BBC creates a botnet of 22 000 PCs in investigation

The BBC has drawn criticism for an investigation that involved its researchers creating a botnet swarm of around 22 000 infected PCs.

As part of a demonstration of how easy it is to create a botnet swarm, the BBC's Click technology programme researchers hijacked around 22 000 PCs on the internet and have flown into a storm of controversy as a result.

The BBC claims it has acted legally and has advised the owners of the PCs it infected as to how to cleanse their machines of the malware.

According to the BBC, it acquired the botnet program whilst interfacing with hackers on various internet chatrooms.

The broadcaster has admitted that, if it had undertaken the exercise with criminal intent, it would have broken the law.

But, it claims, since the intention was to show how easy it was to create a swarm, its actions were on the right side of the legal fence.

Despite this claim, the BBC may have unwittingly broken the Computer Misuse Act, since it appears to have infected users' computers - albeit with the best of intentions - and the researchers involved would technically qualify for a two-year prison sentence.

Sources suggest, however, that a prosecution is unlikely in this case.

Interestingly, Click's research team says it worked with IT security vendor Prevx, allowing the bot swarm to launch a distributed denial of service attack on the vendor's backup web site.

According to Prevx, it took just 60 PCs pinging the backup site to effectively bring it to a standstill.

Ollie-Pekka Niemi on the BBC wearing a White Hat
interview by Rob Stringer

Ollie-Pekka Niemi is team leader of network security solution provider Stonesoft's virus research team, and used to belong to the global ‘Licence to Hack’ group, hired by organisations to search for vulnerabilities. Although he praises the value of ‘White Hat’ hacking, he believes that the BBC “broke the law”.

Niemi says it is not explicit if the BBC paid money for the botnet they received through underground chatrooms, but “I don’t think the criminals would give a botnet away for free”.

Also, although the BBC had permission to launch a DDoS attack on Prevx, “what they didn’t have was permission from the 22 000 computer users”.

Niemi points out that it is not clear which countries the hijacked computers were in and states that if the BBC hasn’t broken UK law, it may have broken the law in another country.

“In Finland, the unauthorised use of a computer is a crime,” he notes. “I wouldn’t be surprised if [the BBC] face prosecution.”