BBC Click paid cybercrooks to buy botnet

Your licence fees at work


BBC Click has admitted paying cybercrooks thousands of dollars to buy access to a botnet as part of a controversial cybercrime investigation, broadcast over the weekend.

In a website story accompanying the heavily-promoted report, BBC Click reporter Spencer Kelly explains how licence fee payers' money was used to buy access to virus-infected machines under the control of hackers in Russia and the Ukraine.

After months of investigation and a few thousand dollars, we had managed to buy a botnet from hackers in Russia and the Ukraine.

The process began in chatrooms where hackers advertise their services. You have to earn their confidence, then negotiations take place in instant messaging applications.

Once a service and a price have been agreed, payment is made using a money transfer to keep both sides anonymous.

BBC Click used the botnet of 22,000 machine to send spam to webmail addresses it established and launch a denial of service attack against a test website by security firm PrevX which advised on the investigation. It then changed the wallpaper on compromised machines with a message of its own, advising affected users to clean up.

The BBC reckons its actions were legal, but specialist technology lawyers contacted by El Reg disagreed. Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons, said that the BBC's actions were likely to have breached the unlawful access provision of the Computer Misuse Act, the UK's anti-hacking law. He added that there was no public interest defense against CMA offences.

All parties agree that there's unlikely to be a prosecution, even if the BBC inadvertently interfered with Pentagon computers. Infected computers on US military systems are hardly unknown, and BBC Click failed to make any checks on whose computers it was hacking into - so it could well be that some of the zombie machines used during the exercise were on US military networks.

Aside from the legality of the scheme, the exercise raises troubling ethical questions. Security firms are almost unanimous in saying the behaviour of infected machines could have been illustrated without hacking into the machines of innocent victims.

Much of what BBC Click found was already common knowledge in security circles, if not to the wider public. The idea that botnets are used to send spam or run DDoS, that access to them is sold through underground forums and that control tools are growing in sophistication, have been the staples of information security stories in the technology press and reports from vendors for months.

BBC Click said the programme was six months in the making.

Many security have described the exercise as misguided, unnecessary and unethical. Kaspersky, AVG, McAfee, FaceTime, Sophos and F-Secure all agreed that the BBC had behaved badly. Over the weekend Sunbelt Software joined the attack, which Sophos has spearheaded, against the programme's tactics.

Some security firms disagree with this consensus view, most notably PrevX, which participated in the programme. CEO Mel Morris, chief exec at PrevX, suggested that security researchers and the police routinely break the law to investigate botnets in a statement (below):

Prevx's input to the BBC Click Botnet experiment saw us providing our test site as a target for their DDoS attack and giving some comment and advice on the technical implications of what they were doing. In terms of what the BBC learnt the experiment highlighted some interesting facts - not least that their Botnet reached 9,000 computers over several days before it was detected by any of the major anti-virus or Internet security products.

Because of the nature of the market we operate in, and the ever growing risks of cyber-crime, every internet security company has to understand the ways in which the enemy operates. What the BBC did with this experiment is just taking that lesson to the broader public. Every day, most security companies, and law enforcement agencies investigating botnets and information stealers break the law to investigate and uncover stolen information and techniques - It goes with the turf!

Other supporters include security firm Marshal8e6 which issued a statement to "applaud the BBC Click programme for its interesting and informative piece which hopefully will assist in raising the public’s awareness of these issues".

The BBC Click programme was broadcast on BBC 1 on Saturday morning and the BBC News Channel on both Saturday or Sunday at 11:30. Those in the UK can catch up with the show through iPlayer, via the BBC Click site here. ®


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Microsoft Defender goes cross-platform for the masses
    Redmond's security brand extended to multiple devices without stomping on other solutions

    Microsoft is extending the Defender brand with a version aimed at families and individuals.

    "Defender" has been the company's name of choice for its anti-malware platform for years. Microsoft Defender for individuals, available for Microsoft 365 Personal and Family subscribers, is a cross-platform application, encompassing macOS, iOS, and Android devices and extending "the protection already built into Windows Security beyond your PC."

    The system comprises a dashboard showing the status of linked devices as well as alerts and suggestions.

    Continue reading
  • International operation takes down Russian RSOCKS botnet
    $200 a day buys you 90,000 victims

    A Russian operated botnet known as RSOCKS has been shut down by the US Department of Justice acting with law enforcement partners in Germany, the Netherlands and the UK. It is believed to have compromised millions of computers and other devices around the globe.

    The RSOCKS botnet functioned as an IP proxy service, but instead of offering legitimate IP addresses leased from internet service providers, it was providing criminals with access to the IP addresses of devices that had been compromised by malware, according to a statement from the US Attorney’s Office in the Southern District of California.

    It seems that RSOCKS initially targeted a variety of Internet of Things (IoT) devices, such as industrial control systems, routers, audio/video streaming devices and various internet connected appliances, before expanding into other endpoints such as Android devices and computer systems.

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • NSO claims 'more than 5' EU states use Pegasus spyware
    And it's like, what ... 12, 13,000 total targets a year max, exec says

    NSO Group told European lawmakers this week that "under 50" customers use its notorious Pegasus spyware, though these customers include "more than five" European Union member states.

    The surveillance-ware maker's General Counsel Chaim Gelfand refused to answer specific questions about the company's customers during a European Parliament committee meeting on Thursday. 

    Instead, he frequently repeated the company line that NSO exclusively sells its spyware to government agencies — not private companies or individuals — and only "for the purpose of preventing and investigating terrorism and other serious crimes."

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading

Biting the hand that feeds IT © 1998–2022