The Legal Risks of Ethical Hacking
When ethical hackers track down computer criminals, do they risk prosecution themselves?
Those people include Thorsten Holz, a Ph.D. student researching botnets at the University of Mannheim in Germany. During research in which Holz and colleagues impersonated a bot, Holz says he gained access to 33GB of keylogger data relating to 170,000 victims.
"This contained private information such as what victims are typing, their passwords, very detailed information about more than 170,000 people," Holz said during the panel. "This is something where we had a lot of internal discussions [and discussions with lawyers and police] on what to do with it, and what are the legal and ethical implications."
Holz says his research team decided to share information in a way that victims could be notified.
Panelists and audience members discussed the legal concept of misprision, the offence of failing to report a known felony, and debated what level of responsibility researchers have to notify victims. Notifying someone that they are the victim of a botnet is the equivalent of picking a candy wrapper up off the street, Paxson opined. But if a researcher takes over a botnet and cleans it, the ethics are less certain, because the researcher could cause unforeseen damage, he said. Many worms have surprising behavior not anticipated by their authors, he noted.
Attorney Aaron Burstein, also sitting on the panel, said that following one's own ethical code won't necessarily protect a researcher from the rule of law.
"Frequently, we find it's possible to break the law while doing something ethical, and conversely following the law doesn't necessarily ensure that you are acting ethically," he said.
Holz said it's a good idea to work with law enforcement, but noted that it is difficult. "The typical police officer is not aware of many things that happen in cyberspace," he said.