Kurt Wismer at antivirus rants posts a thoughtful follow-up to my benevolent bots post. He probably does a better job than I did explaining the risk of this "benevolence." I agree entirely that as soon as you perform some operation with the bot, either taking advantage of its native capabilities or dropping a new executable on the compromised system, then you are no longer benevolent.
What is more interesting to me is how you might use the passive takeover of a control server (the way F-Secure and the German researchers did) to further security. In that model the takeover is really a detection mechanism, which then communicates with a responder that is already authorized on the same client.
For example, Symantec could intercept communications at the botnet server level through passive takeover (I don't support actively hacking a botnet server unless given explicit authorization by some authority) and then either set up its own version of a "real-time blackhole list" for compromised clients and/or communicate with those clients it has an agent on to respond to the problem.
This still doesn't eliminate the problem of false accusation should someone replace a botnet server…
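As an added illustration of the detection side of that idea (example code written for this post, not anything F-Secure, Symantec, or the researchers mentioned actually run), the script below turns a sinkhole log from a passively taken-over control server into a blocklist that a client-side agent could query. The log format, the `/gate.php` check-in path, the IP addresses, and the thresholds are all constructed for the example. It requires more than one check-in from a client before listing it and expires stale entries, which cuts down on noise from scanners and one-off hits, though it does not by itself solve the false-accusation problem raised above: whoever controls the server, or whoever replaces it, controls what the log says.

```python
"""Sinkhole log -> compromised-client blocklist (hypothetical example).

Models the 'passive takeover' idea: once a C2 host is sinkholed, every
client that keeps phoning home identifies itself as compromised. The
sinkhole log is aggregated into a listing that a local responder agent
can look up before deciding whether its host needs attention.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed check-in path for the (fictional) bot family being sinkholed.
# Hits on other paths are treated as scanners or researchers, not bots.
C2_CHECKIN_PREFIX = "/gate.php"

# Constructed sinkhole log: timestamp, client IP, C2 host, request path.
SINKHOLE_LOG = """\
2008-03-01T10:00:00 10.0.0.5 c2.example.invalid /gate.php?id=bot1
2008-03-01T10:05:00 10.0.0.5 c2.example.invalid /gate.php?id=bot1
2008-03-01T10:07:00 10.0.0.9 c2.example.invalid /gate.php?id=bot2
2008-03-01T10:09:00 192.0.2.77 c2.example.invalid /gate.php?id=bot3
2008-03-01T11:00:00 10.0.0.5 c2.example.invalid /gate.php?id=bot1
2008-03-01T11:30:00 203.0.113.8 c2.example.invalid /
"""


@dataclass
class Sighting:
    when: datetime
    client: ipaddress.IPv4Address
    path: str


def parse_sinkhole_log(text):
    """Parse the four-column constructed log format into Sighting records."""
    sightings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _host, path = line.split()
        sightings.append(Sighting(datetime.fromisoformat(ts),
                                  ipaddress.ip_address(ip), path))
    return sightings


def build_blocklist(sightings, min_checkins=2, window=timedelta(hours=24)):
    """List a client only if it made >= min_checkins bot check-ins within
    `window` of its most recent one. A single hit is not enough: it may be
    a scanner, a spoofed request, or a researcher poking the sinkhole."""
    by_client = defaultdict(list)
    for s in sightings:
        if s.path.startswith(C2_CHECKIN_PREFIX):
            by_client[s.client].append(s.when)
    listing = {}
    for client, times in by_client.items():
        times.sort()
        last = times[-1]
        recent = [t for t in times if t >= last - window]
        if len(recent) >= min_checkins:
            listing[str(client)] = {"first_seen": times[0],
                                    "last_seen": last,
                                    "checkins": len(times)}
    return listing


def expire(listing, now, ttl=timedelta(days=7)):
    """Drop entries not seen within `ttl`, so a cleaned machine falls off
    the list instead of being accused forever."""
    return {ip: rec for ip, rec in listing.items()
            if now - rec["last_seen"] <= ttl}


def is_listed(listing, ip):
    """Query a responder agent would make for its own public address."""
    return str(ipaddress.ip_address(ip)) in listing


if __name__ == "__main__":
    listing = build_blocklist(parse_sinkhole_log(SINKHOLE_LOG))
    for ip, rec in listing.items():
        print(ip, rec["checkins"], "check-ins, last", rec["last_seen"])
```

With the constructed log, only 10.0.0.5 (three check-ins) is listed; 10.0.0.9 and 192.0.2.77 each hit the sinkhole once and stay off the list, and 203.0.113.8 never requested the bot path at all. Lowering `min_checkins` to 1 trades that conservatism for faster notification, which is exactly the false-positive dial an operator of such a list would have to justify.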
I have no intention of being the one who seizes control of an evil botnet in order to fix the remote machines. I don’t want that legal hassle.
But if someone else did it? I say go for it. These machines are all compromised already. Even if they were all blue-screened so as to require a reinstall, we would have short-term pain, but in the long term people would be less likely to let their machines become bots that are used to attack third parties.