We help IT Professionals succeed at work.
Get Started

Is studying malware unethical?  Serious thought question

Last Modified: 2016-07-19
I was just struck by the thought: Is it actually unethical to do the work that antivirus and security companies do, examining a virus program, stepping through the bytes to reconstruct what its activity is, etc?  Seriously, that is.

Lets say that I'm a malware author, and I go out of my way to make sure that there is a strongly worded EULA agreement that prohibits reverse engineering of the file, etc, and for the sake of making it a fully black and white question, lets say that I package it along with a legitimate program that folks want to install like filezilla or such -- so the user runs into the various "Check this box if you dont want to disclude the program from not being installed" nonsense pages that such program installers provide for a plethora of adware etc.  And my installer screen says "Install GPApocalypse!  Is your hard drive getting full of pesky data?  Too many passwords to remember for every application?  Worry no more, this program will eliminate most of the space-hogging material on your harddrive and reduce the need to remember passwords by deleting nearly all the applications from your computer at intervals based on a predictable pattern.  As a bonus, it will choose most of the remaining files in a predictable way learned by your behavior, and encrypt all of your files with a 256bit cyptokey, so you'll only ever have to worry about a single password ever again! " and a smaller warning below that indicates that this software will in fact destroy your system and lock you out, just in case the bubble-gum salespitch above is still too unclear...Installing this program will be interpreted as agreement with the EULA ... )  and such

For the 97 % of the population who whacks away on the next button, they just installed my malware, despite the fact that I didn't trick them one bit - I gave them a eula and a description that indicated that I would fubar their system on them, that I would cause devistation.  So from my point of view from this scenario, they agreed to install my destructive payload, knowingly - even though I know that "knowingly" isn't morally correct, just legally correct.

Lets say that I make it pretty clear that the encrypted password can be calculated or predetermined some way, yet my eula also indicates that the software can not be reverse engineered, or a copy provided to anyone who does not agree to the eula.  

Clearly, I would expect any malware-confronting company to completely disregard any eula wording I provide, in any form, and race off to study the code and find the formula that allows a predictable password to do the encrypting, to identify the pattern for how it identifies the application files to delete, etc, etc..  

My program, my eula, the effort I go to to provide the end-user with the fact that their computer will be fubared -- I'm not being deceptive in the slightest way, I wont install if they dont want it -- I'm both correct (Ethically? Morally? ) in a sense, despite the clearly evil and vile outcome that I fully expect - but given that its a less-invisible agreement than some Apple agreements as to what this thing will do... not hard to picture it being 'legally binding'

What do the malware analysts do?  One is just to say "f'k the Eula, let him take us to court if he wants, I doubt it will happen" on the grounds that the destructive payload of my file is a darker shade of gray compared to violating a eula.  And I would expect that.  
Of course, that then means I can go ahead and violate all the apple and microsoft Eula's on the ground of "Hah, like they'll come after me as an individual in my home doing that" playing the odds that apple will not present me with a legal summons in the future, so its a pretty lame "justification" for 'knowingly violating' something...

The question is, it may be be possible to compare morality levels to determine a clear winning path to take, but being morally right isn't necessarily Ethically right.   (Look at the legal field for that -- a lawyer could violate his ethics to provide key information or obtain key information that would convice someone who has brutally murdered dozens of people and would otherwise go free without it - but morally he feels he violated his ethics for the right reason for his community, his family, his soul...)

Are antivirus analysts being unethical when they reverse engineer malware?  In many cases, clearly no, but what about the grayer ones where there is this agreement to download and install something that is going to "Give you a bunch of animated cursors, and make your colors brighter on your computer! And download special coupon offers as you browse... and also download more payloads each day that may contain new cursors and coupons or file deletion instructions"

Morally wrong to study malware? Never ever.
Ethically wrong to reverse engineer, study a malware exe, esp if there was a eula prior to installation, user interactivity, and the exclusion of sharing the 'file' with anyone who doesnt agree to the eula -- Maybe?

Its not the kind of ethical violation I'd expect someone to lose a second of sleep over, but, IS IT an ethical violation.  If a robot were to do the task, and was programmed to be 100% complient with ethical expectations somehow... would the robot be able to study my malware?  Are there any technical "outs" that render my eula void?  What about the fact that they AGREED to install the software knowing what it will do -- should the robot outright even reject the complaint that my file destroyed a system?  Should the antivirus folks accept that file as a complaint that it erased data and locked their files - I only did what I promised to do, I did nothing in the dark, nothing circumventing the security of the system - just exploiting human behavior...

(Important Info: No, I'm not working on malware or planning to create malware or "whateverware" that this scenario would be called.)
Watch Question
BillDLGeneral Factotum
This problem has been solved!
Unlock 9 Answers and 17 Comments.
See Answers
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant

An Experts Exchange subscription includes unlimited access to online courses.

Get Started
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE