The federal government is seeking more legal power to step in and shut down botnets through an amendment to the existing criminal law, which would allow the Department of Justice to obtain injunctions to disrupt these malicious networks.
The Obama administration has proposed an amendment to existing United Stated federal law that would give it a more powerful tool to go after botnets such as GameOver Zeus, Asprox and others. In recent years, Justice, along with private security firms and law enforcement agencies in Europe, have taken down various incarnations of a number of major botnets, including GameOver Zeus and Coreflood. These actions have had varying levels of success, with the GOZ takedown being perhaps the most effective, as it also had the effect of disrupting the infrastructure used by the CryptoLocker ransomware.
As part of those takedown operations, the Department of Justice files civil lawsuits against alleged operators of the botnets, and sometimes their hosting providers, and also obtains injunctions that enable the government to sinkhole C2 servers or take physical control of those machines. Now, the administration would like to expand those powers.
“One powerful tool that the department has used to disrupt botnets and free victim computers from criminal malware is the civil injunction process. Current law gives federal courts the authority to issue injunctions to stop the ongoing commission of specified fraud crimes or illegal wiretapping, by authorizing actions that prevent a continuing and substantial injury. This authority played a crucial role in the department’s successful disruption of the Coreflood botnet in 2011 and the Gameover Zeus botnet in 2014,” Leslie R. Caldwell, assistant attorney general in the criminal division at the Department of Justice, wrote in a blog post explaining the administration’s position.
“The problem is that current law only permits courts to consider injunctions for limited crimes, including certain frauds and illegal wiretapping. Botnets, however, can be used for many different types of illegal activity. They can be used to steal sensitive corporate information, to harvest email account addresses, to hack other computers, or to execute DDoS attacks against web sites or other computers. Yet — depending on the facts of any given case — these crimes may not constitute fraud or illegal wiretapping. In those cases, courts may lack the statutory authority to consider an application by prosecutors for an injunction to disrupt the botnets in the same way that injunctions were successfully used to incapacitate the Coreflood and Gameover Zeus botnets.”
In order to obtain an injunction in these cases, the government would need to sue the defendants in civil court and show that its suit is likely to succeed on its merits.
“The Administration’s proposed amendment would add activities like the operation of a botnet to the list of offenses eligible for injunctive relief. Specifically, the amendment would permit the department to seek an injunction to prevent ongoing hacking violations in cases where 100 or more victim computers have been hacked. This numerical threshold focuses the injunctive authority on enjoining the creation, maintenance, operation, or use of a botnet, as well as other widespread attacks on computers using malicious software (such as “ransomware” ),” Caldwell wrote.
One hundred machines is a low number for a botnet, and indeed would barely even qualify as a botnet in today’s environment, which includes many networks comprising hundreds of thousands or millions of compromised PCs.
Mark Jaycox, a legislative analyst for the EFF, said that the proposal from the Obama administration may be overreaching.
“The blog post posits that IP/trade secret concerns are reasons that are not already covered to take down botnets. That’s a civil/private context and we’ve seen private companies use the Lanham Act to handle that angle. Seems like the DOJ is pushing for a more expansive law. As of now, we’ve seen DOJ been able to handle takedowns with the resources and laws that are already provided to them,” Jaycox said.
“We’d like to see a particular use case where they couldn’t use their already aggressive interpretation of the current law to take down botnets. If anything, we should be narrowing the current anti-hacking statute and computer laws because of their excessive breadth.”