Judge Says Fair Use Protects Universities in Book-Scanning Project


A federal judge on Wednesday threw out a copyright infringement lawsuit against universities that participated in a massive book-digitization project in conjunction with Google without permission from rights holders.

U.S. District Judge Harold Baer of New York dismissed an infringement lawsuit brought by the Authors Guild and other writers’ guilds, saying the universities had a fair use defense. The guild accused the University of California, University of Wisconsin, Indiana University, Cornell University and University of Michigan of wanton copyright infringement for scanning and placing the books into the so-called HathiTrust Digital Library.

The trust consists of 10 million digital volumes, 73 percent of which are protected by copyright. The trust provides full-text searches only with a rights holder’s permission, and gives full-text access for readers with “certified print disabilities,” Baer said.

Google has scanned the books for the universities as part of its Google Books project. The Authors Guild is suing Google in related litigation, which is stalled on appeal. Several publishers, also suing Google, settled with Google last week for undisclosed terms.

Fair use is a defense to copyright infringement and may be invoked for purposes such as criticism, commentary, news reporting, teaching, scholarship or research, the judge noted. He said the Americans With Disabilities Act (ADA) was also a major factor.

“Although I recognize that the facts here may on some levels be without precedent, I am convinced that they fall safely within the protection of fair use such that there is no genuine issue of material fact,” Baer wrote. “I cannot imagine a definition of fair use that would not encompass the transformative uses made by defendants … and would require that I terminate this invaluable contribution to the progress of science and cultivation of the arts that at the same time effectuates the ideals espoused by the ADA.”

Google made a deal in 2005 with these universities to scan millions of books in their libraries without the rights holders’ permission, and make “snippets” of those books available online via Google’s search engine. The Mountain View, California, search giant was subsequently sued by individual writers, publishers and the Authors Guild — litigation that has had a tortured history.

HathiTrust Digital Library was an undertaking by the universities to make the scanned copies available to students and faculty members, and audible for the vision-impaired.

Last week, Google and five of the nation’s largest publishing houses settled their long-running legal flaps over the media giant’s scanning of the university library books without permission. The deal is a huge concession by Google, which had maintained it had a fair-use right under copyright law and did not need permission from rights holders to scan the digital library of the future.

The publishers are not a part of the trust litigation. Under terms of the trust, full-text searching is only available for works in the public domain. Copyrighted works in the trust require consent from the rights holder. If consent is not granted, a search query only indicates the page number in a work on which a searched term is found.

U.S. District Judge Denny Chin of New York last year rejected a deal with the Authors Guild and Google that would have allowed Google to scan copyrighted books (including ones whose copyright owners could not be found), sell them on the internet and have them pop up in search results, while allowing up to 20 percent of the text to display in a search.

The rights holders would have gotten 67 percent of the take and Google the remainder. But when it came to millions of so-called orphaned works, Google’s proposal went too far, Chin said. Under the deal, Google would also have been able to scan and sell titles whose rights holder could not be located, setting aside the proceeds if the author turned up later. In rejecting the deal for orphaned works, Chin said Congress, not private parties, should “establish a mechanism for exploiting unclaimed books.”

Litigation between the guild and Google is stalled, as a federal appeals court weighs the judge’s decision to certify the guild’s suit as a class action.

But Wednesday’s decision suggests that the guild’s arguments are vulnerable, even if Google’s use of the scanned books goes further than the universities’ trust does.

JavaScript Worm on Steroids

From time to time during the course of our work, we may discover a novel piece of malware. Whether it is a new technique to infect files, infecting virtual machines, or targeting specific documents, the possibilities are limited only by a malware author’s imagination. 

Such is the case with JS.Proslikefan. While malware can be created using JavaScript or VBScript, it is usually only a few kilobytes in size after it is unpacked. In comparison, JS.Proslikefan weighs in at a whopping 130 kilobytes after it unpacks itself. The upper layers used custom obfuscation as well as the publicly available Dean Edwards JavaScript packer. Figure 1 shows the bottom unpacked layer of the threat.

Figure 1. Bottom unpacked layer

Analyzing this file first required deobfuscating all the variable and function names. Once that was completed, the bigger picture of what this threat tries to do became a bit clearer. First, this threat targets Windows computers. If the threat is executed inside a Web browser, the browser must support ActiveX. Typically, this means Internet Explorer, although other browsers have been known to support it as well through plugins. The threat can also be executed using the command line by another malicious program.

This threat has other functionality that is typically not seen in most JavaScript malware. For example, it has the ability to search for keywords hardcoded into the malware on Google, gathering all the URLs from the search results.

Figure 2. SQL injection

As can be seen from Figure 2, once the URLs have been gathered, the threat will then parse each result looking for a specific error that has been known to indicate that SQL injection may be possible in the website. If the error is found, the threat contacts one of the command-and-control (C&C) servers to send back the relevant information.

But the threat doesn’t stop there. It also has functionality to check the results from the Google queries to see if any WordPress blogging sites were found.

Figure 3. WordPress TimThumb vulnerability check

The threat checks the site’s themes directory to see if it is using the TimThumb extension. If it is, the site may be vulnerable to a type of file upload vulnerability. This allows an attacker to upload a file and execute it on the Web server. More information on the vulnerability, discovered last year, can be found here.

However, it seems even that wasn’t enough for the malware author. The threat also contains functionality to scan the Cookies directory on the compromised computer in an attempt to find a valid Facebook session. If one exists, the threat can do several things once inside. Depending on the commands given by the C&C server, the threat can "like" or become a fan of certain pages. It can even send chat messages to other Facebook users. Note: Facebook has recently added detection for this malware to help remedy users with compromised devices. Users can visit the Facebook Security Page for more information.

With the amount of functionality put into this threat, the malware author may have wanted it to spread to as many computers as possible. One of the ways it spreads involves placing copies of itself as zip files in folders used by several popular file sharing applications. The threat chooses file names in a unique way: it contacts a particular RSS page on a popular Torrent site and parses out the content of the XML file, which is then used as the zip file names.

Figure 4. Contacting PirateBay

Of course, the malware author wants the threat to stay under the radar of antivirus companies as it attempts to spread. To avoid traditional antivirus signatures, it copies itself in a polymorphic manner to file sharing application folders as well as several other places. It also has a list of antivirus applications and checks to see if any of them have been installed on the compromised computer. This information is relayed to the C&C servers as well. If any of the applications are found, the threat modifies the Hosts file in order to redirect users to an IP address not related to network security companies. The IP address the malware redirects users to is a Class A address that belongs to a multinational conglomerate involved in energy, technology infrastructure, and capital finance sectors. It’s worth noting that at the time of writing, the IP address in question did not serve any malicious Web content.
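As an added defender-side example (not code from the original post or from Symantec), the following Python check parses a hosts file and flags any entry that maps a security-vendor hostname, the kind of modification described above. The vendor suffix list, the sample hosts content and the placeholder address 203.0.113.7 are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample hosts file: two normal loopback entries, one legitimate
# intranet entry, and two vendor hostnames redirected to a placeholder address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.com   # legitimate local override
203.0.113.7     www.symantec.com
203.0.113.7     liveupdate.symantecliveupdate.com
"""

# Assumed list of security-vendor domain suffixes. A clean hosts file should
# never need an entry for any of these, so any match is treated as suspicious.
SECURITY_VENDOR_SUFFIXES = (
    "symantec.com",
    "symantecliveupdate.com",
    "norton.com",
    "mcafee.com",
    "kaspersky.com",
    "avast.com",
)


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments, blanks and bad addresses."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])  # validates IPv4 and IPv6
        except ValueError:
            continue  # malformed line; not a valid hosts entry
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def find_suspicious_entries(text, suffixes=SECURITY_VENDOR_SUFFIXES):
    """Flag hosts entries for vendor names, whatever address they point to."""
    suspicious = []
    for ip, host in parse_hosts(text):
        if any(host == s or host.endswith("." + s) for s in suffixes):
            suspicious.append((ip, host))
    return suspicious


if __name__ == "__main__":
    for ip, host in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {host} -> {ip}")
```

On a live system, feed the function the contents of %SystemRoot%\System32\drivers\etc\hosts; redirections to loopback or to an unrelated third-party address are both flagged, since either blocks signature updates.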

Similar to other threats, this piece of malware also possesses the capability to spread to removable drives, run every time the computer starts, end certain processes, download and execute other programs and scripts, update itself, and process commands. In our day-to-day analysis of malware we typically do not see the extra functionality this malware author decided to include.

W32.Phopifas Cons Over 2.5 Million Clicks with LOL Links

An ongoing social engineering attack on Skype and other instant messaging applications has been gathering momentum over the last week. The attack, which looks to have started around September 29, has to date conned over 2.5 million clicks from unsuspecting users. The attack uses the common social engineering tactic of posting a link to instant messaging applications for a potential victim to follow. The following scenario outlines the steps in the attack:

Figure 1. Social engineering attack scenario

When the victim clicks on the goo.gl link they are redirected to a URL on Hotfile.com. The Hotfile.com site prompts the victim to download a .zip file which contains the malware W32.IRCBot.NG disguised as a legitimate instant messaging file. If the victim manually extracts the file and executes it, it contacts an IRC channel to receive commands. In our analysis we have observed the threat being commanded to download and execute another file from Hotfile.com. In each observed test it has been W32.Phopifas that is the second downloaded file, although it is possible that other malware may be downloaded depending on the victim’s geographical IP location. Our analysis of W32.Phopifas has shown that this threat is responsible for the initial postings to instant messaging applications in over 30 different languages that lead back to W32.IRCBot.NG.

Since the cybercriminals have opted to use Google’s goo.gl URL shortening service in their campaign, Symantec is able to follow the success rate of clicks. To date we have seen eight different goo.gl URLs being used by W32.Phopifas and have been able to check the click rate on each one. The graph below outlines the success of each link and the malware .zip file associated with it. The malware .zip file name also contains the date it was used in the W32.Phopifas campaign.

Figure 2. Malicious URL click rates

While we cannot extrapolate from these figures how many victims actually downloaded, extracted, and installed the malware, the figures do show just how successful a simple social engineering ploy can be on instant messaging applications.

In addition to the W32.IRCBot.NG and W32.Phopifas detections, Symantec also protects users with the intrusion protection signature Attack: W32.Ircbot.NG. It is recommended you always use the latest Symantec technologies to ensure the best possible protection against these types of threats. And as Skype reminds users, do not click on any suspicious link or open any unusual files from other Skype users—even if the message is from a known contact.

Supreme Court to Rule on Patents for Self-Replicating Products


Imagine a licensing agreement for buying seeds that allows them to be used only once a season. They cannot be resold for planting, and cannot be used for research, crop breeding or seed production.

Those indeed are the terms of seed giant Monsanto’s licensing agreement for its “Roundup Ready” soybeans, regardless of how unnatural the conditions may seem when it comes to farming. This is farming in the age of patented, genetically modified organisms, which in this case concerns soybean crops that withstand herbicide.

The Supreme Court is weighing in on the soybean patents, agreeing to hear an appeal by a Knox County, Indiana soybean farmer who was ordered to pay $84,456 in damages and costs to Monsanto in 2009 for infringing those patents.

Farmer Vernon Bowman’s dirty deed? The 74-year-old bought soybean seed from a local grain elevator that was contaminated with the patented seed, which he used to produce beans on his 299 acres.

The case addresses the question of how far down the stream of commerce — in this instance the farming cycle — a company can control its patents, especially for products like soybeans that easily self-replicate. A lower court, an appeals court and even the Obama administration maintain the stream is virtually endless.

The administration told the Supreme Court in a filing that the justices should not concern themselves with the possibility that such rigid patent protectionism could undermine traditional farming techniques, where parts of one harvest are often used to produce the next. The administration said Congress “is better equipped than this court” (.pdf) to consider those concerns.

If the farmer’s view were adopted, the government argued, “the first authorized sale of a single Roundup Ready soybean would extinguish all of [Monsanto’s] patent rights to that soybean and to its progeny.”

Monsanto agreed, telling the court that if it sided with the farmer, such a decision would doom its business model.

“Without reasonable license restrictions prohibiting the replanting of second- and later-generation soybeans, Monsanto’s ability to protect its patented technology would effectively be lost as soon as the first generation of the product was introduced into the market,” the agriculture giant told the high court in a filing.

Farmer Bowman began purchasing Monsanto’s patented seeds in 1999 and, because of the licensing agreement, did not save any of the seed for future planting. But he also bought so-called “commodity” seed from a local grain elevator, which acts as a clearinghouse for farmers to buy and sell seed.

But given that more than 90 percent of the soybeans planted in the area were Roundup Ready crops, the elevator’s seed was contaminated with Monsanto’s patented seed.

Farmer Bowman planted that commodity seed, which was substantially cheaper to purchase, to produce a second, late-season crop, which is generally more risky and lower yielding. He then used seeds generated in one late-season harvest to help produce subsequent late-season crops.

Monsanto sued him for patent infringement, and he lost.

“Even if Monsanto’s patent rights in the commodity seeds are exhausted, such a conclusion would be of no consequence because once a grower, like Bowman, plants the commodity seeds containing Monsanto’s Roundup Ready technology and the next generation of seed develops, the grower has created a newly infringing article,” the U.S. Court of Appeals for the Federal Circuit ruled last year.

The court noted that, once Monsanto’s patent genie is out of the bottle, Monsanto controls the soybean landscape.

“While farmers, like Bowman, may have the right to use commodity seeds as feed, or for any other conceivable use, they cannot ‘replicate’ Monsanto’s patented technology by planting it in the ground to create newly infringing genetic material, seeds, and plants,” the appeals court added.

Bowman appealed, urging the Supreme Court to analyze whether the law allows patent holders to “continue to assert patent rights after an authorized sale.”

Monsanto’s licensing terms allowed farmers to sell the seed produced by one Roundup Ready crop to grain elevators. But the terms also forbade unauthorized planting of those seeds.

“Practically, this issue affects every farmer in the country and the method of planting that farmers such as Mr. Bowman have used for generations,” Bowman’s attorneys wrote in their petition to the Supreme Court.

The court, which decided Monday to review the case, did not indicate when it would hold oral arguments.