hopefully) incur minimal liability by simply informing the end user, for example a pop-up message or notepad.txt with some text displaying a message notifying whoever is on the other end that their machine is infected and where they can go (some page at Microsoft listing best security practices?) to get some information on dealing with it.

  21. j commented on 2008-04-29 @ 15:03

    I think you made the right call, guys. It's a shame because this would be a lovely little victory (regardless of what those who comment that it wouldn't work - without even seeing the code), but the fact remains, as already stated, that the laws in many countries forbid such activity. The fact that you've written about the dilemma means it's no longer an option for you. Publicly, that is. If you were able to ensure that no such activity could be traced back to you then you would, I am sure, be commended (privately) for doing so...

  22. Pedram Amini commented on 2008-04-29 @ 15:08

    In response to Anonymous asking "How are you able to register these domain names? Wouldn't the Kraken herder already be registering these names as to control the botnet?"...

    Kraken's algorithm will continually generate names. So as the names towards the top of the list are disabled by the dynip providers the Kraken zombies will continue down the list connecting to the next available server. The botnet owners registered a few of the names at the top of the list and many many names @yi.org.

    Our registered names are pretty close to the top. In our testing there was only a single server active above ours but it was going up and down sporadically. Bottom line, we are not seeing all of the traffic. Just a sampling of the traffic.

  23. Pedram Amini commented on 2008-04-29 @ 15:19

    Kurt Seifried: Long time no chat old friend ;-)

    You make a valid point in that these systems are likely neglected and could get popped again. Of course that depends on how they were popped in the first place. I don't *believe* that Kraken is spread via a server-side exploit but rather the seeding mostly relies on web based exploits. So chances of it being popped again, by at least Kraken, may not be all that high.

  24. Anonymous commented on 2008-04-29 @ 16:12

    If I'm not mistaken, simply taking over the first dynamic DNS domain is more than sufficient at stopping the bots from actually maintaining activity. So in that case, just take over the server function. On the flip side, if you are worried that fixing it could crash the system, then wouldn't your interference in the network already put you at risk for that? It's not like your version of the server is a "perfect" match of the original. You could always do something simple, like pop up an alert window on the computer; that's only a couple of API calls and could be extremely reliable.

  25. Pedram Amini commented on 2008-04-29 @ 16:39

    Anonymous: The reason we are not worried about causing a crash currently is because we are not talking back to any of the Kraken zombies that are phoning home to us. We are simply listening passively, decrypting the request and recording statistics.

    The Kraken zombies will continue down the list of generated dyndns names looking for an available server.

  26. Alex commented on 2008-04-29 @ 17:02

    I personally think that you should have removed the bots and killed what you could have of the bot network but Dave is right from a management perspective.

    What if you removed/updated a bot running on a U.S. government computer? That's a federal offense.

    One point that made me really wonder in the discussion was Tom Deckers thought of "People are responsible for keeping their property secure". I generally think this is true but what about when someone's lack of security for their own property is costing others? As in the case of a network of bots flooding SMTP servers. Interesting dilemma.

    Great post and discussion.

  27. OzBox commented on 2008-04-29 @ 22:05

    Is there a sleep function you could send? It worked on the borg, makes the zombie unavailable until next reboot and would be risk free.

  28. Joe commented on 2008-04-30 @ 06:58

    Although I agree that the thought of a Windows PC running a life support system is laughable, I wouldn't be surprised if there was such a setup in existence. Regardless, it is a good illustration of the liability argument and is enough to scare me off pressing the "Cleanse" button.

    If you can't remove the bot, can you neutralise it, i.e. stop it from sending out spam and getting new instructions from the actual botnet owners?
    You say you can provide a patch to
    "kill the target process, we never hear from the infected system again and neither can the actual botnet owners command and control servers."
    Can you also provide a patch that means your server is the only server the bot will ever contact? Would it be safe to do so, or would this modification also be seen as "dangerous" to the infected PC?

    If you can take control of the bot completely away from the actual botnet owners safely, then surely this is as good as cleansing the infected PC?

  29. MJ commented on 2008-04-30 @ 07:02

    Great information but useless words until a central unity is found among white hats.

    Black hats bound together many years back and only grew stronger as the whites spent that time bickering among themselves.."Who can be the best"

    Heh,the best is the botnet,they understand the words..

    Common Cause

    Unity

    Strength in numbers

    Divided we fall

    When the general collaboration of vendors and security specialists gets out of puberty and joins us here in the real world we can stage a fight against this existing dark force.

    As for now,the internet has a full blown case of AIDS and no one is making a cure.

    I fear my life will expire before this ever happens,so my legacy gets left holding the bag or what will be left of it.

    Cheers from the southside,

    MJ

  30. Rob Jackson commented on 2008-04-30 @ 10:06

    Close the door....or better yet give a popup and ask permission i.e.)

    Hi, your computer has really bad stuff on it. If you don't mind we're going to remove it [OK] [No Thanks I Like Being pwnd]. If you have questions go to this website. (On the website have both an explanation and some basic instructions on how to keep your system from getting owned again.)

  31. Dustin commented on 2008-04-30 @ 19:38

    Pedram,

    Congrats on your breakthrough!! I remember a muggy day sometime during the throes of the "CodeRed" worm when we discussed the possibility of something like this in your apartment with (I think) Eric and Doug. The idea had just come around through the meme-o-sphere that a one-off "patching worm" could be created for any worm that left its attack vector unpatched. IIRC, everyone was in agreement that the benefits outweighed the possible damages.

    But now that I've been around the block in the "real world" I also see Dave's point about liability for your direct actions. Is there a middle ground here? I think there is, but now that this article has hit the street you're facing further escalation from the botnet programmer...

    My suggestion (please check with your lawyers) would be to make available source code that has the effect of automating an infiltration and delivery of self-destructive updates. You give the code out, but don't run it yourselves (except in an isolated test network). This is how you'd handle a M$ exploit, right? Some "proof of concept code" that does the interesting part of infiltrating the system, and as "proof", closes the holes that let it in in the first place. Why give a break to the botnetters (in not disclosing your code) that you wouldn't give any other group? (Maybe you're waiting to contact the botnet herder and ask them to patch their product?? haha)

    On the ethical side, I'd argue that you have an imperative to create and disseminate such an exploit. The situation you find yourself in has a parallel that's been solved for a while in another domain. Think of the situation of a doctor who has to decide whether to treat an unconscious patient. In the absence of evidence that the patient does not want treatment (such as a DNR), the doctor will do whatever it takes to help the patient, doing his professional best to minimize the risks. And that's the difference between what we're talking about and the way the medical world works; there is no organization approving or disapproving our procedures and certifying who can and can't make these decisions. Nor are there equivalent laws shielding any of us from the inevitable (but hopefully rare) negative consequences. So you definitely have the moral right -- might there be any other legal protections?

    Here's a hypothetical to put to your lawyers: what would the law say about an equivalent physical situation that occurs on someone else's property, presents a pressing concern to the safety of others, and is in your power to remedy (i.e. a small apartment fire)? If I notice it and fix it before the authorities get there, have I committed trespassing (assuming I looked and saw no "no trespassing" signs)? Even if I had to go through a doorway already left open by the arsonist to fix the problem or rescue a victim, have I committed breaking and entering? I'd say the answer should be "No" in most jurisdictions.

    In regards to civil liability, yes you might be sued if something goes wrong. But in my understanding (I work exclusively for injury lawyers now, but obviously IANAL), there must be verifiable negligence for such a claim to stand up. Assuming you have good intentions, thoroughly test your code, and do due diligence in looking around for the equivalent of "no trespassing" or DNR notices, I'd say you're likely to have the legal right as well.

    Botnets are a cancer, guys. You've got to excise the malignant cells (infected hosts) before they bring down more cells and organs, and eventually destroy their host. Hell, if you have the ability to fix it but hesitate long enough to cause more harm you might even be held responsible at some point for the consequences of that decision as well. Talk to a lawyer ASAP, please... and good luck guys!

  32. Anonymous commented on 2008-04-30 @ 20:05

    I think there's an important point that appears to have been overlooked: negligence. We can attempt to find the person who left their machine open to be compromised and the resulting damage, or we can modify the system without changing its function (wallpaper, etc.), or we can remove the infection and close the hole. The hole wouldn't likely exist if the owner applied due care to the situation. It sounds like basic negligence to me.

  33. Ð. commented on 2008-05-01 @ 09:13

    Great research! We all have a right to not be bombarded because of someone else’s negligence. Wipe every hard drive slick and maybe when they reinstall, they will reinstall with appropriate safeguards, so as to avoid the hassle again. Obviously, do nothing illegal. However, if someone, from a country where it is not illegal were to perform such an operation….anyone planning a vacation soon?

  34. wheel commented on 2008-05-01 @ 10:03

    Cracking other people's computers is illegal in many countries. Your 'good' intentions don't change what you're suggesting you do - the same thing as the original hackers did.

  35. Pedram Amini commented on 2008-05-01 @ 12:21

    Dustin: Good to hear from you! Who would have guessed that botnet research could lead to old college friends opening dialog again. I do recall the conversation we had about Code Red, if things were as simple as they were back in the college days I am 100% sure we would have gone straight for bot removal ;-)

    There are a lot of solid arguments both pro and con, in the end it's not our (TippingPoint's) place to decide what is right or wrong. Perhaps in the future there will be some global non-profit organization who will handle these matters. Who knows.

  36. extranational commented on 2008-05-02 @ 01:52

    Great work, good discussion. Couple of points that come to mind after reading through the other comments.

    * Bottom line, unauthorized use is what makes "cleansing" unethical in the security profession.
    * Even initiating a user prompt would constitute unauthorized use where such laws exist.
    * I can imagine there will emerge - or has already emerged - a "gray hat" community of mercenaries that will straddle this ethical divide and provide for-profit cyber-security defense services that include counter-offensive and defensive tactics.

    Great work! Thank you, Cody and Pedram!

  37. Scott C commented on 2008-05-02 @ 15:15

    This same debate was raised with the Code Red worm (2002?) in that a researcher created a "friendly" worm (Code Green) that moved through the same vector, disinfected, then patched the system. If memory recalls, it was shot down for several reasons (many you have cited here). In essence this was a "nice worm", but a worm nevertheless, and no one would consciously back the project (legal and ethical reasons). Great job guys --- really fascinating stuff!

  38. ian commented on 2008-05-03 @ 18:42

    What I find interesting is that the only people that fear affecting a machine are the good guys. Not for the fact that it could cause issues technically, more for the reasons of legal kickback.

    I am reminded of the legal wrangling in the US between those that fear guns and those that believe guns are a right to prevent government and others from having the complete upper hand.

    On the side of the NRA: It is our right to defend ourselves from others that attack us and perform evil upon others even if there is a chance that those that own guns can perform evil.

    On the side of those that fear guns: If we take away guns we won't have any problems with them anymore even though criminals don't care about the law and its ramifications.

    Currently the NRA has more rights than the other lobby. In the spam/botnet corner the criminals have more rights. We are under attack by spam and criminals, yet there are no policemen in that arena yet. It's the wild west. Here is a group that has a weapon against a large and powerful botnet and can't use it because lawyers win. Not all the people affected by this criminal organization.

    So why are we not brave enough to fight this battle? If its a legal battle lets start fighting it. Can't Department of Homeland Security take this on and just run a handful of servers "cleansing" machines.

  39. Rich L commented on 2008-05-05 @ 09:45

    I can totally see why it would be wise from a liability perspective to not remove the Kraken code without consent. So why not create a way to allow people to indicate their consent?
    For example, why not provide an encrypted file that people could download and place on their systems which would contain an authorization for you to remove the Kraken code? If you were to scan the system for this file and locate it, then this would permit you to remove the malicious code.

  40. Naraki commented on 2008-05-06 @ 17:46

    I like the suggestion made by one of those before me. Make a PoC that kills the bot and let the public do justice.

    Take for instance Interpol: they have posted the pictures of a paedophile regardless of the risks (angry mobs come to mind) because they consider it their moral duty to protect children. Isn't it your moral duty to protect those of us who don't have the wisdom to protect ourselves?

    I know the " other side " do you think they care about the risks? hell, the more, the merrier.

    But what if it's a system controlling traffic or other parts of the infrastructure? Railways? Subways? Waste water and sewage systems? Maybe someday a bot out there will update and break its host. Do you really want to be responsible for not having acted then, when you could? When the proverbial shit hits the fan? (No pun intended ;-).) It's a complex moral dilemma and I sympathise with your effort to make the right decision. However, sometimes you shouldn't think too long... and simply act, in one way or the other.

  41. Anonymous commented on 2008-05-07 @ 12:49

    I would develop a removal tool for the zombie and sell it to the companies involved.

  42. Keith commented on 2008-05-07 @ 12:57

    Possibly the answer may lie in notification to the system or user that a bot has infected their system and show them steps to assist in cleaning it from their own systems.

    Or work with Microsoft to integrate your technology with their Spyware / Virus removal tool - you could always put a disclaimer notification along with that as well.

    Whatever way you go I would highly suggest contacting a lawyer group that would help you stay legal.

    PONDER THIS: If you knew someone was going to be robbed by overhearing a conversation - isn't it your moral obligation to notify the person that will be affected by it?

  43. Anonymous commented on 2008-05-07 @ 12:59

    Maybe it would be a job for the DHS to take on, government hasn't had any issues in the past doing "grey" work.

    My personal opinion is: If the computer user is stupid/lazy/ignorant enough to have an unpatched, non-firewalled computer attached to the Internet and gets infected, they have no right to be ON the Internet. Send in a program and FORMAT their hard drives. This would take care of the bot-net client, AND force these PCs to be rebuilt (hopefully with security installed.)

  44. Lars commented on 2008-05-08 @ 03:38

    Great research and good presentation of an ethical and legal dilemma. The case isn't quite as clean as the trigger-happy camp puts it, though. Killing a terrorist does not remove the cause that made him a terrorist, and there are some similarities here.

    My advice: Don't attempt to be a world cop, but work with legal authorities in the countries involved. Users need to be informed, so try to bring this news to the mass media headlines.

    You may consider displaying a message on the infected machines, but don't expect too much. Most people in the world don't understand English, and owners of zombies probably lack any knowledge of security.

    Some of us do understand the basics, and just for the record: When I occasionally get a message reading something like, "Your computer has a virus, press this button to let us remove it", I take a deep breath and move the mouse to the opposite corner of the screen. Then I call my IT department. :-)
  45. Anonymous commented on 2008-05-08 @ 19:17

    I'm sure I'd download a file that authorises someone I don't know to install something unknown on my machine any day. Just like I'd allow a bot to be installed in the first place!
    I like the "zombie computers kill kittens" approach.

  46. Anonymous commented on 2008-05-13 @ 11:24

    Couldn't you just contact antivirus companies and have them take care of the cleansing in a legal manner? I would assume there's a way to tell if a system is compromised locally, and if so then they could deploy the cleansing program you have developed (or plan to develop). On the topic of informing the user: I don't think it will help one bit. You constantly see pop-ups and adware that say "Your computer is infected with so and so! Go here to fix!". It's annoying and most people think it's just to further that person's business, which it usually is. I think the only way that the system should be cleansed is by someone who already has permission to do so legally: antivirus companies. It would inform the user of the botnet client, ask them if they want to remove it, and it would be more trustworthy to see it coming from their antivirus program instead of a notepad document written by someone they don't know.

  47. Catalin Patulea commented on 2008-06-15 @ 23:11

    I would, in one word, delegate.

    Find "abuse@example.com" addresses for the organizations responsible for each of those IPs. These are sysadmins who are in a position, in terms of knowledge and power, to act on the computers. Provide the sysadmins with instructions on cleaning their computers, patching them to prevent repeated infection, and configuring their firewall to reduce the impact of a potential future infection.

    This approach has its pros and cons, of course. One major con is that many of these abuse@example.com addresses are simply ignored or are large ISPs who can't control their customers' computers. But in my opinion, it's more ethical than either of the other two options (doing nothing, or pushing a bot-killer).

  49. Anonymous commented on 2008-07-20 @ 10:32

    re: Dustin commented on 2008-04-30

    Comparing the situation to a fire is interesting. In many jurisdictions callous disregard laws have been passed making it a crime not to offer aid. Perhaps not stopping the bots is also illegal.

  50. Julie commented on 2008-07-21 @ 07:49

    Since April, what progress has been made in relation to Kraken? Has its binary been updated to avoid reverse engineering techniques; to change its C&C; to further prevent AV detection? Has TippingPoint done anything more with the infiltration?

  51. Cody Pierce commented on 2008-07-22 @ 11:56

    @Julie: It is hard for us to comment on this. We have always made the distinction that we are not an AV company and thus are not on top of things like they are. However, in our personal research the Kraken network we had insight into has all but stopped. We speculate this is due to a change in the bot communication. Microsoft may also have played a part in the dwindling numbers as you can read in this post.

  52. Datdamwuf commented on 2008-07-24 @ 11:04

    I do hope that you have provided your information to all of the Anti-virus companies so they can update their clients? That would mean that at the least, those zombies that have anti-virus installed will soon get an alert and their own application can clean it.

    Of course, the "owners" of this botnet are likely to modify the code after reading your article.

  53. Frank Paolino commented on 2008-11-18 @ 12:34

    I guess I am searching for a clearer case of what would be a safe time to do good? No lives are at risk (I believe Dave's example of a life support system will actually run better without the virus). No money is lost. No one is harmed or embarrassed.

    Full disclosure: I block spam for a living (http://www.maysoft.com). Now should I consider that I blocked a spam and deprived the spammer of a livelihood? Is that actionable?

    But this is not a criticism of DVLabs, as much as society as a whole. We are moving from "whatever is not illegal is legal" to "whatever is not LEGAL is illegal". This is a symptom of societal breakdown. Can anyone remember "give me liberty or give me death"? Now, it is "give me some time to ask my lawyers".

    No offense to Dave et al. Indeed, you would be looked at as "vigilantes" and that is a terrible shame. I'll end with one last quote:
    "All that is necessary for the triumph of evil is that good men do nothing." (Edmund Burke)


Links To This Post

  1. Security News - Tools - Tutorials and more … » Blog Archive » Whitehats tackle The Great Botnet Dilemma
    linked on 2008-04-29 @ 16:26

    “This is where we entered into a moral dilemma and ethical discussion,” Amini wrote in an entry on the TippingPoint DVLabs blog. “We have the ability to successfully redirect infected systems. We have the ability to provide an ‘update’ through the existing Kraken protocol that can simply remove the Kraken zombie. Is it wrong to do so?”

  2. Botnet disruption raises ethical concerns among researchers - codon5
    linked on 2008-04-29 @ 17:53

    ... registering some of the sub-domains in the Kraken list and emulating a C&C server. The phony server immediately began receiving connection requests from Kraken-infected PCs around the Internet, adding up to nearly 2 million in a one-week period, the researchers said in a blog post on their infiltration of Kraken. The researchers now had the ability to issue whatever commands they chose to the thousands of bots in the Kraken army. The question is: What orders should they give? Are they justified in feeding the infected PCs new binaries that would disable the Kraken bots? The researchers wrestled with the problem and eventually came to the decision not to disable the bots, but not before a lot of back-and-forth on the matter. "We have the ability to successfully redirect infected systems. We have the ability to provide an 'update' through the existing Kraken protocol that can simply remove the Kraken zombie. Is it wrong to do so?" one of the researchers, Pedram Amini, wrote in an analysis of the operation. "Although this discussion is similar to that of writing 'good worms' that roam the Internet patching vulnerable servers, there is a key difference in that a good worm can't be stopped. Once it has been released it is a self spreading uncontrollable entity. In our specific case however we have the ability to cease at any point. It is simply a one to one relationship. An infected system connects to us, we supply a simple binary to kill the target process, we never hear from the infected system again and neither can the actual botnet owners command and control servers." The idea of writing code to automatically patch machines against a specific vulnerability or to disable existing malware is by no means a new one. Security specialists and researchers have been toying with the notion for years, and it has produced almost as much inflamed rhetoric as the arguments for and against full disclosure. 
There have been a few actual examples of so-called good worms in the wild, with the most famous being the Welchia worm of 2003 that attempted to patch the flaw in Windows that the infamous Blaster worm exploited. And earlier this month a group of German researchers released a paper detailing their work digging into the botnet set up by the Storm Trojan and their ability to poison the Storm network by publishing a large amount of fake key material for the Storm-infected machines to consume. The Storm bots use the keys to communicate with their peers and the researchers were able to overwhelm the bots' search capabilities. Many security experts have ...

  3. Kraken Botnet - Should a Good Worm be used to clean infected PCs? - Harry Waldron - Microsoft MVP Blog
    linked on 2008-04-30 @ 15:57

    http://dvlabs.tippingpoint.com/blog/2008/04/28/kraken-botnet-infiltration

  4. Kraken Botnet - Should a Good Worm be used to clean infected PCs? - Harry Waldron - My IT Forums Blog
    linked on 2008-04-30 @ 15:57

    http://dvlabs.tippingpoint.com/blog/2008/04/28/kraken-botnet-infiltration

  5. links for 2008-05-01 :: The Last Minute Blog
    linked on 2008-04-30 @ 23:39

    Hmmm, what to do when you pwn a botnet… Some whitehats take over a botnet and wonder what to do with it. (tags: botnet security kraken)

  6. Kraken y España « TIDDER
    linked on 2008-05-01 @ 04:22

    According to what the people at DVLabs have verified, having managed to infiltrate and dissect that network, Spain appears in second place by number of infected computers, just behind the USA and on a par with the United Kingdom.

  7. Angels of security » Blog Archive » legal != ethical
    linked on 2008-05-04 @ 00:12

    Several news agencies are reporting that TippingPoint researchers have cracked the “kracken” botnet and have actually been able to commandeer at least a part of it. The researchers are now faced with an ethical dilemma - whether or not to use their control ability to automatically fix the infected computers. This is by no means ...

  8. Anti-Malware Engineering Team : Oderoor all its Kraked up to be?
    linked on 2008-05-21 @ 22:15

    Being the helpful lads they are, the guys over at DVlabs (http://dvlabs.tippingpoint.com/) thought they’d get to the bottom of the ‘Mystery of the Disappearing Botnet Nodes’ and take a peek at the network from the inside (http://dvlabs.tippingpoint.com/blog/2008/04/28/kraken-botnet-infiltration). Whilst this doesn’t really help us with the number estimate, they did manage to obtain 65,000 unique infected IP addresses, so now we only have to account for the other missing 125,000-335,000 nodes. With so many nodes around you’d figure people would be tripping over them all over the place. Sadly not. :(

  9. Botnet infiltration and ethics at JonRolfe.com
    linked on 2008-07-23 @ 03:35

    Security researchers at TippingPoint infiltrated the botnet after reverse engineering a sample of the malware and successfully took control of 25,000 unique bots within 7 days. This raised the question of was it ethical to disable the malware on these systems now that they had control of them? This raises an interesting ...

  10. Good versus Evil? - The reverse engineering of Kraken | Community Site News
    linked on 2008-08-11 @ 08:57

    You might at this point be questioning the relevance of this, but here comes the interesting bit. Amini writes on the TippingPoint DVLabs blog, “We have the ability to successfully redirect infected systems. We have the ability to provide an ‘update’ through the existing Kraken protocol that can simply remove the Kraken zombie. Is it wrong to do so?”
