CRTC Enforces CASL in Case of Malware Distribution

While there has been controversy about the enforcement of the electronic communication provisions of Canada’s Anti-Spam Law (CASL) due to the ambiguities of the complex scheme, there is widespread support for the anti-malware provisions. The Canadian Radio-television and Telecommunications Commission (CRTC) recently enforced those anti-malware provisions against .Mr. Revesz and Mr. Griebel, the partners of Orcus Technologies, pursuant to section 22 of CASL, for a total penalty of $115,000.

The defendants have 30 days to file representations with the CRTC or pay the penalty.

The CRTC alleges that Orcus Technologies developed, distributed, promoted, and sold a Remote Administration Tool called the Orcus RAT. The CRTC Electronic Commerce Enforcement division investigation suggests “Vincent Leo Griebel … developed the Orcus RAT, while John Paul Revesz … provided marketing, sales and support for the software”.

The CRTC claim that the Orcus RAT was not an administration tool it was claimed it to be, but was in fact a Remote Access Trojan, a known type of malware. The CRTC alleges that the software included features, which would allow an administrator to take control of a computer system such as, to disable the notification when the RAT is installed; hide its presence on the victim’s computer, force administrative privileges, record keystrokes, activate the webcam and microphone without notification, and recover passwords.

Section 8 (1) of CASL provides that “a person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system […], unless the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5).” In addition, section 9 of CASL provides that it is “prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8”.

In this case, the Orcus RAT was used by third parties to take control of computer systems of others. The CRTC evidence claimed “HackForums posts authored by Revesz and Griebel … revealed that they both have, to varying degrees, promoted the malicious features of the Orcus RAT. This included a post where Revesz boasted about the ability for the Orcus RAT to recover victim’s passwords.”

The CRTC provided claims of various individuals or groups, including some Canadians, using the Orcus RAT to target Canadians computer systems. As a result, the CRTC has determined that both Griebel and Revesz contravened section 9 of CASL “by aiding malicious actors to install the Orcus RAT without consent, in the course of commercial activity, on computer systems located in Canada”.

The CRTC also alleged that Revesz contravened section 9 of CASL through the sale of a Dynamic Domain Name Server (DDNS) service used by hackers to communicate with infected computers systems, in Canada and abroad. The CRTC issued two Notices of Violation to Mr. Revesz and Mr. Griebel, the partners of Orcus Technologies, pursuant to section 22 of CASL, with a total administrative monetary penalty of $115,000.

The CRTC investigation benefitted from international cooperation and assistance notably from Palo Alto Networks.

The CRTC uncovered evidence of Orcus RAT purchasers based in Canada and abroad. Follow up investigations are underway to determine if these RAT users installed the Orcus RAT on computer systems without consent, in which case the CRTC contemplates additional enforcement actions will be taken.

This case is a reminder that that CASL contains other prohibitions, such as the anti-malware terms, and is not limited to prohibitions on electronic communications in commerce.