
EULAs For Malware

Posted by kdawson
from the must-read-russian dept.
I Don't Believe in Imaginary Property writes "The authors of the Zeus malware have added an end-user license agreement to their product. The buyer is, of course, permitted to infect as many computers with Zeus as they please, but they have no right to distribute it for 'any business or commercial purpose not connected with this sale,' and they can't examine the source, use it to control non-Zeus botnets, or send it to anti-virus companies. Oh, and they commit to paying for future upgrades, too — wouldn't Microsoft love to be able to add that term to their EULA. While it seems silly to imagine Zeus's authors going to the authorities for violations of this EULA, if they're anything like the Russian Business Network, they probably have an extra-judicial means of contract enforcement named Ivan. That said, this is by no means the first EULA-encrusted malware."
  • they probably have an extra-judicial means of contract enforcement named Ivan.

    His name is Bubba, actually.
    • by zwc101 (1134715)
      Fail. It's Tyronne.
    • by omeomi (675045)
      I'm pretty sure a contract that involves an illegal act is an invalid contract, so the EULA would be invalid from the start. Ivan is their only hope.
      • Re: (Score:3, Interesting)

        by s0litaire (1205168) *
        hell.... EVERY E.U.L.A. is invalid. You can't agree to a licence if it's inside a shrink-wrapped box before you buy it!...... You can't use the software unless you agree to the EULA. The only way to agree to the EULA is to read it. The only way to read it is to open the box. By opening the box you agree to the EULA. Catch-22 without a law degree.
        • Re: (Score:3, Informative)

          by damienl451 (841528)
          A EULA need not be a shrink-wrap contract. If you are shown the EULA before you download the software, it's not invalid. It may also be valid if you have the option to send the software back to the publisher for a full refund (cf ProCD v. Zeidenberg). So-called "clickwrap" licenses are also okay in many cases.
          • by ajs318 (655362)
            It may well be invalid anyway, if it attempts to diminish your statutory rights (which is illegal: your statutory rights are sacrosanct) and doesn't have a severability clause.
          • Talk for your country...

            In mine, you can't forfeit certain rights. Notably the one to decompile.
          • Re: (Score:3, Interesting)

            by Zeinfeld (263942)
            Some clauses of some EULAs are enforceable. But many are not. But this particular EULA is clearly unenforceable (under common law at least) as the courts do not adjudicate disputes arising from criminal conduct. There is an ancient case where one thief sued another for failing to pay him his share of two pocket watches they stole. I don't think they expect the EULA to be observed. They would be fools to expect that as they spend more time ripping each other off than their intended victims (no honor amongs
        • Actually, I don't encounter that very often anymore. Usually what I see is a license popup when I go to install the software - at that point, I can repackage the software and bring it back.

          Oh, wait. Except stores don't accept open, returned software. Well, I'm free to not use the software I paid for! Yeah, yeah, that's the ticket...

        • To play the devil's advocate here, you can find the EULA on the vendor's website. Like for WinXP [microsoft.com].
      • by Xaoswolf (524554)
        Likewise, do you even get a prompt to agree to the EULA?
    • by mazarin5 (309432)

      they probably have an extra-judicial means of contract enforcement named Ivan.

      His name is Bubba, actually.
      You know, everybody makes jokes about Bubba in prison. I always wondered what he did to get there in the first place.

      Now I know.
    • "His name is Bubba, actually"

      Bubba The Terrible, first tzar of Alabama. He's one mean mofo, plays a banjo while his victims fry in an oversized skillet.
    • by Abreu (173023)
      It could be Bubba, Vinnie, Ivan, Lee, or Chuy, depending on the franchise owner.
  • by Axe4ever (1155411)
    astala - vista - baby
    • Re: (Score:1, Offtopic)

      by MaskedSlacker (911878)
      Hasta la vista. Seriously? *sigh*
      • Re: (Score:2, Interesting)

        by Anonymous Coward
        Clearly you haven't heard of Astalavista [astalavista.net] (might have been .com, not sure), taking the piss out of Altavista [altavista.com] back when people still used it.. Twas a warez and serials site which eventually became overrun by popups, spyware, malware and other general nasties. In its place came asta-killer [asta-killer.com] against all the nasties, although most of its sites linked now distribute as many as they can..
  • New management: (Score:5, Insightful)

    by Fluffeh (1273756) on Monday April 28, 2008 @11:59PM (#23234120)
    My guess is that the original malware was written by some nerd who wanted to make a few bucks, but the operation was taken over by a bigger boss who saw more of the picture - and the EULA is trying to bolster the apparent legitimacy of what they are doing - or in some way provide the weakest of weak arguments to try to sue someone later who does a better job of what they are trying to do now.

    While I want to stab em with a sharp stick like the next guy, got to say that they are covering all their bases nicely.
    • Re: (Score:3, Insightful)

      by Frosty Piss (770223)

      ...to try to sue someone later who does a better job of what they are trying to do now.
      How can you sue someone for doing a "better" job of an illegal thing based on an illegal thing you are doing? Isn't that like calling the cops to report that someone stole some dope from you?
      • by Barny (103770)
        Yup, so long as the thing you are doing is not illegal in your country you can.
      • Re: (Score:3, Insightful)

        by ajs318 (655362)
        You need to know what people really mean when they call the police .....

        "A man in a black Ford Escort wound his window down and offered to sell me some crack". Translation: I paid some money to a man in a black Ford Escort for some dope, and he drove off laughing.

        "They're serving under-age kids in the Lion". Translation: The barmaid in the Lion asked me for ID, which I haven't got because I'm under-age, but she served someone else who is younger than me.
      • by dasheiff (261577)
        And if you read Fark.com, you'd realize that happens way more than it should.
  • I wonder if these guys will start trying to press DMCA lawsuits for people in the US who remove their software next.

    Call me cynical, but I can see some judge hearing some well-dressed attorneys representing the Zeus guys saying that the user deliberately made the decision to disable a protection mechanism against an "agreed upon" contract (and pointing out that what the software does is irrelevant), and said judge, not knowing any better, convicts.
    • Re: (Score:3, Interesting)

      by Fluffeh (1273756)
      I can't imagine anyone enforcing an agreement contract (in this case a EULA) that is installed without the user actually consenting to it being installed?

      I mean, if you knowingly install something that snoops on your system and agree to the EULA you need to be kicked in the proverbials, but if something sneaks onto your system without you knowing about it what chance does any user agreement have?

      Personally, I would like to see someone take Zeus to court about intrusion of their system. Wonder what the outc
      • by Nushio (951488)

        Wonder what the outcome would be.

        Sleeping with the fishes.
      • by zappepcs (820751)
        But... but... wait a damn minute. When I bought my last pc it had windows installed without my consent.

        Sure, sure, I realize there is a bit of difference here, but it sounds like they are taking the same business track as MS did in the 90s... well, more or less.

        Foist it on them, sue anyone who disagrees. Buy the dissenters that you can, consolidate, conglomerate, soon you'll be the largest malware pimp in the world!
        • Re: (Score:2, Interesting)

          by cobaltnova (1188515)
          Every time I have opened up a computer and started it up, I have been forced to click "Yes, I accept these license terms" when starting Windows the first time.

          In fact, I believe that, since there is a phrase to the extent of, "If you don't accept this license, you may return it to the seller for a refund," you actually can get rid of MS junk (see this happy story [linuxworld.com])! Though, the follow up suggests that it is hard, if not impossible, to do this.
      • by RiotingPacifist (1228016) on Tuesday April 29, 2008 @12:38AM (#23234402)
        Actually the EULA only applies to the company that buys the malware to distribute it.

        GP is answered by

        In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies.
        which covers the people the sell the botnet too, while i think that the article has a point when it says:

        Data thieves and malware authors aren't going to win any "Most Likely to Respect Intellectual Property" competitions
        Assuming that Zeus offers bespoke spyware for companies, or at least different enough that anti-virus companies can't detect them all from one sample (this is where it's tricky because once the AV company has one sample they'll be able to figure out the rest), it is quite a good threat:
        if you're big enough to pay for malware
        you're going to be big enough to do something with your network
        you're not going to risk losing your network

        In fact this seems like a bigger threat than most EULAs, you're hitting them hard, unfortunately I think it's just as flawed as a normal EULA, it's simply impossible to enforce (I mean Vista not on virtualisation, Mac on Apple-only hardware, it just doesn't work)

        Perhaps Zeus would be better off by making its money through some shady anti-zeus company that offers 100% protection from zeus.
        • by dwye (1127395)
          > Perhaps Zeus would be better off by making its
          > money through some shady anti-zeus company that
          > offers 100% protection from zeus.

          You are making the assumption that they don't, as well as from renting out the network. Remember, the Soviets funded their foreign intelligence department in the 1920s and early 30s by convincing the Western Powers that there was a big anti-communist underground that just needed some money and they would be able to overthrow Lenin (and later, Stalin). Why shouldn't t
      • In some countries in Europe there is a quite firm push towards "federal trojans" being installed in suspects computers. I wouldn't deem it impossible that removing them could be considered a crime by itself...
    • by sm62704 (957197)
      "By opening this bag of marijuana, you agree that you will..."

      What's next, warranties on IEDs?

      Like the late Walt Kelly's Pogo said, "common sense ain't so common no more".
  • by ddcc (946751)
    I, for one, welcome our EULA-encrusted malware BSA overlords!
  • This is what happens. You keep fighting the man, fighting the man. The next thing you know, you've been absorbed into the system and now you're invested in it, trying to make a buck and cover your ass like all us Joes.
    • by sm62704 (957197)
      That's not what happened to hippies. The hippies were affected by a certain drug - marijuana. One of its properties is to make you think. Another is to make you forget what you were thinking about, but it doesn't cause total amnesia. If you give enough thought to the subject, you'll realise that it is in everyone's best interests to treat your fellow man fairly and that it's completely stupid to ravage the environment, and that money isn't the be-all and end-all. Everything you do will one day be gone, and t
  • At least if they try to sue through the court system, they will have to reveal their own identity and then you can send your own Uber-Ivan to sort them out.
  • If I'm not happy with this software, can I return it to the point of purchase for a refund?
    After all, every EULA I've read has a refund-if-not-accept clause in it.
  • Precedence? (Score:1, Interesting)

    by Anonymous Coward
    What would have precedence in a case pitting EULA-enforced DMCA and anti-cybercrime laws? Let's say a commercial AV outfit vs. the DMCA which would say that reverse-engineering the product was violating their copyright.
    • Re: (Score:3, Insightful)

      by Hemogoblin (982564)
      Aren't EULAs essentially a form of contract? I'm not a lawyer, but I thought that any contract is not enforceable if its purpose is to achieve an illegal end; so, contracts involving malware would be void. http://en.wikipedia.org/wiki/Illegal_agreement [wikipedia.org]

      Any ACTUAL lawyers here care to comment?
    • Sony already spiced some of their CDs with DMCA protected rootkits.
    • The EULA can only be enforced (if at all) against the legal buyer of a license. Which is, in this case, the person licensing the trojan to infect machines. When your machine gets infected, or if you happen to be an AV researcher who gets his hands on one of these, you are not bound by the EULA. You didn't enter a license contract with the vendor of the malware.

      Yes, it feels odd to write this, not caring that something is malware and just trying to figure out the legal position. I wonder if this is how lawye
  • by suck_burners_rice (1258684) on Tuesday April 29, 2008 @12:39AM (#23234408)
    If, as suggested in this article's hypothetical situation, Microsoft were to write a EULA for malware, it would be pretty ridiculous. Oh, wait...
    • By reading this email you hereby agree to the following conditions:

      1) Allow all emails from our companies to reach your inbox, and you must read them

      2) You in fact must forward these emails, or let our malware forward them for you

      3) You must pay to have your genitalia enlarged with OUR products only, and you must continue paying for these products until you have the advertised girth and length

      4) You will not delete our messages, in fact you will archive and catalogue them in an order pleasing to you

      5) B

  • This is f'ing weird!
  • The most interesting thing about this however was not mentioned in the article, sadly - the EULA states that when you violate it, the code will be handed over to various antivirus companies, effectively rendering the code almost useless.
    • by Fluffeh (1273756)
      I think that it is trying to threaten potential hackers with what potential hackers would be scared of - having their hacks made useless. They are simply threatening to take away their work.

      S'pose it is in some funny 'honor among thieves' way, 'cept that the honor is only extending as far as their peers, not the people they are actually letting this loose on - clearly there is no respect that extends that far.
    • by ajs318 (655362)
      Well, successful malware authors are already paying bakshish to their "preferred partners" in the anti-malware industry (which is by no means above this sort of thing) in order to allow their product to evade detection by specific products. It's possible that a mere code sample submitted by a rival malware gang would have to be accompanied by a bigger bribe than the original author paid in order to have any effect.

      It's the same with taking out a contract for a hit. The person who wants you out of the
      • Unless each copy of the malware is unique, if the malcode is submitted to an AV company, *all* "customers" will be screwed, not just the guy who failed to pay.
        • by ajs318 (655362)
          Depends who is whose preferred partner. If you submit ripped-off code to the rip-off artist's own preferred partner, you'll have to pay them more to get them to do anything about it than they are paying them.

          Example: Suppose I am a malware creator, and I am paying McAfee to turn a blind eye to the malware I create. I copy a piece of malware you wrote. You pass on an example of this to McAfee. They aren't going to do anything about it, unless you pay them more than I am already paying them.
  • If they want to enforce their licensing, they can't be anonymous. I think I see a major opportunity for the Russian military to show their might and perform a few practice attack missions.
    • by dwye (1127395)
      > I think I see a major opportunity for the Russian military
      > to show their might and perform a few practice attack missions.

      Then seize it, and run it for themselves.
  • From http://bash.org/?577451 [bash.org] :

    <DmncAtrny> I will write on a huge cement block "By accepting this brick through your window, you accept it as is and agree to my disclaimer of all warranties, express or implied, as well as disclaimers of all liability, direct, indirect, consequential or incidental, that may arise from the installation of this brick into your building."
    <DmncAtrny> And then hurl it through the window of a Sony officer
    <DmncAtrny> and run like hell
  • So is there an "I don't agree" button or cancel or something if you don't like the EULA? If so, wtf, kinda weak malware lol. If not, it's not a real EULA and won't stand up in court...not that it would anyway lol.
  • by flyingfsck (986395) on Tuesday April 29, 2008 @02:03AM (#23234950)
    Norton AV has always had a EULA. The Zeus EULA is nothing new...
  • _EULA_EULA_EULA_EULA_EULA_EULA_EULA_EULA_EULA

    By looking at my ID, you hereby agree to mod me insightful from now on. click above to proceed.

    _EULA_EULA_EULA_EULA_EULA_EULA_EULA_EULA_EULA

    • by Skreech (131543)
      "Click anywhere on the screen to accept."
    • Nice! Way to play the mod system, that was awesome! I would now have to rate you +funny though, and well, that would mean I'd violate your EULA... better prep your attorneys. Just in case they are ready,

      I live @ 1313 Mockingbird Lane
      Beverly Hills, CA 90210
      (360)555-1212
  • In most jurisdictions, if one burglar breaks into another burglar's home, he goes to jail. But... if somebody is sold a very poor quality of cocaine in a drug deal, they can't sue to get their money back.

    Most jurisdictions will prosecute the crime but will not afford the protections of civil law. So in turn somebody might get prosecuted for violating criminal statutes, but they can't ever hope to successfully sue for lost profits.
  • EULA (Score:3, Interesting)

    by ettlz (639203) on Tuesday April 29, 2008 @04:02AM (#23235520) Journal
    How does one pronounce it? "Yoo-lah", or "Oi-lah"?
    • by ajs318 (655362)
      Neither, it's pronounced as though it was four separate letters.

      Or you could turn the U into a V ..... as in "evangelism" (from "eu" [= positive] . "angel" [= messenger] . "ism") = spreading good news.
    • by Minwee (522556)
      I think it's "Screw-Ya".
    • by Spatial (1235392)
      Oh god, you're one of those people who say "URL" like "hurl" aren't you.
  • Does the bot binary come with a EULA too?

    "By clicking on this email attachment, you agree to become a member of the Storm botnet indefinitely, and agree to never remove this bot. You further agree to remove all virus protection and open all ports on your computer.

    Oh, and you have agreed to get a better internet connection. Seriously, how am I supposed to spam people over dial-up?

    [Agree] [Own me] [Bend over]"
  • Malware creators already have "preferred partners" in the AV industry (i.e., those to whom they are paying cash bribes in order not to have their products detected by that particular brand of AV software) -- don't make the mistake of thinking the anti-malware industry is any less corrupt than the malware industry.

    Now, their preferred partners will be offered money to detect certain malware.

    It's all going to turn ugly. Very ugly ..... I'm just glad my OS of choice is immune by design to the most comm
  • Does it come up with "I Agree" / "I Disagree" buttons like all other programs now? If so, it would affect its spread rate since people would be able to disagree and therefore it should not install, or if you don't get the option to disagree or read it then it would cause problems when enforcing it legally.
    • by SimonGhent (57578)
      Come on, you don't even have to RTFA. From the summary: "The buyer is, of course, permitted to infect as many computers with Zeus as they please".

      The EULA is for the person buying the product not for the infected.
    • by SimonGhent (57578)
      FFS! (Score:2, Interesting)

      It's one thing for the poster not to RTFA, but you'd imagine that someone with mod points would at least glance at the summary... ah, it's /.

      Sorry, as I've said before, I'm new here...
  • Malware would be subject to counter-claims that the purpose of the software was not clear. How do you make hidden details reasonably accessible? Surely, on testing a license breach in legal proceedings, there has to be a demonstration that the user knowingly breached the agreement, and reasonable steps were taken by the licensors to communicate their requirements?
  • It's pretty well known that botnet creators are selling their net (and perhaps the bots) to paying clients that want to set up a botnet for nefarious purposes.

    The line "In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies." makes me think this EULA is targeted at those customers, not the zombie victims. The second sentence basically says to me:
    "We have customized your bot so
  • Well, both legal companies and the Russian malware mafia work on pretty much the same basis. If you break any other EULA, you get a letter. If you break their EULA, you get a package.
  • George Will, among others, points out the failure in the "War on Drugs" is evidenced by the falling price, and increasing quality, of cocaine and other drugs, both showing an increase in competition for the consumer's dollar.
