What Is Wrong With 'Legal Malware'?


steven36

Can malware, malicious by definition, ever be a good thing? Surprisingly, there are law enforcement agencies that would answer yes. There are a growing number of hacking techniques involving malware deployed by governments around the world. Effectively they are using criminal tools, which they claim is a legitimate means to the ultimate, legitimate end – fighting crime, even going so far as deeming their use legal. I disagree. And I think it is a worrying trend generally – one that needs to be nipped in the bud.

My colleague, security-researcher Costin Raiu, just recently published a report summarizing his research findings over the years plus predictions for the future in the murky world of sophisticated advanced persistent threat (APT) cyberattacks. Usually, these are precision strikes carried out by highly professional groups of hackers. Key backers here, presumably, are state security services all over the world, for which the Internet is a warzone in which they stage espionage and sabotage campaigns. However, there are a growing number of criminal groups using such hacking tools to steal money as well. And now, Costin reports, there is also a third player: commercial companies that use the provision of hacking services as a legitimate and lucrative business model.

This third group which develops spyware for various governments includes Italy’s and the UK’s Gamma Group. They produce a range of software tools to hack PCs and mobile devices (including Android and iOS-based smartphones), steal confidential data from them, and even seize control over these devices. These companies claim they sell their products only to ‘responsible governments’ so that they can break into computers belonging – allegedly – to those suspected of committing a crime. Of course, the definition of which governments qualify as ‘responsible’ is open to interpretation, and thus sees this business come close to resembling the international arms trade. Leading arms producers of the world sell weapons to different countries, not all of which exactly qualify as flagships of peace and democracy. The arms trade is widely criticized, but that doesn’t stop it existing.

To some extent, the use of cyber-surveillance tools by governments can be justified. For example, a phone line belonging to a crime suspect can be wiretapped with a valid court order; computers of suspected criminals can be seized and all the files on them examined during an investigation. So what is wrong with sophisticated, easy-to-deploy tools that can be used to remotely break into a computer if they are only used for law enforcement purposes and with all the due supervision?

Here is what I think is wrong:

First of all, such surveillance tools are malware, i.e., malicious software. They act like any other malware: they stealthily penetrate a target computer, compromise it, and steal all sorts of data from it. Put another way, ‘legitimate’ malware behaves exactly like criminal malware: it is designed in the same way. To any antivirus software it looks just like any other threat – another Trojan or malicious remote administration tool (RAT) that needs eliminating.

The second reason legal malware is wrong is related to the first one. As with criminal malware, a victim needs to be lured into having his or her computer infected. Which means that the attacker needs to employ some social engineering tactics to deceive the target to make him/her open a malicious file or webpage, or click on an infected link. Deception is a dubious tactic for any law enforcement operation, but things get much worse if that deception also causes collateral damage to perfectly innocent third parties. Example: Gamma Group once disguised its spyware installation module as the Firefox web browser, and only stopped the practice once Firefox’s developer, Mozilla, threatened it with a lawsuit. Another popular method for infecting target computers is by hacking genuine webpages and adding malicious code to them – so-called ‘watering hole attacks’. In a real-world police surveillance operation, it is hardly acceptable to break into the property of completely innocent bystanders anonymously and stealthily, and damage that property. But that is exactly what happens with watering hole and other cyber attacks.

Third, malware is illegal. I, and I am sure you too, have seen plenty of films in which a judge needs gently coercing into granting a search warrant or allowing a wiretapping operation. But judicial oversight in the cyber domain is still in its infancy, and in the meantime, in most, if not all countries of the world, creating and distributing a malicious program is a punishable offence – be it for ‘legitimate’ purposes or not. Law enforcement agencies the world over were created to fight crime, not perpetrate it.

And finally, malware is easily copied. Any malware – just like non-malicious software – is essentially just computer code, and if a high-end software engineer gets hold of that code, he or she would be able to replicate it quite easily. And that could be someone with truly malicious intentions, including a cybercriminal who could use the technology to attack the exact same law-abiding citizens who are supposedly protected by the use of such tools.

Based on the reasons I give above, I think it is fair to say that terms like ‘legitimate malware’ or ‘offensive security’ are oxymoronic and disturbingly dystopian, reminiscent of Orwell’s ‘war is peace’ and ‘freedom is slavery’. Security in a society will not improve if law enforcement services start breaking into properties or detaining people in the street without judicial oversight and without following all the legal procedures required to guarantee the lawfulness of such acts. Similarly, I think it is neither realistic nor proper to design procedures for legally using malware, as it is hard to imagine procedures that would allow police to stage ‘legitimate’ burglaries, fraud or assault. Accordingly, I am calling for the practice of using ‘legal malware’ to be stopped.

This article was written by Eugene Kaspersky, a Russian specialist in the information security field. He heads the global IT security company Kaspersky Lab.

Source: http://www.forbes.com/sites/eugenekaspersky/2014/12/22/what-is-wrong-with-legal-malware/
