Manga Management and Malware

You might think it strange, but the creation of viruses and malware isn't illegal in most jurisdictions. Most virus-writers have been prosecuted on secondary grounds such as unauthorized access or modification, malicious damage and so on. More recent malware authors, botmasters and such may also fall foul of similar issues, or other criminal activities such as fraud or even extortion (for example, threatening a DDoS – Distributed Denial of Service – attack). This, of course, reflects a general shift from virus writing for laughs and bragging rights to malware for profit.

An interesting recent example of a nation going against the flow is Japan, which recently plugged a malware-shaped hole in its legislation by criminalizing not only the creation and distribution of malware without reasonable cause (hopefully, working in this industry constitutes reasonable cause!), but also its acquisition and storage.

And now the Mainichi Daily News has reported that one Yasuhiro Kawaguchi was arrested yesterday on suspicion of "saving a virus on his computer," though the story suggests distribution of malware too. Apparently he has admitted intending to infect users of the "Share" file exchange program with the offending malware, as punishment for "chaotic" file sharing behaviour. Which seems bizarre, given that the malware was discovered when police investigated him regarding a suspected breach of copyright legislation by illegally sharing manga.

Historically, legislation based on the suppression of malware at source hasn't been particularly successful, so it will be interesting to see how effective it is in Japan. Especially as it includes some of the provisions of the Budapest Convention on Cybercrime, to which the US is also a signatory, and underpins the law-enforcement provisions of the White House's International Strategy for Cyberspace.

Hat tip to Jonathan Poon for flagging the Mainichi article and to Geekosystem for the Japanese legal background.

Author David Harley, ESET

  • jim02

    "You might think it strange, but the creation of viruses and malware isn't illegal in most jurisdictions."
    Why would I think that was strange? I've written programs that would probably be considered malware by most people, and I certainly didn't think it was illegal. There's a BIG difference between writing malware and actually distributing it; I will never release any of my "malware" in any way. Writing programs to test AVs, or for other similar purposes, should not be illegal, and since there is no way to tell why the malware was created (many malware variants were originally created for college assignments), there is no reliable way to prosecute only the "bad guys." I have also saved malware on my computer, because I don't know of any other way to analyze it. While I do agree that malware *distributors* should be punished, there needs to be a line between distributing malware and simply writing it or 'saving it to your computer.'

    • David Harley

      Well, I don’t think you’re exactly typical of the audience for an ESET blog. I don’t necessarily disagree with you: I don’t actually care how many viruses or Trojans you write, personally, if you don’t distribute them. But then, since the concept of malicious software normally includes intent, there’s obviously an argument that stuff that never leaves your own systems isn’t malware, irrespective of what it does, whether it replicates and so on.

      Still, I think that many people who aren’t too familiar with the technology or the relevant legislation will assume that “virus writing” is illegal. And they’re the “you” that I had in mind.

      There’s actually an AMTSO document that tries to address some of the issues around malware creation (particularly with reference to testing AV). I suspect that you won’t agree with it (actually, I don’t agree with every detail, even though I participated in putting it together: that happens with a collaborative document…) but I’d be interested in your views.

      The fact that I commented on the Japanese legislation doesn’t mean I’m totally in agreement with it. Actually, I’m not well enough acquainted with it to judge. But I do think it will be interesting to see how well it works.

  • Nick Selby

    Well, I'm with @jim02 and I don't believe that I'm exactly out of the mainstream either. There's an undercurrent in your theory that writing malware is something which is objective, and it is not. It is entirely about intent, and one man's malware is another man's network troubleshooting tool.
    Take, for example, data loss prevention: Dan Geer, when he was at Verdasys, used to (correctly) refer to that company's DLP product as "a data surveillance rootkit". BitArmor, which made a software-agent-based encryption module, was clearly the same thing: a rootkit which hooked right into the Windows kernel. John the Ripper is a password cracking tool which can be used for good and evil. Metasploit? Same same.
    In fact, most security software – including anti-virus and intrusion detection and prevention from Eset, I might add, which, too, is a data surveillance rootkit hooking into the OS at the kernel level – could easily be used for both good and evil. A hammer, after all, may be used to build a house or to bash someone's brains in.
    Which brings me to my point in commenting: you seem to be espousing legislation to fix these "problems," when I aver that a) defining "malware" is as easy as defining "love" and b) legislation does not eradicate issues. Murder, for example, is against the law in nearly every country and territory around the world. The last time I checked, people were still being murdered. Legislation does not solve problems, but it makes us all feel better about it, because we've "done something." It is this philosophical outlook which brings us TSA-style airport security: it looks good, but in fact it's worthless against real threats.
    I think your intent is good but your expression is misguided. If we were to carry your apparent support of anti-malware legislation to its fullest extent, security researchers would be in legal peril for creating innovative attack software and exploit code – tools used by security professionals around the world each day to defend against criminal attackers.

    • David Harley

      Nick, lots of people think as you do (including me in some respects, but I’ll save that for another blog, I think) but it doesn’t make you a “typical” reader of this blog. Actually, I don’t have much idea as to who is “typical”, though I know perfectly well that quite a few hardcore security people do read it. But as far as I know, it was intended to reach the general reader rather than the security community. Though if you look back at my blogs, you’ll probably observe that I don’t always feel bound by that expectation: in any case, I’m pretty sure that quite a few people are surprised that “virus writing” isn’t illegal.

      Of course laws don’t eliminate crime. That isn’t an argument for not having laws, any more than the inability to eliminate sickness is an argument for not having medicine. I’m not “espousing” that law at all: since I don’t read Japanese, my understanding of its provisions is strictly second-hand, and I don’t take up causes that lightly.

      The point that both you and @JM02 are missing is that I’m fully aware that the term malware by definition normally* includes the assumption of malicious intent (didn’t I say that already???). The clause “without reasonable cause” does suggest that the Japanese legislature has tried to take into account that software not intended for malicious purposes is not malware. Whether the implementation actually puts legitimate research into peril will be one of the measures of its effectiveness. In fact, one of the measures of effectiveness for any law is whether it hurts the innocent more than the guilty. However, I don’t have any problem with the principle of security researchers being accountable to the rule of law.

      * Some esoteric AV discussion years back about accidental trojans notwithstanding….

  • jim02

    I assume the AMTSO document you mentioned is "Issues Involved in the 'Creation' of Samples for Testing?" This is quite an interesting document, and I think it does a pretty good job of presenting both sides of each argument. That said, I do disagree with a few of its points, especially some of those on the definition of "Creation." In my opinion, simply modifying an existing malware sample is not "Creation," but modification. Modification can be useful in many cases, such as modifying crucial bits to disable malware, or packaging the malware, and then testing an AV's response. The term "Creation" should only apply if the sample was actually written by the "creator," not just modified. 
    A couple of the programs I have written were designed for the purposes of testing heuristic scanners. Similar to the example in item 9 on page 19 of the document, I wrote a keylogger, and scanned it with every tool I could get my hands on, with their heuristics cranked up to the highest level, and *none* of them returned a positive. Needless to say, I was rather disappointed, especially since I didn't obfuscate or pack the executable in any way. I did use a rather unusual method to log the keystrokes, but it still should have been detectable. The failure of all of the tools I tested does not make me feel very good about how well those tools are actually working.
    Can I ask what you meant in your last line of the comment above, "However, I don’t have any problem with the principle of security researchers being accountable to the rule of law."? If all you are saying is that, if their samples "escape" into the wild, the person who created the malware should be held responsible, security researcher or not, I completely agree. 

    • David Harley

      Yes, that’s the one. I agree that modification isn’t creation, any more than a derivative work is original. :) I always felt that AMTSO and/or the AV industry would do better to focus on the technical objections in specific contexts rather than rely on a simplistic ethical stance. The ethical issues are real and cause great concern in the AV industry, but it’s unreasonable to expect everyone to abide by AV researcher ethics without question.

      I can’t really comment usefully on your keylogger, of course, but even advanced heuristics tend to be based on similarities to known malicious code and techniques: maybe your approach was just too innovative for the industry. A good job you’re not a malware author… But you’re right to be concerned: no-one should expect miraculously accurate diagnosis of malicious intent in 100% of unknown malware, because it isn’t possible. That’s why companies use other approaches such as whitelisting and reputation services, but there is still no 100% detection/0% false positive solution that I’m aware of.

      Accountability… your interpretation is part of what I meant, but it’s actually simpler than that. I simply don’t think that a security researcher should consider himself above the law, even an unreasonably restrictive law. However, there are instances where a bona fide researcher can get some kind of dispensation or MoU for protection in the event of a scenario which may be a technical breach. And in fact, the Japanese law this blog refers to seems to allow for that. Of course, if a researcher decides that a law is unreasonable and decides to breach it anyway, that’s up to him but he’s still accountable for his own actions.

Copyright © 2018 ESET, All Rights Reserved.