Microsoft Obtains Ex Parte TRO in Waledac Botnet Case

March 2, 2010. Microsoft filed a complaint [63 pages in PDF] on February 22, 2010, in the U.S. District Court (EDVa) against unnamed defendants alleged to be operators of a controlled network of computers -- a botnet named Waledac -- that is used to send spam e-mail messages.

The District Court issued a sealed ex parte temporary restraining order (TRO) that contains an order directed at non-party VeriSign regarding domain names used in controlling the botnet.

Microsoft's complaint alleges violation of the federal computer hacking statute, CAN-SPAM Act, ECPA, and other claims. It seeks monetary and injunctive relief against the defendants. However, Microsoft brought this action for the purpose of obtaining an ex parte sealed court order directed at registrar VeriSign.

The procedure in this case violates numerous fundamental notions of due process of law, including notice and opportunity for a hearing, adversarial proceedings, public proceedings, and the principle that criminal enforcement is a sovereign function. See the related story in this issue titled "Commentary: Judicial Procedure in the Microsoft Waledac Botnet Case".

Botnet is a slang term of recent origin derived from the words robot network. It is used to describe a collection of software robots that reside on a collection of compromised computers, almost always without the authority or knowledge of the owners or operators, that are controlled remotely for various nefarious purposes. The compromised computers are often referred to as zombies.

The purposes for forming botnets include sending spam, running denial of service attacks, committing click fraud, and infecting computers with spyware. Botnet-based spam can be used for less harmful purposes, such as marketing, or for more harmful purposes, such as pump and dump securities fraud, theft of personal and financial information to commit further crimes, and various consumer fraud schemes. Also, botnet operators sometimes lease spamming capacity to others.

Microsoft stated in a release that "we have executed a major botnet takedown". It continued that "One of the 10 largest botnets in the US and a major distributor of spam globally, Waledac is estimated to have infected hundreds of thousands of computers around the world and, prior to this action, was believed to have the capacity to send over 1.5 billion spam emails per day."

Microsoft added that the District Court "granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals as the Waledac bot".

Microsoft elaborated that this "has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent. But the operation hasn’t cleaned the infected computers and is not a silver bullet for undoing all the damage we believe Waledac has caused. Although the zombies are now largely out of the bot-herders’ control, they are still infected with the original malware."

The complaint is 20 pages. Attached are a one page jury demand, and a 42 page appendix that contains a list of botnet domain names and related information.

The complaint contains eight counts:

  1. unauthorized access to protected computer systems in violation of the Computer Fraud and Abuse Act, which is codified at 18 U.S.C. § 1030
  2. CAN-SPAM Act, which is codified at 15 U.S.C. §§ 7701-7713
  3. Electronic Communications Privacy Act (ECPA) (18 U.S.C. § 2701)
  4. false designation of origin under the Lanham Act, which is codified at 15 U.S.C. § 1125(a)
  5. trademark dilution under the Lanham Act, which is codified at 15 U.S.C. § 1125(c)
  6. common law trespass to chattels
  7. unjust enrichment
  8. conversion

The complaint states that the defendants control "273 Harmful Botnet Domains" listed in the appendix to the complaint.

The complaint lists six domain name registrars, each of which is also identified as a "Third party". These are Verisign, Inc., Xin Net Technology Corp., Xiamen Ename Network Technology Corp., China Springboard, Inc., Wild West Domains, Inc., and Beijing Innovative Linkage Technology Ltd.

The complaint states that the John Doe defendants "maintain computers and Internet websites and engage in other conduct availing themselves of the privilege of conducting business in Virginia", have "directed malicious computer code at the computers of individual users located in Virginia and the Eastern District of Virginia", and have committed other acts that confer authority on the U.S. District Court to exercise personal jurisdiction over them.

The complaint describes the nature and structure of the Waledac botnet. There are uninfected hosts, which are the recipients of spam, and targets for infection by the botnet controller.

There are spammer nodes, which are computers infected with the botnet controller's software, which are not directly accessible from the internet, and which are used to send out spam messages.

There are repeater nodes, which are computers directly accessible from the internet that have been compromised, and which are used for several purposes, including acting as domain name servers (DNS) which translate human readable domain names to their corresponding internet protocol (IP) addresses, relaying communications to obfuscate their true source, and serving as HTTP and SOCKS 5 servers.

Next up the chain of control, there are TSL servers, or reverse proxy servers. The complaint states that these "receive in-bound communications and then pass those on to additional servers. In the Waledac Botnet, the TSL Servers receive in-bound communications from the Repeater Nodes and then pass them to other servers behind the TSL Servers. The purpose of TSL Servers is to obfuscate details about the servers behind them, to prevent direct communications with those servers and evade investigation of those portions of the botnet."

At the top, there are the main command and control servers, which are "responsible for coordinating the Waledac Botnet on the whole and providing the most fundamental definitions, commands and instructions that determine how infected computers will operate and how different botnet components will interact with each other."

Fast flux DNS servers are also part of the botnet. They are "constantly changing the addressing of the domain names that are associated with the command and control and infrastructure components that make up the botnet". They obfuscate the source, location, owner and other attributes of compromised computers that are a part of the botnet by "regularly updating the root name servers for the various fast flux domains used by the Waledac Botnet". To do so, these fast flux DNS servers access a web portal at one of the domains' registrars and update the root name servers at the registrars. Moreover, they do this through the repeater nodes (discussed above) to hide their locations.

The complaint states that each of the domains listed in the appendix is one of these fast flux domains.
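The fast flux behaviour described above leaves a visible trace in passive DNS data, and the following added example (not from the complaint or the original article) shows one way a defender might flag it: a domain whose A records spread across many networks with short TTLs, or whose name server set keeps being replaced. The record layout, thresholds and function names are assumptions, and the observations are constructed using reserved documentation domains and addresses.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed passive-DNS observations: (epoch_seconds, domain, rtype, value, ttl).
# Domains and addresses are reserved documentation values, not Waledac data.
OBSERVATIONS = [
    (0,    "flux-sample.example",   "A",  "192.0.2.10",    120),
    (300,  "flux-sample.example",   "A",  "198.51.100.7",  120),
    (600,  "flux-sample.example",   "A",  "203.0.113.44",  120),
    (0,    "flux-sample.example",   "NS", "ns1.a.example", 300),
    (1800, "flux-sample.example",   "NS", "ns1.b.example", 300),
    (3600, "flux-sample.example",   "NS", "ns1.c.example", 300),
    (0,    "stable-sample.example", "A",  "192.0.2.80",    86400),
    (0,    "stable-sample.example", "NS", "ns1.d.example", 172800),
    (0,    "stable-sample.example", "NS", "ns2.d.example", 172800),
    (3600, "stable-sample.example", "NS", "ns1.d.example", 172800),
    (3600, "stable-sample.example", "NS", "ns2.d.example", 172800),
]

def flux_profile(observations):
    """Per domain: distinct A addresses, distinct /16 networks, median A TTL,
    and how many different NS sets were seen across observation times."""
    ips, ttls = defaultdict(set), defaultdict(list)
    ns_at = defaultdict(lambda: defaultdict(set))  # domain -> timestamp -> NS names
    for ts, domain, rtype, value, ttl in observations:
        dom = domain.lower()
        if rtype == "A":
            ips[dom].add(ipaddress.ip_address(value))
            ttls[dom].append(ttl)
        elif rtype == "NS":
            ns_at[dom][ts].add(value.lower())
    profile = {}
    for dom in set(ips) | set(ns_at):
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips[dom]}
        ns_sets = {frozenset(names) for names in ns_at[dom].values()}
        profile[dom] = {"ips": len(ips[dom]), "nets": len(nets), "ns_sets": len(ns_sets),
                        "median_ttl": median(ttls[dom]) if ttls[dom] else None}
    return profile

def flag_fast_flux(observations, min_ips=3, min_nets=2, max_ttl=600, min_ns_sets=3):
    """Map each suspicious domain to the reasons it was flagged."""
    flagged = {}
    for dom, p in flux_profile(observations).items():
        a_flux = p["ips"] >= min_ips and p["nets"] >= min_nets and p["median_ttl"] <= max_ttl
        ns_flux = p["ns_sets"] >= min_ns_sets  # the NS set itself keeps being replaced
        reasons = [n for n, hit in (("a-record-flux", a_flux), ("ns-flux", ns_flux)) if hit]
        if reasons:
            flagged[dom] = reasons
    return flagged
```

Comparing whole NS sets per observation time, rather than counting distinct name server names, keeps an ordinary domain with two stable name servers from being flagged.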

The complaint seeks judgment against the John Doe defendants. It seeks monetary damages, and injunctive relief. The complaint does not request declaratory or injunctive relief directed at Verisign or any other registrar.

Microsoft stated in its release that the District Court issued a sealed TRO affecting VeriSign. Microsoft stated that this is an order "severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world".

Microsoft added that this has "effectively shut down connections to the vast majority of Waledac-infected computers".

VeriSign had not released any public statement as of March 1.

Microsoft is represented in this action by the law firm of Orrick, Herrington & Sutcliffe. This case is Microsoft Corporation v. John Does 1-27, U.S. District Court for the Eastern District of Virginia, Alexandria Division, D.C. No. 1:10CV156(LMB/UFA). LMB are the initials of Judge Leonie Brinkema.