The creation of malware. Responsibility

    I do not work in RU and the CIS in particular, which means that I am clean before the law. Do not poke me with the Criminal Code of the Russian Federation, I know it perfectly and do not violate it. This is our Code of Criminal Procedure, which does not consider it a violation of 272/273 if it did not cause harm to the Russian Federation. Thus, I disclaim responsibility for what I said here, and also do not bear any responsibility for the actions taken after reading this article. And in general - I started. I am kind, holt and cherish.

    This quote, posted in a now-deleted article, provoked a fairly wide discussion in the comments about responsibility for writing malware and exploits, including in the course of research.

    Is the virus writer who created a loader responsible? What if he creates his software in another country? And what if he does not know at all that his software is used for malicious purposes? There are many questions, and we will try to answer them.

    Before talking about responsibility under the provisions of the law, something sad must be said. The law is not the precisely worded text of an ideal technical specification, which many readers of this resource are used to. Alas. For this reason there are commentaries on each article of the Criminal Code (you can find them by typing a query such as “Article 273 of the Criminal Code of the Russian Federation” into a search engine). But these are not general explanations binding on everyone, of the kind “here we read it this way, there we read it that way”. Alas, they are the interpretations of specific people, posted on specific sites. In most cases they coincide, but not always, and sometimes the opinions are diametrically opposed. I will go through some examples in the course of the article. As a result, the decision in a case will depend (even leaving aside the quality of the evidence collection procedure and of the case file submitted to the court) on the qualifications of the lawyer, the qualifications of the court, and established practice.

    Let's start with the simplest questions.

    “I do not write programs that encrypt or steal data. I make programs that infect a computer and then load the actual malicious programs on order. There is no article in the Criminal Code for this!”

    It is impossible to cover all the laws of the world, so we will consider the situation using the example of the Criminal Code of the Russian Federation. The legislation of other countries is in most cases similar.

    To answer the above statement, we read art. 273 of the Criminal Code of the Russian Federation “Creation, Use and Distribution of Malicious Computer Programs” (as amended by Federal Law of 07.12.2011 N 420-ФЗ):

    1. The creation, distribution or use of computer programs or other computer information knowingly intended for unauthorized destruction, blocking, modification, copying of computer information or the neutralization of computer information protection means - shall be punishable by restriction of liberty for a term of up to four years, or forced labor for a term of up to four years, or imprisonment for the same term with a fine of up to two hundred thousand rubles or in the amount of wages or other income of the convicted person for a period of up to eighteen months.
    2. The acts provided for by the first part of this article, committed by a group of persons in a preliminary conspiracy or by an organized group or by a person using their official position, as well as causing serious damage or committed out of mercenary interest, shall be punishable by restriction of liberty for a term of up to four years, or by compulsory work for a term of up to five years with a deprivation of the right to occupy certain positions or engage in certain activities for a period of up to three years or without it, or imprisonment for a term of up to five years with a fine in the amount of one hundred thousand to two hundred thousand rubles or in the amount of wages or other income of the convicted person for a period of two to three years or without it and with deprivation of the right to occupy certain positions or engage in certain activities for up to three years or without it.
    3. The acts provided for by the first or second parts of this article, if they entailed grave consequences or created a threat of their onset, shall be punishable by deprivation of liberty for a term of up to seven years.

    This article states that liability arises for actions leading to the destruction, blocking, modification, copying of computer information or the neutralization of computer information protection tools. That is, a first reading gives the impression that if a program does nothing of the kind, then there is no responsibility for creating and distributing, say, downloader trojans. This is not true. The key phrase here is “computer information”. What that is is defined by Art. 272 of the Criminal Code:

    Computer information refers to information (messages, data) presented in the form of electrical signals, regardless of the means of their storage, processing and transmission.

    Thus, information from the point of view of the law is not only documents. This is any bit recorded on a computer. Accordingly, any program that modifies anything on a computer can, under certain conditions, be classified as malicious. The above statement can be considered false.

    “So, can any program that changes anything on a computer be considered malicious?”

    Not any. Take network research utilities and remote control utilities: they are often among the programs whose installation antiviruses treat with suspicion, because attackers use them all too readily for their own purposes. The boundary is drawn by the words “knowingly” and “unauthorized”. A few quotes from the commentaries on the article:

    Malicious programs in the sense of a commented article are understood to mean programs specially (knowingly) created to disrupt the normal functioning of computer programs. Normal functioning is understood as the execution of operations for which these programs are intended, as defined in the documentation for the program.
    Using a malicious program or malicious computer information should be understood as its direct publication, reproduction, distribution and other actions for their introduction into economic circulation (including in a modified form) committed with the aim of unauthorized destruction, blocking, modification or copying of information, disruption of computer devices or their network. For example, the use of a malicious program is its entry (installation) into the computer’s memory.
    This structure is formal and does not require any consequences, criminal liability arises as a result of the creation of the program, regardless of whether the program was used or not. Within the meaning of the commented article, the presence of the source code of the virus programs is already the basis for bringing to justice.
    Link

    Accordingly, from the point of view of the law, malware includes programs that are installed without notifying users and / or that perform actions that are not reflected in the documentation.

    “I’m a system administrator, I install RAdmin for everyone over the network - am I going to go to court?”

    Installing programs without notice is common practice in companies and organizations. It is therefore advisable to work this issue out: approve the list of software in use and record consent to its remote installation in documents signed by company employees. Just to be safe.

    “Oh, and I spread the virus over the network!”

    Let's start with the funniest quote:

    The use of malware is understood to mean their use (by any person) in which their harmful properties are activated.
    Link

    Above, I promised to go through examples of discrepancies. The word “knowingly” is not placed very well in the law. The phrase “the distribution of ... computer programs ... knowingly intended” can be read in two ways. Imagine a situation where a user or a company administrator has spread a malicious program over a network. If you take “knowingly” to refer to the malware, then any unintentional distribution of a knowingly malicious program is, from the point of view of the law, not good. And here the difference in approach between the first and second parts of the article plays a role. Recall that "The acts provided for in the first part of this article, committed ... by a person using his official position ... shall be punished." There is no clarification about actions committed unintentionally - none!

    On the subjective side, the offense under Part 1 of the commented article can only be committed with direct intent, since this article determines that the creation of malicious programs for the creator of the program must lead to unauthorized destruction, blocking, modification or copying of information, or disruption of the operation of a computer.
    The use or distribution of malicious programs can also be carried out only intentionally, since in accordance with Part 2 of Art. 24 of the Criminal Code, an act committed through negligence is recognized as a crime only if it is expressly provided for in the relevant article of the Special Part of the Criminal Code.
    Part 2 of the commented article, unlike Part 1, envisages the onset of grave consequences through negligence as a qualifying attribute.
    Link

    Another opinion on part 2:

    The content of these qualifying features corresponds to the content of similar features of previously considered corpus delicti
    Link

    One more:

    On the subjective side, a crime can be committed both through negligence in the form of frivolity, and with indirect intent in the form of an indifferent attitude to the possible consequences. When establishing direct intent in the actions of the perpetrator, the crime is subject to qualification depending on the goal that the perpetrator set himself, and when there are consequences that he sought to achieve, and depending on the consequences. In this case, the actions provided for in Art. 273 of the Criminal Code, are only a way to achieve the goal. A committed act is subject to qualification in the aggregate of crimes committed.
    Link

    A funny opinion, by the way:

    Malware development is available only to qualified programmers, who, due to their training, must anticipate the possible consequences of using these programs.

    Thus: include anti-virus checking in your software installation procedures, approve the procedures and follow them, and do not forget about Article 274 of the Criminal Code of the Russian Federation:

    In accordance with article 274 of the Criminal Code of the Russian Federation, criminal liability arises for violation of the rules for the operation of means of storage, processing or transmission of computer information and information and telecommunication networks.
    Link

    “I just ran it for myself!”

    Another place where interpretations differ. Most interpretations hold that it makes no difference whether it was for yourself or not:

    The crime in question will be completed from the moment of creation, use or dissemination of such programs or information that threaten the onset of the consequences specified in the law, regardless of whether these consequences actually occurred or not. Moreover, the perpetrator must be aware that the programs created or used by him will obviously lead to socially dangerous consequences specified in the law. Motive and purpose do not affect the qualification of the crime.
    Link

    The answer, I think, is obvious.

    True, the same interpretation makes an allowance for shooting yourself in the foot:

    However, the use of a malicious computer program for personal use (for example, to destroy your own computer information) is not punishable.


    “I do not spread the virus, I put it on GitHub for everyone to look at, and that's it”

    Distribution of programs is the provision of access to a computer program reproduced in any tangible form, including through network and other means, as well as through the sale, rental, leasing, lending for any of these purposes. One of the most typical ways of spreading malware is to place it on various sites and pages of the information and telecommunication network Internet.
    Link

    Thus, any publication is already distribution. Naturally, the question immediately arises of publishing exploits that demonstrate a vulnerability. From the point of view of the law, this is not good. We can recommend publishing with changes that make the code inoperable, but it is not known whether the court will accept this as an argument.

    “I didn’t even compile it, I just sketched out the code for fun”

    This structure is formal and does not require any consequences; criminal liability arises as a result of the creation, use or distribution of the program, regardless of whether any socially dangerous consequences have occurred as a result of this. Within the meaning of the commented article, the presence of the source code of the virus programs is already the basis for prosecution.
    Responsibility comes for any action provided by the disposition, alternatively. For example, someone may be responsible for creating a malicious program, another for using it, and a third for distributing malware.
    Link

    Even more fun:

    Creating programs is an activity aimed at developing, preparing programs that are capable of unauthorized destruction, blocking, modifying, copying computer information or neutralizing computer information protection tools in their functionality.
    Art. 273 of the Criminal Code of the Russian Federation establishes liability for illegal actions with computer programs recorded not only on computer, but also on other media, including paper. This is due to the fact that the process of creating a computer program often begins with writing its text, followed by its introduction into the computer or without it. With this in mind, the presence of the source code of malicious computer programs is already the basis for prosecution under Art. 273 of the Criminal Code.
    Link

    Writing source code on paper is certainly a cool detail, but it does not change the meaning. Keeping source code, and even more so malicious programs, is not good if you are ever brought in on any case. Judicial practice in this regard is unambiguous. The presence on the computer of programs that can be classified as malicious, together with the ability to use them thanks to your qualifications (insanity, I agree, but this is the practice), serves as an aggravating circumstance.

    “Yes, I am only on the command line ...”

    So far we have talked only about programs. But Article 273 also contains something else: "... the dissemination or use ... of computer information knowingly intended." Recall that information is any bit on a computer.

    The Civil Code of the Russian Federation defines a computer program as “a set of data and instructions in an objective form designed to operate computers and other computer devices in order to obtain a specific result, including preparatory materials obtained during the development of a computer program and the audio-visual displays generated by it "
    Link

    Therefore, any actions that knowingly modify, destroy, etc. fall under Article 273 of the Criminal Code of the Russian Federation.

    Even having copied malware can fall under the wording of the law:

    A form of committing this crime can only be an action expressed in the form of creating malware for computers, making changes to existing programs, as well as using or distributing such programs. The distribution of machine media with such programs is completely covered by the concept of “use”.
    Link

    "I am not 18 yet!"

    The subject of this crime can be any sane person who has reached 16 years of age.
    The link

    “For what?”

    Depending on the actions performed by the malware and their consequences, responsibility can arise not only under Art. 273 of the Criminal Code of the Russian Federation. Two examples:

    If the creation, use or distribution of malware acts as a way to commit another intentional crime, then the offense should be qualified according to the totality of crimes. For example, in cases where a malicious program is created or used in order to eliminate the means of individual protection of a computer program established by the copyright holder, responsibility arises in the relevant parts of Articles 146 and 273 of the Criminal Code of the Russian Federation.
    In the event that the perpetrator, when using or distributing malware, intentionally destroyed or damaged computer equipment, which caused significant damage to the victim, his behavior forms the totality of crimes provided for in articles 167 and 273 of the Criminal Code of the Russian Federation.
    The link

    "I am from another country and do not fall under the laws of your country!"

    Alas, this is not so. All actions of creation (including, as we recall, storage), distribution and use are subject to the Criminal Code. That is, if you are caught with the source code on the territory of the Russian Federation, if you perform any actions against citizens and institutions of the Russian Federation - you are subject to the laws of the Russian Federation.

    Examples of criminals who ended up in US prisons are proof of this.

    Whether you disclaim responsibility or not, the law does not care. The law is concerned with the actions committed. Whether you have quit or not - likewise. There are committed actions, and there is responsibility for them.

    LeakedSource (a leak aggregator that collected Vkontakte databases, Mail.ru, Rambler, Last.fm, Linkedin, Dropbox, Myspace and many other resources leaked to the Internet and provided access to passwords for leaked victims to anyone who was willing to pay for them) claims California laws are not applicable to the company because it is based outside the United States.
    The link

    “Why are so few people put in jail?”

    As far as I personally know, the problem is not a lack of desire to imprison, but flaws in the procedures: the difficulty of combining small cases from different departments into one, the experience of collecting evidence.

    Other countries. We will not consider all of them; we will limit ourselves to two.

    Kazakhstan.

    Article 206 of the Criminal Code of the Republic of Kazakhstan. Illegal destruction or modification of information
    1. Intentional unlawful destruction or modification of information protected by law stored on an electronic medium, contained in an information system or transmitted via telecommunication networks, as well as the introduction of knowingly false information into the information system, if this entails a significant violation of the rights and legitimate interests of citizens or organizations or of the legally protected interests of society or the state, ...


    Article 210. Creation, use or distribution of malicious computer programs and software products

    1. Creation of a computer program or software product, or amending an existing program or software product, for the purpose of unlawful destruction, blocking, modification, copying or use of information stored on electronic media, contained in an information system or transmitted over telecommunication networks, or disruption of the operation of a computer, subscriber device, computer program, information system or telecommunication networks, as well as intentional use and (or) distribution of such a program or software product ...


    Pretty much the same. But the intentionality of the actions is clearly spelled out: accidental distribution is not subject to punishment. Unlawful actions have also been added, which in Russia fall under Article 274. The article does not define information, as was the case in the previous version of Art. 273 of the Criminal Code of the Russian Federation, which made it possible to include personal data and some other categories of data in such information.

    And in the case of Kazakhstan, actions are not required. Inaction is enough:

    Article 207. Violation of the information system or telecommunication networks
    1. Intentional actions (inaction) aimed at disrupting the operation of an information system or telecommunication networks, ...


    Ukraine

    1. Creation for the purpose of use, distribution or sale, as well as distribution or sale, of malicious software or technical means intended for unauthorized interference in the operation of electronic computing machines (… , - shall be punished with a fine of up to five hundred non-taxable minimum incomes of citizens, or correctional labor for a term of up to two years, or imprisonment for the same term.
    2. The same acts committed repeatedly or by a group of persons by prior conspiracy, or if they caused significant damage, - shall be punished with imprisonment for a term of up to five years.
    Link

    The wording "Creation for the purpose of use" is incomprehensible. Write, but do not check? In any case, the activity of any programs or technical means that change the operation of computers or networks falls under the law. The word "distribution" is there, with no indication of whether it is intentional or not. I'm afraid that unintentional distribution falls under the law.

    Here you can see the responsibility for the distribution of various types (by type!) of malware.

    You can familiarize yourself with several other approaches to liability for the creation and use of malware in the legislation of different countries here.
