Botnet Badinage: Regulatory Approaches to Combating Botnets

Alana M. Maurushat

A thesis submitted in accordance with the requirements for the award of the degree of Doctor of Philosophy, Faculty of Law, University of New South Wales

2011

ABSTRACT

A botnet is a collection of remotely controlled and compromised computers that are controlled by a bot master. Botnets are the main crime tool used by cybercriminals. To use an analogy, many crimes may be committed with a gun ranging from murder to rape to armed robbery to assault to breaking and entering to theft. Likewise, a botnet may be used in many forms of cybercrime and civil wrong ranging from sending spam, to denial of service attacks, to child pornography distribution, to worm propagation, to click-fraud, to keylogging technology and traffic sniffing which captures passwords and credit card information, and to mass identity theft. Botnets are a major crime tool used on the internet in a similar fashion to how a gun is used on the street. This thesis explores the regulation of botnets and the role that botnets play as a tool to commit many forms of cybercrime. In exploring regulation of botnets, countermeasures against fighting this crime tool will be analysed, and policy options evaluated as to under what circumstances society should prioritise combating botnets at the expense of encroaching on civil liberties, in particular the values of privacy and freedom of expression. This thesis argues that Internet service providers, domain name service providers and self-organised security communities are best positioned to effectively combat botnets.
In determining the most effective regulatory measures to combat botnets, this thesis has investigated, and at points discounted, a range of other measures such as data breach notification, Sarbanes-Oxley, banking law, user education and training, non-criminal legal remedies, the range of technologies that botnets utilise, economic models to disrupt profitability, national and international criminal law, and technologies non-essential to botnets. This thesis is the result of inter-disciplinary research on botnets, combining insights from the disciplines of computer security, information systems, risk management, economics, regulation and law. Based on this inter-disciplinary research, the thesis demonstrates how cybercrime laws at both the national and international levels are rendered impotent through modern obfuscation crime tools. Reforms to the law are necessary to offer security research exemptions, remote search and seizure by law enforcement and the introduction of unwanted software legislation. At the same time, more safeguards to preserve civil liberties must also be built into Australian regulatory practice. In the course of examining the most effective ways to regulate botnets, the thesis also provides a case study demonstrating weaknesses in Lessig’s Internet regulatory theory. Internet regulatory theories have generally placed emphasis on civil liberties and the struggles between users and governments over control of the regulation of the Internet. These theories, however, ignored the complex issues that cybercrime would bring into the discussion. The regulation of botnets is used to evaluate the utility of Lawrence Lessig’s theory of Internet regulation through four modalities (market, norms, law and code). It is argued that the levels and types of cybercrime which have occurred in the last decade and in the decades to come were not anticipated by these theories and pose new theoretical issues.
This thesis will demonstrate that effective botnet regulation will involve some use of illegal means, and inevitably will challenge not only the mindset that the law plays an authoritative role in regulation, but also Lessig’s theory that market, code, and norms are the only significant forms of regulation. Changes or developments of Lessig’s model are required. For example, many of the actions by self-organised security groups to combat botnets may be conceived as effective and moral though, as will be demonstrated, clearly illegal. The work of self-help remedies by these groups does not fit well with Lessig’s theory. Self-organised security communities do not fall within any of Lessig’s modalities and yet, the efforts of such groups are the most important countermeasures in combating botnets, and possibly in combating many forms of cybercrime.

ACKNOWLEDGEMENTS

I would like to thank my husband, Michael, as well as my parents, Don and Denise, for the sacrifices made and support given to allow me to finish the PhD. As with any PhD there were many obstacles and challenges along the way. I cannot thank enough my supervisors, Graham Greenleaf and Roger Clarke, for their excellent guidance, patience and diligence throughout this process. I am truly grateful to you both. I am indebted to the Faculty of Law and the Graduate Research School at the University of New South Wales for their financial support in the form of scholarships, a submission extension, travel grants, and for all of the advice both professional and personal from members of the Faculty of Law. There are two colleagues at UNSW whom I would like to expressly recognise for their generosity and support: David Vaile and Lyria Bennet-Moses. I would equally like to express my gratitude to my former colleagues from both the University of Hong Kong, Andy Halkyard and Roda Mushkat, and at the University of Ottawa, Daniel Gervais, Ian Kerr, Michael Geist and Greg Hagen.
I would also like to recognize the interns whom I have worked with at the Cyberspace Law and Policy Centre for their wit, intellect, diligence, insight and hard work. In particular, I wish to thank Renee Watt, Pauline Rappaport, Adam Arnold, Lauren Loz, Jo Brick, Sarah Lux, Michael Whitbread, Eugenie Kyung-Eun Hwang, Nathalie Pala, David Chau, Pata Gogal and Samuel Sathiakumar. There are several friends whom I wish to thank for their willingness to help out in any way needed including final edits: Jill Matthews, Alex Colangelo, and Keiran Hardy. Lastly, I am wrapping my children, Saskia and Alexandre, up in a bundle of warm hugs and kisses. They inspire me more than words could possibly express and make me a better person. My thesis is dedicated to them.

TABLE OF CONTENTS

FIGURES AND TABLES 6
ABBREVIATIONS 7
PUBLICATIONS ARISING FROM THIS THESIS 10
CHAPTER 1 INTRODUCTION: BOTNETS IN CONTEXT 12
CHAPTER 2 INTERNET REGULATORY THEORY AND BOTNETS 53
CHAPTER 3 BOTNETS 77
CHAPTER 4 THE AUSTRALIAN CRIMINAL LAW LANDSCAPE FOR BOTNET-RELATED PROSECUTIONS 117
CHAPTER 5 THE INTERNATIONAL CRIMINAL LEGAL FRAMEWORK 158
CHAPTER 6 CHALLENGES IN THE INVESTIGATION AND PROSECUTION OF BOTNET MASTERS 185
CHAPTER 7 THE ROLE OF INTERNET SERVICE PROVIDERS AND DOMAIN NAME SERVICE PROVIDERS IN COMBATTING BOTNETS 211
CHAPTER 8 SELF-ORGANISED SECURITY COMMUNITIES 267
CHAPTER 9 CONCLUSIONS: REGULATING BOTNETS, REVISING LESSIG 305
APPENDIXES 322
BIBLIOGRAPHY 357

FIGURES AND TABLES

Figure 1(A) U.S. Cert Internet Security Categories
Figure 1(B) Bot Propagation Trends (2006 to 2009)
Figure 1(C) ShadowServer 2 Year Botnet Status
Figure 1(D) Denial of Service Attack as Commercial Service
Figure 2(A) Regulation as the Function of Four Modalities
Figure 2(B) Modalities Influencing Other Modalities
Figure 3(A) Steps in Procuring and Using a Botnet
Figure 3(B) Wayback Machine Screen Shot of www.dollarrevenue.com ‘Home Page’ as it Stood on Nov. 9, 2006
Figure 3(C) Key Content from ‘Affiliate Agreement’ Tab from Wayback Machine: Query ‘www.dollarrevenue.com’ Nov. 9, 2006
Figure 3(D) Botnet Countermeasures
Figure 4(A) Table Outlining Pre-Botnet and Post-Botnet Offences
Figure 4(B) Executable Code in Chatroom Triggering Bot
Figure 5(A) Comparison between Substantive Provisions in the Convention and Provisions in the Criminal Code
Figure 6(A) Content Warrant Framework in Australia
Figure 9(A) Lessig’s Four Modalities
Figure 9(B) Self-Help Modality

ABBREVIATIONS

ACCC Australian Competition and Consumer Commission
ACMA Australian Communications and Media Authority
AIC Australian Institute of Criminology
AISI Australian Internet Security Initiative
APEC Asia-Pacific Economic Cooperation
ARPA Advanced Research Projects Agency
ATC Australian Trade Commission
AUSD Australian Dollars
AUSTRAC Australian Transaction Reports and Analysis Centre
BSA Broadcasting Services Act
ccTLD Country Code Top Level Domain
CHR Chatham House Rules
CC Criminal Code
CCA Competition and Consumer Act
CCTV Closed Circuit Television
CRTC Canadian Radio and Telecommunications Commission
DBN Data Breach Notification
DNS Domain Name System
DNSSEC Domain Name System Security Extensions
DOS Denial of Service Attack
DDOS Distributed Denial of Service Attack
DDP Días de Pesadilla
DPI Deep Packet Inspection
DR DollarRevenue
EFT Electronic Funds Transfer (Code)
FCC Federal Communications Commission
FQDN Fully Qualified Domain Name
FTA Fair Trading Act
gTLD General Top Level Domain
HTML Hypertext Markup Language
HTTP Hypertext Transfer Protocol
HTTP2P Hypertext Transfer Peer to Peer Protocol
IIA (Australian) Internet Industry Association
ICANN Internet Corporation for Assigned Names and Numbers
IETF Internet Engineering Task Force
IP Internet Protocol
IRC Internet Relay Chat
ISO International Standards Organisation
ISP Internet Service Provider
ITU International Telecommunications Union
MCC Model Criminal Code
NCFTA National Cyber-Forensics Training Alliance
NPP National Privacy Principles
NSW New South Wales
OECD Organisation for Economic Cooperation and Development
OPC Office