READ THIS BEFORE PROCEEDING: This page contains critical information about legal, ethical, and security concerns. Failure to understand and comply with these warnings may result in serious legal consequences.

Critical Warning

This Software is Malware

PROONE IS MALICIOUS SOFTWARE. It is designed to scan networks, exploit vulnerabilities, and propagate itself across computer systems without authorization. Using this software on systems you do not own or have explicit permission to test is ILLEGAL.

Message to General Public

The following statement is taken directly from the project README:
This software is a malware. This software has been tested to work in an orchestrated virtual environment. In principle, it works by scanning the Internet and local network for computers with security vulnerabilities. This software is programmed to do something illegal! If you wish to use this software, please do so in a controlled environment safely isolated from the Internet.
Proone actively scans networks for vulnerable devices and exploits security weaknesses to gain unauthorized access. This behavior is illegal in virtually all jurisdictions.

Criminal Offenses

Deploying or operating Proone in an unauthorized manner may constitute multiple criminal offenses:
  • 18 U.S.C. § 1030: Accessing computers without authorization
  • Penalties: Up to 10-20 years imprisonment for repeat offenses
  • Civil Liability: Victims can sue for damages
Even “testing” on systems you believe to be vulnerable without explicit authorization violates federal law.
  • Unauthorized access to computer material: Up to 2 years imprisonment
  • Unauthorized acts with intent to impair: Up to 10 years imprisonment
  • Making, supplying or obtaining articles for use in offense: Up to 2 years imprisonment
Possession of this software with intent to use it unlawfully may itself be criminal.
Most countries have similar computer crime statutes:
  • European Union: Various cybercrime directives
  • Canada: Criminal Code sections 342.1, 430(1.1)
  • Australia: Criminal Code Act 1995
  • Japan: Unauthorized Computer Access Law
Cross-border attacks may result in prosecution in multiple jurisdictions.
In many jurisdictions, creating and distributing malware tools can be illegal even without deploying them:
  • Aiding and abetting computer crimes
  • Conspiracy charges if others use the tool
  • Export control violations for security tools

Civil Liability

Beyond criminal prosecution, unauthorized use can result in:
  • Monetary Damages: Victims can sue for financial losses
  • Injunctions: Court orders prohibiting future activities
  • Restitution: Being ordered to pay back costs incurred by victims
  • Reputation Damage: Permanent impact on professional career

Ethical Considerations

The Hacker’s Dilemma

Knowledge vs. Action: Understanding how malware works is essential for defense, but creating and deploying malware crosses ethical boundaries.
This project exists in a gray area:

Legitimate Use Cases

  • Security research in isolated environments
  • Educational purposes in controlled labs
  • Understanding attack vectors for defense
  • Academic study of malware architecture

Illegitimate Use Cases

  • Scanning production networks without permission
  • Deploying on any internet-connected system
  • Testing on devices you don’t own
  • Building botnets for any purpose

The “Greater Good” Fallacy

There is no “vigilante justice” in cybersecurity. The idea of “pruning bad devices” from the internet, even with good intentions, is:
  • Illegal: Unauthorized access regardless of motive
  • Dangerous: Unintended consequences and collateral damage
  • Unethical: Taking unilateral action against others’ property
  • Ineffective: Does not address root causes of IoT vulnerabilities
The original author explicitly abandoned this concept, recognizing its flaws.

Technical Risks

Risks to Your Environment

Risk: Raw socket operations and aggressive scanning can:
  • Trigger intrusion detection systems (IDS)
  • Cause network performance degradation
  • Alert security teams and law enforcement
  • Violate terms of service with ISPs
Mitigation: Only use in completely isolated virtual networks with no internet connectivity.
Risk: Proone is designed to spread autonomously:
  • May escape isolated environments through misconfigurations
  • Could propagate to other systems on your network
  • Difficult to contain once deployed
  • Creates legal liability for all infected systems
Mitigation: Use air-gapped virtual environments with snapshots for immediate rollback.
Risk: Active exploitation of vulnerabilities:
  • SSH brute forcing generates authentication logs
  • May damage or corrupt target systems
  • Could exploit zero-day vulnerabilities
  • Creates forensic evidence of attacks
Mitigation: Only test against systems you control and have explicitly configured as vulnerable targets.
Risk: Self-modifying and multi-architecture support:
  • Creates multiple variants difficult to track
  • May behave unexpectedly on different platforms
  • Can evade traditional malware signatures
  • Increases forensic complexity
Mitigation: Understand the binary recombination process before any testing.

Safe Usage Requirements

Mandatory Safety Protocol

If you choose to work with this software for legitimate research or educational purposes, you MUST follow these requirements:

Environment Isolation

# Example: Isolated Virtual Network Setup
# Create a completely isolated virtual network
# NO bridge to host network, NO internet access

# 1. Use hypervisor (VirtualBox, VMware, KVM)
# 2. Create internal-only network
# 3. Deploy vulnerable test VMs
# 4. Monitor all activity
# 5. Snapshot before running
# 6. Destroy after testing
  1. Air-Gapped Environment: Deploy in virtual machines with no physical or virtual network connection to production systems or the internet.
  2. Documented Authorization: Maintain written documentation of your authorization to test, even on your own systems.
  3. Controlled Test Targets: Only deploy against systems you have explicitly configured with known vulnerabilities for testing purposes.
  4. Monitoring and Logging: Implement comprehensive logging and monitoring to understand all actions taken by the software.
  5. Containment Plan: Have a documented plan for immediate shutdown and containment if the software escapes isolation.
  6. Disposal Protocol: Properly destroy all instances after testing, including snapshots and backups.
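
The isolation requirement above ("NO bridge to host network, NO internet access") can be checked before any lab VM is started. The following is an added example, not code from the Proone project: it assumes KVM with libvirt as the hypervisor, and every network, bridge and VM name in it is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample definitions (not taken from the Proone project).
ISOLATED_NET = """<network><name>malware-lab</name>
  <bridge name='virbr-lab'/>
  <ip address='10.66.0.1' netmask='255.255.255.0'/></network>"""
NAT_NET = """<network><name>default</name><forward mode='nat'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/></network>"""
GOOD_VM = """<domain type='kvm'><name>target-1</name><devices>
  <interface type='network'><source network='malware-lab'/></interface>
</devices></domain>"""
LEAKY_VM = """<domain type='kvm'><name>target-2</name><devices>
  <interface type='network'><source network='malware-lab'/></interface>
  <interface type='bridge'><source bridge='br0'/></interface>
  <interface type='network'><source network='default'/></interface>
</devices></domain>"""


def isolated_networks(network_xmls):
    """Names of networks with no <forward> element (libvirt treats these as isolated)."""
    names = set()
    for xml in network_xmls:
        net = ET.fromstring(xml)
        if net.find("forward") is None:
            names.add(net.findtext("name"))
    return names


def audit_domain(domain_xml, isolated):
    """Return findings for one VM; an empty list means every NIC is isolated.

    Only <interface> devices are inspected; passthrough devices need a separate check.
    """
    dom = ET.fromstring(domain_xml)
    name = dom.findtext("name")
    findings = []
    for nic in dom.findall("./devices/interface"):
        kind = nic.get("type")
        src = nic.find("source")
        net = src.get("network") if src is not None else None
        if kind != "network":
            findings.append(f"{name}: interface type '{kind}' bypasses the lab network")
        elif net not in isolated:
            findings.append(f"{name}: attached to non-isolated network '{net}'")
    return findings


if __name__ == "__main__":
    lab = isolated_networks([ISOLATED_NET, NAT_NET])
    for vm in (GOOD_VM, LEAKY_VM):
        print(audit_domain(vm, lab) or "ok: all interfaces isolated")
```

On a real host the XML would come from `virsh net-dumpxml` and `virsh dumpxml`; any finding means the VM should not be started until the interface is removed.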

Organizational Requirements

If using Proone in an institutional setting (university, research lab, security company):

Institutional Review Board (IRB)

Obtain approval for security research involving network scanning and exploitation techniques.

Legal Review

Have your organization’s legal counsel review the research plan and confirm compliance with applicable laws.

Ethics Committee

Get ethical approval for research involving potentially harmful software.

Insurance Coverage

Verify that cyber liability insurance covers security research activities.

Red Team Usage

Professional Penetration Testers: Even with authorization, using Proone in production assessments is high-risk and generally inadvisable.
If considering use in professional security assessments:
  1. Explicit Written Authorization: “Penetration testing authorization” is insufficient. Specific authorization for autonomous worm deployment is required.
  2. Scope Limitations: Worm behavior makes it difficult to restrict to authorized scope.
  3. Alternative Tools: Use purpose-built penetration testing tools with better controls.
  4. Liability: Consider professional liability for any unintended propagation.
  5. Notification: Stakeholders must understand the nature of self-propagating malware.

Educational Use

Students and Educators: This software can be valuable for understanding malware architecture, but requires careful handling.

Academic Guidelines

  • Use university’s isolated lab network
  • Obtain departmental approval
  • Supervise all student activities
  • Document educational objectives
  • Restrict code distribution
  • Focus on defensive applications
  • Publish responsibly (no weaponizable details)
  • Coordinate with security team
  • Archive research data securely
  • Consider ethics of dual-use research
  • Study source code without compilation
  • Analyze architecture and design patterns
  • Understand subsystem interactions
  • Learn from implementation techniques
  • Use as a case study for malware analysis

Reporting Vulnerabilities

If you discover vulnerabilities in IoT devices through analysis of Proone’s techniques:
  1. Do Not Deploy Proone: Never use Proone itself to discover or verify vulnerabilities in production systems.
  2. Responsible Disclosure: Follow coordinated vulnerability disclosure practices with affected vendors.
  3. Document Safely: Create proof-of-concept demonstrations in isolated environments only.
  4. Engage CERTs: Work with Computer Emergency Response Teams (CERTs) for widespread vulnerabilities.

Disclaimer

Author's Disclaimer

The author of Proone has published this software for educational and research purposes only. The author:
  • Does not endorse or encourage illegal use
  • Bears no responsibility for misuse by others
  • Explicitly abandoned operational deployment
  • Intends this as an “art project” and learning tool
Your Responsibility: Regardless of the author’s intent, you are personally and legally responsible for your actions with this software. “I was just testing” or “it’s for educational purposes” are not legal defenses for unauthorized access.

Resources and Further Reading

Ethical Guidelines

Academic References

From the original project documentation:

Legal Analysis of IoT Botnets

Academic paper examining legal frameworks around IoT security

Security Research Thesis

University thesis on related malware research

Final Warning

By accessing, downloading, compiling, or using the Proone software, you acknowledge that:
  1. You understand this is malicious software
  2. You will only use it in isolated, controlled environments
  3. You will not use it against systems without explicit authorization
  4. You accept full legal responsibility for your actions
  5. You understand the criminal and civil penalties for misuse
  6. You will comply with all applicable laws and regulations
If you cannot agree to these terms, do not proceed.

When in Doubt

If you have any questions about whether your intended use is legal and ethical, consult with a lawyer and your organization’s security team before proceeding. It is always better to ask for permission than to face prosecution.

This security notice is not legal advice. Consult with qualified legal counsel regarding your specific situation and jurisdiction.
Copyright (c) 2019-2022 David Timber <[email protected]>
