Malware Analysis and Legality

    • #7197
      idr0p
      Participant

      I was having a debate with a coworker of mine about the liability of the analyst when performing Behavioral Analysis of Malware which has a capability to “touch” the wild (www). I know the most ideal environment for malware analysis is an isolated network; sometimes it is not practical to be able to get the full function of the sample. I know many firms do perform analysis with live samples in the wild; what type of risks are they taking with the malware if it is redistributing to other computers in the wild and/or harboring child pornography?

    • #44956
      unicityd
      Participant

      Malware researchers do try to analyze live samples that are found in the wild using forensic response tools and network security monitoring to determine the malware’s behavior.  AV companies also report back on detected malware to identify the spread of a sample and potential new variants.  This is all legitimate, ethical behavior.  Analyzing a piece of malware before removing/disabling it is probably the most prudent course of action when dealing with unknown malware. 

      On the other hand, knowingly introducing malware into the wild for any reason is illegal in many places (probably anywhere in the U.S.).  I don’t know what the civil liability would be (it exists, but you’d have to talk to an attorney), but if you’re caught releasing a virus/worm into the wild you can go to jail.  It won’t matter if it was for research or if you were working for an AV company.  If you want to run a sample for analysis, you need to do it on a segregated network for both legal and ethical reasons.

    • #44957
      Eleven
      Participant

      @unicityd wrote:

      Malware researchers do try to analyze live samples that are found in the wild using forensic response tools and network security monitoring to determine the malware’s behavior.  AV companies also report back on detected malware to identify the spread of a sample and potential new variants.  This is all legitimate, ethical behavior.  Analyzing a piece of malware before removing/disabling it is probably the most prudent course of action when dealing with unknown malware.  

      On the other hand, knowingly introducing malware into the wild for any reason is illegal in many places (probably anywhere in the U.S.).  I don’t know what the civil liability would be (it exists, but you’d have to talk to an attorney), but if you’re caught releasing a virus/worm into the wild you can go to jail.  It won’t matter if it was for research or if you were working for an AV company.  If you want to run a sample for analysis, you need to do it on a segregated network for both legal and ethical reasons.

      I always thought that meant introducing as in creating new malware and letting it get out.  You wouldn’t happen to know what law(s) it is would you?  I’d like to read it…

      Update:  Here is one page that kind of sounds like it is talking about introducing new malware to the Internet.  I would think whether RE of already released malware and accidentally letting it attack another computer comes down to whether you were negligent.  Similar to having a honeypot that may have been used to attack another computer.

    • #44958
      unicityd
      Participant

      Here’s a list of U.S. state laws:

      http://www.ncsl.org/default.aspx?tabid=13487

      As an example, here’s California:

      The crime:

      (c) Except as provided in subdivision (h), any person who commits
      any of the following acts is guilty of a public offense:

      (8) Knowingly introduces any computer contaminant [defined to include viruses, worms, etc.] into any
      computer, computer system, or computer network.

      The punishment:

      (4) Any person who violates paragraph 8 of subdivision (c) is
      punishable as follows:
        (A) For a first violation that does not result in injury, a
      misdemeanor punishable by a fine not exceeding five thousand dollars
      ($5,000), or by imprisonment in a county jail not exceeding one year,
      or by both that fine and imprisonment.
        (B) For any violation that results in injury, or for a second or
      subsequent violation, by a fine not exceeding ten thousand dollars
      ($10,000), or by imprisonment in a county jail not exceeding one
      year, or by imprisonment pursuant to subdivision (h) of Section 1170,
      or by both that fine and imprisonment.

      From 1170 (h):

      (h) (1) Except as provided in paragraph (3), a felony punishable
      pursuant to this subdivision where the term is not specified in the
      underlying offense shall be punishable by a term of imprisonment in a
      county jail for 16 months, or two or three years.

      I can’t imagine any law only making it a crime to introduce new malware into a system.  This would give people carte blanche to install any malicious software as long as they didn’t write it.  In fact, the law is the other way around.  You can create any software you want and write How-To articles detailing virus/worm techniques; that’s all covered by freedom of speech.  But, if you actually send out a virus or worm you’re committing a crime.

    • #44959
      idr0p
      Participant

      Yes, I think the direction I am going with this is not introducing new malware, but analyzing a current sample of malware to “see what it does”; if that code does something harmful to others, are you liable for the damages it caused?

    • #44960
      unicityd
      Participant

      Yes; you would be liable for the damages you caused.  You could also go to jail.

    • #44961
      Eleven
      Participant

      Thanks for the info, unicityd!  Do you know if honeypots are different?  I thought it was only a crime if your honeypot was used to attack another computer if it could be shown you were negligent and didn’t take reasonable measures to prevent the honeypot from attacking other computers.  I always thought malware analysis/research was similar to that, I guess not…

    • #44962
      unicityd
      Participant

      A honeypot is a passive tool and doesn’t cause damage to anyone else.  The act of deploying a honeypot is legal and, in and of itself, causes no liability to anyone else.  The only potential problem is if someone uses your honeypot to hack others.  Whether you would be liable isn’t a settled issue.  Here’s what Lance Spitzner had to say:

      The third issue is liability. Liability implies you could be sued if your honeypot is used to harm others. For example, if it is used to attack other systems or resources, the owners of those may sue. Liability is not a criminal issue, but civil. The argument being that if you had taken proper precautions to keep your systems secure, the attacker would not have been able to harm my systems, so you share the fault for any damage occurred to me during the attack. The issue of liability is one of risk. If I deploy honeypots and they are compromised, what happens if they are used to attack someone else? First, anytime you deploy a security technology (even one without an IP stack), that technology comes with risk. For example, there have been numerous vulnerabilities discovered in firewalls, IDS systems, and network sniffers. Honeypots are no different. However, just as in privacy, different honeypots have different levels of risk. Low-interaction honeypots have far less risk, as they do not give attackers a real operating system to interact with. Instead, they contain attackers within emulated services, controlling the actions of the attacker. High-interaction honeypots, such as Honeynets, are different, they provide actual operating systems for attackers to interact with. As a result, most high-interaction honeypots have greater risk. If liability is a concern for you, you most likely want to focus on honeypots with less risk.

      One thing to keep in mind. For years legal experts have been discussing possible liability for an organization that has been compromised and in turn was used to attack, compromise, or harm another system or organization. To date, we have seen no published decision addressing whether the operator of an insecure system can be liable to other operators for the misuse of the system by a hacker. So while liability is an issue, it may be an overblown one, as there is no recorded case of it happening with compromised systems.

      http://www.symantec.com/connect/articles/honeypots-are-they-illegal

    • #44963
      idr0p
      Participant

      This also brings the question, if you deploy a honeypot are you “leaving your doors unlocked” so to speak. Meaning you would be unable to charge the intruder for trespassing on your network as you invited them in.

    • #44964
      unicityd
      Participant

      You can make it clear that nobody is being invited in.  You can put warning banners on the honeypot(s) prohibiting unauthorized use.  You can also deploy honeypots that are not accessible from the Internet.  These would be useful for detecting someone who already has a foothold on your network and any argument that “the door was left open” would be nullified by the fact that the system isn’t publicly accessible. 

      Does anyone know of this defense being used successfully?  I’d be curious to see some actual cases where this worked, especially if there were not any exigent circumstances that could have led someone to reasonably believe they were invited in.

    • #44965
      Eleven
      Participant

      @idr0p wrote:

      This also brings the question, if you deploy a honeypot are you “leaving your doors unlocked” so to speak. Meaning you would be unable to charge the intruder for trespassing on your network as you invited them in.

      Here is a good example of the police using “bait cars”, which I think is pretty similar to honeypots…  http://www.youtube.com/watch?v=RzcXs25dhZ4

    • #44966
      ziggy_567
      Participant

      @idr0p wrote:

      This also brings the question, if you deploy a honeypot are you “leaving your doors unlocked” so to speak. Meaning you would be unable to charge the intruder for trespassing on your network as you invited them in.

      So if I don’t patch my perimeter systems and they are remotely exploitable, I’m “inviting” trespassers?

    • #44967
      SephStorm
      Participant

      The way I see it, the best bet would be to deploy it on a private closed network and monitor the activity at all times. As soon as it makes an attempt to take action outside of phoning home, you shut it down.

      I had a GSE say something to this effect when I was in an IDS class; they had to get real samples for us to analyze (pcaps of attack activity taken from a honeypot) and I think he said they barely caught it in time. They COULD have been held liable had the computers attacked other networks, but much more likely, unless real damage was caused, I don’t think most companies would pursue anything outside of their net boundary.
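Gating a closed-lab sandbox the way the post above describes, as an added example that is not from this thread or its participants: the sample may talk to a local fake-services sink (so it can phone home) and nothing else, and the first flow toward a lab neighbour or a public address produces a halt verdict the operator can wire to powering off the VM. The lab addresses, the sink and the connection-log format are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical lab layout (assumption, not from the thread): sandbox VM on
# 10.99.0.0/24; the only sanctioned destination is a fake-services sink that
# answers DNS/HTTP so the sample "phones home" without touching the Internet.
LAB_NET = ip_network("10.99.0.0/24")
SINK = ip_address("10.99.0.2")
SINK_PORTS = {53, 80, 443}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str

def classify(flow: Flow) -> str:
    """'allow' = phone-home to the sink; 'lateral' = another lab host
    (e.g. an SMB probe); 'escape' = any address outside the lab network."""
    dst = ip_address(flow.dst)
    if dst == SINK and flow.dport in SINK_PORTS:
        return "allow"
    return "lateral" if dst in LAB_NET else "escape"

def gate(flows: list[Flow]) -> dict:
    """Walk flows in order; halt on the first that is not plain phone-home and
    report why, which flow tripped it and how many flows were tolerated."""
    for seen, flow in enumerate(flows):
        verdict = classify(flow)
        if verdict != "allow":
            return {"action": "halt", "reason": verdict, "flow": flow, "seen": seen}
    return {"action": "continue", "reason": "phone-home only", "flow": None, "seen": len(flows)}

def parse_conn_log(text: str) -> list[Flow]:
    """Parse constructed 'ts src dst dport proto' lines, one flow per line."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            _ts, src, dst, dport, proto = line.split()
            flows.append(Flow(src, dst, int(dport), proto))
    return flows

# Constructed sample: DNS and HTTP phone-home, then an SMB probe at a lab
# neighbour, then an attempt to reach a public address.
SAMPLE_LOG = """\
1 10.99.0.10 10.99.0.2 53 udp
2 10.99.0.10 10.99.0.2 80 tcp
3 10.99.0.10 10.99.0.11 445 tcp
4 10.99.0.10 203.0.113.7 443 tcp
"""
```

In a real lab the flows would come from the sandbox's egress monitor and the halt verdict would trigger the hypervisor's power-off, rather than being read from a constant.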

Copyright ©2021 Caendra, Inc.