Seriously? USA to legalize rootkits, spyware, ransomware and trojans to combat piracy?


By now most users will already be familiar with ransomware, either because they have been affected by it themselves at some point or because they have seen it on a friend’s PC. Ransomware usually refers to a category of malware that tries to hold a user’s computer and files hostage and demands payment of a ransom in exchange for returning control of the computer to the user. The general method of operation so far has been to confront the user with fictitious legal accusations. However, there is a slight chance that in the not so distant future these accusations may no longer be fabricated.

Just a few days ago the “Commission on the Theft of American Intellectual Property” released its 84-page report. Among a large number of rather naive ideas there is one that strikes us as particularly insane: the report proposes the use of malware to determine whether or not you are pirating intellectual property and, if you are, to lock your computer and hold all your files hostage until you call the police and confess to your crime:

Additionally, software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account. Such measures do not violate existing laws on the use of the Internet, yet they serve to blunt attacks and stabilize a cyber incident to provide both time and evidence for law enforcement to become involved.

It gets even better:

While not currently permitted under U.S. law, there are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network.

Use of malware to stop piracy isn’t a new idea

Admittedly, this idea, as insane as it may sound, isn’t new at all. In fact, the very first PC virus, Brain, was created for exactly that purpose. Brain’s author, Amjad Farooq Alvi, used it in January 1986 to prevent his medical software from being copied illegally. According to him, the virus was supposed to target copyright infringers only and asked infected users to contact his software development firm to purchase a cure. Now almost 30 years later we know that his initial idea didn’t turn out that well and Brain went on to infect a lot of innocent users’ computers as well.

But we don’t even have to go back that far. Sony thought it would be a wise idea to use rootkits to protect their DVDs and CDs from being ripped just 8 years ago. The public outcry in late 2005 when Sony’s actions came to users’ attention was tremendous, and rightfully so. This was not only because the Sony rootkit didn’t pose any serious obstacle for any of the actual pirates out there, who weren’t affected by it at all, but because the rootkit posed a significant security and stability risk for everyone who purchased Sony’s content legally.

This was mainly due to various bugs within the rootkit itself. The rootkit lacked any kind of verification of which programs were actually allowed to take advantage of it and which weren’t. In fact, the rootkit simply hid all files whose names contained a particular string of text. It didn’t take long for actual malware to appear that included this marker in its file names, effectively using the Sony rootkit for its own malicious purposes. The rootkit itself contained several bugs that could trigger a system blue screen during certain operations or could be used by a normal user to obtain administrative rights on the system. Similar issues were found in the dedicated removal tool that Sony offered on its website: it could be used by attackers to run arbitrary code on a user’s system simply by getting the user to visit a website, and it could leave users without access to their CD and DVD drives after the rootkit had been removed.
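As an added illustration (not code from this post, from Sony, or from Emsisoft), the following Python simulation shows the flaw described above, a name-marker filter that hides files without checking who created them, together with the cross-view check defenders use to catch exactly this kind of hiding. The marker string, the directory listings and the vendor file set are all constructed for the example.

```python
"""Cross-view detection of a name-marker rootkit (constructed simulation)."""

HIDE_MARKER = "$hide$"  # constructed placeholder marker, not Sony's real string

# Constructed raw directory listing, as a low-level reader that bypasses the
# hooked API (e.g. parsing the file system directly) would see it.
RAW_LISTING = [
    "drm_player.exe",
    "$hide$drmcore.sys",   # the DRM vendor's own hidden driver
    "notes.txt",
    "$hide$malware.exe",   # unrelated malware piggybacking on the marker
    "$hide$dropper.dll",
]

# Files the DRM vendor actually shipped (constructed). Any other hidden entry
# is an unknown component abusing the rootkit's hiding mechanism.
VENDOR_FILES = {"$hide$drmcore.sys"}


def hooked_listing(raw_listing, marker=HIDE_MARKER):
    """Simulates the hooked directory API: drops every name containing the marker.

    No check of the file's origin is made, which is exactly the flaw: any
    program can hide its files simply by adopting the marker.
    """
    return [name for name in raw_listing if marker not in name]


def cross_view_diff(raw_listing, filtered_listing):
    """Return names present in the raw view but missing from the API view."""
    visible = set(filtered_listing)
    return [name for name in raw_listing if name not in visible]


def classify_hidden(hidden_names, vendor_files=VENDOR_FILES):
    """Split hidden entries into the vendor's known files and unknown ones."""
    known = [n for n in hidden_names if n in vendor_files]
    unknown = [n for n in hidden_names if n not in vendor_files]
    return {"known": known, "unknown": unknown}


if __name__ == "__main__":
    hidden = cross_view_diff(RAW_LISTING, hooked_listing(RAW_LISTING))
    report = classify_hidden(hidden)
    print("hidden by the rootkit:", hidden)
    print("unknown files abusing the marker:", report["unknown"])
```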

There is no “good malware”

The fallacy in all of this is that the commission clearly believes that something like “good malware” can exist. The reality is, there is no such thing. The number of different computer configurations out there alone is simply too large to guarantee that a particular program (or malware) will never cause unwanted bugs or side effects. A false positive in such a system would be disastrous. Given the nature of ransomware and rootkits in general, they often have to rely on undocumented Windows system internals, which almost guarantees that security vulnerabilities will arise. These vulnerabilities would then be used by software with actual malicious intent to infect the computers of innocent users, while the actual pirates would remain unharmed, since they would simply use rips and copies from which the malware-like DRM has been removed.

So where does this leave you as an Emsisoft user, if Congress decides to ignore all the outcry this report will surely cause and passes the requested legislation anyway? The answer is rather simple: We as a company don’t believe in “legal malware”. It doesn’t matter whether a country, Hollywood, or a Russian backyard crimeware gang created it. Malware will always be malicious, no matter the intentions. We have therefore never complied with requests by law enforcement agencies to whitelist their malware in the past, and we don’t plan to do so in the future. This is especially true for our behavior blocking technology, which is technically incapable of reliably determining the origin of a malware file, making it impossible for us to whitelist certain malware based on its origin even if we wanted to or were legally forced to do so.


Have a Great (Malware-Free) Day!

Sarah

Malware analyst at Emsisoft. Cryptolocker hitting so many people in 2013 was what really piqued my interest in malware, and especially ransomware.
