Home / Blogs

Are Botnets Run by Spy Agencies?

A recent story today about discussions for an official defense Botnet in the USA prompted me to post a question I've been asking for the last year. Are some of the world's botnets secretly run by intelligence agencies, and if not, why not?

Some estimates suggest that up to 1/3 of PCs are secretly part of a botnet. The main use of botnets is sending spam, but they are also used for DDOS extortion attacks and presumably other nasty things like identity theft.

But consider this — having remote control of millions of PCs, and a large percentage of the world's PCs seems like a very tempting target for the world's various intelligence agencies. Most zombies are used for external purposes, but it would be easy to have them searching their own disk drives for interesting documents, and sniffing their own LANs for interesting unencrypted LAN traffic, or using their internal state to get past firewalls.

Considering the billions that spy agencies like the NSA, MI6, CSEC and others spend on getting a chance to sniff signals as they go over the wires, being able to look at the data all the time, any time as it sits on machines must be incredibly tempting.

And if the botnet lore is to be accepted, all this was done using the resources of a small group of young intrusion experts. If a group of near kids can control hundreds of millions of machines, should not security experts with billions of dollars be tempted to do it?

Of course there are legal/treaty issues. Most "free nation" spy agencies are prohibited from breaking into computers in their own countries without a warrant. (However, as we've seen, the NSA has recently been lifted of this restriction, and we're suing over that.) However, they are not restricted on what they do to foreign computers, other than by the burdens of keeping up good relations with our allies.

However, in some cases the ECHELON loophole may be used, where the NSA spies on British computers and MI-6 spies on American computers in exchange.

More simply, these spy agencies would not want to get caught at this, so they would want to use young hackers building spam-networks as a front. They would be very careful to assure that the botting could not be traced back to them. To keep it legal, they might even just not take information from computers whose IP addresses or other clues suggest they are domestic. The criminal botnet operators could infect everywhere, but the spies would be more careful about where they got information and what they paid for.

Of course, spy agencies of many countries would suffer no such restrictions on domestic spying.

Of all the spy agencies in the world, can it be that none of them have thought of this? That none of them are tempted by being able to comb through a large fraction of the world's disk drives, looking for both bad guys and doing plain old espionage?

That's hard to fathom. The question is, how would we detect it? And if it's true, could it mean that spies funded (as a cover story) the world's spamming infrastructure?

This has been a featured post from Brad Templeton's blog Brad Ideas.

By Brad Templeton, Electronic Frontier Foundation (EFF) Boardmember, Entrepreneur and Technologist

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


Re: Are Botnets Run by Spy Agencies? By Sven Meyer  –  May 14, 2008 3:00 am PDT

Actually, they do demand it openly: "Carpet bombing in cyberspace" http://www.armedforcesjournal.com/2008/05/3375884

Re: Are Botnets Run by Spy Agencies? By Gary Osbourne  –  May 15, 2008 2:07 am PDT

It gets worse, what if it was organized crime, instead of or in addition to spy agencies, engaging in such activities, which of course they are. Spy agencies are normally engaged in criminal activity too, so that's not what makes it worse.

What makes it worse is that ICANN has allowed itself on various levels including registrars and the DNS itself to be increasingly co-opted by organized crime. ICANN's insatiable hunger for money is largely to blame, and criminals have long known how to exploit such a weakness. Read this current article on ICANNWatch.org and follow the link in Fergie's subsequent comment, or my more accurate link to RBNBlog which follows. This is going to turn out badly. -g

Re: Are Botnets Run by Spy Agencies? By Suresh Ramasubramanian  –  May 18, 2008 4:53 am PDT

Ah, the negative fallacy.  http://en.wikipedia.org/wiki/Negative_proof

The last major FUD campaign from the EFF was of course the Dearaol astroturfing, and that, I see, is dead in the water since 2006.

I am gratified to note that the EFF hasn't lost its touch in the active propagation of FUD.

Re: Are Botnets Run by Spy Agencies? By Alessandro Vesely  –  May 24, 2008 3:43 am PDT

The PC I'm currently using has a non-zero likelihood of being "owned". That's not FUD, it is a realistic possibility that all users should consider, and take measures to prevent. Attacks may credibly come from spammers rings, marketing raiders, mafia, or governmental agencies: It doesn't really make a practical difference as far as countermeasures are concerned.

A user's ability to thoroughly analyze the system makes a difference. With the possible exception of a few skilled users, we need software tools that we can trust. If attacks might come from the system vendors, that would make a difference.

A fundamental question, when it comes to intrusion detection, is where exactly lies the boundary. I've always regarded the territory inside the home walls as mine. For the wire, one can host it up to an "external" router or appliance that does some filtering. In this respect, it is peculiar that DVD players and similar objects, e.g. Vista, are not designed to obey to their owner. As a further example, most firewall software on Windows is designed to grant permissions on a per executable basis, assuming that it is customary to have untrusted software installed inside the system. If we can get by with that, why don't we accept that we can be spied upon by either the government directly, or some agent that may stand with it? Living versus being battery-raised.

brilliant, and scary, and possibly already TRUE By Stephen Douglas  –  Jun 15, 2008 3:21 am PDT

It's funny that nobody else has brought this up. This is a brilliant and informative article that should be in the mainstream news media. Great job. Remember who is Pres of the US.  GW BUSH. And his cohort, the evil Dick Cheney. Using young hackers, under threat of prosecution, the intelligence agencies of the US and Britain and other allies could put together a team of young hackers who could literally suck up billions of megabytes of data, to be filtered and reviewed. Think of political enemies using these resources to eliminate opponents. Think of the dirt they could dig up on political enemies and use against them to remove them from office.  Think of the "Information Oppression" movement that could be utilized. This is a whole new area of fear…

but, hey, Nashville Stars is on so I don't have time to think about it.

Add Your Comments

 To post your comments, please login or create an account.




Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPXO

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byAppdetex

Domain Management

Sponsored byMarkMonitor