Ethical and Other Issues Concerning the Kraken Botnet
Something very significant from an information security point of view happened recently. Two TippingPoint employees, Pedram Amini and Cody Pierce, reverse engineered the zombie code used in the prolific Kraken botnet. They then stood up what appeared to the zombies to be a genuine Kraken command-and-control server (a sinkhole, in current terminology) and waited for zombies to connect to it. Any zombie that did so could thus be identified by its source address and, presumably, removed from the computer on which it resided. Approximately 25,000 zombies responded, at which point Amini and Pierce faced an ethical dilemma. They reasoned that the systems were already compromised; by removing the zombie code from each, they would, according to this point of view, actually be doing the owners (as well as the Internet as a whole) a favor. Others, Amini and Pierce's boss among them, took the opposing view: because the owner of each infected machine had not granted access, deleting the zombie code from it might itself constitute unauthorized access to a computer system, something forbidden by several U.S. statutes (the Computer Fraud and Abuse Act among them). They also worried that the removal might accidentally damage the compromised systems. Still others countered that failing to remove the zombie code was the worst ethical failure of all.
As I have said in an earlier blog entry, insufficient attention is paid to ethical issues in the information security arena. Predictably, then, the ethical issues surrounding the Kraken botnet seem to have drawn remarkably little notice, judging by the relatively few blog and newsgroup postings on the subject. But perhaps in this case the problem is not lack of interest in ethical issues, but rather that whether or not to remove the Kraken zombies is not as pressing an ethical question as it superficially appears to be. Removing tens of thousands of zombies would be an act performed in good faith, one that would benefit not only the owners of these systems but also the Internet as a whole. In my mind, however, the risk of damaging these systems looms as a showstopper. Removal code that has been tested on a handful of lab machines would be running on tens of thousands of machines its authors have never seen, with no way to observe what it breaks, and a zombie that is only partly removed can leave a host in a worse state than an intact one. One should not blindly perform a benevolent act; the potential benefits and downsides of every act, benevolent acts included, must be carefully weighed. Seeing the victim of a car accident lying in the road does not justify moving that person when doing so may endanger the victim's life more than leaving the victim there. The same is true of infected systems.
Ideally, Amini and Pierce should be able to hand what they collected (the source addresses and check-in times of the zombies that connected) to a central team or function responsible for Internet security, which would then notify the owners of the compromised systems and ask them whether they want their systems disinfected. A number of years ago the closest thing to such a function was CERT/CC, but CERT/CC now has a completely different mission, and no team or function has really been capable of filling this void. Unfortunately, then, what is most likely to happen with all the infected systems is, at least in the short run, absolutely nothing. This is a totally unacceptable outcome, yet it is difficult to envision any other. All this once again shows just how vulnerable the Internet is from a security standpoint and how difficult it is to improve its overall security. Perhaps some day some high-ranking government official will wake up to this reality and try to do something about it, perhaps by forming an incident response team for the Internet. Meanwhile, however, we are likely to have to go on living in frustration while botnet creators continue to act maliciously and with impunity.
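The design that stays on the defensible side of the line drawn above, a sinkhole that identifies infected hosts but never sends them anything that alters them, is small enough to show in full. The following is an added example written for this post, not TippingPoint's code or anything Amini and Pierce published, and the beacon format it accepts ("HELLO <bot id> <os tag>") and the "NOP" reply are constructed for illustration; they are not Kraken's real protocol. The interesting parts are what the server does not do: it answers only with a no-work reply, drops anything that does not speak the expected protocol without responding (so casual scanners learn nothing), and exports its sightings grouped by source address, which is the unit an ISP or abuse desk could act on if the notification function the post asks for existed.

```python
"""Passive sinkhole: record which hosts check in, never touch them."""
import socket
import socketserver
import threading
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed wire format (an assumption, not Kraken's real protocol):
# one ASCII line per check-in, "HELLO <16 lowercase hex chars> <os tag>\n".
# The reply the bot treats as "nothing to do" is likewise assumed.
NO_WORK_REPLY = b"NOP\n"


def parse_beacon(line: bytes) -> Optional[Tuple[str, str]]:
    """Return (bot_id, os_tag) for a well-formed beacon, else None.

    HTTP probes, scanners and garbage all fall out here and get no reply,
    so the sinkhole does not advertise itself.
    """
    parts = line.strip().split(b" ")
    if len(parts) != 3 or parts[0] != b"HELLO":
        return None
    bot_id, os_tag = parts[1], parts[2]
    if len(bot_id) != 16 or not all(c in b"0123456789abcdef" for c in bot_id):
        return None
    if not os_tag.isalnum():
        return None
    return bot_id.decode("ascii"), os_tag.decode("ascii")


@dataclass
class Sighting:
    bot_id: str
    os_tag: str
    peer_ip: str
    first_seen: float
    last_seen: float
    hits: int = 1


class SinkholeRegistry:
    """Thread-safe record of which (bot_id, source IP) pairs checked in."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._seen: Dict[Tuple[str, str], Sighting] = {}

    def record(self, bot_id: str, os_tag: str, peer_ip: str,
               now: Optional[float] = None) -> Sighting:
        now = time.time() if now is None else now
        key = (bot_id, peer_ip)
        with self._lock:
            s = self._seen.get(key)
            if s is None:
                s = Sighting(bot_id, os_tag, peer_ip, now, now)
                self._seen[key] = s
            else:  # same bot checking in again: count it, do not duplicate it
                s.last_seen = now
                s.hits += 1
            return s

    def count(self) -> int:
        with self._lock:
            return len(self._seen)

    def notification_report(self) -> Dict[str, List[str]]:
        """Bot ids grouped by source IP: what an ISP or abuse desk can act on."""
        report: Dict[str, List[str]] = {}
        with self._lock:
            for s in self._seen.values():
                report.setdefault(s.peer_ip, []).append(s.bot_id)
        return {ip: sorted(ids) for ip, ids in sorted(report.items())}


class BeaconHandler(socketserver.StreamRequestHandler):
    timeout = 5  # a peer that never sends its line must not pin a thread

    def handle(self) -> None:
        try:
            line = self.rfile.readline(256)
        except OSError:  # socket timeout
            return
        parsed = parse_beacon(line)
        if parsed is None:
            return  # not a bot: close silently, send nothing
        bot_id, os_tag = parsed
        self.server.registry.record(bot_id, os_tag, self.client_address[0])
        self.wfile.write(NO_WORK_REPLY)  # the only thing a bot ever receives


class Sinkhole(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address: Tuple[str, int], registry: SinkholeRegistry) -> None:
        super().__init__(address, BeaconHandler)
        self.registry = registry


def loopback_demo(beacons: List[bytes]) -> dict:
    """Run the sinkhole on 127.0.0.1 and replay constructed beacons at it."""
    registry = SinkholeRegistry()
    with Sinkhole(("127.0.0.1", 0), registry) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        replies = []
        for line in beacons:
            with socket.create_connection(srv.server_address, timeout=5) as c:
                c.sendall(line)
                replies.append(c.recv(64))  # b"" when the server said nothing
        srv.shutdown()
    return {"sightings": registry.count(),
            "report": registry.notification_report(),
            "replies": replies}


if __name__ == "__main__":
    print(loopback_demo([
        b"HELLO 0123456789abcdef winxp\n",
        b"HELLO 0123456789abcdef winxp\n",  # same bot again: hits == 2
        b"HELLO fedcba9876543210 win2k\n",
        b"GET / HTTP/1.0\r\n\r\n",          # a scanner, not a bot: no reply
    ]))
```

Run from the loopback demo, the two real beacons and the repeat produce two sightings under 127.0.0.1 and three "NOP" replies, while the HTTP probe gets an empty reply and no entry. A real deployment would bind the address the bots resolve, write the registry out periodically, and rate-limit per source address, but nothing in it should ever grow a code path that sends a host a command.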