BBC programme builds 22,000-strong botnet

The BBC's Click programme team assembled a botnet as part of an investigation into cyber crime

A team of journalists and security experts from the BBC have purchased a botnet containing more than 22,000 infected PCs.

The network was constructed as part of an investigation into cyber crime by the television programme Click. The BBC said that it obtained access to the infected systems by purchasing information from cyber criminals in chat rooms.

After assembling the botnet, the researchers tested it by ordering the infected machines to spam a pair of test email accounts. A denial-of-service attack was also performed on a test web site.

The BBC said that the botnet has since been disabled and the infected users have all been notified and provided with security tips to prevent further infection.

The rise of botnets has been well documented and observed by security experts in recent years.

Huge examples such as Storm controlled hundreds of thousands of infected machines at their peak, and were leased to other cycber criminals for spam runs and online attacks.

While the BBC's botnet was modest in comparison, experts say that the experiment was still dangerous and possibly illegal.

"This is clearly an unauthorised modification of computer data and is, to my mind, a breach of the Computer Misuse Act," wrote Sophos senior security consultant Graham Cluley in a blog post.

"The law says you cannot mess around with other people's computers without authorisation. The BBC did not have the permission of the computer users to send those spam mesages.

"Sending spam from someone else's computer obviously gobbles up bandwidth and will use up system resources. Even if the BBC felt the impact would be minimal, it does not make it right."

The BBC plans to reveal details of the experiment in the 14 March episode of Click.