Malware Analysis and Legality

idr0p

Newbie

Posts: 49

Joined: Fri Jun 17, 2011 8:46 pm

Post Thu Dec 29, 2011 10:38 pm

Malware Analysis and Legality

I was having a debate with a coworker of mine about the liability of the analyst when performing Behavioral Analysis of Malware which has a capability to "touch" the wild (www). I know the most ideal environment for malware analysis is an isolated network, but sometimes it is not practical to be able to get the full function of the sample. I know many firms do perform analysis with live samples in the wild; what type of risks are they taking with the malware if it is redistributing to other computers in the wild and/or harboring child pornography?
GCIA GCIH GPEN GWAPT
Up Next: CISA CISSP

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Fri Dec 30, 2011 2:06 am

Re: Malware Analysis and Legality

Malware researchers do try to analyze live samples that are found in the wild using forensic response tools and network security monitoring to determine the malware's behavior.  AV companies also report back on detected malware to identify the spread of a sample and potential new variants.  This is all legitimate, ethical behavior.  Analyzing a piece of malware before removing/disabling it is probably the most prudent course of action when dealing with unknown malware. 

On the other hand, knowingly introducing malware into the wild for any reason is illegal in many places (probably anywhere in the U.S.).  I don't know what the civil liability would be (it exists, but you'd have to talk to an attorney), but if you're caught releasing a virus/worm into the wild you can go to jail.  It won't matter if it was for research or if you were working for an AV company.  If you want to run a sample for analysis, you need to do it on a segregated network for both legal and ethical reasons.
BS in IT, CISSP, MS in IS Management (in progress)

Eleven

Full Member

Posts: 121

Joined: Thu Nov 10, 2011 6:47 pm

Post Fri Dec 30, 2011 7:04 am

Re: Malware Analysis and Legality

unicityd wrote: Malware researchers do try to analyze live samples that are found in the wild using forensic response tools and network security monitoring to determine the malware's behavior.  AV companies also report back on detected malware to identify the spread of a sample and potential new variants.  This is all legitimate, ethical behavior.  Analyzing a piece of malware before removing/disabling it is probably the most prudent course of action when dealing with unknown malware.

On the other hand, knowingly introducing malware into the wild for any reason is illegal in many places (probably anywhere in the U.S.).  I don't know what the civil liability would be (it exists, but you'd have to talk to an attorney), but if you're caught releasing a virus/worm into the wild you can go to jail.  It won't matter if it was for research or if you were working for an AV company.  If you want to run a sample for analysis, you need to do it on a segregated network for both legal and ethical reasons.


I always thought that meant introducing as in creating new malware and letting it get out.  You wouldn't happen to know what law(s) it is would you?  I'd like to read it...

Update:  Here is one page that kind of sounds like it is talking about introducing new malware to the Internet.  I would think whether RE of already released malware and accidentally letting it attack another computer comes down to whether you were negligent.  Similar to having a honeypot that may have been used to attack another computer.
Last edited by Eleven on Fri Dec 30, 2011 7:14 am, edited 1 time in total.

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Fri Dec 30, 2011 6:35 pm

Re: Malware Analysis and Legality

Here's a list of U.S. state laws:

http://www.ncsl.org/default.aspx?tabid=13487

As an example, here's California:

The crime:

( c) Except as provided in subdivision (h), any person who commits
any of the following acts is guilty of a public offense:
...
(8) Knowingly introduces any computer contaminant [defined to include viruses, worms, etc.] into any
computer, computer system, or computer network.

The punishment:

(4) Any person who violates paragraph 8 of subdivision (c) is
punishable as follows:
  (A) For a first violation that does not result in injury, a
misdemeanor punishable by a fine not exceeding five thousand dollars
($5,000), or by imprisonment in a county jail not exceeding one year,
or by both that fine and imprisonment.
  (B) For any violation that results in injury, or for a second or
subsequent violation, by a fine not exceeding ten thousand dollars
($10,000), or by imprisonment in a county jail not exceeding one
year, or by imprisonment pursuant to subdivision (h) of Section 1170,
or by both that fine and imprisonment.

From 1170 (h):

(h) (1) Except as provided in paragraph (3), a felony punishable
pursuant to this subdivision where the term is not specified in the
underlying offense shall be punishable by a term of imprisonment in a
county jail for 16 months, or two or three years.

I can't imagine any law only making it a crime to introduce new malware into a system.  This would give people carte blanche to install any malicious software as long as they didn't write it.  In fact, the law is the other way around.  You can create any software you want and write How-To articles detailing virus/worm techniques; that's all covered by freedom of speech.  But, if you actually send out a virus or worm you're committing a crime.
BS in IT, CISSP, MS in IS Management (in progress)

idr0p

Newbie

Posts: 49

Joined: Fri Jun 17, 2011 8:46 pm

Post Fri Dec 30, 2011 11:01 pm

Re: Malware Analysis and Legality

Yes, I think the direction I am going with this is not introducing new malware, but analyzing a current sample of malware to "see what it does". If that code does something harmful to others, are you liable for the damages it caused?
GCIA GCIH GPEN GWAPT
Up Next: CISA CISSP

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sat Dec 31, 2011 3:19 am

Re: Malware Analysis and Legality

Yes; you would be liable for the damages you caused.  You could also go to jail.
BS in IT, CISSP, MS in IS Management (in progress)

Eleven

Full Member

Posts: 121

Joined: Thu Nov 10, 2011 6:47 pm

Post Sun Jan 01, 2012 8:45 am

Re: Malware Analysis and Legality

Thanks for the info, unicityd!  Do you know if honeypots are different?  I thought it was only a crime if your honeypot was used to attack another computer if it could be shown you were negligent and didn't take reasonable measures to prevent the honeypot from attacking other computers.  I always thought malware analysis/research was similar to that, I guess not...

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sun Jan 01, 2012 1:13 pm

Re: Malware Analysis and Legality

A honeypot is a passive tool and doesn't cause damage to anyone else.  The act of deploying a honeypot is legal and, in and of itself, causes no liability to anyone else.  The only potential problem is if someone uses your honeypot to hack others.  Whether you would be liable isn't a settled issue.  Here's what Lance Spitzer had to say:

The third issue is liability. Liability implies you could be sued if your honeypot is used to harm others. For example, if it is used to attack other systems or resources, the owners of those may sue. Liability is not a criminal issue, but civil. The argument being that if you had taken proper precautions to keep your systems secure, the attacker would not have been able to harm my systems, so you share the fault for any damage occurred to me during the attack. The issue of liability is one of risk. If I deploy honeypots and they are compromised, what happens if they are used to attack someone else? First, anytime you deploy a security technology (even one without an IP stack), that technology comes with risk. For example, there have been numerous vulnerabilities discovered in firewalls, IDS systems, and network sniffers. Honeypots are no different. However, just as in privacy, different honeypots have different levels of risk. Low-interaction honeypots have far less risk, as they do not give attackers a real operating system to interact with. Instead, they contain attackers within emulated services, controlling the actions of the attacker. High-interaction honeypots, such as Honeynets, are different, they provide actual operating systems for attackers to interact with. As a result, most high-interaction honeypots have greater risk. If liability is a concern for you, you most likely want to focus on honeypots with less risk.

One thing to keep in mind. For years legal experts have been discussing possible liability for an organization that has been compromised and in turn was used to attack, compromise, or harm another system or organization. To date, we have seen no published decision addressing whether the operator of an insecure system can be liable to other operators for the misuse of the system by a hacker. So while liability is an issue, it may be an overblown one, as there is no recorded case of it happening with compromised systems.

http://www.symantec.com/connect/article ... ey-illegal
BS in IT, CISSP, MS in IS Management (in progress)

idr0p

Newbie

Posts: 49

Joined: Fri Jun 17, 2011 8:46 pm

Post Sun Jan 01, 2012 10:52 pm

Re: Malware Analysis and Legality

This also brings the question, if you deploy a honeypot are you "leaving your doors unlocked" so to speak. Meaning you would be unable to charge the intruder for trespassing on your network as you invited them in.
GCIA GCIH GPEN GWAPT
Up Next: CISA CISSP

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Mon Jan 02, 2012 12:18 am

Re: Malware Analysis and Legality

You can make it clear that nobody is being invited in.  You can put warning banners on the honeypot(s) prohibiting unauthorized use.  You can also deploy honeypots that are not accessible from the Internet.  These would be useful for detecting someone who already has a foothold on your network and any argument that "the door was left open" would be nullified by the fact that the system isn't publicly accessible. 

Does anyone know of this defense being used successfully?  I'd be curious to see some actual cases where this worked, especially if there were not any exigent circumstances that could have led someone to reasonably believe they were invited in.
BS in IT, CISSP, MS in IS Management (in progress)

Eleven

Full Member

Posts: 121

Joined: Thu Nov 10, 2011 6:47 pm

Post Mon Jan 02, 2012 8:59 am

Re: Malware Analysis and Legality

idr0p wrote: This also brings the question, if you deploy a honeypot are you "leaving your doors unlocked" so to speak. Meaning you would be unable to charge the intruder for trespassing on your network as you invited them in.


Here is a good example of the police using "bait cars", which I think is pretty similar to honeypots...  http://www.youtube.com/watch?v=RzcXs25dhZ4

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Mon Jan 02, 2012 10:49 am

Re: Malware Analysis and Legality

idr0p wrote: This also brings the question, if you deploy a honeypot are you "leaving your doors unlocked" so to speak. Meaning you would be unable to charge the intruder for trespassing on your network as you invited them in.


So if I don't patch my perimeter systems and they are remotely exploitable, I'm "inviting" trespassers?
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+

SephStorm

Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Mon Jan 02, 2012 11:05 pm

Re: Malware Analysis and Legality

The way I see it, the best bet would be to deploy it on a private closed network and monitor the activity at all times. As soon as it makes an attempt to take action outside of phoning home, you shut it down.

I had a GSE say something to this effect when I was in an IDS class; they had to get real samples for us to analyze (pcaps of attack activity taken from a honeypot) and I think he said they barely caught it in time. They COULD have been held liable had the computers attacked other networks, but much more likely, unless real damage was caused, I don't think most companies would pursue anything outside of their net boundary.
sectestanalysis.blogspot.com/
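The containment rule SephStorm describes (let the sample phone home only where the analyst expects, and shut the run down at the first attempt to do anything else) can be enforced mechanically by a monitor on the lab's choke point. The script below is an added example and is not code from any poster in this thread; it reads a simple connection log, lets traffic to a lab sinkhole and to one analyst-approved C2 endpoint through, and returns a "halt" verdict with the offending event as soon as the sample tries to reach another host on the lab segment, an admin or file-sharing port, or an unapproved public address. The log format, the addresses (10.66.0.0/24, the TEST-NET-3 address 203.0.113.10 as the approved C2) and the sample log lines are all constructed for the example.

```python
"""Egress policy check for a malware-analysis sandbox run.

Added example, not code from the forum thread. Assumptions: the sample
runs on SAMPLE_VM, a local sinkhole answers DNS/HTTP so the sample sees
"the Internet", and the analyst has approved exactly one outbound C2.
"""
import ipaddress
import re

# Constructed lab layout (assumptions).
SAMPLE_VM = ipaddress.ip_address("10.66.0.50")
LAB_SINKHOLE = ipaddress.ip_address("10.66.0.1")
APPROVED_C2 = {("203.0.113.10", 443)}        # TEST-NET-3 placeholder

# Any RFC 1918 destination is another machine, never a legitimate beacon.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports a sample uses to spread or move laterally rather than to beacon.
LATERAL_PORTS = {22, 135, 139, 445, 3389, 5985}

# Constructed log line: "<ts> <proto> <src>:<port> -> <dst>:<port> <SYN|PKT>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>SYN|PKT)\s*$")


def parse_line(line):
    """Return a dict for one log line, or None if it is not a connection record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "proto": m["proto"],
            "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"])}


def classify(ev):
    """Label one event: ignore / sinkhole / beacon / lateral / unapproved."""
    if ev["src"] != SAMPLE_VM:
        return "ignore"                      # replies, sinkhole traffic, etc.
    if ev["dst"] == LAB_SINKHOLE:
        return "sinkhole"
    if (str(ev["dst"]), ev["dport"]) in APPROVED_C2:
        return "beacon"
    if ev["dport"] in LATERAL_PORTS or any(ev["dst"] in n for n in INTERNAL_NETS):
        return "lateral"
    return "unapproved"


COUNTERS = {"sinkhole": "sinkholed", "beacon": "beacons", "ignore": "ignored"}


def evaluate(log_lines):
    """Walk the log in order; stop at the first event that breaks policy.

    'verdict' is 'continue' or 'halt'; on halt, 'halt_at' and 'halt_reason'
    tell the analyst whether this is a C2 worth approving for the next run
    or evidence of spreading that ends the exercise.
    """
    report = {"verdict": "continue", "halt_at": None, "halt_reason": None,
              "beacons": 0, "sinkholed": 0, "ignored": 0, "unparsed": 0}
    for line in log_lines:
        ev = parse_line(line)
        if ev is None:
            report["unparsed"] += 1
            continue
        kind = classify(ev)
        if kind in ("lateral", "unapproved"):
            report["verdict"] = "halt"
            report["halt_at"] = ev["ts"]
            report["halt_reason"] = (f"{kind} egress to {ev['dst']}:{ev['dport']} "
                                     f"({ev['proto']})")
            break                            # shut the run down here
        report[COUNTERS[kind]] += 1
    return report


# Constructed sample logs (timestamps and addresses are made up).
SAMPLE_SPREADING = [
    "2012-01-02T23:05:01Z UDP 10.66.0.50:51234 -> 10.66.0.1:53 PKT",
    "2012-01-02T23:05:02Z TCP 10.66.0.50:49152 -> 203.0.113.10:443 SYN",
    "2012-01-02T23:05:09Z TCP 10.66.0.50:49153 -> 203.0.113.10:443 SYN",
    "2012-01-02T23:05:15Z TCP 10.66.0.50:49154 -> 10.66.0.51:445 SYN",
    "2012-01-02T23:05:15Z TCP 10.66.0.50:49155 -> 10.66.0.52:445 SYN",
]
SAMPLE_CLEAN = [
    "# sandbox run started (constructed comment line)",
    "2012-01-02T23:10:01Z UDP 10.66.0.50:51300 -> 10.66.0.1:53 PKT",
    "2012-01-02T23:10:01Z UDP 10.66.0.1:53 -> 10.66.0.50:51300 PKT",
    "2012-01-02T23:10:02Z TCP 10.66.0.50:49200 -> 203.0.113.10:443 SYN",
    "2012-01-02T23:10:32Z TCP 10.66.0.50:49201 -> 203.0.113.10:443 SYN",
]
SAMPLE_UNAPPROVED = [
    "2012-01-02T23:20:02Z TCP 10.66.0.50:49300 -> 203.0.113.10:443 SYN",
    "2012-01-02T23:20:40Z TCP 10.66.0.50:49301 -> 198.51.100.7:80 SYN",
]

if __name__ == "__main__":
    for name, log in (("spreading", SAMPLE_SPREADING), ("clean", SAMPLE_CLEAN),
                      ("unapproved", SAMPLE_UNAPPROVED)):
        print(name, evaluate(log))
```

The point of splitting "lateral" from "unapproved" is that they call for different follow-up: a first SYN to port 445 on a neighbouring host is the spreading behaviour the thread is worried about and the run is over, whereas a single connection to an unknown public address is usually a C2 the analyst has not yet seen and may choose to add to the approved set (or sinkhole) before re-running the sample on the isolated segment.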
