You have probably seen the articles about the 0zapftis (a.k.a. the German Federal Trojan) malware used by the German police for investigations. There’s a lot going on in Germany and in the German parliament, so we’d like to point out the issue of dissecting governmental malware and its relation to common sense and the law. The politician Patrick Sensburg accused the Chaos Computer Club of having thwarted investigations and thus the punishment of potential perpetrators. According to him, this violates German law (§ 258 Strafvereitelung, to be exact; the description is in German). So is it legal to analyse malicious software, or is it illegal?
Mr. Sensburg has already answered three questions regarding his statements in parliament and clarified his message. He criticises the fact that the code was published on the Internet instead of being reported to the appropriate government agencies. The argument for publishing was that the security holes introduced by Backdoor:W32/R2D2.A (one of the official names used in malware signatures) pose a threat to the general public, and that the authorities should be informed first. He then said that he had merely asked whether the publication of the code and its analysis would endanger ongoing investigations. In Mr. Sensburg’s view, a better course of action would have been to contact the authorities first and then to publish the findings at a press conference hosted jointly by the CCC and the government.
The problem is that this suggestion mixes up two different scenarios well known to security researchers, namely full/responsible disclosure and malware detection.
When it comes to malicious software, you usually cannot take the route of full or responsible disclosure, since you most certainly won’t treat the authors of malware as a vendor, give them time to fix their bugs, and delay the distribution of signatures for your anti-virus filters. If you do this, your anti-virus solution cannot be trusted any more. Knowingly manipulating security measures so that they do not detect threats is a really bad idea (keep this in mind, since the German Computerbild claims that at least one anti-virus vendor did exactly this). There is no good malware. Malicious software compromises a computer system and executes code without the consent of the owner. This was the very purpose the German Federal Trojan was built for; otherwise the investigators could simply have asked the suspects to install their software. And we are not even talking about the additional compromise of security caused by the bugs in the code. If analysing malware really were against the law, then all anti-virus filters would probably be illegal, too. In addition, we could probably label DeepSec 2011 as a gang meeting of major „security cyber-thugs“. ☺
Fortunately, judge Ulf Buermeyer contradicts Mr. Sensburg in his private blog. Mr. Buermeyer states that the CCC’s actions lack any intent to thwart investigations or punishment. As is often the case, it’s the thought that counts (keep this in mind when writing advisories or talking at conferences). He goes on to explain that any „evidence“ gathered with the police malware will probably be useless in court, since the code allows arbitrary manipulation of data and code on the victim’s computer (we’re speaking of compromised systems, remember?). Mr. Buermeyer closes with the conclusion that prosecuting the CCC for a violation of § 258 would most certainly compromise the rule of law as well.