Fighting back: Is it OK to 'Unfriend' a C & C server?

By Linda Musthaler | March 20, 2012

Posted in: Network Security Trends

It seems that illegal computer hacking has become so commonplace these days that events only make the news when they are significant. Last week’s headline was the hacking of Syrian President Bashar Assad’s email account. The group Anonymous claims credit for the attack. On the Daily Show, Jon Stewart remarked, “Finally! A hacking attack against someone who deserves it!”

I’m not going to step into the politics of Anonymous or to debate the merit of Stewart’s claims that Assad “deserves it.” I’ll leave that rhetoric to the political commentators and talk show hosts.

What I do want to talk about is the notion of hacking back in self-defense when a botnet has infiltrated your network. The idea has been thoughtfully laid out in a white paper “Hacking Back in Self-Defense: Is It Legal; Should It Be?” by David Willson.

Willson asserts that you have the right to fight back in self-defense if your computer is invaded against your will by malicious code and usurped for membership in a botnet. His position (which he says is not legal advice): “When plagued with a persistent bot, you can legally use automated code outside of your network, in specific circumstances and via specific means, to eliminate the threat in an act of self-defense of property.”

We all know how pervasive botnets are and how difficult it can be to defend against individual machines becoming bots. Willson points out that the standard operating procedure for infosec professionals to deal with bots is to “detect, block, clean up and move on.” But what if you could proactively disrupt the bot PC’s ability to communicate with the command and control (C&C) server? Willson suggests this can be done by firing back some code on the phone-home function of the bot so that when it communicates with the C&C server for instruction, the communication path is cut off. In other words, the C&C server can no longer communicate with the bot and thus cannot force it to spew spam, participate in a DDoS attack or do whatever dirty deed the hacker intends. Think of it as “unfriending” the C&C server.

That sounds reasonable, doesn’t it? The problem is, such an action might violate the law. It sounds odd to say that it might be illegal to fight fire with fire — in this case, interrupting programming that sits on a C&C server — but that’s what Willson’s argument is all about. In a nutshell, he says the U.S. Computer Fraud and Abuse Act makes it illegal for you to “intentionally cause damage without authorization” to another person’s computer. While most of us would be delighted to “cause damage” to a hacker’s computer, the fact of the matter is that the C&C server is very likely to be another unsuspecting victim’s PC.

Willson has a very convincing argument that his theory of blocking the C&C communications path to its bots is neither damaging nor illegal. He does stop short of saying bot victims should do this, but it does make one wonder why we aren’t fighting botnets in this manner. It’s “not vigilantism, but clear, forward, out-of-the-box thinking” to give infosec professionals a weapon for fighting back, he says.
