Microsoft Corp. v. Does

To the Honorable LaShann DeArcy Hall United States District Judge

REPORT & RECOMMENDATION

RAMON E. REYES, JR., U.S.M.J.:

Plaintiff Microsoft Corp. (Plaintiff or “Microsoft”) brings this action alleging that Defendants John Does 1-2, allegedly controlling computer botnets (Defendants), illegally created a global network of interconnected computers for criminal purposes. (Dkt. No. 1 (“Compl.”) at 1). Microsoft alleges that Defendants' conduct violates the Lanham Act, 15 U.S.C. §§ 1114, 1125, Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. § 2701, and the common law. (Id. ¶¶ 54-59, 60-65, 66-72, 73-78, 79-83, 84-91, 92-96, 97-99, 100-106).

Your Honor has referred to me Microsoft's Motion for Default Judgment. (Order dated 9/10/2020). Microsoft seeks a permanent injunction (1) prohibiting the Defendants from operating or propagating the Necurs botnet, and (2) preventing registration of malicious domains identified in the Court's preliminary injunction order” issued March 31, 2020. (Dkt. No. 18-1 (“Pl.'s Mem.”) at 1; see Dkt. No. 14). For the reasons which follow, I respectfully recommend that Your Honor grant Microsoft's motion and convert the Court's preliminary injunction into a permanent injunction as outlined in Microsoft's proposed order.

BACKGROUND
I. Facts

As required by Federal Rule of Civil Procedure 55, the following facts are accepted as true:

This action involves malicious activity carried out by two unidentified Defendants who use the Necurs Botnet (“Necurs”) to harm computing devices running on Microsoft's Windows operating system.

“A ‘botnet’ is a collection of individual computing devices infected with malicious software [(“malware”)] that allows communication among those devices and centralized or decentralized communication with server computers that provide control instructions.” (Compl. ¶ 21). In sum, a botnet provides malicious actors with an efficient means of controlling a large number of computer devices. (Id. ¶ 25). Individual users can inadvertently cause their device to become part of a botnet by interacting with a website advertisement, email attachment, or other document that contains hidden malware. (Id. ¶ 21). A botnet can include anywhere from hundreds to millions of infected computing devices. (Id.).

The botnet at issue here, Necurs, is a global botnet, comprised of computing devices connected to the internet, that distributes spam and malware. (Compl. ¶¶ 25, 27). It is a criminal enterprise that has infected millions of end-user computers around the world, including those found in businesses, living rooms, schools, libraries, and internet cafes. (Id. ¶¶ 27, 31). Defendants have caused Necurs to attempt to infect and in fact infect the computers of individual users and entities located within the Eastern District of New York. (Id. ¶¶ 17-18).

Computing devices that run on Microsoft's Windows operating system have been forcibly connected to Necurs, which degrades the integrity of the system, disables its antivirus software, and carries out malicious actions from those computers without the knowledge of the device owners and users. (Compl. ¶¶ 44, 30). Although the operating systems of infected devices still purport to be Windows, Necurs code corrupts and converts the operating system for its own purposes. (Id. ¶ 30). Necurs malware makes changes to “the deepest and most sensitive levels of the [infected] device's operating system.” (Id. ¶ 44). This includes altering the normal and approved Windows settings such that it destabilizes the operating system. (Id.). As a result, the Windows operating system no longer operates normally, although it continues to bear the Windows and Microsoft marks. (Id. ¶ 45). For users with the Windows 7 operating system but without updated antivirus software, Necurs causes a heightened security risk that leaves the user exposed to additional malware. (Id. ¶ 44).

Necurs then uses the infected computers to spread malware to other computers, thereby expanding the scope of the botnet. (Compl. ¶ 31). Its code causes an infected computer to distribute spam email, fraud, and ransomware, install financial theft malware, and steal personal information, among other malicious activity. (Id. ¶¶ 31, 33). According to Microsoft, a single infected computer can send more than 3.6 million spam emails to approximately 40 million people over 58 days. (Id. ¶¶ 31, 50). Necurs infects computers with additional malware that adds files and changes registry settings. (Id. ¶ 34).

The threat does not end with Necurs itself. Necurs malware enables other criminal actors to transmit their own malware to infected devices. (Compl. ¶¶ 34, 51). These secondary infections make additional changes to the device, including by adding files, changing registry settings, opening additional backdoors that allow control by other cybercriminals, and allowing even more malware to be downloaded to the device. (Id. ¶ 51). The malware variants are designed to attack devices running Windows operating systems and may be connected to other botnets. (Id.).

Microsoft identified two John Doe defendants who jointly own, rent, lease, or otherwise have dominion over command and control domains and related infrastructure through which Defendants control and operate Necurs. (Compl. ¶¶ 3-4, 12). Defendants' goals are “to propagate spam email, deliver financial theft malware, deliver ransomware, enable attacks against [victims'] computers and steal online account login IDs, passwords, and other personal identifying information.” (Id. ¶ 48). To these ends, Defendants use command and control computers and/or pre-programmed command and control servers to transfer instructions to infected computers. (Id. ¶¶ 32, 35). Defendants created these servers through accounts with web-hosting providers. (Id. ¶ 35). The providers include legitimate companies that “provide facilities where computers can be connected through high-capacity connections to the internet and locate their servers in those facilities.” (Id.).

Communication between the command and control servers and the victim computers occurs through three different channels also controlled by Defendants. (Compl. ¶¶ 36-42). Communication channels include IP addresses, a “hardcoded” domain within Necurs malware, and internet domains. (Id. ¶ 37). Necurs uses a Domain Generation Algorithm contained within its malware to generate a large number of internet domains that Defendants can register to exert control over the botnet when other communications channels fail. (Id. ¶¶ 40-41). Third party domain name registries oversee the registration of internet domain names and control domains, including those used by Defendants. (Id. ¶¶ 5-11).

Microsoft collaborated with private and public partners to identify and prepare means to disable and disrupt IP address-based communication from Necurs command and control servers to infected computers. (Id. ¶ 43). Microsoft seeks continued injunctive relief to ensure that domain-based communication from Necurs command and control servers to victim computers remains disabled. (Id.).

II. Procedural History

Microsoft brought this suit to enforce its rights under the Lanham Act, CFAA, ECPA, and common law. (Compl. ¶ 1). On March 5, 2020, the Honorable Eric R. Komitee granted Microsoft's ex parte motion for a temporary restraining order (“the TRO”). (Dkt. No. 11). On March 31, 2020, Your Honor held a telephonic hearing and granted Microsoft's motion for preliminary injunction and for discovery. (Dkt. Nos. 14, 14-1). Your Honor also permitted alternative service by email and publication on a publicly available internet website, in addition to personal delivery to the extent that Defendants provided accurate contact information. (Dkt. No. 14 ¶ 11).

Microsoft executed the TRO on March 10, 2020, meaning that the Necurs command and control infrastructure was redirected to Microsoft servers, effectively severing communication between infected devices and Defendants. (Dkt. No. 16-1 (“Ramsey Decl.”) ¶ 6). This resulted in an inability of Defendants to grow Necurs and steal online credentials and personal information. (Id. ¶ 7). Defendants are likely aware of this impact. (Id.). “The TRO [was] crafted to disable the operation of the Necurs botnet while causing the least amount of burden on the third-party domain registries responsible for administering those domains.” (Pl.'s Mem. at 9). The relevant third parties have not taken issue with the effects of the Court's preliminary injunction. (Id.).

To register the domains used for the command and control of Necurs, Defendants provided email addresses to the relevant domain registrars. (Ramsey Decl. ¶ 10). Microsoft identified email addresses associated with Defendants through pre-filing investigation, informal discovery efforts, and discovery responses. (Id.). Microsoft served Defendants at all identified email addresses on March 11 and 30, 2020. (Id.; Pl.'s Mem. at 1). Microsoft also served defendants through publication beginning March 10, 2020 at the website http://www.noticeofpleadings.com/necurs. The service of process sent via email included the link to that website, on which Microsoft has also posted all subsequent pleadings and orders. (Ramsey Decl. ¶ 9).

Microsoft investigated the physical addresses Defendants provided to register Necurs domains; however, those mailing addresses either do not exist or are associated with fake names. (Ramsey Decl. ¶¶ 11, 13). In other words, the addresses provided are not a viable means to communicate with Defendants...
