For years there's been talk about the value of "good samaritan" viruses or botnets, that would go out and try to delete or kill of "bad" viruses or botnets. Lots of computing experts have, reasonably, warned that the unintended consequences of such an action could be large and dangerous. Apparently, the FBI figures, why not test it out anyway? In a rather surprising move, the FBI was able to get a court order that allowed it to effectively hijack a large botnet, involving millions of computers, and send a "stop" command to all of those PCs that would disable the malware (called Coreflood).

While there are obviously good intentions here, and it's definitely a good thing to see a large malicious botnet go dark, there still are really serious concerns about this move, the legality of the move, and the risk of unintended consequences. Do we really want to set a precedent where the FBI can send commands remotely to millions of computers? And how confident are people that the FBI's programming skills won't cause problems, if not this time, at some point in the future? In the filing requesting the right to do this, the FBI even pointed out that a newer version of Coreflood had been released that morning "but that the FBI had tested the kill command against that variant and it had worked successfully." Of course, testing in the lab and deploying to millions of machines in the real world is entirely different. There are also concerns that this is an ongoing effort, since Coreflood apparently reruns every time a machine is rebooted, meaning that the FBI will have to keep sending this kill signal. And while the FBI swears up and down "that this would cause no harm to computers," how confident are you that this is really the case?

Again, I recognize the importance of trying to stop botnets and take them down. Additionally, there don't appear to be any early reports of trouble or unintended consequences from this move. But... when dealing with something like this, where the FBI is sending execution commands to millions of PCs, you have to assume that sooner or later, something bad is going to happen. Does the FBI have a technical support helpdesk to help your grandparents when it kills their computer?

A TV show on the BBC is highlighting the ongoing problem of botnets -- by acquiring one of its own and using other people's computers in it to mount a DDOS attack on a security company's web site. The BBC says it had the security company's approval to do so, and that it didn't have any criminal intent, making its action legal. But some people aren't so sure, and say that intent doesn't offer a way out under British computer law. A tech lawyer says it's unlikely the broadcaster will face prosecution because there wasn't any real harm done, but those whose computers were used in the attack might disagree and view the methods used to make a point about computer security as a bit extreme.

We're seeing a bunch of folks pointing out that evidence collected by the Washington Post's computer security writer, Brian Krebs, is basically responsible for getting that company kicked off the internet. Krebs is a fantastic reporter, so I don't doubt the story -- but I'm always a little skeptical of stories claiming that a huge percentage of spammers have been knocked offline. We see such stories every few months, and it never seems to have any real impact on the amount of spam out there. Just last month there was a report claiming that the world's largest spam operation was shut down, but the actual amount of spam flowing across the network did not decrease.

This case is a little different, in that it didn't shut down the spammers themselves, but rather a hosting company that apparently many of the largest zombie botnets relied on. However, it seems quite likely that they'll find some other hosting company that will gladly take them on and everything will be up and running again. That's not to say it's bad that these guys get taken down -- but at some point people should realize this seems like a big game of whack-a-mole, and there may be better, more efficient ways to tackle the problem.

Every so often, we see a random news story about authorities somehow arresting or shutting down some huge spam ring, and every time the articles are peppered with quotes about just how big the operation is and how much spam they send out. And, yet, every time, it never seems to do very much to dent the amount of spam that's being sent. So, again, with this week's big spam bust, all the numbers and explanations sound impressive. 35,000 computers in a botnet. Able to send 10 billion (billion, with a b) spam messages per day. The leading source of spam online in January (what, only January?). These all sound impressive, but the real question should be whether or not this does anything to decrease spam. Or will others just as quickly jump in to fill the breach?

Last year we wrote about how rival online scammer gangs had their botnets fighting each other by disabling trojans of competing botnets on their computers -- but it appears that some researchers have a different idea for creating a "good" botnet to fight the "bad" botnets being used for denial of service attacks (found via Slashdot). This is quite different than some older proposals to create "good worms" that go about automatically patching infected machines (which are wide open to abuse). Instead, the idea is rather creative. It involves setting up a distributed system of computers that effectively act as a way station for connect requests -- which then wait for the actual server to request the inbound requests. This prevents the server from being overloaded (though, I would imagine it could slow down access somewhat). Either way, it's nice to see efforts under way to stop such zombie botnets. Hopefully someone isn't sitting on a patent for such an idea and waiting to sue, like we've seen with other security measures.

Rich Kulawiec writes in to point out that security expert Dan Geer is suggesting that merchants violate the security of customers they deem as security risks. His argument is, basically, that there are two types of users out there: those who respond "yes" to any request -- and therefore are likely to be infected by multiple types of malware doing all sorts of bad things -- and those who respond "no" to any request, who are more likely to be safe. Thus, Geer says merchants should ask users if they want to connect over an "extra special secure connection," and if they respond "yes," you assume that they respond yes to everything and therefore are probably unsafe. To deal with those people, Geer says, you should effectively hack their computer. It won't be hard, since they're clearly ignorant and open to vulnerabilities -- so you just install a rootkit and "0wn" their machine for the duration of the transaction.

As Kulawiec notes in submitting this: "Maybe he's just kidding, and the sarcasm went right over my (caffeine-starved) brain. I certainly hope so, because otherwise there are so many things wrong with this that I'm struggling to decide which to list first." Indeed. I'm not sure he's kidding either, but the unintended consequences of violating the security of someone's computer, just because you assume they've been violated previously are likely to make things a lot worse. This seems like a suggestion that could have the same sort of negative unintended consequences as the suggestion others have made about creating "good trojans" that go around automatically closing the security holes and stopping malware by using the same techniques employed by the malware. Both are based on the idea that people are too stupid to cure themselves, and somehow "white hat" hackers can help fix things. Now, obviously, plenty of people do get infected -- but using that as an excuse to infect them back, even for noble purposes, is only going to create more problems in the long run. Other vulnerabilities will be created and you're trusting these "good" hackers to do no harm on top of what's been done already, which is unlikely to always be the case. No, security will never be perfect and some people will always be more vulnerable -- but that shouldn't give you a right to violate their security, even if for a good reason.

Over the last few years, we've all heard stories about how organized crime groups have taken to using botnets of "zombied" computers to run all sorts of scams and spam campaigns. ISPs have been somewhat slow to react. While they try to use fairly blunt instruments, like cutting off certain ports, many don't seem to have a very good process in place for tracking down and stopping customers whose machines have become unwitting members in a botnet. In fact, security researchers are growing frustrated that when they come across evidence of a hijacked computer, ISPs don't respond at all when told that a customer is causing trouble. There certainly are a few ISPs that are careful to help get rid of botnets, doing things like quarantining or cutting off certain users from their internet access until their machines are cleaned up, but most of the bigger ISPs don't appear to do very much at all. Of course, there is the other side of this story -- which is that when ISPs may be too proactive, it can often snag people whose machines aren't actually doing anything wrong. But, it certainly seems like completely ignoring reports with evidence of a botnet may be going to the opposite extreme.