Security company Sophos has lashed out at the BBC for commandeering some 22,000 computers earlier this month, claiming the move was a reckless breach of privacy that could inspire a wave of vigilante copycats.
The computers were assembled into a botnet by the BBC following advice from hackers in online chatrooms, and were then use to spam dummy Hotmail and Gmail accounts to demonstrate the machinations of spam in its Click TV segment.
Thousands of spam e-mails, each with unique subject lines generated by Google keyword searches, bypassed the Hotmail and Gmail spam filters and hit the inboxes within about two hours.
Kill commands issued to liberate infected computers can be rewired to wipe hard drives
Sophos chief technology officer Paul Ducklin said the demonstration, which also changed the desktop backgrounds on hijacked computers, was reckless because altering system data could have had unintended and dire effects.
“The BBC issued remote commands for its [Click] television program, using a criminal piece of software, from the author they've never met and which quality they've got to presume is dodgy,” Ducklin said.
“The commands to change the wallpaper could have hanged the computers. What if those [affected] were uploading a tax return, or a prescription for diabetes medication?
“It's not for the BBC to make that decision. I'm sure their motives were good, but they have set a dangerous precedent because the last thing we want is gangs of wannabe anti-virus vigilantes roaming the Internet and issuing commands to botnets,” he said.
Ducklin said the typical kill commands issued to liberate infected computers from botnet control, and presumably used by the BBC test, can be rewired by hackers to wipe hard drives and critical system data.
“The only good reason to [issue a kill command] is if the botnet was going to be used to do something terrible... not just to stop spam,” he said.
The BBC test also directed the infected computers to perform a denial-of-service attack on a test web site.
A quarter of all computers are part of a botnet, according to statistics from security research organisation TRACE. Despite this, most malware used to infect machines can be removed by basic anti-virus programs.
Ducklin said businesses should bolster internal security such as Network Access Controls to thwart rising attempts by botnet masters to dodge hardened external security and inject malware directly into corporate networks using infected portable devices.
He said the bot controllers, which are often Linux servers, are virtually impossible to locate.
University of New South Wales senior network administrator for the school of computer science and engineering Peter Linich previously told Computerworld Linux servers are extremely valuable for botnets because they are typically online more than 10 months of the year.
“We can't make sure users who need to administer their own computers use good passwords; a bad password choice is a damn good way to risk getting their machine compromised no matter how attentive they are to keeping their machines patched,” Linich said.
The BBC has defended media allegations that the demonstration was illegal, and said it did not pay hackers for access to the infected machines.
A list of 20 million legitimate e-mail address can cost up to $1000, according to the BBC botnet report.
Botnet masters — the masterminds behind the zombie computer networks — have received prison sentences of up to four years in recent history for using the machines to issue spam and denial of service attacks.