
Decompiling Malware a Crime?

This question came up in my malware class and I was curious if anyone else had an opinion on the matter. If you have a legal background I would be especially interested.

The question is whether decompiling a piece of malware violates the malware author's copyright. Or in the case of the Sony DRM rootkit fiasco if Sony had any legal standing to sue either the individual who disclosed the existence of the malware or anyone who wrote tools to remove the rootkit.

I don't know the legal issues

But I find it highly unlikely a malware author would try to assert copyright. It's not in their best interest to let the cat out of the bag, so to speak, in that way.

I think Sony realized they had a massive PR nightmare and wanted out of it as soon as possible. Trying to go after Russinovich would have made it all that much worse.

I didn't read the EULA for the Sony rootkit (if there even was one) but maybe it didn't make you agree to not reverse engineer it?

It would be pretty strange / horrifying if it was somehow illegal to reverse engineer malware.


New German Anti-Hacking Law

I'm not sure at the moment if it is not illegal here in Germany, as we have a new anti-hacking law, and I currently don't know if the tools I'm using for decompiling/analysing malware are illegal, or even if the techniques/PoCs like BITS I have on my site are illegal.

I have some other PoCs here on my disk, which I'd like to release in the near future, showing how today's malware acts, like decompiled code (C/CPP code) that steals PFX certs, mail accounts (Outlook, Hotmail, MSN), autocomplete forms/passes, protected password sites and so forth.

I have to clear these topics with an attorney. If this is an issue I will take my site down.

If you don't know what I'm speaking about:


The question I have is

The question I have is whether intent plays a large part in the German laws. Anything can be used for evil, and anything can be made into a hacker tool. My favorite is the hammer.

My 2 cents.

To bring in more international views on the matter:

Swedish Copyright Law (SFS 1960:729, Paragraph 26 G, Fourth section) says:

"Den som har rätt att använda ett datorprogram får iaktta, undersöka eller prova programmets funktion för att fastställa de idéer och principer som ligger bakom programmets olika detaljer. Detta gäller under förutsättning att det sker vid sådan laddning, visning på skärm, körning, överföring eller lagring av programmet som han har rätt att utföra."

My translation:
"The person who has the right to use a computer program may observe, examine or try the program's function to ascertain the ideas and principles that are behind the program's different details. This is valid under the condition that it is done under such loading, display on screen, execution, transfer or storage of the program that the person has the right to do."

My comment:
So, if you are observing and looking, not running the program in a decompiler with the intent to analyse it, then everything would be fine (there are still lots of things that you can learn about a program with tools such as Filemon and similar tools). IANAL, but to me it says that you are not allowed to load code into decompilers (since it's not natural execution) but you may attach to the process (i.e. with IDA Pro), and take a peek at the memory. It may also be possible that you could choose to store the program as decompiled ASM code.

It goes on:
"Avtalsvillkor som inskränker användarens rätt enligt andra, fjärde eller femte stycket är ogiltiga. Lag (1997:790)."

My translation:
"Contracts that prohibit the user's right according to the second, fourth or fifth section are void. Law (1997:790)."

My friend from the UK informed me that UK copyright law allows him to examine any invasive program that is running or stored on his computer. (Can someone from the UK confirm this?)

If it really would be any offense to analyse malicious code, then antivirus software manufacturers would be in for lots of problems.

And I don't think a server that is hosted in country X has to care about laws in country Y anyway.

Chamuco and the law

I'm just an armchair lawyer, which is to say not at all, so don't take any of my comments for more than what they are. :)

There is one important point about any sort of legal agreement. Any contract made to perform some act that is illegal is invalid. So even if the malware author makes you sign a EULA, and then they break the law, then that contract is void. That in my opinion makes it a non-issue.

The other point I can think of is that to assert copyright and later to make a claim against someone, the malware author would have to identify themselves. You cannot make a legal claim without presenting proper identification, hiring a lawyer, etc.

Good question!

The thing is, if they did

The thing is, if they did that it could be widespread to any kind of tool used specifically to investigate a crime. Imagine if it was suddenly illegal to take fingerprints, or DNA samples. What if it was a crime to use basic physics to investigate a car accident? Jordan (US TV show Crossing Jordan) would be out of business.

" Fuck the fucking fuckers before they fuck you "
- The Rogue Warrior

Probably not illegal - My two cents

It would really be interesting. I know virus writers copyright their virus and stuff like that, and adware writers. But if they were to sue you for it I don't think it would get that far, being as in order to sue they would be admitting that they indeed did make a virus or spyware, so you would be defending your computer from being infected and files lost; you would not get in any trouble. This is judging from the US (I live in the US), but in other countries I don't know.