Are botnets run by spy agencies?

A recent story today about discussions for an official defense Botnet in the USA prompted me to post a question I've been asking for the last year. Are some of the world's botnets secretly run by intelligence agencies, and if not, why not?

Some estimates suggest that up to 1/3 of PCs are secretly part of a botnet. The main use of botnets is sending spam, but they are also used for DDOS extortion attacks and presumably other nasty things like identity theft.

But consider this -- having remote control of millions of PCs, and a large percentage of the world's PCs seems like a very tempting target for the world's various intelligence agencies. Most zombies are used for external purposes, but it would be easy to have them searching their own disk drives for interesting documents, and sniffing their own LANs for interesting unencrypted LAN traffic, or using their internal state to get past firewalls.

Considering the billions that spy agencies like the NSA, MI6, CSEC and others spend on getting a chance to sniff signals as they go over the wires, being able to look at the data all the time, any time as it sits on machines must be incredibly tempting.

And if the botnet lore is to be accepted, all this was done using the resources of a small group of young intrusion experts. If a group of near kids can control hundreds of millions of machines, should not security experts with billions of dollars be tempted to do it?

Of course there are legal/treaty issues. Most "free nation" spy agencies are prohibited from breaking into computers in their own countries without a warrant. (However, as we've seen, the NSA has recently been lifted of this restriction, and we're suing over that.) However, they are not restricted on what they do to foreign computers, other than by the burdens of keeping up good relations with our allies.

However, in some cases the ECHELON loophole may be used, where the NSA spies on British computers and MI-6 spies on American computers in exchange.

More simply, these spy agencies would not want to get caught at this, so they would want to use young hackers building spam-networks as a front. They would be very careful to assure that the botting could not be traced back to them. To keep it legal, they might even just not take information from computers whose IP addresses or other clues suggest they are domestic. The criminal botnet operators could infect everywhere, but the spies would be more careful about where they got information and what they paid for.

Of course, spy agencies of many countries would suffer no such restrictions on domestic spying.

Of all the spy agencies in the world, can it be that none of them have thought of this? That none of them are tempted by being able to comb through a large fraction of the world's disk drives, looking for both bad guys and doing plain old espionage?

That's hard to fathom. The question is, how would we detect it? And if it's true, could it mean that spies funded (as a cover story) the world's spamming infrastructure?


There is one other thing that would be too easy for a spy agency to buy off that it is hard to fathom that it hasn't happened: adding some kind of hook to popular closed-source operating systems to leak confidential information into covert channels. The effort required to modify kernel source code so that e.g., passwords or something are encoded into the output of some pseudorandom number generator used for picking e.g., TCP sequence numbers is low enough that a competent coder involved in the process between when the source code is checked out to do the production build and executing the makefile could slip it in with very low probability of detection and nobody would be any the wiser. If spy agencies can spend billions on covert spy satellite programs, surely they can spend a couple million to buy off a programmer involved in production builds to slip in carefully chosen patches. The presence of spy agencies in the world today with these kind of budgets almost guarantees that closed source products (and pre-built open source products) have backdoors. They would be stupid not to.

It follows that if you don't compile your own stuff, you're stuff is probably backdoored. On the positive side, keeping this stuff secret is almost certainly enough of a priority that the spy agencies will probably be keeping your secrets (unless you are doing something they are directly interested in) and third party crackers will probably not be any the wiser.

But in fact it might be simpler to just assure there are security flaws, and then build the botnets, or have them built by your front organizations, which are of course not in the USA. Or just exploiting those that are already there.

Directly compromising Windows is a dangerous thing for the NSA to do. Aside from the fact it is still not supposed to operate inside the USA at all, this could hurt the security of Americans against foreign spies. In fact, the NSA is supposed to be helping to make U.S. computers more secure, it is part of their mission. To go directly against that mission is not beyond them but scandalous if discovered.

Of course this does not apply to foreign spy agencies, they could compromise Windows without breaking their rules. But since Windows is run in so many countries, again this has the risk of scandal.

On the other hand, paying botnet rings to run secret code on non-domestic computers to spy on the owners of those computers would not be the same sort of major scandal. (Creation of the botnets directly would be a scandal, but one they can hide much more easily.) They would mostly get an "attaboy" for spying on foreign computers. They might create a problem with allies if they spied on the computers of allied governments if they were caught, but frankly everybody knows that each spy agency spies on its allies. It's part of the game, though still not something to be caught at.

To do this, they would want to build a system that can identify honeypots and make sure never to put spy code into them. That's hard to do for a criminal hacker ring but easily within the abilities of a big spy agency. Ideally they would use other methods to determine the IP blocks or other attributes of "computers of interest" they wish to spy on, confirm that they really have these computers, and then briefly load spy code in them to rootkit the systems and look for interesting files.

Detection of this would require a very clever honeypot that knows how to look like a "computer of interest" -- once we define what a computer of interest is. I would bet that computers in rural Pakistan, for example, and Iraq, are commonly computers of interest.

First, I think it's much more likely the NSA has already
compromised one or more existing botnets, as opposed to
screwing up Windows. That's Microsoft's job!

Try this on for size. Everybody's heard about the
secret room(s) at AT&T et. al. run by the NSA and supposedly
designed to slurp up all the internet packets, telco phone
meta-data, etc. Perhaps they are covertly working with
the backbone operators to provide peering points where
they can *inject* massive amounts of traffic generated
by their own custom dedicated servers. It's more reliable
if you have your own botnet.

It gets worse, what if it was organized crime, instead of or in addition to spy agencies, engaging in such activities, which of course they are. Spy agencies are normally engaged in criminal activity too, so that's not what makes it worse.

What makes it worse is that ICANN has allowed itself on various levels including registrars and the DNS itself to be increasingly co-opted by organized crime. ICANN's insatiable hunger for money is largely to blame, and criminals have long known how to exploit such a weakness. Read this current article on and follow the link in Fergie's subsequent comment, or my more accurate link to RBNBlog which follows.

The US Government has always been ICANN's overseer, have they just been asleep at the switch? Isn't it ironic that the organized crime Russian Business Network, with likely ties to the Russian government (and they have recently moved some of their activities to mainland China), is co-opting various critical levels of the internet? This is going to turn out badly. -g

Who is behind the so-called targetted advertising systems companies like Phorm are trying to get installed on ISP internal networks? Being able to snoop 70% of the UK's clickstream is an intelligence tool worth billions. Putting aside the fact that Phorm's system breaks a dozen laws, who quality assures or positive vets companies like this? I would've thought allowing a known spyware company that games the legal system and employs foreign nationals to code its software would be a red flag for someone.

Oh, I don't need to go beyond commercial motives to find a reason for Pharm. But more to the point, Pharm is domestic.

The hallmark of a signals intelligence espionage program would be intrusion into foreign computers, ideally non-allied computers or targeted computers, which is within the balliwick of most of these organizations.

Indeed, there might be a desire to simply scan lots of hard drives in rural Pakistan and Afghanistan. And North Korea (the few that are on the internet) and other places, staying away from spying on computers belonging to allies and domestic parties. They could write code to examine machines and determine if they are domestic, or owned by domestic companies. Or even code to say, "Does this computer look like it might be owned by a jihadi?" -- and then start spying on just those computers.

The recent trend in intelligence has been to look for ways to do blanket basic surveillance and then isolate the few actual targets they want to put human beings on. Of course, in the domestic case, such as AT&T, the law says they can't do this. But they want to do it, and in fact we allege in our lawsuit that they did do this -- put in a splitter to divert all data into NSA systems. If they are doing that in the domestic arena, seems likely they are doing it overseas where there is less control.

I guess, this revolves around whether you're really interested in economic, social, or military issues. Former Home Secretary David Blunkett observed that corporate collections of personal data were bigger and less well regulated than the governments. Private companies are fuzzier and less lethal than terrorists but they still have a potential to damage people and society. Sometimes, you could argue, big transnational companies are the cause of terrorism. I'll admit that's going way off topic but it sparked another thought. Instead of sending a cruise missile through someone's letterbox, how might the same intelligence be used to flag people and places where better or more sensitive trade and industry could take off?

Add new comment