Did Dutch police break the law taking down a botnet?

The Dutch police installed a program on computers that were infected with Bredolab

Dutch police took unprecedented action in taking down a botnet on Monday: They uploaded their own program to infected computers around the world, a move that likely violated computer crime laws.

The program causes a computer's Web browser to redirect to a special site set up by the Netherlands Police Agency, where users are informed their computer is infected with Bredolab, a password-stealing malicious software program.

Dutch police did that by taking command of 143 Web servers used to control computers infected with Bredolab. The servers belong to LeaseWeb, one of the top hosting providers in Europe, which was informed in August of the problem by police and other computer security experts, said Alex de Joode, LeaseWeb's security officer.

"For us, it's the first time we've seen something of this magnitude," de Joode said. "It's also the first time the police are trying to actively warn people that their computer is infected."

Botnets are a thorny problem: The complex networks are designed to prevent authorities from easily tracing the perpetrators, and are responsible for the mass distribution of spam and malicious software across the Internet.

Botnets have been attacked by the good guys before, but end users were usually no better off: Their computers may still be infected with other malicious software, and PC owners may never know that their machines need to be scanned with security software. But many computer users are likely turning on their machines today and seeing the Web page from the Dutch police.

Most countries have laws that forbid unauthorized modification of a computer. In the U.K., the regulation is part of the Computer Misuse Act of 1990.

The action by the Dutch police is likely a breach of the Computer Misuse Act, said Struan Robertson, a technology lawyer with Pinsent Masons. Since the territorial scope of the legislation is wide, in theory it could be used against somebody in the Netherlands hacking into a U.K. computer, he said.

"There is no defense in the Computer Misuse Act for unauthorized access to another computer being for noble purposes," Robertson said. "That said, I think it is important to note it is unthinkable that anyone would prosecute for this," Robertson said. "They were making the best of a bad situation."

But in an era when fake Web pages are rampant, it raises the question of whether people will believe that the warning is legitimate. Fraudsters could also simply copy the Web page, set up a new domain and create a site that actually infects people's computers with Bredolab or other malware.

"I think the bigger challenge in this is getting a message to computer users that convinces the users that it comes from an authorized source and that it is really the police who is contacting them," Robertson said.

It is unlikely that anyone will complain about the Dutch police's tactic, said Graham Cluley, senior technology consultant for Sophos, a security vendor. "It's so hard to clean up the average computer and convince them [users] they have a problem at all."

The takedown of Bredolab was followed on Tuesday by the arrest of a 27-year-old man in Armenia on suspicion of controlling the botnet. He is also suspected of renting the Bredolab-infected computers to cybercrime players in other countries for online banking scams and other frauds.

The hosting company LeaseWeb allowed Dutch police access to the command-and-control servers in its data centers. LeaseWeb said the servers were rented out to a person from Eastern Europe, who then sub-rented access on those servers to the person controlling Bredolab, de Joode said.

LeaseWeb allows people to rent out extra capacity on their servers to third parties, which it calls a "reseller" arrangement. LeaseWeb does not vet those arrangements and does not know who is actually using that extra capacity.

LeaseWeb does have the contact details for the Eastern European who originally rented the servers, but the person is not responding, de Joode said. It is unclear if Dutch police are pursuing that person. Dutch prosecutors could not be reached for comment on Tuesday.

The company has a fully automated system for renting servers. Customers need to submit a valid e-mail address and phone number. Credit card transactions are processed through PayPal, which LeaseWeb relies on to do fraud detection, de Joode said.

PayPal is "catching a lot of fake orders," de Joode said. "It's our established means of international payment."

For legal and technical reasons, de Joode said LeaseWeb cannot monitor all of the traffic on its network using deep-packet inspection technologies. LeaseWeb processes up to 785GB of data per second, and intercepting that traffic could expose the company to liability claims, he said.

As an alternative, LeaseWeb set up a system in June where it receives abuse complaints from security partners. The company is working to set up an automated system where people renting servers are notified if there is a problem, such as a machine sending out spam.

LeaseWeb receives about 80 complaints a day, ranging from copyright infringement concerns to phishing to spam, and generally processes them within a day, de Joode said.

Jeremy Kirk

IDG News Service