Did Dutch police break the law taking down a botnet?

The Dutch police installed a program on computers that were infected with Bredolab

Dutch police took unprecedented action in taking down a botnet on Monday: They uploaded their own program to infected computers around the world, a move that likely violated computer crime laws.

The program causes a computer's Web browser to redirect to a special site set up by the Netherlands Police Agency, where users are informed their computer is infected with Bredolab, a password-stealing malicious software program.

Dutch police did that by taking command of 143 Web servers used to control computers infected with Bredolab. The servers belong to LeaseWeb, one of the top hosting providers in Europe, which was informed in August of the problem by police and other computer security experts, said Alex de Joode, LeaseWeb's security officer.

"For us, it's the first time we've seen something of this magnitude," de Joode said. "It's also the first time the police are trying to actively warn people that their computer is infected."

Botnets are a thorny problem: The complex networks are designed to prevent authorities from easily tracing the perpetrators, and are responsible for the mass distribution of spam and malicious software across the Internet.

Botnets have been attacked by the good guys before, but end users were usually no better off: Their computers may still be infected with other malicious software, and PC owners may never know that their machines need to be scanned with security software. But many computer users are likely turning on their machines today and seeing the Web page from the Dutch police.

Most countries have laws that forbid unauthorized modification of a computer. In the U.K., the regulation is part of the Computer Misuse Act of 1990.

The action by the Dutch police is likely a breach of the Computer Misuse Act, said Struan Robertson, a technology lawyer with Pinsent Masons. Since the territorial scope of the legislation is wide, in theory it could be used against somebody in the Netherlands hacking into a U.K. computer, he said.

"There is no defense in the Computer Misuse Act for unauthorized access to another computer being for noble purposes," Robertson said. "That said, I think it is important to note it is unthinkable that anyone would prosecute for this. They were making the best of a bad situation."

But in an era where fake Web pages are rampant, it raises the question of whether people will believe that the warning is legitimate. Fraudsters could also simply copy the Web page, set up a new domain and create a site that actually infects people's computers with Bredolab or other malware.

"I think the bigger challenge in this is getting a message to computer users that convinces the users that it comes from an authorized source and that it is really the police who is contacting them," Robertson said.

It is unlikely that anyone will complain about the Dutch police's tactic, said Graham Cluley, senior technology consultant for Sophos, a security vendor. "It's so hard to clean up the average computer and convince them [users] they have a problem at all."

The takedown of Bredolab was followed on Tuesday by the arrest of a 27-year-old man in Armenia on suspicion of controlling the botnet. He is also suspected of renting the Bredolab-infected computers to cybercrime players in other countries for online banking scams and other frauds.

The hosting company LeaseWeb allowed Dutch police access to the command-and-control servers in its data centers. LeaseWeb said the servers were rented out to a person from Eastern Europe, who then sub-rented access on those servers to the person controlling Bredolab, de Joode said.

LeaseWeb allows people to rent out extra capacity on their servers to third parties, which it calls a "reseller" arrangement. LeaseWeb does not vet those arrangements and does not know who is actually using that extra capacity.

LeaseWeb does have the contact details for the Eastern European who originally rented the servers, but the person is not responding, de Joode said. It is unclear if Dutch police are pursuing that person. Dutch prosecutors could not be reached for comment on Tuesday.

The company has a fully automated system for renting servers. Customers need to submit a valid e-mail address and phone number. Credit card transactions are processed through PayPal, which LeaseWeb relies on to do fraud detection, de Joode said.

PayPal is "catching a lot of fake orders," de Joode said. "It's our established means of international payment."

For legal and technical reasons, de Joode said LeaseWeb cannot monitor all of the traffic on its network using deep-packet inspection technologies. LeaseWeb processes up to 785GB of data per second, and intercepting that traffic could expose the company to liability claims, he said.

As an alternative, LeaseWeb set up a system in June where it receives abuse complaints from security partners. The company is working to set up an automated system where people renting servers are notified if there is a problem, such as a machine sending out spam.

LeaseWeb receives about 80 complaints a day, ranging from copyright infringement concerns to phishing to spam, and generally processes them within a day, de Joode said.

Jeremy Kirk

IDG News Service