Did Dutch police break the law taking down a botnet?

The Dutch police installed a program on computers that were infected with Bredolab

Dutch police took unprecedented action in taking down a botnet on Monday: They uploaded their own program to infected computers around the world, a move that likely violated computer crime laws.

The program causes a computer's Web browser to redirect to a special site set up by the Netherlands Police Agency, where users are informed their computer is infected with Bredolab, a password-stealing malicious software program.

Dutch police did that by taking command of 143 Web servers used to control computers infected with Bredolab. The servers belong to LeaseWeb, one of the top hosting providers in Europe, which was informed in August of the problem by police and other computer security experts, said Alex de Joode, LeaseWeb's security officer.

"For us, it's the first time we've seen something of this magnitude," de Joode said. "It's also the first time the police are trying to actively warn people that their computer is infected."

Botnets are a thorny problem: The complex networks are designed to prevent authorities from easily tracing the perpetrators, and are responsible for the mass distribution of spam and malicious software across the Internet.

Botnets have been attacked by the good guys before, but end users were usually no better off: Their computers may still be infected with other malicious software, and PC owners may never know that their machines need to be scanned with security software. But many computer users are likely turning on their machines today and seeing the Web page from the Dutch police.

Most countries have laws that forbid unauthorized modification of a computer. In the U.K., the regulation is part of the Computer Misuse Act of 1990.

The action by the Dutch police is likely a breach of the Computer Misuse Act, said Struan Robertson, a technology lawyer with Pinsent Masons. Since the territorial scope of the legislation is wide, in theory it could be used against somebody in the Netherlands hacking into a U.K. computer, he said.

"There is no defense in the Computer Misuse Act for unauthorized access to another computer being for noble purposes," Robertson said. "That said, I think it is important to note it is unthinkable that anyone would prosecute for this," Robertson said. "They were making the best of a bad situation."

But in an era where fake Web pages are rampant, it begs the question of whether people will believe that the warning is legitimate. Fraudsters could also simply copy the Web page, set up a new domain and create a site that actually infects people's computers with Bredolab or other malware.

"I think the bigger challenge in this is getting a message to computer users that convinces the users that it comes from an authorized source and that it is really the police who is contacting them," Robertson said.

It is unlikely that anyone will complain about the Dutch police's tactic, said Graham Cluley, senior technology consultant for Sophos, a security vendor. "It's so hard to clean up the average computer and convince them [users] they have a problem at all."

The takedown of Bredolab was followed on Tuesday by the arrest of a 27-year-old man in Armenia on suspicion of controlling the botnet. He is also suspected of renting the Bredolab-infected computers to cybercrime players in other countries for online banking scams and other frauds.

The hosting company LeaseWeb allowed Dutch police access to the command-and-control servers in its data centers. LeaseWeb said the servers were rented out to a person from Eastern Europe, who then sub-rented access on those servers to the person controlling Bredolab, de Joode said.

LeaseWeb allows people to rent out extra capacity on their servers to third parties, which it calls a "reseller" arrangement. LeaseWeb does not vet those arrangements and does not know who is actually using that extra capacity.

LeaseWeb does have the contact details for the Eastern European who originally rented the servers, but the person is not responding, de Joode said. It is unclear if Dutch police are pursuing that person. Dutch prosecutors could not be reached for comment on Tuesday.

The company has a fully automated system for renting servers. Customers need to submit a valid e-mail address and phone number. Credit card transactions are processed through PayPal, which LeaseWeb relies on to do fraud detection, de Joode said.

PayPal is "catching a lot of fake orders," de Joode said. "It's our established means of international payment."

For legal and technical reasons, de Joode said LeaseWeb cannot monitor all of the traffic on its network using deep-packet inspection technologies. LeaseWeb processes up to 785GB of data per second, and intercepting that traffic could expose the company to liability claims, he said.

As an alternative, LeaseWeb set up a system in June where it receives abuse complaints from security partners. The company is working to set up an automated system where people renting servers are notified if there is a problem, such as a machine sending out spam.

LeaseWeb receives about 80 complaints a day, ranging from copyright infringement concerns to phishing to spam, and generally processes them within a day, de Joode said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityfraudcybercrimemalwarelegalCriminalExploits / vulnerabilitiesLeaseWeb

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments





Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?