The legal implications of botnet disruptions

19 November 2012

The best defense against a botnet is to get rid of it – to infiltrate it, to learn all about it, and to take it down. While the takedown is usually done by or with law enforcement and any necessary court orders, the initial infiltration, often by individual security researchers or anti-malware vendors, remains a legally grey area.

Laws such as the UK’s Computer Misuse Act and the various European data protection laws exist to protect the law-abiding user. The problem is those same laws can be said to protect the criminal. NATO and ENISA have collaborated in a report to analyze the legal implications for those involved in the takedown of one of today’s biggest cyber problems: Legal Implications of Countering Botnets.

The report looks specifically at the legal situation in Estonia and Germany, but notes that since both countries are members of the European Union with cyber laws largely influenced by the Council of Europe Cybercrime Convention, “many of the problems which are addressed and their proposed solutions can be quite universal, especially in the context of the European Union.”

The extent of the legal complications can be seen in what the report calls ‘one of the first and logical steps’ when a botnet infection is known or suspected: packet inspection. On the one hand, it notes, packet inspection monitors the traffic and not the content of messages and should not breach that part of the European data protection laws. But on the other hand, the IP address is a far more complex issue – and both data protection and telecommunications secrecy laws need to be considered. There is a current debate over whether a user’s IP address constitutes personal data, and the report does not enter that debate. It notes, however, that if an IP address is personal data, then “capturing and analyzing the traffic would, under § 10 of the Estonian Personal Data Protection Act, need the consent of the data subject;” something highly unlikely if the data subject is a cyber criminal.

The actual takeover is equally worrying. Referring specifically to current German law, the report notes that “the benevolence of the actor is not relevant, because whoever gathers information or produces or acquires (hacking) tools with the intention to gain unjustified access to somebody else’s data is punishable by §§ 202c and 202a of the German Penal Code.” However, even if the botnet’s C&C servers are taken over or taken down, the individual infected bots remain infected. A couple of years ago the Dutch police famously took over a BredoLab botnet and used the C&C servers to send messages to the infected computers. That’s as far as they could go. “The preparation, infiltration and disinfection of the bots fulfills the conditions for data tampering, as set forth in § 303a of the German Penal Code, even if only the infection is removed and the original state restored,” says the report.

This report does not set out to solve the botnet takedown problems, merely to highlight some of the issues and complications involved, since “many botnet countermeasures addressed in this report are neither explicitly permitted nor prohibited by the law.” It warns that any individuals or companies involved in botnet infiltrations should seek “appropriate legal advice beforehand,” and concludes that “The legislators, on the other hand, should use their mandate to shape national laws so that they support rather than hinder the fight against botnets.”
