TechReviewAl writes "Researchers at the University of California at Santa Barbara hijacked the Mebroot botnet for about a month and used it to study drive-by downloading. The researchers managed to intercept Mebroot communications by reverse-engineering the algorithm used to select domains to connect to. Mebroot infects legitimate websites and uses them to redirect users to malicious sites that attempt to install malware on a victim's machine. The team, who previously infiltrated the Torpig botnet, found that at least 13.3 percent of systems that were redirected by Mebroot were already infected and 70 percent were vulnerable to about 40 common attacks."
I've never really understood the whole Mac vs. Windows debate, and it's even more pointless now that you can have Mac, Win, and Linux running on the same box at the same time. Now, vi vs. emacs is a legitimate jihad.
Leave it to people who exploit pcs to get sloppy enough to leave the kitchen door unlocked.
It's more like carjacking a carjacker's own personal vehicle. News or no news, it's a ray of sunshine that reminds us that this universe still has a balance. And it's got a sense of humor.
I think the same idea came up when this group hijacked the Torpig net, and quite probably on several other similar occasions. Unfortunately, that opens up a whole new can of worms, if you'll excuse the pun. Specifically, if they issue commands for a botnet to shut itself down, or try to patch a vulnerable system, then they potentially become liable for whatever might go wrong. What if that vulnerable system was responsible for something critical and hadn't been patched because the patch broke the application, for instance?
I didn't say "don't fix the issue", just that there are occasions where you can't immediately apply a patch, no matter how desirable it might be. Sadly this scenario does happen from time to time and particularly so with enterprise applications, where "enterprise" is defined as "very expensive software with only a comparatively small number of customers and an even smaller group of developers". It's not just expensive, non-COTS applications either. Case in point Microsoft's DLL Hell v2.0 [slashdot.org] issue. Equally
This liability excuse sounds like bullshit. Who is liable for a zombie? Let's do a little metaphor:
Richard Kemmerer, one of the authors, gave a Tech Talk at Google titled "How to Steal a Botnet and What Can Happen When You Do." The video of the talk [youtube.com] is available on YouTube.
You mean colleges and universities are held to a double standard? Blasphemy! Next you'll be trying to tell me that politicians and government officials are held to a double standard...
This is more like intercepting and recording the conversations had among a network of criminals, which yields a lot of good insights into how these organizations operate. This can be extremely valuable information if it's forwarded to appropriate law enforcement personnel, who don't always have the technical talent or resources to conduct investigations like this in the first place.
There have been studies on how far people travel daily/weekly/monthly. To do so, the study used thousands of people's locations based on cellphones. The participants of the study were fully unaware that they were being tracked for months. At least this one isn't scary...
70% (Score:3, Funny)
Re: (Score:3, Informative)
From TFA: "The next two most popular operating systems were Mac OS X 10.4 'Tiger' and Mac OS X 10.5 'Leopard,' which accounted for 6.4 percent of all visitors."
This means that exploit JavaScript code has been tuned to target vulnerabilities in Safari as well with code on the main exploit servers (the ones which initiate the drive by downloads) targeting vulnerabilities in some Apple Mac OS versions. The Mebroot gang is apparently among the more sophisticated bot net operators (i.e. they support alternative
Re:70% (Score:5, Funny)
((vi is better))
Re: (Score:2)
((vi is better))
VI VI VI is the number of the beast!
Re: (Score:3, Funny)
Now, vi vs. emacs is a legitimate jihad. ((vi is better))
Sure, that's because you haven't figured out elisp. It should be
(setq vi better)
or
(setq is-vi-better (better vi emacs))
Re: (Score:3, Informative)
Uhhh no.
The article doesn't state which OSes were infected, just how many users were directed to the point of infection.
Mebroot doesn't infect OS X.
Re:70% (Score:4, Informative)
This means that exploit JavaScript code has been tuned to target vulnerabilities in Safari as well
No, it means that the infected websites redirected visitors including Mac users. They were victims of redirection only at that point. It's the sites that people got redirected to that did the actual user-machine infecting. The article only says that six vulnerabilities were targeted but it doesn't say which. Mebroot (Master Boot Record Rootkit) is Windows based and isn't new.
"Using a variety of methods, the criminals behind Mebroot infect legitimate Web servers with Javascript code. The code redirects visitors to a different Internet domain, which changes every day, and where a malicious server attempts to compromise their computer with a program that provides the botnet's owners with remote control over that machine."
I'm not an expert, but the Mebroot description at F-Secure appears to show Windows systems as the target. Of course other mutations could potentially be created to target vulnerabilities on OS X or other platforms, but once in it couldn't just install the same Windows rootkit.
(below from F-Secure, not article)
http://www.f-secure.com/weblog/archives/00001393.html [f-secure.com]
The actual site hosting the exploit code utilizes the following exploits:
Microsoft Data Access Components (MDAC) Function vulnerability (MS06-014)
AOL SuperBuddy ActiveX Control Code Execution vulnerability (CVE-2006-5820)
Online Media Technologies NCTsoft NCTAudioFile2 ActiveX Buffer Overflow (CVE-2007-0018)
GOM Player "GomWeb3" ActiveX Control Buffer Overflow (CVE-2007-5779)
Microsoft Internet Explorer WebViewFolderIcon setSlice (CVE-2006-3730)
Yahoo! JukeBox datagrid.dll AddButton() Buffer Overflow
DirectAnimation.PathControl KeyFrame vulnerability (CVE-2006-4777)
Microsoft DirectSpeechSynthesis Module Remote Buffer Overflow
from article:
"The researchers also discovered that nearly 70 percent of those redirected by Mebroot--as classified by Internet address--were vulnerable to one of almost 40 vulnerabilities regularly used by the most popular infection toolkits designed to compromise computer systems. About half that number were vulnerable to the six specific vulnerabilities used by the Mebroot toolkit."
For things that have been fixed, I think Mac users are generally a bit better about having OS and browser updates. Of course, like everyone else, they can still significantly reduce risk by disabling browser functionality except when needed (as with NoScript and Firefox).
I'm concerned updates in other applications may be missed not only by users, but even developers.
VLC promptly was updated for some vulnerabilities in underlying ffmpeg code, but users aren't always good about keeping VLC up to date (the older version for OS X 10.4 got an update as well as the current release).
There are many video conversion, DVD assembly and other programs built on Windows and OS X using ffmpeg behind the scenes. In some cases the developers make little or no mention of it (LGPL/GPL compliance is a problem too). These programs don't seem to be getting the newer ffmpeg builds that address the problems.
http://secunia.com/advisories/36805 [secunia.com]
Karma at its finest (Score:2, Insightful)
Maybe (Score:2)
Maybe they were able to break into it because (dun dun dun) they wrote it!
Isn't that how things work in all those lousy movies with some kind of computer virus in them.
Or that Mac virus can infect alien computers
Great idea, narrowly averted (Score:2)
Re: (Score:2)
Yes, many times, and each time it's shot down based on the liability issues around forcibly patching other people's computers without their consent.
Re: (Score:3, Informative)
Read the article. They didn't gain control of the botnet.
Re: (Score:3, Insightful)
Re:Great idea, narrowly averted (Score:4, Funny)
What if that vulnerable system was responsible for something critical and hadn't been patched because the patch broke the application, for instance?
Ah, I've seen you've read the Admin Handbook: "Even if your critical system has been compromised and is a zombie in some malicious botnet, do not patch the vulnerability if the patch might compromise your critical system."
/sarcasm
yes, if it's not broken, don't fix it... then again, your definition of broken appears to be broken
Re: (Score:3, Insightful)
Re:Great idea, narrowly averted (Score:5, Informative)
Yes.
They didn't exactly hijack the botnet. They just hijacked its reproductive system. RTFA.
It spreads by a javascript which the criminals were able to inject into innocuous sites. This javascript sent visitors to an auto-generated URL which was registered by the botnet owners. This URL hosted the actual exploit which attempted to attack vulnerable visitors who landed there from the javascript. The URL changed every day, but by predicting it, the researchers were able to register domains before the botnet owners. As a result, victims of the drive-by javascript landed on the researchers' server instead of the botnet owners' servers. Needless to say, the researchers didn't attack the visitors and exploit their machines, but they did do some profiling to find out what sort of computers were hitting their server and how many of the visitors were unpatched, vulnerable boxes.
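The mechanism described above (predict the day's rendezvous domain, register it first, then profile who lands on your sinkhole), as an added example that is not the researchers' code and does not use Mebroot's real generator: a hypothetical date-seeded domain generator stands in for the reverse-engineered one, and the rest is the defender side, precomputing upcoming domains for sinkhole registration or blocklisting, matching constructed proxy log lines against them, and tallying redirected clients by OS from their User-Agent.

```python
import hashlib
import re
from collections import Counter
from datetime import date, timedelta

# Hypothetical date-seeded generator. This is NOT Mebroot's real algorithm;
# it only stands in for the reverse-engineered one the researchers used.
TLDS = ("com", "net", "biz")
SEED = b"hypothetical-seed"  # constructed value, not taken from any real sample


def predicted_domains(day, count=3):
    """Domains the redirector would use on `day`. Deterministic, so anyone
    holding the algorithm computes the same list ahead of time."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        out.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return out


def upcoming_domains(start, days):
    """Map each domain for the next `days` days to the day it goes live:
    the list a defender would pre-register (sinkhole) or blocklist."""
    table = {}
    for n in range(days):
        d = start + timedelta(days=n)
        for dom in predicted_domains(d):
            table[dom] = d
    return table


# Constructed log format: <ts> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def host_of(url):
    """Lower-cased host part of a URL, scheme, port and path stripped."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()


def flag_redirects(log_lines, watchlist):
    """Return (client_ip, host, live_day, user_agent) for every request whose
    host is one of the predicted domains; other lines are ignored."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, ip, _method, url, _status, ua = m.groups()
        host = host_of(url)
        if host in watchlist:
            hits.append((ip, host, watchlist[host], ua))
    return hits


def os_family(user_agent):
    """Coarse OS bucket from the User-Agent, the way a sinkhole tallies visitors."""
    ua = user_agent.lower()
    if "windows" in ua:
        return "Windows"
    if "mac os x" in ua:
        return "Mac OS X"
    if "linux" in ua:
        return "Linux"
    return "Other"


def profile(hits):
    """Count redirected clients per OS family, one entry per client IP."""
    seen = {}
    for ip, _host, _day, ua in hits:
        seen.setdefault(ip, os_family(ua))
    return Counter(seen.values())


START = date(2009, 9, 14)          # constructed start date
WATCH = upcoming_domains(START, 7)  # 7 days x 3 domains to pre-register
_today = predicted_domains(START)[0]
_tomorrow = predicted_domains(START + timedelta(days=1))[1]

# Constructed sample lines: two redirected visitors, one ordinary request.
SAMPLE_LOG = [
    f'2009-09-14T10:01:02 198.51.100.7 GET http://{_today}/index.php 200 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    f'2009-09-14T10:03:44 203.0.113.9 GET http://{_tomorrow}/ 200 '
    '"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8) Safari/530.19"',
    '2009-09-14T10:04:10 198.51.100.7 GET http://www.example.com/news 200 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]

if __name__ == "__main__":
    for dom, d in sorted(WATCH.items(), key=lambda kv: kv[1]):
        print(d, dom)
    hits = flag_redirects(SAMPLE_LOG, WATCH)
    for hit in hits:
        print("redirect hit:", hit)
    print(profile(hits))
```

Swap in the actual reverse-engineered generator for `predicted_domains` and the rest of the pipeline is unchanged; the watchlist is also usable as a plain blocklist on a web proxy.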
Re:Great idea, narrowly averted (Score:4, Insightful)
Rob Zombiemaster is robbing a bank. During the robbery, in a failed attempt to stop it, a guard shoots and misses Zombiemaster and hits the bank president in the head, killing him instantly, but also causing him to drop his cigarette into some flammable solvent someone was working with in the vicinity. The bank goes up in flames and burns down the whole block, killing everyone except Rob Zombiemaster and the guard. Zombiemaster escapes clean, with the money, and never killed anyone. The guard tells the authorities the tragic truth about his actions.
With whom does the liability for this catastrophe lie? With the guard? He did kill his boss and everyone on the block except the robber, so that's a reasonable assumption, though wrong. The liability for the deaths and property destruction still rests squarely on the shoulders of the wily Rob Zombiemaster, who, upon capture, will promptly be charged with multiple counts of murder long before he's charged with mere bank robbery. The guard gets off scot-free.
Those lawyers sound more like lazy CIOs, but with no law degree, and less balls.
Re: (Score:2)
Sure, it certainly makes sense when you explain it out like that, but that doesn't mean that a family member of one of the innocent people who died isn't going to decide that they deserve money as compensation for their emotional pain and anguish. Zombiemaster is nowhere to be found, so they decide they're going to sue the bank, and the guard.
I would certainly argue that the guard isn't guilty of any wrongdoing, at least from a morality point of view. But when the law considers liability, we're not talking
Go after the software companies (Score:5, Informative)
Often, these bot nets are designed to install software for commission. The company paying the commission should be held accountable. They can play dumb and claim that they didn't know it was being installed in this manner, sure. But it would be fairly simple to make it so the installed software makes itself known to the user. It would be fairly simple to make it easy to un-install as well.
I know there are ways around it. But, it'd be great to see the companies selling the products that are making revenue to be accountable. They are enabling it. And they know it.
Re: (Score:3, Interesting)
Re: (Score:3)
Why sugar coat it like that?
They're paying for it. And they know it.
This could be avoided. (Score:4, Interesting)
Think of all the illegal copies of Windows....now imagine that overnight they were to offer a special deal for those with an illegal copy of Windows. Buy a license from us for 6 months at $50,
rechargeable every 6 months after that...at least everybody and their grandmother would get the first 6 months, get their updates, be rid of 90% of viruses and problems, getting rid of 3/4 of the botnets out in the wild, and then when it came to the next 6 months, Microsoft would have made their money already, the people will probably revert back to being non legal, with no ill effects, except for those talked into keeping their copies legit for further patches. The people that did buy legal copies would not have anything to bitch about, as these were not legit copies and revert back to being bad people...which most owning a legit copy do not want to be branded...
everybody wins.
Re: (Score:3, Insightful)
Re: (Score:3, Funny)
Hats off to the UCSB guys (Score:5, Insightful)
They have some serious cojones to be messing with dangerous organised criminals. Good on 'em and I hope they keep fighting the good fight -- and not come unstuck. They are stepping on the toes of some seriously ugly, violent people.
Video of the Tech Talk by these Researchers Here (Score:5, Informative)
Re:arrest them (Score:5, Insightful)
so universities can break the law but common criminals can't? reminds me of nazi/japanese experiments on humans in the name of 'science'.
Really? Intercepting a botnet reminds you of experiments leading to the deaths and suffering of thousands of helpless adults and children? No, I see your point, exactly the same thing.
Re: (Score:2)
I used to have a rather gruesome book detailing some of those experiments, and while I don't think a lot was gained by transplanting spare heads onto victims &c., I understand that the data from dropping "test subjects" into ice water to see how long it took them to die has been quite valuable for things like Naval Air rescue planning. Always look on the bright side, mate.
Re:arrest them (Score:5, Insightful)
so universities can break the law
They broke the law? Citation needed.
Oh wait... you didn't even RTFA.
Re:arrest them (Score:4, Funny)
It's the principle of the thing. Botnet creators are entitled to a reasonable expectation of privacy, under the law, right? Besides, if it were YOUR botnet they were infiltrating, you would be pissed, too.
Re: (Score:2)
Oh, you weren't trying to be funny? "legally copyrighted software produced by bot net authors"? How exactly did they copyright anything, and how was it legal?
Re: (Score:2)
oh... sorry about the multiple replies, I didn't notice that you were the parent author for both posts.
I am pointing out that it is a crime, not that it should be a crime.
No law broken here (Score:2)
RTFA. Researchers registered domains that were next in line to receive messages from the infected machines, and listened to what was coming in.
Wow... (Score:2)
so universities can break the law but common criminals can't? reminds me of nazi/japanese experiments on humans in the name of 'science'.
Wow... you put the "Hyper" in hyperbole.
I think you pulled enough G's ( unit: Godwin ) there to create a cognitive singularity.
Re: (Score:3, Insightful)
Re:Like stealing illicit drugs? (Score:5, Insightful)
Strikes me that this is a "crime" somewhat akin to stealing money from a drug dealer. Sure, I guess you are doing something "illegal" since it's not your money, but it's not like the drug dealer is going to report you to the police...
Announcing this activity publicly doesn't strike me as particularly prudent, even if it is valuable information...
Not even that. There is absolutely no personal gain for them in this. Even stealing the money has a gain and this experiment neither hurts nor benefits anybody. It's a completely neutral act not to be trolled into some nonsensical parallel about murder or theft.
Re: (Score:3, Interesting)
The information gained doesn't benefit them? Why else did they do this, then? Benefit isn't just cash, you know. Anything that provides an advantage is a 'benefit'...
Re:Like stealing illicit drugs? (Score:4, Informative)
The law criminalizes behavior, not intent. Intent is no longer necessary to be convicted in the United States.
I'm not sure how many juries you've been on, but when I was on a jury 2 weeks ago for a criminal case the judge made it explicitly clear several times that we could only find the defendant guilty if evidence showed, beyond a reasonable doubt, that he intended to commit the crime (theft). In fact, intent is part of the definition of theft, which needs to be met in order to find someone guilty.
Civil cases are held to a lower standard, but criminal cases require "beyond a reasonable doubt". In fact, the very reason why he was found not guilty is because the prosecutor could not prove intent in a way that satisfied the indictment. It's extremely difficult to prove intent, the prosecutor was able to show intent to commit the crime several months after the crime was allegedly committed, but because of the wording of the indictment we could not find evidence of intent when the specific events happened. The prosecutor understood why we reached the verdict we did.
That sounds a little vague, I'll be happy to go into details of the trial if you're interested.
Re: (Score:3, Informative)
I'm not sure how many juries you've been on, but when I was on a jury 2 weeks ago for a criminal case the judge made it explicitly clear several times that we could only find the defendant guilty if evidence showed, beyond a reasonable doubt, that he intended to commit the crime (theft). In fact, intent is part of the definition of theft, which needs to be met in order to find someone guilty
That's true of theft, and any other crime where "mens rea" is a criminal element. There are crimes of strict liabilit
Re: (Score:3)
How about that?
Re:Like stealing illicit drugs? (Score:5, Interesting)
It was a case where one guy was buying a car from another guy, paid for it, and never got it. There was no evidence which showed that the seller intended to keep the money and the car at the time the money changed hands. So, according to the indictment he did not steal the money. They showed intent several months later when he modified the car (you wouldn't modify a car unless you considered it yours), but the indictment clearly stated that he was being charged for theft by intending to deprive the buyer of his property (money) when he took the payment, not several months down the line whenever he decided to keep the car. If the state had worded the indictment differently so that we could establish intent at a later date then he would have been found guilty.
Re: (Score:3, Insightful)
It's more like a private investigation of a crime , finding proof and then making it public.
This is something journalists do all the time.
Re: (Score:2)
No, they shouldn't restrict themselves.
They're fucking heroes.
Did they do bad by manipulating the botnet? Sure. Tsk tsk.
Can they crack that egg and get rid of it now? Yeah. The sad thing is they'll need some court order to do it, rather than take the leech offline and be done with it. I wish they could trace route it so that a little drone could drop by the instigator's address with a payload of green goo.
Sounds like a testosterone reaction but consider just how many machines are bot'd these days and how rot
Re:Like stealing illicit drugs? (Score:5, Insightful)
Re: (Score:3, Interesting)
Re: (Score:2)
I RTFA'd (shocking, yes) and – now I'm no expert, but – I don't think they did break any laws.
Re: (Score:3, Interesting)
They violated the DRM placed on the legally copyrighted software produced by bot net authors. They committed a US federal felony according to the DMCA.
Re: (Score:2)
Did the EULA forbid reverse-engineering? If so these guys could be in a lot of trouble.
Re: (Score:2)
Agreed.
One caveat though...
If the research is being accomplished by intercepting information being sent to their own computer, then it is completely legal.
Having said that, I disagree with publication for two reasons:
1. It can alert the botnet operators, and in such a case disclosure could very well be interpreted as obstructing an investigation.
2. Overzealous prosecutors may decide to pounce.
Re: (Score:2)
RTFA -- they hijacked the domains where the drive-by download exploits were stored, not the botnet itself.
Also, they were emulating a browser, because the javascript based "drive-by" is 100% browser based (ie, you don't get infected if you're not browsing a compromised website).