Did Dutch police break the law taking down a botnet?

The Dutch police installed a program on computers that were infected with Bredolab

Dutch police took unprecedented action in taking down a botnet on Monday: They uploaded their own program to infected computers around the world, a move that likely violated computer crime laws.

The program causes a computer's Web browser to redirect to a special site set up by the Netherlands Police Agency, where users are informed their computer is infected with Bredolab, a password-stealing malicious software program.

Dutch police did that by taking command of 143 Web servers used to control computers infected with Bredolab. The servers belong to LeaseWeb, one of the top hosting providers in Europe, which was informed in August of the problem by police and other computer security experts, said Alex de Joode, LeaseWeb's security officer.

"For us, it's the first time we've seen something of this magnitude," de Joode said. "It's also the first time the police are trying to actively warn people that their computer is infected."

Botnets are a thorny problem: The complex networks are designed to prevent authorities from easily tracing the perpetrators, and are responsible for the mass distribution of spam and malicious software across the Internet.

Botnets have been attacked by the good guys before, but end users were usually no better off: Their computers may still be infected with other malicious software, and PC owners may never know that their machines need to be scanned with security software. But many computer users are likely turning on their machines today and seeing the Web page from the Dutch police.

Most countries have laws that forbid unauthorized modification of a computer. In the U.K., the regulation is part of the Computer Misuse Act of 1990.

The action by the Dutch police is likely a breach of the Computer Misuse Act, said Struan Robertson, a technology lawyer with Pinsent Masons. Since the territorial scope of the legislation is wide, in theory it could be used against somebody in the Netherlands hacking into a U.K. computer, he said.

"There is no defense in the Computer Misuse Act for unauthorized access to another computer being for noble purposes," Robertson said. "That said, I think it is important to note it is unthinkable that anyone would prosecute for this," Robertson said. "They were making the best of a bad situation."

But in an era where fake Web pages are rampant, it begs the question of whether people will believe that the warning is legitimate. Fraudsters could also simply copy the Web page, set up a new domain and create a site that actually infects people's computers with Bredolab or other malware.

"I think the bigger challenge in this is getting a message to computer users that convinces the users that it comes from an authorized source and that it is really the police who is contacting them," Robertson said.

It is unlikely that anyone will complain about the Dutch police's tactic, said Graham Cluley, senior technology consultant for Sophos, a security vendor. "It's so hard to clean up the average computer and convince them [users] they have a problem at all."

The takedown of Bredolab was followed on Tuesday by the arrest of a 27-year-old man in Armenia on suspicion of controlling the botnet. He is also suspected of renting the Bredolab-infected computers to cybercrime players in other countries for online banking scams and other frauds.

The hosting company LeaseWeb allowed Dutch police access to the command-and-control servers in its data centers. LeaseWeb said the servers were rented out to a person from Eastern Europe, who then sub-rented access on those servers to the person controlling Bredolab, de Joode said.

LeaseWeb allows people to rent out extra capacity on their servers to third parties, which it calls a "reseller" arrangement. LeaseWeb does not vet those arrangements and does not know who is actually using that extra capacity.

LeaseWeb does have the contact details for the Eastern European who originally rented the servers, but the person is not responding, de Joode said. It is unclear if Dutch police are pursuing that person. Dutch prosecutors could not be reached for comment on Tuesday.

The company has a fully automated system for renting servers. Customers need to submit a valid e-mail address and phone number. Credit card transactions are processed through PayPal, which LeaseWeb relies on to do fraud detection, de Joode said.

PayPal is "catching a lot of fake orders," de Joode said. "It's our established means of international payment."

For legal and technical reasons, de Joode said LeaseWeb cannot monitor all of the traffic on its network using deep-packet inspection technologies. LeaseWeb processes up to 785GB of data per second, and intercepting that traffic could expose the company to liability claims, he said.

As an alternative, LeaseWeb set up a system in June where it receives abuse complaints from security partners. The company is working to set up an automated system where people renting servers are notified if there is a problem, such as a machine sending out spam.

LeaseWeb receives about 80 complaints a day, ranging from copyright infringement concerns to phishing to spam, and generally processes them within a day, de Joode said.

Tags CriminalsecuritylegalLeaseWebExploits / vulnerabilitiesfraudcybercrimemalware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?