Crowdstrike, a new stealth mode start-up, demonstrated an active defense methodology live on stage at RSA. Werner Tillman, who some years ago first developed a methodology for detecting Conficker and then advocated that attack is the best form of defense, performed a live manipulation of the Kelihos botnet. He altered the C&C messaging system so that infected bots received new commands. In effect, he instructed the bots to cease communicating with the Kelihos server and instead report to a server under his own control. He also sent down a blacklist of other known Kelihos servers with which the bots should never communicate.
On a separate video screen, red dots rapidly started to appear, indicating the time and location that Kelihos bots started to communicate with Tillman’s server. Within hours that number had reached tens of thousands; all of which, according to the demonstration, had effectively been neutered. The computers concerned were still infected, but the bots had become harmless.
But it’s a grey area. It involves hacking the hackers – and that may be illegal to different degrees in different regimes. It also involves, via the C&C servers, altering the content (albeit altering malware) without prior approval on the infected computers – and that may also be illegal.
The issue was discussed in a Kaspersky Lab blog post last month. Steve Chabinsky, CrowdStrike senior VP of legal affairs and a former deputy assistant director of the FBI’s cyber division, is quoted, “The legal community is debating the full extent of offensive actions a company can take when it involves intentionally accessing a third-party system without the owner’s permission.” He noted that some interpretations of US federal law would suggest it is permissable to delete your own data if no harm is done to the network. In this instance that could be argued since it is the bot C&C altering its own data, which just leaves the C&C server hack to be questioned. It is unlikely, however, that the botherder would surface to make a formal complaint.
“Even if an action would technically violate the law if done for a criminal purpose, there is a lot of discussion about the legal defense of necessity,” continued Chabinsky. So it remains a grey area – one that is unlikely to be solved outside of the courts, and yet one that is equally unlikely to reach the courts. Meanwhile, tens of thousands of Kelihos bots have been neutered.