Computer virus legal question

Are computer viruses legal?

I thought this would be an easy question (my first thought was “no”), but then I started wondering…

Clearly, there is money to be made from these things… Malware, adware, etc. aren’t all created equal. Some of these things are not only annoying, but can ruin your computer.

I understand there are some people out there that just want to see if they can create something that can screw with a stranger’s system because… well, I guess because it’s there. But I don’t see how this could be any different than someone throwing a brick through your window. Vandalism is vandalism.

However, with other types of computer infections, maybe the line isn’t as clear.

If they are legal, why are they legal? And if they are legal, I assume there are companies out there that advertise their “products” to potential customers… Anyone know of a company that creates this crap legally (and for profit)?

If they are illegal, why are they still out there in a never-ending stream, keeping Kaspersky, AdAware, et al. in business?

The cynical side of me says that all of these anti-virus companies have a lab somewhere creating these things so they can supply the solution for people and make money by doing so… But I can’t imagine any reputable company doing this for very long before someone working there would blow the whistle on them.

From a law enforcement perspective, I would think these are pretty hard to track down to the source, and the resources required to do this type of investigation would be significant. And then there is the problem of jurisdiction.

Anyone know the straight dope on these things, and how much money can be made by slamming someone’s computer with pop-ups, or tracking every move a person makes on-line, etc?

Computer malware is a violation of the Computer Fraud and Abuse Act (and possibly other statutes). The reason viruses are so numerous, as you note, is that they are difficult and expensive to track to the source, and there are often jurisdictional issues involved, as the groups that write viruses are often located in jurisdictions unfriendly to the US (namely Russia). Antivirus groups are not funding or involved in malware creation–they have enough on their hands already.

There is not a substantial amount of money involved in virus creation, but crackers make up for it in volume. Since infections are almost always automated, they can infect a large number of computers with little effort.

A long time ago, when I was younger and more interested in exploring strange things on the internet, I remember seeing a price quoted of ~$15/1000 infected computers, for US-based personal computers with no other infections (the malware market is highly specialized and commercialized, with many different groups each specializing in one part of the process). I don’t know how things have changed since then.

You can read this and you can find out that it’s not as clear cut in some cases.

In the EU/US virus creation and distribution is illegal.

However, not everything referred to as a virus is a virus; where it gets murky is adware, spyware & malware.
Some of that stuff is legal but lots falls into the “scam” category and is in turn illegal, but it is very hard to find these people and prosecute them.

Interesting price quote info. Thanks for that. I’d love to see the business case.

Thank you for the link.

As for the “hard to find these people and prosecute them”, I agree on the surface. However, in a transaction, there is a buyer and a seller. Are these things always done “on the sly”, paid for in cash or bitcoins, and/or always involving the porn industry (or something just as sleazy)? For anything that would be considered legal, there would be a record of a transaction, and the company that makes the -ware would show a sale on their balance sheet. So, we should at least know who is doing some of this stuff. Anyone know the name of a legit company that does this kind of work?

Spyware can provide very valuable information, and I would think that gathering this info without a user’s permission would be a violation of privacy laws. However, I can see how a company could easily get a user to agree to install any number of things by burying details in the EULA that people rarely read.

I read these more and more, and I have been surprised at what some of the software people install casually on their computers and phones can actually do.

For example, when Facebook went to Messenger, I remember reading how the program can capture your keystrokes, as well as other info, and send it off to Facebook, and/or other parties unknown… A couple of programs on the app store that look harmless, like different keyboards and different alphabet sets, do the same thing. People install it without reading the details anyway. It is amazing.

Computer viruses are one of many things that isn’t strictly legal or illegal. Simple possession of a computer virus isn’t illegal, which is good, since many antivirus programs will quarantine a suspected virus rather than deleting it (and most AV programs, by default, treat every detected virus as only suspected, due to the possibility of false positives).

Also, many* viruses are created by security researchers to test a concept (i.e. if a bit of code did a, b, and c, could it fully execute) so a defense can be developed and implemented before malicious users discover and use that method.

Like guns and most tools and weapons, it’s not the item itself that’s legal or not, it’s the actions you take with it.

Making something illegal doesn’t make it go away. You might as well ask why there are still thieves and murderers out there.

We’ve had laws against those things for quite a while, but they persist in spite of them.

Payment is mostly done via credit card to a payment system that is located in another country, then once or a couple of times transferred to another, in & out of countries/banks, and then cashed somewhere.

Ukash, Western Union, PayPal, etc. are used and abused as well.

To expand on this, malware authors often transfer payments through a dynamically updating list of stolen bank and money-transfer accounts. So the consumer sends money to an emptied and stolen PayPal (or MoneyGram, or…) account, and the hackers then transfer the money to other accounts, and then to Bitcoin and places unknown. By the time the site operator gets around to freezing the stolen account, the hackers have moved on to using other accounts, and the process repeats ad nauseam.

Thanks for this. :dubious:

Seriously? We’ve had laws against stealing and murder?

I was going to ask how you know all this, and then I read your username.

Perfect!

It’s not really a matter of it being “pretty hard” to track down a virus author. Unless the author made some major errors in relatively straightforward security precautions, it’s impossible.

If the author knew what he was doing, the computers that distributed the virus are nowhere near his home country, and any log files indicating his connection to those computers were erased. He used unregistered, cracked versions of whatever tools were used to write the virus, and it was tested in a lab that is not accessible to investigators.

You’d have much better luck trying to trace the payment trail the virus author used to be paid for his crime - assuming he didn’t do it just for kicks.