Thursday, September 6, 2012

Contagio mobile file downloads are not available indefinitely (thanks to Mediafire and LeakID ideas about copyright)

Things are better now
See the last and final update on the main page.

I want to thank everyone who offered support, offered help with legal and hosting, and made public posts about it. I truly appreciate, it helped me sort it out.


  1. I really don't want to get involved in this argument. Although you've been providing a tremendous service to the anti-virus researchers, I've never felt comfortable with making malware publicly available. I can point you to several perfectly legitimate (unlike this one) cases of copyright violation and other legal problems that can arise. However, I'd like to make two technical remarks:

    1) Does LeakID actually claim to be the copyright holder? Of malware samples? Thus implying that they are the authors? If I remember correctly, France is one of the few countries where even writing malware is illegal (not just infecting other people's computers with it without their consent, as it is in most other countries) - perhaps you could point that out to their legal team.

    2) Your statement that they could not identify the files because they were in password-protected archive is, technically, incorrect. While the compressed image of the file inside the archive is encrypted, the archive also contains the CRC-32 checksum of the uncompressed (and, of course, unenecrypted) file. This is a pretty reliable way of identifying the file. In the future, you might want to use a more reliable encryption method (e.g., PGP or GPG) or at least ZIP the sample (without a password) into a ZIP archive with a generic name (e.g., and then ZIP that archive into a new archive with a password.

    But, in general, responsible sharing of malware samples in the anti-virus industry is usually done by using a dedicated medium (e.g., an ftp server or a mailing list) to which only known, registered users have access and then the samples themselves are PGP-encrypted with the public keys of the known recipients with whom you share malware samples routinely.

    1. Thank you for your insightful comments, Bontchev.
      1) LeakID use robot crawlers and send same template take-down warnings to thousands if not millions. There is not much thought behind it. But if I have an opportunity to talk to their legal team, I will point it out
      2) It was more of a factual statement as in "could not identify" == "their filename seeking crawler is not capable of identifying" - as evidence suggests.
      Yes, I could have PGP encrypted files and filenames before zipping them again with XOR+random pass that you need to bruteforce with captcha/math quiz/IQ test before you can download but why? I am not distributing pirated movies and strive to be more transparent about file contents not less.

      In general, I am not a part of "anti-virus industry". It is a personal blog and repo one can ask to use. Those who have ethical issues with contagio/contagio mobile, use their PGP member-only repos and there is nothing wrong with that. Coincidentally, I sometimes also see things in antivirus and infosec industry that I disagree with. If I publicly express my opinions, they are free to "agree to disagree" or not but "C'est la vie"

    2. What I meant was - there are pretty good reasons why we do this differently in the AV industry (and no, "just so we can feel self-important" isn't one of them, no matter what the kids claim :D).

      What if some of the malware samples are actually commercial spyware, like MobiSpy? Making them publicly available is clearly a copyright violation. Not to mention that it is probably also a privacy violation, because these packages are usually unique per customer (there is customer-related data in some config file or another inside the package) and at least the vendor can trace them back to the particular customer whose sample was leaked.

      Another example. There was a particular version of a Symbian game which was self-replicating due to a programming error. It was its author who turned our attention to it, released a corrected version, and asked us to detect the faulty one as a virus. Nevertheless, distributing his game publicly would be a copyright violation.

      Yet another example. What if somebody "ad-jacks" a legitimate package? This is done by taking a package that uses one of the popular ad frameworks, disassembling it with APKTool, changing the ad network ID of the author with that of the malware author, re-assembling it back, re-signing it (with the key of the malware author) and distributing it. Although the new package doesn't do anything directly harmful to the device on which it is installed, it can be argued that it is malware, since it "steals" legitimate ad revenue from the original author. Some products might treat the new package as malware. But it would be a copyright violation to distribute it publicly.

      And yet another example. Somebody takes a legitimate game, adds malicious code to it and distributes the new (re-signed) package - we see such things in the Android world all the time. The author of the original game could claim that distributing the new package publicly violates his copyright.

      You see, it is not a problem to give a sample of a malicious program to a fellow anti-virus researcher; this falls into the "fair use" clause. But distributing it without restriction to anyone who bothers to download it can lead to copyright violations...

      In addition, there is the responsibility dilemma. I realize that people are unlikely to infect their devices accidentally without knowing what they are doing, since your samples are password-protected. But what if someone downloads some malware from your site and intentionally uses it to cause damage? Even if you bear no legal responsibility for his actions in your jurisdiction - wouldn't you feel at least ethically and morally responsible for facilitating his actions?

    3. Bonchev,
      thank you again for your comments.

      All the samples are protected by passwords to prevent accidental installations are available for study of malicious code embedded in them. Nobody in their right mind would unzip and install them on their devices for their game value and to save money.

      They are also available on virustotal, which has feeds to thousands of research companies using them for the same reason.

      In any case, if I get any complaints or inquiries regarding spyware and malware packages from the original game authors/distributors or their representatives, I will remove them on a case by case basis. Same applies to contagio postings - I am always careful about protecting the victims but if a legitimate company spoofed or their name is used to attack other victims (e.g. if Paypal do not want to be mentioned in a post about fake "Paypal payment" notices carrying malware), I can edit the posts. That happened in the past on Contagio and I have no objections to such requests and always make changes.

      In my experience, often companies want this exposure as they want their customers know that there is a malicious package circulating using and marring their company/product name. As an added benefit, they also get feedback from researchers sometimes leading to better product security, protection, infection indicators, attribution and other positive results.

      However, in order to alleviate all these concerns, I will stop using the "infected" password scheme for mobile malware and will change it to a scheme that I will share only with those who do not have ideological issues with the contagio concepts and are ethical/smart enough not to not use malicious packages for their game/product value or seek malware laden documents for their content.

      "If someone downloads some malware from [my] site and intentionally uses it to cause damage", I carry as much responsibility as a store selling kitchen knives. I am against releasing malicious code information before vendors issue security patches and don't do it. If malware is not 0day and technical information about the exploit is public, I think it is fair to make it available to researchers - especially who do not work in AV industry and have no privileged access to malware feeds. I do not have issues with sharing information and data with AV industry, software vendors, and security companies as well.


  2. Hi Mila... he won't bother telling you, but Bontchev is his last name. Vesselin (or Vess) is his first name. :)

    Sorry for your predicament. Hope everything works out for you.

  3. Ahm, perhaps I'm failing to get my point across somehow... :-(

    Yes, VirusTotal sends their samples to many AV researchers. The point here is that these samples are NOT publicly distributed without restriction. It is not possible for any random Tom, Dick and Harriet to go to the VirusTotal site and get them. That's why there are no copyright issues there - as I said, giving a piece of malware (or even a suspected piece of malware) to a fellow AV researcher is fine (the "fair use" clause); giving it to anyone who bothers to download it isn't, because it could lead to copyright violations, among other things.

    The problem is not "ideological issues" someone might have; the problem is the very practical issues you might get by distributing these samples publicly and without restriction.

    Using a stronger encryption scheme than just password-protected ZIP archives and sharing the decryption method only with a limited (even if large) set of people known to you (i.e., using some form of registration) for whom you can legitimately claim that they have a need to access these samples should be sufficient to alleviate these problems.

    Yes, I'm Vesselin Bontchev. Google me. ;-)

    1. Apologies for messing up your name, Vesselin.
      I personally think that this new password scheme, which creates a 12 character password different for each file is enough of a restriction.

      When people email me to get it, I sometimes get to know them better than most membership models allow. I will not be creating any member services as I am not interested in maintaining accounts/passwords and be responsible for their security.

      thank you.

    2. P.S. and yes, you might argue that using plain zip archive with a password is not enough. Maybe it is not enough for nuclear launch codes. I think it is ok for malware samples usually found elsewhere. Contagio is not the last and only place on earth to obtain them.