Case 1:20-cv-01217-LDH-RER Document 1 Filed 03/05/20 Page 1 of 28 PageID #: 1

UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF NEW YORK

MICROSOFT CORP.,

Plaintiff,

v.

JOHN DOES 1-2, CONTROLLING COMPUTER BOTNETS AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS,

Defendants.

Case No.

FILED UNDER SEAL

COMPLAINT

Plaintiff MICROSOFT CORPORATION (“Microsoft”) hereby complains and alleges that JOHN DOES 1-2 (collectively “Defendants”) have illegally created and are using for criminal purposes a global network of interconnected computers known as the “Necurs Botnet” or “Necurs.” Necurs is comprised of computing devices connected to the Internet that Defendants have infected with malicious software (referred to as “malware”), including banking Trojans, spamware, and ransomware. The Necurs botnet is an extremely scaled infrastructure capable of sending a massive volume of spam and is one of the largest bodies of infrastructure in the spam email threat ecosystem. To date, Necurs has infected at least 9 million victim computers. Defendants have used and will continue to use Necurs to send spam email, install malicious software, and steal financial account information, funds and personal information from millions of individuals. Unless enjoined and held accountable, Defendants will continue to use Necurs to engage in this harmful activity. Defendants control Necurs through a command and control infrastructure (the “Necurs Command and Control Domains”) hosted and operating through the Internet domains set forth at Appendices A and B to this Complaint. Microsoft alleges as follows:

NATURE OF ACTION

1. This is an action based upon: (1) The Computer Fraud and Abuse Act, 18 U.S.C. § 1030; (2) Electronic Communications Privacy Act, 18 U.S.C. § 2701; (3) Trademark Infringement under the Lanham Act, 15 U.S.C. § 1114 et seq.; (4) False Designation of Origin under the Lanham Act, 15 U.S.C. § 1125(a); (5) Trademark Dilution under the Lanham Act, 15 U.S.C. § 1125(c); (6) common law trespass to chattels; (7) conversion; (8) unfair competition; and (9) unjust enrichment. Microsoft seeks injunctive and other equitable relief and damages against Defendants, to prevent Defendants from engaging in these violations of law and to disable the Necurs Command and Control Domains. Defendants, through their illegal activities involving Necurs, have caused and continue to cause irreparable injury to Microsoft, its customers and licensees, and the public.

PARTIES

2. Plaintiff Microsoft is a corporation duly organized and existing under the laws of the State of Washington, having its headquarters and principal place of business in Redmond, Washington.

3. John Doe 1 controls Necurs and the Necurs Command and Control Domains in furtherance of conduct designed to cause harm to Microsoft, its customers and licensees, and the public. Microsoft is informed and believes and thereupon alleges that John Doe 1 can likely be contacted directly or through third parties using the information set forth in Appendix A.

4. John Doe 2 controls Necurs and the Necurs Command and Control Domains in furtherance of conduct designed to cause harm to Microsoft, its customers and licensees, and the public. Microsoft is informed and believes and thereupon alleges that John Doe 2 can likely be contacted directly or through third parties using the information set forth in Appendix A.

5. Third parties VeriSign, Inc., VeriSign Information Services, Inc., and VeriSign Global Registry Services (collectively, “VeriSign”) are the domain name registries that oversee the registration of all domain names ending in “.com,” “.net,” “.cc,” and “.tv” and are located at 12061 Bluemont Way, Reston, Virginia 20190.

6. Third party Public Interest Registry is the domain name registry that oversees the registration of all domain names ending in “.org,” and is located at 1775 Wiehle Avenue, Suite 100, Reston, Virginia 20190.

7. Third party Afilias Limited c/o Afilias USA, Inc. is the domain name registry that oversees the registration of all domain names ending in “.pro,” is the domain name registry backend provider for the domains ending in .me, .mn and .sc, and is located at 300 Welsh Road, Building 3, Suite 105, Horsham, Pennsylvania 19044.

8. Third party Neustar, Inc. is the domain name registry that oversees the registration of all domains ending in “.biz” and “.us.” Neustar, Inc. is located at 21575 Ridgetop Circle, Sterling, Virginia 20166.

9. Third parties Neustar, Inc. and .CO Internet S.A.S. are the domain name registry backend provider and domain name registry that oversee the registration of all domains ending in “.CO.” Neustar, Inc. is located at 21575 Ridgetop Circle, Sterling, Virginia 20166, and .CO Internet S.A.S. at World Trade Center Calle 100 No. 8 A - 49 Torre B of. 507, Bogota, Colombia.

10. Third party ICM Registry LLC is the domain name registry that oversees the registration of all domain names ending in “.xxx” and is located at PO Box 30129, Palm Beach Gardens, Florida 33420.

11. Set forth in Appendices A and B are the identities of and contact information for third party domain registries that control the domains used by the Defendants.

12. On information and belief, John Does 1-2 jointly own, rent, lease, or otherwise have dominion over the Necurs Command and Control Domains and related infrastructure and through those control and operate Necurs. Microsoft will amend this complaint to allege the Doe Defendants’ true names and capacities if and when ascertained. Microsoft will exercise due diligence to determine Doe Defendants’ true names, capacities, and contact information, and to effect service upon those Doe Defendants.

13. Microsoft is informed and believes and thereupon alleges that each of the fictitiously named Doe Defendants is responsible in some manner for the occurrences herein alleged, and that Microsoft’s injuries as herein alleged were proximately caused by such Defendants.

14. On information and belief, the actions and omissions alleged herein to have been undertaken by John Does 1-2 were actions that Defendants, and each of them, authorized, controlled, directed, or had the ability to authorize, control or direct, and/or were actions and omissions that each Defendant assisted, participated in, or otherwise encouraged, and are actions for which each Defendant is liable. Each Defendant aided and abetted the actions of the other Defendant, as set forth below, in that each Defendant had knowledge of those actions and omissions, provided assistance and benefited from those actions and omissions, in whole or in part. Each Defendant was the agent of each of the other Defendants, and in doing the things hereinafter alleged, was acting within the course and scope of such agency and with the permission and consent of the other Defendant.

JURISDICTION AND VENUE

15. The Court has subject matter jurisdiction over this action pursuant to 28 U.S.C. § 1331 because this action arises out of Defendants’ violations of The Computer Fraud and Abuse Act (18 U.S.C. § 1030), Electronic Communications Privacy Act (18 U.S.C. § 2701), and the Lanham Act (15 U.S.C. §§ 1114, 1125). The Court also has subject matter jurisdiction over Microsoft’s claims for trespass to chattels, intentional interference with contractual relationships, unjust enrichment, unfair competition, and conversion pursuant to 28 U.S.C. § 1367.

16. Venue is proper in this judicial district pursuant to 28 U.S.C. § 1391(b) because a substantial part of the events or omissions giving rise to Microsoft’s claims has occurred in this judicial district, because a substantial part of the property that is the subject of Microsoft’s claims is situated in this judicial district, and because a substantial part of the harm caused by Defendants has occurred in this judicial district. Defendants have conducted business in the Eastern District of New York and have utilized instrumentalities located in the Eastern District of New York to carry out the acts of which Microsoft complains.

17. Defendants have affirmatively directed actions at New York and the Eastern District of New York by directing malicious computer code at the computers of individual users located in New York and the Eastern District of New York, by attempting to infect and in fact infecting those computing devices with the malicious code to make the computing devices part of the Necurs botnet, by directing malicious computer code and instructions to Microsoft’s Windows operating system and computers of individual users and entities located in New York and the Eastern District of New York, in order to compromise the security of those systems, to install malicious software on those systems and to steal funds and resources from and through those computers, all to the grievous harm and injury of Microsoft, its customers and licensees, and the public. Figures 1, 2 and 3, below, depict the geographic location of computer devices in and around the Eastern District of New York, against which Defendants are known to have directed malicious code, attempting to or in fact infecting those devices, thereby enlisting them into the Necurs botnet.

Figure 1

Figure 2

Figure 3

18. Defendants use certain of the Necurs Command and Control Domains to communicate with and control the Necurs-infected computing devices located in this judicial district that Defendants communicate with, control, steal from, update, and maintain. Defendants have undertaken the acts alleged herein with knowledge that such acts would cause harm through computing devices located in the Eastern District of New York, thereby injuring Plaintiff, its customers, and others in the Eastern District of New York and elsewhere in the United States. Therefore, this Court has personal jurisdiction over Defendants.

19. Venue is proper in this judicial district under 28 U.S.C. § 1391(c) because Defendants are subject to personal jurisdiction in this judicial district.

FACTUAL BACKGROUND

Microsoft’s Services and Reputation

20. Microsoft is a provider of the Windows operating system. Microsoft has invested substantial resources in developing high-quality products and services. Due to the high quality and effectiveness of Microsoft’s products and services and the expenditure of significant resources by Microsoft to market those products and services, Microsoft has generated substantial goodwill with its customers, establishing a strong brand and developing the Microsoft name and the names of its products and services into strong and famous world-wide symbols that are well-recognized within its channels of trade. Microsoft has registered trademarks representing the quality of its products and services and its brand, including Microsoft and Windows. Copies of the trademark registrations are attached as Appendix C to this Complaint.

Computer “Botnets”

21. A “botnet” is a collection of individual computing devices infected with malware that allows communication among those computing devices and centralized or decentralized communication with server computers providing control instructions. A botnet network may be comprised of hundreds of thousands and sometimes millions, as in this case, of infected computing devices. The individual computing devices in a botnet often belong to users who have unknowingly downloaded or been infected by the malware. A user’s computing device, for example, may become part of a botnet when the user inadvertently interacts with a malicious website advertisement, clicks on a malicious email attachment, or downloads a document that contains hidden malware. In each instance where the Necurs malware is downloaded and successfully executed on the user’s computing device, it causes that device to become part of the Necurs botnet. Once part of a botnet, the user’s computing device is capable of sending and receiving communications, code, and instructions to and from other botnet computers.

22. Malicious actors leverage the computing power and Internet accessibility of the infected computers to target and infiltrate additional computers.
23. Many botnets are controlled through a set of specialized server computers referred to as “command and control servers.” The command and control servers are often wholly under the control of the botnet creators. These may have specialized functions, such as sending control instructions to infected computing devices and uploading stolen information from them.

24. Criminal organizations and individual cybercriminals usually create, control, maintain, and propagate botnets in order to carry out misconduct that harms others’ rights. Cybercriminals favor the use of botnets for many illegal activities because botnets support a wide range of illegal conduct, are difficult for security experts to disable or eradicate, and use a variety of networks and firewalls to conceal the identities of the malefactors controlling them. The controllers of a botnet will use an infected computing device for a variety of illicit purposes, unknown to the end user. A computing device in a botnet, for example, may be used to:

a. Carry out theft of money, credentials, or other sensitive information or engage in fraud, computing device intrusions, or other misconduct;

b. Anonymously send unsolicited bulk email or other electronic messages without the knowledge or consent of the individual user who owns the compromised computing device;

c. Deliver further malware to infect other computing devices; or

d. “Proxy” or relay Internet communications originating from other computer devices, in order to obscure and conceal the true source of those communications.

25. Botnets provide a very efficient means of controlling a large number of computer devices for illegal purposes and a means of targeting any illicit action against the contents of those devices, the users of those devices, or against computing devices and networks connected to the Internet.

NECURS

26. Plaintiff brings this action to stop Defendants from harming Plaintiff, its customers, and the public, through the Necurs Command and Control Domains, which are central to the Necurs botnet’s illegal operation.

27. Necurs is a prolific and globally diverse spam and malware distribution botnet. The Necurs botnet has infected over nine million end user computers, of the type commonly found in businesses, living rooms, schools, libraries, and Internet cafes around the world. These infected computers exist around the world and are a substantial and robust delivery mechanism for phishing attacks, distributing ransomware, financially targeted malware, and other criminally motivated spam email campaigns.

28. Necurs is used in a variety of illegal activities and is known to have distributed some of the world’s most sophisticated malware, including Game Over Zeus, Dridex, Locky and Trickbot. Necurs arrives on a victim’s system by being downloaded by other malware, through either spammed email attachments or malicious advertisements. Once on a system, Necurs utilizes its kernel mode rootkit capabilities to disable a large number of security applications, including Windows Firewall, both to protect itself and other malware on the infected system.

29. Once the Necurs malware infects a new victim computing device, it contacts a command and control computer over the Internet from which it begins to receive instructions and additional malware modules. This effectively places the infected computer under the command of Defendants, the operators of the botnet.

`10
`
`

`

`Case 1:20-cv-01217-LDH-RER Document 1 Filed 03/05/20 Page 11 of 28 PageID #: 11
`
30. The user of the infected computer is unaware of Necurs’ activity, as Defendants have designed Necurs to hide itself and its unlawful activity on infected computing devices in part by disabling the security defenses of the user’s device. The operating system still purports to be Windows, but, in fact, Necurs has corrupted and thereby converted the Windows operating system into an instrument of fraud aimed directly at the user of the computing device. The typical user is unaware of Defendants’ intrusion, theft, surveillance and control of their computing device.

31. Necurs is designed as a “pay-per-install” criminal business enterprise that compensates hackers who distribute the Necurs malware onto additional computers. The user of the infected computer is likewise unaware that the Necurs malware is designed to use the infected computers to spread the malware to additional victim computers, expanding the scope of the botnet. The Necurs code contains code that transforms the infected computer into a spam email distributor, a distributor of fraud and ransomware and a target of theft of funds and information. For example, a single computer infected with Necurs malware is capable of sending approximately 3.6 million spam emails to approximately 40 million people over 58 days.

The Necurs Botnet’s Infrastructure

32. Like other botnets, the Necurs botnet is comprised of a large number of victim computers that have been infected by the Defendants with the Necurs malware. Further, the Necurs botnet includes computers that have a “command and control” purpose. These command and control computers are utilized by the Defendants to transfer command and control instructions to the infected victim computers, in order to maintain control over the operation of those victim computers and to carry out the numerous types of harmful activities described more fully later in this declaration.

`11
`
`

`

`Case 1:20-cv-01217-LDH-RER Document 1 Filed 03/05/20 Page 12 of 28 PageID #: 12
`
Infected Victim Computers In The Necurs Botnet

33. The infected victim computers in the Necurs botnet are essentially the workers of the Necurs botnet, performing the day-to-day illegal activity. For example, Defendants use these computers to send spam email, encrypt the computers with ransomware and demand a ransom, or install financial theft malware which enables them to ultimately steal money directly from these individuals’ bank accounts, as well as to steal personal information from the owners of the infected computers and engage in other malicious activity directed at these victims.

34. The Necurs malware also serves an additional purpose: to perpetuate additional malicious actions and infiltrate even more victim computers. The Necurs botnet infects victim computers with the following malware: Game Over Zeus (financial theft malware), Locky (ransomware), Dridex (ransomware), and a DDoS module (a module designed to launch distributed denial of service attacks on other computers). Each of these secondary malware infections makes further changes to the user’s computing device, including by adding files, changing registry settings, opening additional backdoors that allow remote control by other cybercriminals, and allowing yet further sets of malware to be downloaded onto the computing device. All of these malware variants are designed to attack computing devices running Microsoft Windows operating systems and may themselves be connected to other criminal botnet infrastructure beyond Necurs, receiving additional commands.

The Necurs Command and Control Computers

35. As mentioned, after the Necurs malware infects a victim computing device, it connects over the Internet to one of its pre-programmed command and control servers. These command and control servers are specialized servers and/or software that Defendants use to send commands to control the Necurs botnet’s infected victim computers. The command and control computers send the most fundamental instructions, updates, and commands, and overall control of the botnet is carried out from these computers. To create the command and control servers, Defendants set up accounts with web-hosting providers—i.e., companies, usually legitimate, that provide facilities where computers can be connected through high-capacity connections to the Internet, and locate their servers in those facilities. By contacting a command and control server, the Necurs malware can receive updated commands and modules from and communicate with the Defendants.

36. The Defendants are able to send and receive communications between their command and control servers and the infected victim computers in the Necurs botnet by means of three different communication channels. Figure 4 below illustrates these communication channels of the Necurs botnet.

Figure 4: Necurs Communication Channels with Redundancy (panels: Domain Generation Algorithm (DGA) domains; custom peer-to-peer (P2P) network)

37. First, the primary communication between victim and Command and Control (C2) is through (1) a set of IP addresses controlled by Defendants, and used via IP address to IP address communications utilizing Hypertext Transfer Protocol (“HTTP”), and (2) a “hardcoded” domain that is preprogrammed into the Necurs malware. The hardcoded domain is set forth at Appendix A to this complaint. Second, the C2 IP addresses are distributed throughout the botnet via direct download from the C2 server or through a Peer to Peer (P2P) network which is comprised of other Necurs-infected victim computers. Third, the botnet also uses Internet domains generated by a Domain Generation Algorithm (“DGA”) as a backup communications channel. The DGA domains are set forth at Appendix B to this complaint.

38. The primary communication channel between infected victim computers and the command and control servers is either particular IP addresses controlled by Defendants (which are reached by IP address to IP address communications utilizing Hypertext Transfer Protocol or “HTTP”) or a particular domain name that is preprogrammed into the Necurs malware (referred to as the “hardcoded” domain), which are set forth at Appendix A.

39. A secondary communication channel between infected victim computers and the command and control computers is comprised of IP addresses distributed throughout the botnet via direct download from command and control servers or through a “peer-to-peer” network (sometimes abbreviated as “P2P”) which is comprised of other Necurs-infected victim computers. This communication level ensures information can be continuously transmitted between the command and control servers and the infected computers if the primary communication means is disrupted. Both cryptographically signed P2P messages and TCP and UDP protocols are deployed to ensure this backup channel remains active to perpetuate Defendants’ fraud and malicious actions.

40. Necurs also uses internet domain names generated by a Domain Generation Algorithm (“DGA”) that is contained within the Necurs malware on infected victim computers as a “fallback” communication channel. When all of the other command and control communications channels of the Necurs botnet are disrupted, and Defendants cannot use them to communicate with the infected victim computers, then the Necurs malware on the infected victim computers detects that fact and reverts to the DGA in order to create domains as a “fallback” backup communication channel for the botnet. These domains are set forth in Appendix B.

41. DGAs are algorithms that rely upon a pseudorandom schema to generate a large number of domain names that can be used as rendezvous points with the command and control servers. In other words, the Necurs malware creates lists of domains and attempts to connect to them to receive command and control instructions, with the expectation that the Defendants will register some or all of those domains and be able to re-exert control over the botnet. The domains are pseudorandomly generated strings of letters or numbers (for example, "iioxtbyqnuajqftp[.]TLD" etc.). They do not have any commercial value and do not represent any real words.

42. The purpose of the DGA is to create lists of domains that are not yet registered and which are not likely at all to be registered by any party. In this way, after losing control of the botnet, the Defendants can register these domains, knowing that the infected victim computers will eventually be reaching out to those domains seeking instructions. The large number of potential rendezvous points makes it increasingly difficult to effectively shut down botnets, since the infected computers will attempt to contact some of these new domain names every day to receive updates or commands. Microsoft has identified a staggering 6,144,000 prospective DGA command and control domains, across the 15 variants of the botnet, which the Necurs botnet can deploy at any moment, once all of the IP address infrastructure and hardcoded domain infrastructure is disrupted.

`15
`
`

`

`Case 1:20-cv-01217-LDH-RER Document 1 Filed 03/05/20 Page 16 of 28 PageID #: 16
`
DGA domain counts (DGA version: 5 combinations collected and analyzed)

  2,048       domains per combination
  8           cycles per month
  12          months
  25          months

  30,720      domains per cycle (3-4 days)
  247,760     domains per month
  2,949,120   domains per year
  6,144,000   domains over 25 months (scope of operation)
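As an added illustration of paragraphs 40 to 42 and the table above (example code written for this page; it is not part of the complaint or of Microsoft's filing), the Python below does what a network defender does with that description: it triages resolver logs for second-level labels that look like DGA output (long, high-entropy, vowel-poor strings that "do not represent any real words", such as the complaint's example iioxtbyqnuajqftp[.]TLD) and flags clients that receive repeated NXDOMAIN answers for such names, which is the visible footprint of an infected host walking its generated list in search of a domain the operators have registered. The log lines, the client addresses, the `.example` TLD (standing in for the unspecified TLD in the complaint's example), the other made-up labels and the four scoring thresholds are all constructed for this example. The `dga_domain_capacity` function reproduces the table's arithmetic under the assumption that the 30,720 domains per cycle equals 2,048 domains per combination times the 15 variants named in paragraph 42; note that 30,720 × 8 cycles is 245,760 per month, whereas the table as extracted reads 247,760, and the yearly and 25-month figures (2,949,120 and 6,144,000) both follow from 245,760.

```python
"""DGA-like domain triage over resolver logs (added example; not from the complaint)."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the complaint): timestamp, client, name, rcode.
# The .example TLD stands in for the unspecified TLD in the complaint's example domain.
SAMPLE_DNS_LOG = """\
2020-03-05T10:00:01Z 10.0.0.12 microsoft.com NOERROR
2020-03-05T10:00:02Z 10.0.0.12 update.windows.com NOERROR
2020-03-05T10:00:03Z 10.0.0.12 microsoftonline.com NOERROR
2020-03-05T10:00:04Z 10.0.0.12 iioxtbyqnuajqftp.example NXDOMAIN
2020-03-05T10:00:05Z 10.0.0.12 qzvkxwpbdtrlmnsg.example NXDOMAIN
2020-03-05T10:00:06Z 10.0.0.12 hxkqtwmzbrfpldcs.example NXDOMAIN
2020-03-05T10:00:07Z 10.0.0.40 accounts.example NOERROR
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    """Longest run of consonant letters; digits and vowels break the run."""
    run = best = 0
    for ch in s:
        run = run + 1 if (ch.isalpha() and ch not in VOWELS) else 0
        best = max(best, run)
    return best


def dga_indicators(label: str) -> dict:
    """Cheap lexical indicators that a second-level label is machine-generated.
    The thresholds are assumptions chosen for this example, not values from the complaint."""
    label = label.lower()
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return {
        "long": len(label) >= 12,
        "high_entropy": shannon_entropy(label) >= 3.0,
        "consonant_run": longest_consonant_run(label) >= 5,
        "few_vowels": vowel_ratio < 0.35,
    }


def is_dga_like(label: str, min_hits: int = 3) -> bool:
    """Flag a label when at least min_hits of the four indicators fire."""
    return sum(dga_indicators(label).values()) >= min_hits


def second_level_label(name: str) -> str:
    """The label directly under the TLD, e.g. 'windows' for update.windows.com."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text: str):
    """Yield (timestamp, client, name, rcode) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groups()


def find_dga_candidates(text: str) -> list:
    """Queried names whose second-level label trips the heuristic, in log order."""
    return [name for _, _, name, _ in parse_log(text)
            if is_dga_like(second_level_label(name))]


def nxdomain_fallback_hosts(text: str, threshold: int = 3) -> dict:
    """Clients with at least `threshold` NXDOMAIN answers for DGA-like names: the
    footprint of a bot walking its generated list until one domain resolves."""
    counts = defaultdict(int)
    for _, client, name, rcode in parse_log(text):
        if rcode == "NXDOMAIN" and is_dga_like(second_level_label(name)):
            counts[client] += 1
    return {client: n for client, n in counts.items() if n >= threshold}


def dga_domain_capacity(domains_per_combination: int = 2048, variants: int = 15,
                        cycles_per_month: int = 8, months: int = 25) -> dict:
    """The table's arithmetic. Assumption: the per-cycle count is 2048 x 15 variants."""
    per_cycle = domains_per_combination * variants
    per_month = per_cycle * cycles_per_month
    return {"per_cycle": per_cycle, "per_month": per_month,
            "per_year": per_month * 12, "total": per_month * months}


if __name__ == "__main__":
    print("DGA-like names:", find_dga_candidates(SAMPLE_DNS_LOG))
    print("Hosts in DGA fallback:", nxdomain_fallback_hosts(SAMPLE_DNS_LOG))
    print("Generated-domain capacity:", dga_domain_capacity())
```

Run it as a script to print the flagged names and hosts. The indicators are deliberately cheap and will fire on some long legitimate labels (the sample includes microsoftonline, which trips two of the four and is correctly left alone), so a score like this is a triage signal to combine with NXDOMAIN volume per client and with an allow-list of known names, not a blocking rule on its own.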

43. Given that the primary IP address-based command and control infrastructure is not in use, given the current operational state of the Necurs botnet, and given collaboration between Microsoft and its private and public partners, Microsoft has prepared means to disable and disrupt the IP address-based command and control infrastructure of the Necurs botnet. Thus, it is necessary to disable the “hardcoded” domain and the fallback “DGA” domains in order to disrupt the Necurs botnet. Disablement of these domains is the goal of the relief sought in the instant action.

Harm To Microsoft And Microsoft’s Customers

44. The Necurs malware infection harms Microsoft, its customers, and the public by damaging the customers’ computing devices and the software installed on those devices licensed from Microsoft, including degrading the integrity of the computers and the operating system, intruding into those devices, disabling some of those systems’ antivirus software, and carrying out malicious actions from those computers and directed toward the owners of those computers. During the infection of a user’s device, the Necurs malware makes changes at the deepest and most sensitive levels of the device’s operating system. Additionally, it makes fundamental changes at the level of the Windows registry. Microsoft’s customers whose computing devices are infected with the malicious software are damaged by these changes to Windows, which alter the normal and approved settings and function of the user’s operating system, destabilize it, and forcibly draft the customers’ devices into the botnet. Necurs severely damages the computing devices it infects, making low-level changes to the operating system and, with respect to Windows 7, degrades the primary security defense of most computing devices - the antivirus software - by blocking the computing device from getting anti-virus software updates. This functionality, however, is not possible on a computing device running an updated Windows 7, with updated antivirus software, or in Windows 10, a more recent version of the Windows operating system. As a result, for devices using an outdated Windows 7 without updated antivirus protections, Necurs not only cripples the security mechanism that might result in removal of Necurs from the computing device, it may leave victims’ computing devices exposed to many other types of malware.

45. Once a computing device is infected, the Windows operating system ceases to operate normally and is transformed into a tool of deception and theft. But Windows still bears Microsoft’s trademarks. This is obviously meant to and does mislead Microsoft’s customers, and it causes extreme damage to Microsoft’s brands and trademarks. Trademark registrations for the marks infringed by Defendants are attached to this complaint as Appendix C.

46. Customers who experience degraded performance of Microsoft’s product may attribute such poor performance to Microsoft, causing extreme damage to Microsoft’s brands and trademarks and goodwill associated therewith. Even customers who eventually come to learn their computing devices are infected with malware may incorrectly attribute the infection to vulnerabilities in Microsoft’s products, because many customers are unaware that they have fallen prey to Defendants’ attacks.

47. Moreover, as a provider of Windows, Microsoft devotes significant computing and human resources to combating Necurs and other malware infections and helping customers determine whether or not their computing devices are infected and, if so, cleaning them. Not only does Microsoft expend resources in helping users combat Necurs, these efforts require in-depth technical investigations and extensive efforts to calculate and remediate harm caused to Microsoft’s customers. Microsoft, as a provider of the Windows operating systems, must also incorporate security features in an attempt to stop installation of the Necurs malware and other malicious software that is distributed by the Necurs botnet. Microsoft has expended significant resources to investigate and track the Necurs Defendants’ illegal activities and to counter and remediate the damage caused by the Necurs botnet to Microsoft, its customers, and the general public.

48. Necurs also inflicts severe harm on individuals whose computing devices it infects. Once a computing device is infected with Necurs, Defendants can use the victims’ computers to send spam email or to deliver other malware that, among other things, enables Defendants to take control of victims’ computers and extort money from them, steal their online banking credentials, or constantly monitor the online activities of its unknowing victims, and also send commands and instructions to the infected computing device to control it surreptitiously. Defendants’ primary goal, as made evident by the Necurs’ functionality, is to propagate spam email, deliver financial theft malware, deliver ransomware, enable attacks against other computers and to steal online account login IDs, passwords, and other personal identifying information.

49. One of the principal activities of the Necurs malware is to cause victim computers to send massive amounts of spam email to other victims on the Internet. The Necurs botnet delivers spam by converting a victim computer into an email server that is capable of sending a vast amount of emails per day, as indicated above. The victim computer receives specialized templates of the spam email that it is supposed to send, as well as target email addresses to which the spam email is sent.
