Sign up to our newsletter
[Update: if this post is of interest to you, you may also find Kevin Townsend's commentary of interest, though the title seems a little misleading to me. While I'm not altogether comfortable with the fact that the message is a little too reminiscent of fake AV, I don't see how you can describe an application that does exactly what it says on the tin as a Trojan. As the late Simon Widlake might have said.]
Long-time readers may recall that I was rather critical last year, here and elsewhere, of the way in which the BBC played footsie with the bad guys, in contravention of OFCOM directives and, arguably, the UK's Computer Misuse Act, by paying a criminal a significant sum in exchange for control of a botnet, with the intention of demonstrating how spam and botnets work. While I wasn't at all against drawing public attention to these matters, I was (like many others) far from convinced that the Click programme's skating on ethically and legally thin ice was justifed.
One of the issues raised at the time was the fact that having finished with their botnet, the Beeb notified the owners of the compromised systems that they needed to secure their systems, by changing their wallpaper to show a warning message. Not a malicious action in intent, but probably a technical breach of the Computer Misuse Act (and other laws in other countries that criminalize unauthorized access and/or unauthorized modification.
The question has been posed by Eddy Willems among others since as to whether the Dutch High Tech Crime Unit was justified in using the Bredolab botnet to send a program to the owners/users of infected machines advising them that:
"Users of computers with viruses from this network will receive a notice at the time of next login with information on the degree of infection."
I can't give an authoritative answer to that. It's likely that there has been a technical breach in countries that have legislation like the CMA, though I can't imagine that many people would want to put the Dutch police in the dock. On this issue, at any rate. :)
Perhaps there was contact between law-enforcement agencies on this that established that there would be no comeback. After all, I'd expect the UK's Crown Prosecution Service to be in close contact with UK police forces on such matters, and the Dutch unit has a lot of experience in these matters (and for that matter, doesn't stand accused of putting money into the pockets of organized crime). Still, such legal complications are easier to handle where there is harmonization between the affected countries: for example, many European countries have Data Protection legislation based on the same EC Directive.
Computer Misuse Act: http://www.opsi.gov.uk/acts/acts1990/ukpga_19900018_en_1
Legal commentary from Pinsent Mason: http://www.out-law.com/page-9863
My comment on the legal commentary: http://www.eset.com/threat-center/blog/?p=713
Author David Harley, ESET