Cybercrime Logo



 NYLS Cybercrime.AdvancedStudies.Org


UNIT 03:
Computer Viruses, Time Bombs, Trojans, Malicious Code

Cybercrime, Cyberterrorism, and Digital Law Enforcement
Professor K. A. Taipale (bio) (contact)

Registered Students login to NYLS Portal for updated Course Information and Reading Assignments.

UNIT 03:
Computer Viruses, Time Bombs, Trojans, Malicious Code (Malware)



Putting the "mal" in malware. What is "malicious" (cf. "inadvertent harm," "knock-on effects," "collateral damage")? What are "damages" from intrusions? When is "bad software" malicious (can negligence = malicious)?

Professionalization and the online market for malware.




Chapter 3, Computer Viruses, Time Bombs, Trojans, and Malicious Code," pp. 55-96 (US v. Morris (intended function test); Werner v. Lewis (contract); State v. Corcoran ("delete"); North Texas Imaging ("intent not means of transmission"); Mahru v. CA (own computer and "criminal" cannot turn on breach of contract (?)) ; Shaw v. Toshiba (distribution of bad software).



Shurgard Storage Centers v. Safeguard Self Storage, 119 F. Supp. 1121 (WD Wash. 2000) ("agency theory")

Fugarino v. State of Georgia, 531 S.E.2d 187 (Ga. Ct. App. 2000) ("spite"/motive)

Briggs v. State of Maryland, 704 A.2d 904 (Md. 1998) (malicious password protecting; sys admin is auth; conduct over motive).

EF Cultural Travel v. Explorica, 274 F.3d 577 (1Cir. 2001) (wholesale, "reeks of abuse"; confidentiality agreement)

AOL v. LCGM, 46 F. Supp. 2d 444 (ED Va. 1998) (TOS) v. Vario, 126 F. Supp. 2d 238 (SDNY 2000) (because P objects, D's use of robots was without authorization!)



18 U.S.C. § 1029. Fraud and related activity in connection with access devices.

18 U.S.C. § 1030. Fraud and related activity in connection with computers.

18 U.S.C. § 1037. Fraud and related activity in connection with electronic mail.

18 U.S.C. § 875. EXTORTION and THREATS. Interstate communications.



Cyber-Crime Act of 2007 (S. 2213) (THOMAS) (Would amend Sec. 1030 to add "conspiracy"; change damage threshold from $5,000 to "damage affecting 10 or more protected computers during any one-year period"; and add "cyber extortion").



NEWBERGER v. Florida, 641 So.2d 419 (1994) (what is "modifying").

US v. SABLAN, 92 F.3d 865 (1995) (relationship of "mens rea" to "damages," and how are damages calculated).

US v. MIDDLETON, 231 F.3d 1207 (2000) (Factual Background, pp. 1208-09, Part B. Damages, p. 1213, and Part C. Sufficiency of Evidence, pp. 1213-14).



Symantec, "Internet Security Threat Report," Vol. XII (Sept. 2007).


Trends: "Professionalization" and the online market for malware:

Elise Ackerman, "Hackers' infections slither onto Web sites: ONLINE SECURITY EXPERTS ISSUE WARNINGS ABOUT ORGANIZED INTERNET CRIME EFFORTS," Mercury News/ (Jan. 3, 2007) ("Computer security experts said 2006 was also the year that hacking stopped being a hobby and became a lucrative profession practiced by an underground of computer developers and software sellers").

Brad Stone, A Lively Market, Legal and Not, for Software Bugs, NY Times (Jan. 30, 2007) ("software vulnerabilities — as with stolen credit-card numbers and spammable e-mail addresses — carry real financial value. They are commonly bought, sold and traded online, both by legitimate security companies, which say they are providing a service, and by nefarious hackers and thieves.").

Erik Larkin, "An Inside Look at Internet Attackers' Black Markets," PC World (Aug. 13, 2007) ("Today's underground sites use surprisingly well-developed business practices to hawk viruses, stolen data, and attack services.").

"Symantec Reports Cyber Criminals Are Becoming Increasingly Professional," FindLaw (Sep. 17, 2007) ("[report] concludes that cyber criminals are increasingly becoming more professional – even commercial – in the development, distribution and use of malicious code and services. While cybercrime continues to be driven by financial gain, cyber criminals are now utilizing more professional attack methods, tools and strategies to conduct malicious activity.").

White Paper: "The Online Shadow Economy: A Billion Dollar Market For Malware Authors," MessageLabs (Oct. 2007) (download PDF) ("In an online black market worth more than $105 billion, malware authors can produce new, unique threats targeting businesses and employees every 45 seconds. This ... white paper examines the growth of this online shadow economy. It explores the high level of sophistication with which it operates, the continuous improvement of its techniques and looks at what the future holds for Internet crime.").

Tom Espiner, "Cracking open the cybercrime economy," (Dec. 14, 2007) ("There seems to be some serious evidence then for the idea of an evolution from hacking and virus writing for fun to creating malicious code for profit. Security experts are increasingly pointing to the existence of a "black" or "shadow" cyber-economy, where malware services are sold online using the same kinds of development methods and guarantees given by legitimate software vendors.").

Brian Krebs, "Cyber Crime 2.0: In 2007, Online Fraud Got More Targeted and Sophisticated," Washington Post (Dec. 20, 2007) ("The year 2007 may go down in the annals of Internet crime as the year when organized cyber criminals finally got serious about their marketing strategies -- crafting cyber schemes that were significantly more sophisticated and stealthy. ... With more computer users than ever guarding their systems with anti-virus, firewall and other security software, Internet criminals have concentrated their efforts on tricking users into opening "backdoors" into their own systems ...[by] ... convincing users to view malicious video or audio content on a Web site that takes advantage of security holes in the user's Web browser or media player, flaws which in turn give criminals the access they need to install software to control the user's machine remotely.").

Jonathan Richards, "Number of computer viruses tops one million," Times Online (Apr. 10, 2008) ("The number of computer viruses in circulation has reached one million for the first time, according to a report by a leading security firm.") (Also: "China ... emerged as the new base of the Russian Business Network (RBN), a shadowy organisation which specialises in the distribution of malicious code, but which virtually disappeared in November last year after a campaign by police and other investigators, the report suggested. The RBN has been credited with devising approximately half of the phishing scams conducted worldwide last year.")

"Study shows businesses face risk from data theft" Reuters (Jan. 29, 2009) ("Businesses risk losing over $1 trillion ... from loss or theft of data and other cybercrime, according to a study released on Thursday by security technology firm McAfee[, which] launched the survey after detecting a rapid acceleration of malicious software, or "malware," last year ... . Malware increased by 400 percent in 2008 ... . "This was a very insidious type of malware that was designed either to steal your data, steal your identity, steal your money, and in many cases the scale as well as the sophistication was very alarming"]

Tim Weber, "Cybercrime threat rising sharply," BBC News (Jan. 31, 2009) ("The threat of cybercrime is rising sharply, .... Online theft costs $1 trillion a year, the number of attacks is rising sharply and too many people do not know how to protect themselves, ... . The internet was vulnerable, ... but as it was now part of society's central nervous system, attacks could threaten whole economies. The past year had seen "more vulnerabilities, more cybercrime, more malicious software than ever before", more than had been seen in the past five years combined, .... . [Is] "the internet at risk?", was the topic of session at the annual Davos meeting.

Jill R. Aitoro, "Survey shows cyberattacks are getting more disruptive," (Dec. 1, 2009). ("Cyberattacks that seek to penetrate computer networks or disrupt online services are increasing significantly, ... . Infections from software designed to infiltrate or damage a computer system were "easily the most prevalent" type of cyberattack in 2009, the ... survey found. More than 64 percent of 443 respondents said they were victims of malware attacks, compared to 50 percent in 2008. Often these were multistage attacks, in which the malware downloaded separate tools to enhance the severity of the infection once inside the network, ....")



Tom Espiner, "Wikipedia used to spread malicious code," CNET News (Nov. 6, 2006)

Robert McMillan, "Google accidentally sends out Kama Sutra worm," InfoWorld (Nov. 8, 2006).

Robert McMillan, "Storm Trojan floods e-mail boxes," InfoWorld (Jan. 19, 2007) ("Malicious Trojan horse software claiming to provide information on topics like the deadly storms that have battered Europe this week has infected thousands of computers over the past 24 hours. ... These e-mails appear to have been particularly effective because they offer information on a topic that is of intense public interest in Europe right now.")

"Cyber criminals move focus to web: Cyber criminals will increasingly turn their attention to the web and away from e-mail security in 2007" BBC News (Jan. 23, 2007) ("The internet now represents the easiest way for cyber criminals to gain entry to corporate networks, as more users are accessing unregulated sites, downloading applications and streaming audio/video. ... They are also subtly changing tactics - instead of sending so-called spyware-infected e-mails, they are sending e-mails linking to websites which contain a malicious downloader [Trojan].")

Hijacked Websites:

Dan Goodin, "Mass web infection leaves researcher scratching her head," Channel Register (Jan. 11, 2008) ("... hundreds of websites that are generating an enormous amount of traffic ... sites are spreading malware ... [these] sites themselves are hosting the malware, which is then foisted on visitors. Most of the time attackers are unable to gain such a high degree of control over the sites they hack, so they redirect end users to servers under the control of bad guys and use them to drop malicious payloads.").

"Poisoned websites attack visitors," BBC News (Jan. 17, 2008) ("Thousands of small web shops have been unwittingly poisoned with malicious code that infects PC users who visit.").

Robert McMillan, "The Web is Dangerous, Google Warns: The search site's bots find that 1 in 1000 Web pages is infected with malicious drive-by download software" PC World (Feb. 16, 2008) ("In the past year the Web sites of Al Gore's "An Inconvenient Truth" movie and the Miami Dolphins were hacked, and the MySpace profile of Alicia Keys was used to attack visitors. Criminals ... have built very successful automated tools that poke and prod Web sites, looking for programming errors and then exploit these flaws to install the drive-by download software. Often this code opens an invisible iFrame page on the victim's browser that redirects it to a malicious Web server. That server then tries to install code on the victim's PC.")

Hardware Devices:

Robert Lemos, "Malware hitches a ride on digital devices," The Register (Jan. 11, 2008) ("... add digital picture frames to the group of consumer products that could carry computer viruses and Trojan horse programs. ... underscore that the proliferation of electronic devices with onboard memory means that consumers have to increasingly be aware of the danger of unwanted code hitching a ride.").

"Electronic gadgets latest sources of computer viruses," News (Mar. 13, 20080 ("From iPods to navigation systems, some of today's hottest gadgets are landing on store shelves with some unwanted extras from the factory: pre-installed viruses that steal passwords, open doors for hackers and make computers spew spam.")

Social Engineered - Video CODEC scammers ("Download this video"):

Kelly O'Connell, "INTERNET LAW - Benazir Bhutto Assassination Websites Used to Spread Computer Viruses," IBLS (Jan. 9, 2008) ("Many websites apparently meant to mourn Pakistani Prime Minister Benazir Bhutto's murder by assassin were really designed to help spread malware for fraud and other nefarious purposes.").

John Leyden, "Scumbag malware authors exploit Virginia Tech tragedy," The Register (apr. 19, 2007) ("Pond-dwelling virus writers have crafted a malware attack that poses as camera phone footage of the shootings at Virginia Tech University that claimed 32 lives on Monday.").

"Beware Hurricane Katrina Scams," (2007) ("Hoaxes, Phishing Attacks, Malware and Other Threats In The Wake Of Katrina").

Linda Rosencrance, "FBI warns of online scams associated with tsunami disaster," ComputerWorld (Jan. 6, 2005) ("One 'relief' site can infect a visitor's computer with a virus").

"Fake media file snares PC users," BBC News (May 8, 2008) ("The fake file poses as a music track, short video or movie and has been widely seeded on file-sharing networks to snare victims.")

Offline/Online Social Engineering:

Elinor Mills, "Fake parking tickets direct to malicious Web site," CNET (Feb. 4, 2009) (In a scary online-offline Internet scam, hybrid cars in North Dakota have been tagged with fake parking citations that include a Web address hosting malicious software that drops a Trojan onto the computer.")



"Hackers Attack UK Student's Web Site," Associated Press (Jan. 18, 2006).

Jon Schwartz, "Cybercrooks hold PC data captive," USA Today (Dec. 18, 2006) ("In the latest online scam ["ransomware"], cybercrooks are breaking into the PCs of small businesses and individuals, locking up data and demanding money in return for freeing it").

Linda Deutsch, NY youths in plea deal in MySpace case, Associated Press/USA Today (Feb. 27, 2007) ("Two New York men accused of trying to extort $150,000 from by developing code that tracked visitors pleaded no contest Monday to illegal computer access in a bargain with the prosecution. Two counts of attempted extortion and another illegal computer access count were dropped in the deal, which gave the defendants three years probation. Each had faced up to nearly four years in prison.")

Sarah Langbein, "Man sentenced to 110 years for extorting naked photos of Florida girls," Orlando Sentinal (Nov. 30, 2007) ("A 33-year-old ... man was sentenced today in federal court to 110 years in prison for hacking into [teenage girls' MySpace pages] extorting naked photos from them.")

"CIA: Hackers demanding cash disrupted power utilities overseas," MIT Technology Review (Jan. 18, 2008) ("Hackers literally turned out the lights in multiple cities after breaking into electrical utilities and demanding extortion payments before disrupting the power, a senior CIA analyst told utility engineers at a trade conference.")



"Man Convicted Under Antispam Law," Bloomberg News (Jan. 16, 2007) ("A ... man who defrauded users of AOL by sending e-mail messages requesting credit data became the first defendant found guilty by a jury under [the Can-Spam Act] a 2003 federal law barring Internet ”spam.” ... The statute prohibits sending unsolicited e-mail messages with falsified header, or return address, information. ... [He] operated a so-called phishing scheme that duped AOL subscribers into providing personal and credit information in the belief they were dealing with the company’s billing department. He used the credit card information to make unauthorized purchases.")

Gregg Kelzer, " Spam Volume Jumps 35% In November," Information Week (Dec. 21, 2006) (" The volume of spam surged in November to an average of 85 billion messages a day during two periods ... and the month saw spam tactics that reduced the efficiency of traditional anti-spam filters").

Jeremy Kirk, "US Indicts 11 Over Pump-and-Dump Stock Spam," IDG News Service (Jan. 4, 2008) ("Eleven people, including one of the top spammers in the world, were indicted on Thursday for allegedly sending millions of unsolicited e-mails intended to inflate the price of Chinese penny stocks.")

Larry O'dell, "Va. court upholds spammer's conviction," USA Today (Feb. 29, 2008) ("A divided Virginia Supreme Court affirmed the nation's first felony conviction for illegal spamming on Friday, ruling that Virginia's anti-spamming law does not violate free-speech rights.")



Ryan Naraine, "'Pump-and-Dump' Spam Surge Linked to Russian Bot Herders," (Nov. 16, 2006) ("The recent surge in e-mail spam hawking penny stocks and penis enlargement pills is the handiwork of Russian hackers running a botnet powered by tens of thousands of hijacked computers. ... the gang functions with a level of sophistication rarely seen in the hacking underworld.")

John Markoff, "Attack of the Zombie Computers Is a Growing Threat, Experts Say," NY Times (Jan. , 2007) ("These systems, called botnets, are being blamed for the huge spike in spam that bedeviled the Internet in recent months, as well as fraud and data theft.")

Joris Evers, Dutch botnet hackers sentenced to time served, CNET News (Jan. 31, 2007) ("... for commandeering millions of computers last year with a Trojan ... used the hijacked systems in a network, popularly called a botnet, to steal credit card numbers and other personal data, and to blackmail online businesses by threatening to take down their Web sites.")

US DOJ Press Release, "Over 1 Million Potential Victims of Botnet Cyber Crime," (Jun. 13, 2007).

Ray Lilley, NZealand Arrests Top Cyber Suspect, Associated Press (Nov. 29, 2007) ("[p]olice detained ... suspected teenage kingpin of an international cyber crime network accused of infiltrating 1.3 million computers and skimming millions of dollars from victims' bank accounts, officials said. ... The case is part of an international crackdown on hackers who ... assume control of thousands of computers and amass them into centrally controlled clusters known as botnets [and] then use the computers to steal credit card information, manipulate stock trades and even crash industry computers.")

Jonathan Richards, "Number of computer viruses tops one million," Times Online (Apr. 10, 2008) ("... the Russian Business Network (RBN), a shadowy organisation which specialises in the distribution of malicious code [and which controls the Storm Botnet], but which virtually disappeared in November last year after a campaign by police and other investigators, ... . The RBN has been credited with devising approximately half of the phishing scams conducted worldwide last year.") For more on the Russian Business Network, see


Logic Bomb:

"Prosecutors: New Jersey worker put data-wrecking 'bomb' in computers of drug company," AP (Dec. 19, 2006) ("A computer administrator angry about possibly losing his job planted an electronic ''[logic] bomb'' in the systems of one of the nation's largest prescription drug management companies, prosecutors said Tuesday.")

Associated Press, "Man gets 8 years for computer sabotage," (Dec. 13, 2006) ("A former UBS ... systems administrator was sentenced ... to eight years ... for attempting to profit by detonating a "logic bomb" program that ... caused millions of dollars in damage to the brokerage's computer network ... . ... [he] was angry ... because he expected an annual bonus of $50,000 but got $32,500 ... [he] ultimately lost $23,000 he invested in a stock market bet against UBS because the ploy failed to reduce the company's share price. .... . [The day the logic bomb was to go off, he] went to a broker and bought ... "put options" for UBS stock, ... . ... the right to sell shares for a fixed per-share price, so the lower a stock falls the more valuable the option becomes.)

"U.S. man gets record sentence for computer sabotage," Reuters (Jan. 8, 2008) ("A computer systems administrator was sentenced to 30 months in prison on Tuesday for trying to sabotage his company's servers out of fear he was about to lose his job, prosecutors said.")

Thomas Claburn, "Fannie Mae Contractor Indicted For Logic Bomb," Information Week (Jan. 29, 2009) ("A contract software engineer at a federal agency is accused of planting a logic bomb in the agency's system after he was fired for making a mistake. The malware could have shut down operations for a week at mortgage bank Fannie Mae had it gone off as scheduled.")

Stefanie Hoffman, "Fannie Mae Logic Bomb Attack 'Tip Of The Iceberg'," ChannelWeb (Jan. 30, 2009) ("The contracted Fannie Mae engineer indicted ... for allegedly planting a logic bomb represents the beginning of a trend of insider attacks responding to layoffs and job insecurity because of the weak economy ... 2009 will likely be a "big year" for insider threats and data breaches due to the weak economy that resulted in massive layoffs within the IT sector and other industries. Consequently, it would not be difficult for disgruntled or laid-off IT employees to infiltrate corporate networks and plant malicious code, which could be used to shut down systems or steal information ... . ")

SF WAN Case Study:

Jaxon Van Derbeken,"S.F. officials locked out of computer network," San Fransisco Chronicle (Jul. 12, 2008) ("A disgruntled city computer engineer has virtually commandeered San Francisco's new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday. .. Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn't work. When pressed, Childs refused to divulge the real code even when threatened with arrest.")

Richard Adhikar, "Rogue Sys Admin Still Haunts San Francisco," InformationWeek (Sep. 12, 2008) ("Terry Childs, the system administrator who is in jail awaiting trial for, in effect, holding San Francisco's fiber-optic wide area network hostage back in July, continues to darken the lives of members of the city's IT department."

Richard Adhikari, "SF's Rogue IT Admin Facing 4 Felonies," InformationWeek (Dec. 29, 2008) ("San Francisco District Attorney ... announced ... that Terry Childs, 43, will be arraigned ... He is accused of tampering with the city and county of San Francisco's network system in such a way as to deny other authorized administrators access to the network, and to set up devices to gain unauthorized access to the system.")



Matt Hines, "Rootkits, Smarter Hackers Pose Growing Security Threats," (Apr. 17, 2006).

Dan Goodin, "Excuse me sir: there's a rootkit in your master boot record," Channel Register (Jan. 9, 2008) ("The rootkit modifies a PC's master boot record (MBR), which is the first sector of a storage device and is used to help a PC locate an operating system to boot after it is turned on. The result: the rootkit is running even before Windows loads. ... that allows it to persist even after removal ... can even survive reinstallation of the operating system [and, because it] lurks deep within the hard drive, well below the operating system, most antivirus programs don't detect the malware.")

"Warning on stealthy Windows virus," (Jan. 11, 2008) ("Security experts are warning about a stealthy Windows virus [dubbed "Mebroot"] that steals login details for online bank accounts. ... Many are falling victim via booby-trapped websites that use vulnerabilities in Microsoft's browser to install the attack code. ... the virus [a type known as a rootkit] is dangerous because it buries itself deep inside Windows to avoid detection.  ...  Once installed, the virus ... usually downloads other malicious programs, such as keyloggers, to do the work of stealing confidential information. ...  Mebroot ... uses its hidden position ... so it can re-install these associated programs [keyloggers, etc.] if they are deleted by anti-virus software.  Although the password-stealing programs that Mebroot installs can be found by security software, few commercial anti-virus packages currently detect [Mebroot's] presence [and it] cannot be removed while a computer is running.").



Michael Lee, et al., Electronic Commerce, Hackers, and the Search for Legitimacy: A Regulatory Proposal, 14 Berkeley Tech. L. J. 839 (1999).

Note, "Immunizing the Internet, or: How I Learned To Stop Worrying and Love the Worm," 119 Harvard L. Rev. (Jun. 2006).


Registered Students login to NYLS Portal for updated Reading Assignments.


Course Outline/Class Units

Registererd NYLS students login to for updated outline and assignments.

  1. Overview, What is Cybercrime?
  2. Computer Intrusions and Attacks (Unauthorized Access)
  3. Computer Viruses, Time Bombs, Trojans, Malicious Code (Malware)
  4. Online Fraud and Identity Theft; Intellectual Property Theft; Virtual Crime
  5. Online Vice: Gambling; Pornography; Child Exploitation
  6. International Aspects and Jurisdiction
  7. Infrastructure and Information Security; Risk Management
  8. Investigating Cybercrime: Digital Evidence and Computer Forensics
  9. Interception, Search and Seizure, and Surveillance
  10. Information Warfare, Cyberterrorism, and Hacktivism
  11. Terrorism, Radicalization, and The War of Ideas
  12. Trade Secret Theft and Economic Espionage
  13. National Security
  14. Case Study: CALEA, VoIP

Course Information



Registered Students login to NYLS Portal for updated Reading Assignments.

All original material on this or any linked page is copyright the Center for Advanced Studies in Science and Technology Policy © 2003-2009. Permission is granted to reproduce this material in whole or in part for non-commercial purposes, provided it is with proper citation and attribution.


 NYLS Logo