Exploring Legal Action Against Malicious Software Creators/Users

Hello everyone:

Our law office is exploring the viability of bringing legal action against entities that have spread malware, spyware, viruses and malicious software that can damage personal/business computing systems or interfere in the normal operation of same. Of particular concern is software that can render businesses and individuals vulnerable to a breach of privacy/confidentiality and identity theft.

You have been extremely helpful to those suffering from the plights of malware and viral computer infection and that is why I have ventured to receive the insights of this community and its computer experts.

Ultimately some infections, such as W32.Ramnit, are currently beyond the help of communities such as these. Judicial intervention may help stem the tide of dangers associated with malicious software.

Let’s start off with the following question:
Would it be beyond reasonable efforts to ascertain the originating IP for those individuals or entities utilizing malicious software to make unauthorized entry into computer systems?

DISCLAIMER: This is an exploratory discussion. Our office, Samardin, L.L.C., has not yet commenced any action related to this posting nor does this office represent any particular victim associated with the claims herein. This office has not and will not extend any professional responsibility for a legal matter/case until an agreement is signed between attorney and client. Do not rely on any legal advice hereafter until you consult with counsel. No compensation will or has been expressly or impliedly promised to any participants to this discussion.

 

Probably. Not only do they know how to hide, they've had lots of practice at it, and lots of incentive to become good at it. I'm not saying it's not possible... but the cost-benefit analysis is not looking good.

 

Greetings, Samardin.

Sad, but true - the Malware guys now have a stock reply to Ramnit infectees warning of the difficulties with removing that thing. Sure would be nice if you could track down the writers of that particular nasty.

 

Also, there is the international law issue. Depending on what country your malware authors live in, and/or what country they route through, you may or may not have a legal leg to stand on going after them.

 

You are correct about the jurisdictional complications.

 

No it's very easy,one of the best methods is to set a trap known as a honey pot,basically you bait a hacker with an easy in.

http://articles.techrepublic.com.com/5100-10878_11-1042977.html

You can also simply log attack attempts using a basic firewall and investigate this way.

http://www.infohq.com/Computer/Spam/finding-hackers-isp.htm

Like has been said though the hardest thing is how to deal with the IP once you have it as you know you have to establish a burden of proof,multiple pieces of evidence that prove a crime has been committed and even then unless your operation to catch a hacker is under police supervision the evidence you collect won't hold much weight in a court of law.

If you did obtain a log of hackers IP what course of action could you take?

You'll never catch or stop these guys,there are multiple easy ways to upload code without it being traced the easiest is unsecured wi-fi points.

 

The procedure to ascertain identities is dependent on a mix of constitutional, federal and state law. I wouldn't be able to give you an answer without figuring out, at the very least, the ISP. When you speak of probable cause, you are in the realm of criminal law. Our objective is to initiate suits based on torts and related statutes that provide for a civil cause of actions. Essentially, a civil "private attorney general" may be able to vindicate the rights of individuals when other prosecutorial institutions are overly burdened or choose not to pursue these sorts of claims.

Evidence of all sorts, collectively, may hold significant weight or at least sufficient weight to allow a jury or other fact-finder to find liability.

The main issue is finding the IP and from there you determine ISP ownership. Next, you make efforts to collect further personal identifiers by way of subpoena.

The procedure depends on the jurisdiction. Our office would have to limit our defendant target base to those within the United States or those who have assets within our federal or local practice jurisdictions like New York or New Jersey.

 

This won't get far as IP addresses can be spoofed and it is likely that malicious software writers will hide themselves by spoofing. All that is likely to happen is that you get an IP address of a compromised computer in a bot-net that generates malicious information, probably unbeknownst to the owner or uses of the computer.

 

Yup this another problem,that's why you need to take the shotgun approach but this consumes a lot of resources and is expensive.

If you attempt to trace 100 Hack attempts using computer forensics you will for one reason or another run into stumbling blocks for most of them due to the problems mentioned but some you will be able to trace and its these which must pay for all the other failed traces and the main problem with this is any hacker worth is salt and worth catching will be practically untraceable so the only people you end up catching are low level hackers called script kiddies who are mostly kids who have few resources you can sue from them,if you can sue kids or their parents at all I don't know how the law works over there.

Also to sue someone they need to have wronged you in some way and this is the problem unless someone actually breaks into a computer and does damage to said computer,individual or company there isn't really anything you can sue them for,not for the big bucks which you would need to pay for all your failed traces.

'Pretend all that was a question Samardin so it doesn't sound like I'm telling you how to do your job, you know like you lawyers do' Just add "do you not!" after traces.:-D

I'm flying blind here,Samardin do you know of legislation or a legal precedent in the US or New York that would allow for a private organisation to seek monetary compensation for an attempted computer security breach or one that didn't cause any financial harm ?

 

Yes, depending on the state/court that has jurisdiction over the parties/case you may be able to bring a civil action against those that make unauthorized access to your system, exceeding the scope of explicit permissible use. If you're making forces entry to a system, it would be difficult to argue that this was a permissible use.

This is found in an area of law, known as tort. For instance, in the realm of real property (immovable such as land), you may sue an individual for trespassing on your property rights even for minor incursions violative of your rights... depending on the circumstances. Courts have applied this as an analogue to unauthorized incursions on technological property, such as servers.

DISCLAIMER: This is an exploratory discussion. Our office, Samardin, L.L.C., has not yet commenced any action related to this posting nor does this office represent any particular victim associated with the claims herein. This office has not and will not extend any professional responsibility for a legal matter/case until an agreement is signed between attorney and client. Do not rely on any legal advice hereafter until you consult with counsel. No compensation will or has been expressly or impliedly promised to any participants to this discussion.

 

Also, understand that the time and effort that you put into securing your systems, restoring servers, reconstituting documents from backups, costs time and money. Arguably, you can recover these items as damages - consequential or incidental to the breach of your system.

 

I'm not sure I understand that reasoning. Can you clarify?

 

If you are hacked or are plagued by malicious software, you are prevented from using your personal system as intended (without intrusive, unauthorized access of foreign users) and then as many people do, they institute proactive security and recovery methods upon discovery of malicious code. If you pay for anti-virus software or you spend countless time trying to remove the malicious software, you may be able to put a monetary figure on these activities.

This becomes more evident with hosting companies that might have to take costly measures or to use invaluable time to recover/protect their system from specific assaults. Time is money, ergo a potential calculation of damages.

Punitive damages may also create additional incentive, if the trespass is particularly egregious.

 

Okay, I see now. Thank you for elaborating on that.

What I am curious about now then, is how exactly this would work from a practical standpoint. How would you go about determining a culprit in that scenario?

The creators of Ramnit clearly can't be held accountable for any precautions that were taken before their specific piece of malware was released into the wild. It's doubtful they can be held accountable for any precautions that address anything other than specifically what their malware does.

Then there is also the problem that a lot of the most effective protection against malware is not either money or time, but good habits and judgment. For example, if a small business has a computer that is used exclusively to process payroll, and nothing else, does that computer need an internet connection? If the answer to that question is, "not really", then I would argue that if they keep it connected to the internet despite not needing to, they have no case. It takes only a few seconds to disconnect a cable.

One could even argue that if they make the decision to pay for protection software when several of the more effective options are free for "home and small business use" (3-5 licenses), they still don't have a case. No one forced them to pay for something they could have gotten for free.

With that logic, an individual of course is entirely without argument, since it's perfectly possible to defend your home computer using only freeware versions of the major antivirus programs and firewalls. If an individual makes the choice to pay when it's not at all necessary, why should anyone other than them be held accountable for their choices?

 

As for determining a culprit, that is why I started this discussion, as I am not a computer forensic expert. I was hoping you folks can share some knowledge on the subject.

Of course you can argue that you cannot hold an intruder accountable for precautions taken before the fact - those damages seem too remote.

However, I would argue that if you purchase a system that may access the internet, you should be free to do so without having to fear that intruders will purposeful gain access to your system and create problems.

Of course certain precautions are a matter of basic computer usage; however, this does not take away the fact that when a person makes unauthorized access to your system they are infringing on your property rights and you should be compensated accordingly. This is especially the case if the intrusion results in damage and identity theft. At most, your failure to take certain precautions may mitigate damages but it will not destroy your ability to recover damages.

Freeware and most anti-virus programs are no solution to some particularly devastating and hidden viral infections. In those cases, a reformat is necessary. The time you spend reformatting, instead of using your time on more productive activities, is arguably worth some sort of dollar figure.

Damages and so on relies heavily on the country and jurisdiction.

Thanks for participating Mimsy; I hope I am helping you.

My apologies for any typos in previous postings, I can't seem to edit them.

DISCLAIMER: Do not rely on any express or implied legal advice herein until you consult with competent counsel about your particular matter.

 

I should be free to walk alone and half-naked across a college campus in the middle of the night as well, but that doesn't mean I'm going to be stupid enough to try it.

Maybe it's because this is a community of geeks, but I think you will find that to a lot of the regulars here, going online without up-to-date security programs on your computer is the internet equivalent of leaving your car unlocked and with the engine running in a bad neighborhood, and be surprised when someone steels it. Some precautions are so basic and obvious, that it should be second nature to take them. Lock your car, watch your purse, avoid taking the short-cut through the dark and dangerous park in the middle of the night, and keep an anti-virus on your computer.

Insurance companies punish clients who don't take necessary precautions to protect their property, such as locking their car. From my point of view, a computer is no different, and if you buy one, you also accept the responsibility of taking the necessary steps to keep it safe from intruders.

Granted, but that's after a successful attack. My questions earlier was with regards to precautions taken to prevent that, and whether someone can reasonably expect anyone else to accept responsibility for the cost of the precautions they decide to take.

The reason you can't edit your posts by the way is that the forum is configured to remove that ability from all user posts after 15 minutes. (I think it's 15... might be 10.) That way if someone was to make a post that violates the Terms of Use, they can't go back and edit it to get themselves out of trouble.

 

Is it legal to walk around half-naked? Depends on what you mean by that.

You are discussing regulars at this community site, people who are not entirely a good representation of all computer users, many of who probably think that the CD-ROM is a cup holder. I am talking about people at large, the regular internet computer users who lose millions due to identity theft.

If I leave my house or even my farm open, that does not give you the right to enter. You will be liable for all damages resulting in your trespass, or at the very least, nominal damages. If you know it is not yours, do not enter - you will pay the consequences.

Insurance companies are in contract with their clients. I'm talking about basic trespass law. I don't have any contracts with intruders on my systems - insurance law is completely different.

I hope I explained myself before, you are correct about this. This would be an argument to reduce liability, but not to destroy liability.

Thanks.

 

Agreed Tim. I'd love to stick it to the people that want to gain access to confidential information and utilize it unlawfully to make money off of it. I can't do that without the help of victims or people like you, if you are actually an expert in malware.

 

I conceptualized a method whereby some malware "calls home" and somehow this can be traced. Please correct me if I am wrong.

 

No one said it was going to be easy, but when you start speaking of shell companies, you pique my interest. A nice thorough investigation can uncover valuable identities.

 

I can't vouch for the CIA, NSA or Interpol. No one knows what measures, if any, they are really taking in stemming the flow or cyber-criminal syndicates. Are these major governmental agencies concerned about criminal syndicates or have their initiatives shifted towards cyber anti-terrorism operations? Of course you can argue that they are on in the same, but I surmise that illegitimate marketing software and malware are not a priority for law enforcement agencies and should be a priority for the civilian sector.

The best way to fight malware and those that market their products by way of malicious software is to go after the source, instead of playing cat-and-mouse on every new iteration of code.

I just wish someone here has the experience with network forensics to shed some light on this.

 

I agree. I'm mainly playing Devil's Advocate here.

But despite the above, the fact that an intruder will be held liable for damages (if he or she is caught, that is) doesn't in any way change the fact that neither you or I would leave the front door to our home wide open when going away on vacation for a week. It's just not worth the risk.

 

You're right, but people do it anyway. A lot of American case law has been built upon less than stellar thought processes.

I'm starting to think that it may work better to go after the advertisers that use hijacking code to market their sites.

 

I've been away from the forums, here, for some time; but not out of the malware removal business.

Malware distribution points vary, compromised systems, servers, websites. In the case of compromised servers and websites, depending on how long the server/site has been compromised, there may not be any logs to analyse for the source of the compromise. Server/site logs are only kept for a specified length of time. Which varies depending on the hosting company or server admin.

No one is ever truly anonymous on the web. You devote enough time and resources you will eventually discover the originating IP.

Though there are some in the US that are responsible for the creation and distribution of malware the vast majority come from Russia and China. A portion of the hacking, malware activity is also state sponsored. The Stuxnet Worm is most likely state sponsored if not created by a government targeting another government. Are you willing to take on a Government entity if and when it is discovered that the source of the infection is state sponsored?

The computer forensics piece is going to be expensive. You will need a forensics specialist on retainer, as the forensics will most certainly be challenged by any decent lawyer.

 

Of course, nothing is for free. I am simply trying to determine if this is viable.

As for attacks emanating from Russia or other Eastern European websites, our office has Russian, Polish and Ukrainian speaking associates. We would not mind acting as a liaison should a governmental entity seek our help getting another foreign government on-board to punish these individuals.

As I said before, just because these attacks originate from foreign countries is not an instant dead-end. Money talks.

Yes, state sponsored code is a truly interesting and independent issue altogether. Ultimately, for that area you have international law as a guide, especially if there is proof of state involvement. You might be able to bring a claim in the ICJ.

 

You should also consider adding Chinese, French, Turkish, and Korean speaking linguistics, as well.

What you are proposing is doable. What you have to ask yourself, is it worth doing? Any judgments you do get are going to be few and far between. For the most part you will not get much, in anything, back monetarily.

If you choose to proceed, I suggest you initially confine your "legal" activities to the United Sates and nations whose governments are "friendly" to the United States.

Going after individuals in Russia, is somewhat problematic. Unless things have changed in recent years, it is not illegal to author malcode, cracks, keygens, and hack in Russia. So, if the source is from the Russian Federation, getting their cooperation is going to be difficult.

 

Is it worth doing? Monetarily? Absolutely. Malicious technological marketing is big business, the trick is... finding the perpetrators and the assets. Our office does not have a forensic expert... so we could not do this alone. With the correct strategy and team, it is surely worth it. Foreign government cooperation can and has been achieved for many different initiatives. Countries are constantly negotiating on criminal interdiction. For goodness sakes, nuclear stockpiles become smaller due to negotiation. That's the job of politicians and lawyers.

Cyber criminals would not be doing this if it were not for the lucrative results.

I recently contacted some not-for-profit organizations, I will see what they have in mind.

 

The big organised crime guys are who police and government go for and even they can't stop them with all their resources,its wayyyy beyond what a civil organisation could achieve EVEN with unlimited resources.

The criminals have been doing it for decades and know the system inside out,the only way to stop them would be a through a revolution in computer security and international law relations,it is a case of the computer forensics teams calling you when they have something not you calling them as SPD said I think it would be best to offer legal services to high end civil computer forensics teams and gain experience in prosecuting those cases.

To be blunt I think you'd be wasting your time going for these guys,you have to find a niche then specialise in only that niche and the niche to go for IMO are the low level US based hackers who don't take the best security precautions,forget international,organised gangs,malware creators.

Its up to you though,I'm out I think, just rehashing what's already been said 3-4 times in this thread.

EDIT would be nice to hear some sporadic progress reports though whatever course of action your firm decided to take

 

Anyone for a Diploma?

 

We're waiting on responses from some not-for-profits. I will try to keep you all posted.