A child porn-planting virus: Threat or bad defense?

A story recently surfaced saying malware could plant child porn on innocent people's computers without their knowledge. Just how real is this threat? And how can you keep it from happening to you?

Being accused of possessing child pornography can ruin people's reputations, confront them with overwhelming legal bills and, if convicted, and deprive them of their freedom for years if sentenced to prison time, and perhaps for life, if they're required to register as sex offenders.

That is why, at least in part, a recent case outlined by the Associated Press raised concerns over computer viruses being used to plant child pornography on people's computers. But the innocent have little to fear, according to experts.

The AP story reported about the case of Michael Fiola, a former Massachusetts state employee whose state-owned work computer was found to contain illegal child pornography images. He was fired and charged with possession of child pornography which, had he been convicted, could have landed him in prison for up to five years, according to the AP.

Sexually explicit images of children--who are often being exploited--are not protected by the First Amendment because they may memorialize, celebrate, or encourage sexual crimes against children deemed defenseless victims. Although Fiola avoided a child porn conviction, he reportedly has suffered related indignities, including death threats and friend abandonment. The AP said he and his wife liquidated their savings and spent $250,000 on legal fees.

Ultimately, charges were dropped after Fiola's defense showed that his computer was infected by a virus that was "programmed to visit as many as 40 child porn sites per minute," something that a human couldn't do, even if he or she tried. Other reports about this case indicate that the antivirus software on Fiola's computer was out of date and therefore was not protecting him against malware.

Could it happen to you?
How likely is a case like Fiola's? If viruses are capable of putting illegal content on people's computers, aren't we all at risk of being arrested for serious crimes we never meant to commit? And if it is possible for this to happen, isn't "the virus did it" claim likely to become the mantra of every defense attorney who represents people accused of possessing child pornography?

To help answer these questions, I spoke with security experts, legal scholars, former prosecutors, and Justice Department officials. The consensus? It is indeed possible for malicious software to plant child pornography--or any other type of file, for that matter--on an innocent person's computer, but being possible doesn't mean it's likely. And forensics experts can detect intention.

It is indeed possible for malicious software to plant child pornography, or any other type of file, on an innocent person's computer, but being possible doesn't equate to being likely.

"It's quite possible for a malware creator to include child pornography as part of the payload on an infected computer," according to Symantec spokeswoman Marian Merritt, but "such payloads are not typical."

Most malware authors, Merritt said, "are motivated by money, and there's no clear indication as to how planting child porn on an unsuspecting person's computer would help generate money for criminals."

One possible motive for remotely using someone else's computer to store child porn is to make it possible to access the contraband without running the risk of it showing up if your PC is seized or searched. Merritt worries that "this could become a possible use for malware, going forward," but Michael Geraghty, executive director of the National Center for Missing & Exploited Children Technology Services Division, said that, while possible, it's not an effective way to store child porn and remain undetected.

"If you put the images on someone else's computer, you might not be able to retrieve them when you want them," Geraghty said. He pointed out that the zombie machine storing the data would have to be turned on and connected for the malware sender to access it. If it weren't online, or the files had been deleted, the files wouldn't be there to retrieve.

Another deterrent, of course, is a potential digital trail between your computer and the one you're using to store it. Although there are ways to evade detection, forensic investigators do have ways to trace Internet Protocol addresses to catch people in the act of uploading and downloading material.

"I've never seen it where child porn was intentionally placed on someone's computer because of a virus," Geraghty said. He has, however, seen cases where "someone was redirected to a site where it could have entered the cache." If someone were to go to a legal adult porn site, it's possible that the browser would "open 100 different windows," including some that could contain child porn. "As a result of that, any images on any of these sites would be cached, and there would be a record that you had been there."

But Geraghty said investigators can tell the difference between someone who deliberately downloaded such images and someone who may have inadvertently downloaded perhaps thousands of images because of a virus or misdirected Web site.

Totality of evidence
"A good forensics expert would try to determine how (the images) got on the computer and who was responsible for putting them there," he said. "That would be determined by looking at the totality of the evidence, not just the fact that there were images there."

Things a good investigator would look into include whether the suspect was sitting at the computer at the time the images were downloaded. Was he using the computer to send e-mail or visit other Web sites at the time? "There is always some type of trail we can follow to determine if the person were likely actively involved in the process of downloading the material," Geraghty said.

Investigators can usually figure out if an image was downloaded intentionally, based on other activity that took place on the computer at the time.

Another indicator is the time lapse between image downloads. A virus or Trojan horse is likely to download multiple images at a time, sometimes faster than might be humanly possible to do manually. A person who collects child pornography typically acquires it over a period of time, and a forensic investigation of the computer should reveal that.

Phil Malone, a clinical professor at Harvard Law School and director of its Berkman Center Cyberlaw Clinic, agrees that a good forensic investigator should be able to tell the difference between files placed by a virus and ones deliberately downloaded.

"It's the excuse of the moment for defendants," he said. "Lots of child porn defendants try to blame (images found on their computers) on viruses, but it's almost never true. You can actually figure this out. In the handful of cases that have been problematic, it looks as if everyone moved too quickly. The agency discovered material and immediately jumped to conclusions." Malone added that "good, solid forensics would be able to tell in virtually every case."

Malone agreed with Geraghty, of the National Center for Missing & Exploited Children, that it's fairly common for someone, when viewing adult pornography on a Web site, to inadvertently receive pop-ups that may include images of child porn.

"It's possible to tell if something was opened or saved to a file from the cache," Malone said. Investigators can usually figure out if an image was downloaded intentionally, based on other activity that took place on the computer at the time, he said, adding that it's incumbent on both prosecutors and defense attorneys to launch a thorough investigation that includes analyzing a copy of the hard drive to determine not just which images are stored within, but also how they got there.

Geraghty said it's important to look at other factors. "The computer holds a lot of information about the searches that someone runs. If there were none of those searches and nothing else but some images in the cache, you would question how they got there. You would look for collaborating evidence such as intent to visit the site (and capability) of visiting the site. Did he have knowledge?"

A good investigation will look for exculpatory evidence to see if there are other explanations for the images. That investigation, Geraghty said, should start with making one or more exact copies of the suspect's hard drive and examining those copies to look for evidence of malicious software that could be responsible for the images. Defense attorneys can also gain access to a copy of the drive, but because it may contain illegal child porn images, their experts will probably have to examine the drive at the police station or prosecutor's office; possession of those images--regardless of the reason--is illegal for anyone other than personnel granted immunity.

Burden of proof
"In each case, the prosecution will need to prove (that) the defendant knowingly and intentionally possessed, received, or distributed child pornography," according to Drew Oosterbaan, chief of the Child Exploitation and Obscenity section of the Justice Department. "The proof starts with establishing that the images involved are child pornography and ends with establishing that the person charged is criminally responsible for it. We prove the latter in myriad ways."

Oosterbaan said that when someone is charged with possessing child pornography on his computer, "the computer is, in many ways, a crime scene, and the forensic examination of that computer is critical to meeting the elements of proof in the prosecution." He added that "it's important to remember that in every case, the government carries the burden of proof."

Oosterbaan said he is not aware of any cases in which botnets were used to plant child porn on other people's computers.

A former federal prosecutor now working for a technology company, who requested anonymity, said this may become a bigger issue as we enter the era of cloud computing, in which more and more data is stored on Internet servers instead of hard drives.

"There is no question that perpetrators are going to look for places to hide their criminal activity, including child porn, because they're increasingly aware that if law enforcement comes to their house, they will see the material," the former prosecutor said, adding that companies in the cloud storage business need to be aware that their systems could be used for illegal purposes. "They should reach out to the National Center for Missing & Exploited Children to implement a system to compare uploaded files against hash marks (digital fingerprints) of known child porn images."

As with any other security issue, the best defense is to protect your machine against intrusions. This includes:

• Making sure that your operating system and regularly used software are up-to-date.
• Using good software addressing malware, phishing attacks, and/or spam, and keeping it up to date. Subscriptions to paid programs should be renewed.
• Being cautious about spam and about providing information to sites you navigate to from links within even the most legitimate-appearing e-mails.

Disclosure: I serve without compensation as a board member at the National Center for Missing & Exploited Children, which deals with child porn cases. Still, I don't necessarily agree with all NCMEC policies, nor do I speak on behalf of the organization.

[gerrrg]

Experts have ways to trace IPs, but come on, it's not that complicated to use an open WiFi with a MAC spoof to do nefarious deeds.

[FF2009]

bad defense I'd say.

but then again. This is Windows we're talking about. Anything can happen. Windows is a safe heaven for bad Bots.

[brienza1975]

Words from a Mac fanboy....

[Random_Walk]

Statistically, FF2009 is correct (apply whatever reason you like as to why, but the fact still remains - the majority of compromised hosts are Windows-based machinery).

[bobdjojo]

(apply whatever reason you like as to why, but the fact still remains - the majority of computers are Windows-based machinery).
Fixed :)

[Random_Walk]

Call it what you will (though a quick count of active malware will readily show that the number of Windows malware is a much higher percentage than its marketshare... 'splain that one ;) ).

[Yelonde]

True, but I run a virtual machine copy of Windows 7, so that would give me room to worry.

[viper396]

The topic is Child pornograpy, which can just as easily happen with Mac or Linux boxes, and all you idiots can do is use it as a sad excuse to start another tired anti-Windows thread. Typical and Pathetic.

[chili_picante]

viper396, I agree 100%. They're trolls.

[keith.r.benedict]

I guess all's well that ends well, but is that really the case here? I think not. It doesn't cost the prosecutor a dime of his/her own money to file charges. While a defendant can be out his/her life savings and find themselves hopelessly in the hole financially. What recourse does a falsely accused individual have for recouping the large sums of money required to fight a case like this?

[aaron_van]

Until this becomes a common issue, probably little to none. It's a sad thing that "burden of proof" rests on the government, but it's not necessarily needed to destroy someone financially...

[Random_Walk]

gerrg is correct - it doesn't take much to hide if you really wanted to. Recently, there was a guy arrested up here for tapping into an open WiFi point at a local church - he'd just park his car in the lot and then use the open WiFi point to get his porn fix. The only reason he got caught was that one of the church's neighbors was a housewife/retiree (forget which) and happened to notice a pattern of his parking there at the same time each day. Even then, by luck (his bad, their good), the cop who investigated happened to sneak up and catch him red-handed in the act (with laptop open and downloading like mad).

Note that most sex offenders aren't going to have the requisite brains to hide their activities that well, but enough of them will that a lot of innocent people could get snared by such activites (see also the church example. Now imagine if the IP addy the crim used was the same one that you as a church volunteer wound up with in your Event Log? With no CP on your drive, you likely avoid prison but still get put through Hell trying to erase the instant bad reputation you'd get).

But overall, the author is correct in most aspects - the odds are good that if you're innocent, you (or the police, or your lawyer, etc) can spot the root cause and you can avoid prison time, etc.

OTOH, the guy in the article (Fiola) had to spend a metric crapload of money, lost his career, his retirement savings, likely lost most of his possessions, etc just to avoid being locked-up, and I doubt that a public defender would've been nearly as diligent or aggressive in pursuing his innocence (I assume that most would have just advised him to take a plea bargain). I doubt that he gets any of his money back... and Heaven only knows what his reputation is by now (I'd be surprised if he didn't just move to another state entirely). Sure, he could try to sue the city, his former employer, etc, but that's more wish than reality, IMHO... I wouldn't take odds on him winning that one (and even if he did it would take years to realize).

==

" "If you put the images on someone else's computer, you might not be able to retrieve them when you want them," Geraghty said. "

...and if I were to store something like warez or P2P, I'd at least be smart enough to store it redundantly on multiple compromised web servers, where operation runs 24/7 and it's often months of time before the amateur webmaster(s) realize that anything is there, if ever. How much differently would it be to store things far worse than pirated software/music? The incentive/motive would certainly be higher to find inventive ways of hiding the crap.

The funny thing is, I haven't even touched on encryption, steganography, or a whole bucketload of other ways to store something without the victim host(s) even knowing what it is, even if discovered.

[Hunnter2k3]

You don't even need to be infected.
One website that redirects / popups that contains child porn and you are caught with it, well you're already screwed, in their eyes.
It has happened before.

But this ends up bringing all sorts of crazy cases, what are moderators for sites supposed to do when someone comes along and posts child porn on their site?
They will HAVE to view it to confirm it was and delete it.
It is a moderators duty to do this, blindly deleting things just results in abuse.

The laws around this, just like countless other cases, is just twisted and incoherent that it is annoying, especially with this case.
The instant PEDO is attached to anyone, everyone goes absolutely psychotic towards the person, regardless of innocence.
That attachment is permanent.
Who the hell even caused this Pedoscare anyway?
Somehow being a pedo is much worse than actually KILLING someone these days...

[solitare_pax]

Consider if you will, this may be a budding new form of identity theft - call it digital character assassination.

In a limited mode, a person could attempt to plant a virus or kiddie porn on the computer of a competitor or someone they don't like, then they sit back and watch the mechanized wheels of justice crush the victim as they work hard to prove they are not guilty.

On a broader application, a virus could be unleashed across a larger network, to disguise the actions of the real kiddie porn viewers, or worse, make it look like 'everyone is doing it' - in an attempt to get the laws against it watered down.

Given time, it could become a protection racket - pay up, or get ruined.

While it seems less likely than common criminals stealing your credit card and personal information from that mega-retailer with loose security standards, it seems to be a budding threat industry in the making.

[Random_Walk]

Dunno - the very presence of a communication threatening such things would be enough to get the victim off of any hook in that direction. You simply report it as soon as someone threatens it.

Most of the pedos also are contact offenders: you ask about pedoscare? These pedos destroy lives - dozens at a time and use kids as things. They do more damage than killing someone: when you kill someone they no longer suffer, while these sick bastards continue to torture children.

Please, you should know what in the world you are talking about prior to minimizing this evil. They are predators of our future - and they need to be treated as such, and dealt with as such, in my personal opinion.

[Random_Walk]

Indeed - pedophiles are a particularly nasty group of individuals.

However, is it worth ruining innocent people just to insure safety? A gent by the name of Gerald Amirault (google it) paid for the first round of hysteria in the 1980s with ~20 years of his life, in spite of being innocent.

Like others have said before - I'd much rather 10 guilty men go free than one innocent man be imprisoned. Sure, they deserve nothing less than the full weight of the law, but no innocent man or woman should ever have to suffer such an undeserved punishment.

I agree that no innocent people should ever be punished: better to let guilty go free; however, we have to pursue the truth, and follow it where it leads, objectively. Punishing the innocent does not serve justice.

[Hunnter2k3]

>Punishing the innocent does not serve justice.
But regardless of innocence in these circumstances, that person will always be branded a pedo "by the people".
So much for law, eh?

[Random_Walk]

@Hunnter - that problem has less to do with law, and more to do with mob mentality, which is a basic condition that is hard-wired into every human brain.

[krosafcheg]

It's simply the equivalent of a smart bad guy planting other evidence at the crime scene. I go do a crime, have a little baggy with your hair, maybe a fingerprint or some fiber from your favorite jacket..I sprinkle it around the crime scene and unless you have a superior alibi, you're really hosed.

THAT is how scary it can really be.

[nicmart]

The government should love such malware. There are still a few Americans who haven't been convicted of felonies.

Nicmart, that was one of the most perverted comments I have ever heard: if anything, this is a problem for the prosecution to explain, and the examiner to determine the truth. The Gov has no interest in convicting the innocent in this country, but good to hear your faith in your gov.

[Hunnter2k3]

Haha, really? Did you just climb out a 1000 year old cave habitat?

Why do you think there are so many stupid laws? Oh that's right, it was some little mysterious man nobody knows about, totally not the government that done it, yeah, the government are totally behind the people.

[Random_Walk]

I suspect that nicmart is an avid fan of Ayn Rand... her book Atlas Shrugged explains why a government would want to have every one of its citizens to be guilty of some crime or another.

[nicmart]

You have to recalibrate your suspicions. Just yesterday I criticized Ayn Rand on another web site. I'm an avid fan of James Madison, Thomas Jefferson, and the libertarian spirit of the founders.

[t38ik4qpgg]

so in a user computer they find a photo of a child who probably has been intercepted by the FBI and is out of danger and the user has to pay indefinitely with his lilfe? I'm sorry I don't think the punishment fits the crime

[Had_to_be_said]

Actually... Yes, the government would, and does, love for people to be "convicted" of "crimes". Even, misdemeanors (or, mere, "suspicion") can, and are, regularly used to automatically deny, otherwise perfectly ordinary, people their (supposedly "inalienable") rights, in perpetuity. This has literally become an established way to side-step any "due process" (or "justifiable" treatment), and has become a, recognized, back-door to turning the common-people into second-class citizens. Furthermore, The United States already has one of the highest arrest, and incarceration, rates (of its citizenry) of any industrialized nation (these are simply facts).

But, even more importantly... the mere accusation (of "child-porn" possession), is regularly used to further political-ambitions/careers, and justify all manner of further erosions of personal-rights. And, those "accused", actually DO have their lives, utterly, destroyed... whether they are eventually found innocent, or not. In fact, our local "law-enforcement", actually, calls "the media", and has "news-crews" present, before they even make such a "child-porn" arrest. They [law-enforcement officials] then march the "accused", up and down in front of the cameras, and publish the names, addresses, and photos, of the "suspects" (completely destroying their lives) long before the "suspects" have any chance, what-so-ever, of "due-process", or any finding of "guilt" OR "innocence", in a court of law. Furthermore, many local idiots actually DO consider such PUBLIC-ACCUSATION to literally be the SAME THING as "guilt". Hell... one man was recently arrested under this circumstance, and many local idiots, not only wanted to murder him... outright... without any real evidence, OR, an actual trial.. But, there were also numerous people who, very publicly, stated that his wife (who was in no way accused, arrested, or even suspected by the police) should also be publicly EXECUTED (by a mob)... because she simply, MUST, have been in on it. And, all of this was supposedly needed for the sake of protecting society, and "the children", from these "...evil ...predators".

So... finally... the alleged-possibility that eventually... a "good... computer-forensics examination" could, theoretically, possibly, eventually, clear someone... assuming that there is someone who had the time, access, and money to do it... (an awful lot of IFs) ...is UTTERLY MEANINGLESS in the face of the reality of this situation. And, after literally years of working with computers, I have PERSONALLY seen all manner of Trojans, Viruses, redirects, malware, and files "planted" on computers... through perfectly normal, and innocent, use ...and, YES, that DOES include "child-porn" images from unrequested ("phishing", and "attack") websites.

[Random_Walk]

Err, you do realize that this has nothing to do with any secret governmental motive...

The history of the lynch mob goes back far further than any government that exists today.

[Had_to_be_said]

Actually, posters such as "Random_Walk" are missing the point. No one said anything about a "...secret government motive". Once any government exists, by its very nature, it attempts to increase its power. That is simply a well-established fact (and the nature of any bureaucracy.

What I am talking about is the clearly INTENTIONAL MISUSE of such "mob" mentality for that precise end (I.E. the expansion OF said "power"). And, I am also clearly laying-out exactly how this entire issue can be, and IS being, dangerously abused, and IS already causing direct harm.

And, in my opinion, the REAL threat to any society are those that, not only refuse to acknowledge such, plain, realities... while the are actually happening... but actually take it upon themselves to attempt to scoff-at, and discredit, what has so-plainly been established as actually already taking place (and its, inevitable, consequences).

[estrin1959]

The following article was written after interview with me in 2004.
They named me Jack in this article. Part of this article was written
by me. Just described what happened with me in 2002.

'Browser hijackers ruining lives'

http://www.wired.com/techbiz/it/news/2004/05/63391

I came to US as Jewish Refugee on Human rights violations
in former USSR.
I had my rights violated again in Minnesota.
I was convicted for p..rn possession in 2003, Felony
conviction and placed on s..x offender register in Minnesota. There was
the same situation: promise 100 years in prison if
I was not plead guilty. Here you can find description

http://estrinyefim.newsvine.com/_news/2009/08/25/3191218-punishment-and-hysteria-justice-in-usa

Since 2003 as you may understand I can not find job, only short terms
projects.
Here you can find comparission of my situation as jew pariah in USSR
and predator pariah in US

http://estrinyefim.newsvine.com/_news/2008/07/15/1667739-a-comparission-between-soviet-jews-and-sex-offenders-in-us

[malcarada]

I think it is very likely viruses can plant child porn in your computer becase the definition of child porn is so wide that even includes museum artworks or pictures of clothed children and Simpsons cartoons.

[Dalkorian]

OMG, in the Simpsons movie we got to see Bart's "doodle". I never considered that movie pornographic before though.

[maxihward]

Really a educative and informative post, the post is good in all regards,I am glad to read this post
http://www.prlog.org/10409108-muscle-might-review-does-muscle-might-free-trial-work.html

[Lsavagejt]

Possible vectors for planting such material might be ransomeware and scareware. Social engineering might be another.

[Random_Walk]

ransomware wouldn't work - the mere existence of a ransom note/call/whatever would be sufficient to clear the victim of wrongdoing. Simple Logic.

[Dalkorian]

It would be a rather heartless and brutal way at getting revenge against a co-worker, though.
;-)

[inachu1]

I clean virus infested porn off my companies network almost on a daily basis.
I keep telling the employees to follow the rules!
1. Do not use USB thumb drives from home.
2. Do not let your children/teen use your company laptop.
3. Stop using just ANY site to just get the cheapest parts for your company.
4. Stop using those free email tool things named similar to incredimailer or similar.
5. Stop doing non related work such as if you are the purchaser for your company then you have
no need to be editing HTML for your church on your company pc.

The idea here is to make a smaller footprint which leaves a smaller window of attack for viruses/trojans.
Programs that use web technology can keep open backdoors even if Microsoft patched the issue with windowsupdate. If its not company related then keep it off the system PERIOD!

[biffhenerson]

I agree that it is very unlikely, but possible. One would have to educate the jury on how computers actually work. Perhaps its enough to introduce reasonable doubt. Just because a bloody glove was found on my property doesnt mean that I performed the muder.

[perfectblue97]

This article appear to be forgetting three obvious things. Firstly that not all malware writers do it for profit. Some do it for mischief, because they can, or because they shouldn't. Secondly, a lot of porn rings these days are turning to P2P. It's not beyond the scope of imagination that one might write a virus that distributes the porn to zombie computers and then activates them as nodes on a P2P network. If you distribute the pictures around enough computers it wouldn't matter if they weren't accessible all the time as enough of them would be accessible for enough time to make it worth while. Lastly, it's well known that purveyors of all kinds of porn will seed the internet with filth that is labeled up as something normal in the hope that people will stumble on it and like what they see, and then come back for more. There are many documented cases where people have used misspelt domain names relating to well known companies, products or celebrities in order to trick people into visiting porn sites. So, why not do the same with their hard disks. Plant porn on their computer and put in a browser redirect so that when they searched for more it would come to your website.

It's also not unknown for people to plant porn on other people out of malice or as an act of revenge. It's the modern day equivalent of hiring a PI to take incriminating photographs.

[inachu1]

Well if you read the other internet techie geek website. There was an article about the aresst of a policeman whos job was to go after pedophiles and well low and behold after a 2 year investigation he the policeman was found to have pediphilia on his computer!

So anyway law enforcement policing themselves of pedophili is pretty lame. We all know he had those images from doing his investigative work but either way yet it was there. So how to prove those images on the police investigators pc was for investigative reasons and not of a grave sick personal nature?

It well seems that the british police could not split hairs on the issue. So does that mean that evidence held by police is also illegal if they jail their own?
Sounds stupid to me that they would do this.

[RobertsMF]

Thank you for your article. One quick note, regarding comment that hackers or authors of viruses are profit driven, if the virus connects to a child porn or other sites, doesn't that count as a hit to the site which would increase the marketability of advertising on the site and raise its rating to be more readily found on the web? Therefore causing computers to hit websites would be a fantastic reason to create a virus that could be sold to websites to "dramatically increase hits to the site".

I think this type of virus would be of interest to the porn sites that open and close quickly for a variety of reasons but want to be found on the web and be able to show large number of daily visits.

Good discussion on computer forensics, but note that it is the government that is prosecuting the case that is the only one with the ability and duty to look for exculpatory evidence. If less than fair and completed forensics is done then the exculpatory evidence as in the noted case will be lost. Defendant's need to move for a copy of the hard drive and money for an expert to do the search for exculpatory evidence which most likely was done with the quarter of a million dollars he used to defend himself. For those without that amount of liquidity, a defense may be impossible.

[shar4willia]

I am here to tell you ,it's definately possible. It happened this morning to my daughter's computer. And now she cannot even get back on, computer is totally wrecked. She tried to get on in Safe Mode, but not able to without an internet password,which we can't figure out. Is there a way to retrieve it?