
VXers slap copyright notices on malware

28 Apr 2008 11:04

What happened to honour among thieves?


Technical Support 

By Anonymous Coward
Posted Monday 28th April 2008 11:29 GMT
Dead Vulture

.....In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies....

Also, Boris and Dmitri will make unannounced "on-site technical support visits" with an AK-47 and 4 kg of Semtex.

And you thought FAST visits were intimidating....

Surreal 

By KarlTh
Posted Monday 28th April 2008 11:44 GMT

Just surreal. It's like a bizarre comedy universe. You couldn't make it up.

Copyleft anyone? 

By Steve Woods
Posted Monday 28th April 2008 11:56 GMT
Coat

Haven't these folks heard of the GPL?

Mine's the one with Stallman is God written on the back...

So Symantec only detects malware which has been leaked? 

By Henry Cobb
Posted Monday 28th April 2008 11:59 GMT
Alert

It is considered useful to clue Symantec in to malware which is already active enough for the Russian virus writers to have themselves already spotted it?

Symantec isn't expected to be able to spot it by themselves?

I wonder how well they'd be doing if they didn't have the firm support of these Concerned Local Citizens.

Enforcement 

By mh.
Posted Monday 28th April 2008 12:07 GMT

Contracts made for illegal purposes such as fraud or extortion are void under common law, so good luck with that one. Also, court records are public knowledge and it would be tricky for botnet herders and their clients to remain anonymous if one decided to sue the other. Personally I'd like to see it if a case like this ever did come to court.

Pirates pirating the pirates ... 

By Urs Keller
Posted Monday 28th April 2008 12:12 GMT
Pirate

... and thereby making writing malware economically less attractive? Could that spell the end of malware as we know it?

Sounds too good to be true.

Re: Enforcement 

By Anonymous Coward
Posted Monday 28th April 2008 13:29 GMT
Coat

The folks that write and sell these ain't exactly the Boy Scouts.

I doubt they'll have much patience for the legal process anyway.

Around these parts, we don't mess with the Russians.

It's the one with the wide yellow stripe down the back...

Errrrr 

By TEQ
Posted Monday 28th April 2008 13:46 GMT

Doesn't malware 'freely distribute' itself as part of its job description?

So.. 

By Mark Broadhurst
Posted Monday 28th April 2008 15:02 GMT
Alien

If you are a malware writer and your software makes a few trips around the net and wreaks havoc on hundreds of machines, people can sue the copyright holder, right?

Surely 

By Rick
Posted Monday 28th April 2008 15:44 GMT
Paris Hilton

If this is copyright protected, there is some kind of governmental agency involved? If so, why the hell are there no arrests or convictions? Come on now, these people have to be the biggest f@#$tards ever.

/> Paris cause she can relate to these idiots trying to copyright...now "That's HOT!!"

Contracts? 

By Gwyn Kemp-Philp
Posted Monday 28th April 2008 16:54 GMT
Unhappy

I suspect 'breach of contract' would have a slightly different meaning to virus creators than it does to us ordinary mortals.

Failure to observe the contract is more likely to arise from not bothering to read the End Loser Agreement than from a desire to mix it with the Czars of destruction.

And I should think penalty clauses are likely to be more 'imaginative'.

@Henry Cobb: Yep, that's about right 

By Gordon Fecyk
Posted Monday 28th April 2008 17:10 GMT
Thumb Up

"Symantec isn't expected to be able to spot it by themselves?"

Actually, they're not. No one expects Symantec as a company to detect and analyze this code, and release an update to catch it. Let alone remove the thing.

People buy Symantec AV with failure in mind. "Everyone else believes anti-virus software must fail to stop some viruses — and so they build failure into their 'solutions.'" -- Rob Rosenberger

http://www.vmyths.com/column/1/2004/7/2/

To Be Expected 

By A J Stiles
Posted Monday 28th April 2008 17:26 GMT

Virus creators already have "preferred" AV vendors, whom they bribe not to detect their products. Now they will have to deal with other virus creators paying larger amounts **to** detect them .....

Expect something to give anytime soon.

Re: Enforcement 

By Henry Wertz
Posted Monday 28th April 2008 20:49 GMT

The contract may be legally null and void, but apparently the contract terms HAVE been enforced. It's in the hands of an antivirus company after all.

What *I* wonder is, how many of these types of toolkits are out that have NOT been picked up by antivirus companies (presumably because the purchaser followed the purchase agreement)?

this is probably around whaling and spearfishing 

By noodle heimer
Posted Monday 28th April 2008 21:37 GMT

This is probably about installing keyloggers and remote control services more than self-propagating code. You can buy malware to put in an email or host on a website; the goal is not to spread like a virus (thereby giving copies of itself to security firms) but to remain in use in a limited pool of interesting machines and be unlikely to be picked up.

The professional malware industry periodically seeds malware into residential IP space to find out if a/v companies are hiding honeypots in them. They know if there are honeypots there, since all of a sudden the signature blocks recognize unreleased malware. (Saw a great slide illustrating a post to a malware forum on this topic a few months ago.)

This is the kind of stuff that folks pay reasonably well for, and it is likely to be undetected for months after its initial release (unless there's good network reporting and someone has time to read the sensors and has time to analyze, rather than simply reimage, a compromised machine, and they have time to find the original source of infection and escalate that to their a/v vendor. How many machines are you administering? How many of the above processes are automated and hence efficient at most companies? Just the reimaging one. Guess which one management favors over forensics?)

I see malware sent to users with titles at and above director, and the a/v on server never sees it, and the a/v product on the workstation never sees it. The best stuff is the stuff embedded in word documents, since there's no way to tell the corner offices that henceforth, we're blocking .doc at the gateway. The outbound filter often does block it phoning home. Does it always? Of course not.

Samples of these targeted malware loads submitted to Symantec, McAfee, etc. shortly after their purchase would cost the client who'd violated the EULA dough. It would likely lead to earlier detection of the stuff, and an awareness that the CFO's password at the payroll site was blown. Generating new malware is basically free; once you've got the tools to flip a bit in your malware, or repack it with a different packer, you're going to bypass the next signature update and be able to supply your compliant customers with a/v-evading product. But if your target is now extra-suspicious, you may not get a second chance to install a keylogger on that CFO's system.

The threat of reporting to the a/v community is a pretty good one. All that a/v can do by itself is react to past threats; you buy it because you have to, and because a lot of malware is crap software that does re-use enough chunks of old attack methods that it may be picked up.

GPL? Nah, freebsd botnet 

By Paul
Posted Monday 28th April 2008 22:16 GMT
Gates Horns

The GPL is too restrictive for me, that's why I use only botnets with FreeBSD licenses!

coat? yes, I'm taking yours, the one with the wallet in it!!!

Ha ha 

By BKB
Posted Tuesday 29th April 2008 00:27 GMT
Flame

It's very funny to see these people who abuse other people's trust ending up getting fed up with people abusing their trust.

A bit like the pirate-bay "file sharers" who start off sharing out everyone else's files, then end up getting fed up when people refuse to share back all the stuff they've stolen, and start making little "file sharing communities" where one has to contribute back some files, so as not to be stealing stuff from people who already stole it from someone else.

Perhaps honesty really is the best policy.

I have a feeling... 

By David Wiernicki
Posted Tuesday 29th April 2008 00:36 GMT
Alert

...that if you screw around with a Russian malware gang, the repercussions are probably somewhat beyond civil court action...

@A J Stiles, re: AV firm bribery? Not likely. 

By Gordon Fecyk
Posted Tuesday 29th April 2008 03:37 GMT
Stop

"Virus creators already have 'preferred' AV vendors, whom they bribe not to detect their products."

As much as I dislike the anti-virus industry, I have to side with them on this one. As much as the industry qualifies as a cartel, there's still fierce competition between them, and something like 'accidentally' releasing a virus is going to get pounced on.

There was speculation after September 11th 2001 whether American AV firms would avoid detecting viruses created by the American FBI. That speculation turned into a major publicity SNAFU for the industry, and AV industry supporters quickly reversed their position:

http://www.wired.com/politics/law/news/2001/11/48648

Further speculation loomed on whether the MPAA / Hollywood would ask American AV firms to avoid detecting anti-piracy viruses developed by the MPAA. Symantec's Chris Paden made their position very clear:

"Our main concern is for our customers. We don't care who has been attacking our customers. We are going to deploy all of our defenses to meet it."

So if Hollywood wants to attack US pirates, they'll have to go through the anti-virus industry to do it.

http://www.vmyths.com/column/1/2002/7/30/

The anti-virus cartel has more important things to do than take bribes from virus writers.
