A Novel Legal Tool in the Fight Against Botnets

The following is a guest blog post by David Kleban, a Fall 2010 Cyberlaw Clinic Student at the Berkman Center for Internet & Society at Harvard University.

Significant amounts of spam, malware, and phishing scams are propagated via botnets—networks of hundreds or thousands of computers infected with code that, unbeknownst to their owners, causes them to respond to the instructions of a “herder.”  The herder can use the network—or sell the capacity to other malfeasants—to infect computers, capture personal data, initiate distributed denial of service (DDoS) attacks, or, commonly, to send vast amounts of spam to recipients all over the internet.  The Waledac botnet was a particularly prolific network, composed of up to 90,000 compromised computers across the globe and capable of sending 1.5 billion spam messages per day.

Microsoft effectively shut down Waledac this year through a legal tactic pursued in the federal district court for the Eastern District of Virginia.  The court issued an ex parte temporary restraining order (“TRO”), which gave Microsoft control of nearly 300 Internet domains that the company argued were being used in the command and control structure of the botnet.  An ex parte order is issued without giving the defendants (here, the owners of the domains) notice or an opportunity to respond or to argue before the court.  By acquiring access to the domains, Microsoft was able to sever the infected “zombies” from their herder, making the network unusable for continued criminal activity.  Last month, the court granted permanent ownership of the domains to Microsoft after the defendants failed to appear in subsequent proceedings.
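The mechanism behind the takedown described above, as an added illustration that is not code from the original post or from Microsoft: bots find their herder by resolving command-and-control domain names, so whoever controls those names controls where the bots connect. Once the seized names are re-pointed at a sinkhole the defender operates, beacons that used to reach the herder land on the sinkhole instead, which both severs the network and enumerates the still-infected hosts for cleanup. The example also shows the same idea from the network-defender side, scanning resolver logs for internal hosts that queried a seized name. All domain names, IP addresses and log lines are constructed for the example; the real Waledac domains are not reproduced.

```python
"""Defender-side model of a botnet C2 takedown by domain sinkholing.

Added example, not code from the original post or from Microsoft. Every
domain name, IP address and log line here is constructed for illustration.
"""
import re
from collections import Counter

# Constructed C2 names standing in for the domains named in a seizure order.
SEIZED_C2_DOMAINS = {"c2-alpha.example", "c2-beta.example"}
HERDER_IP = "203.0.113.7"    # constructed (TEST-NET-3)
SINKHOLE_IP = "192.0.2.10"   # constructed (TEST-NET-1)


class Resolver:
    """Toy authoritative DNS: whoever controls the zone decides where bots go."""

    def __init__(self, records):
        self.records = dict(records)

    def resolve(self, name):
        return self.records.get(name)

    def repoint(self, names, ip):
        """Model the court-ordered transfer: seized names now answer with the sinkhole."""
        for name in names:
            self.records[name] = ip


class Sinkhole:
    """Accepts bot beacons and records which hosts are still infected."""

    def __init__(self):
        self.beacons = Counter()   # bot_ip -> number of beacons received

    def receive(self, bot_ip):
        self.beacons[bot_ip] += 1

    def infected_hosts(self):
        return sorted(self.beacons)


def bot_beacon(bot_ip, domain, resolver, sinkhole):
    """One bot resolves its C2 domain and connects to whatever answers.

    Returns who the bot reached: 'herder', 'sinkhole' or 'none'.
    """
    ip = resolver.resolve(domain)
    if ip == HERDER_IP:
        return "herder"
    if ip == SINKHOLE_IP:
        sinkhole.receive(bot_ip)
        return "sinkhole"
    return "none"


def run_takedown(bot_ips):
    """Before/after view: beacons reach the herder, then only the sinkhole."""
    resolver = Resolver({d: HERDER_IP for d in SEIZED_C2_DOMAINS})
    sinkhole = Sinkhole()
    domains = sorted(SEIZED_C2_DOMAINS)

    before = Counter(bot_beacon(ip, domains[i % len(domains)], resolver, sinkhole)
                     for i, ip in enumerate(bot_ips))
    resolver.repoint(SEIZED_C2_DOMAINS, SINKHOLE_IP)
    after = Counter(bot_beacon(ip, domains[i % len(domains)], resolver, sinkhole)
                    for i, ip in enumerate(bot_ips))
    return {"before": dict(before), "after": dict(after),
            "infected_hosts": sinkhole.infected_hosts()}


# Constructed resolver log lines: "<timestamp> <client-ip> <qtype> <name>"
SAMPLE_DNS_LOG = [
    "2010-10-01T12:00:01Z 10.0.0.5 A c2-alpha.example",
    "2010-10-01T12:00:02Z 10.0.0.9 A mail.example",
    "2010-10-01T12:00:03Z 10.0.0.5 A c2-beta.example",
    "2010-10-01T12:00:04Z 10.0.0.22 A c2-beta.example",
    "malformed line with no structure",
]
_LOG_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (\S+)$")


def hosts_querying_c2(log_lines, c2_domains):
    """Internal hosts that resolved a seized C2 name: candidates for cleanup.

    Malformed lines are skipped rather than raising, since real logs contain them.
    """
    hits = Counter()
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        _ts, client, _qtype, name = m.groups()
        if name.lower().rstrip(".") in c2_domains:
            hits[client] += 1
    return dict(hits)


if __name__ == "__main__":
    print(run_takedown(["10.0.0.5", "10.0.0.9", "10.0.0.22"]))
    print(hosts_querying_c2(SAMPLE_DNS_LOG, SEIZED_C2_DOMAINS))
```

The design point is that nothing on the infected machines changes: the bots keep doing exactly what they did before, and it is the DNS answer, now under someone else's control, that decides whether that behaviour is harmful or merely observable.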

The legal procedure used in the case is a novel one in combating botnets.  Microsoft argued that the rarely granted ex parte relief was necessary to prevent Waledac’s herders from reorganizing Waledac’s control structure and destroying evidence before it could be shut down.  Because those responsible for a botnet can be hard to identify (Microsoft’s action was directed against 27 so-called “John Does”), one can imagine how difficult it would be to take one down without access to such relief.

Nevertheless, the approach presents some interesting questions.  For instance, courts as a rule are reluctant to deprive people of their property—or transfer control of property to another private entity—without a hearing.  The court did so here in light of the risks mentioned above (i.e., that evidence might be destroyed or the botnet control structure reorganized).  And, defendants appear to have waived their rights by failing to appear not just initially but in later stages of the legal process as well.  But, at least one observer has noted the peculiarity and secrecy of the procedures followed in this case and the due process issues they raise.  A particular concern with ordering the transfer of control of domains without notice is that parties that may not be intentionally responsible for the underlying bad conduct (e.g., those whose domains have been hacked) will nevertheless be affected until they can respond and resolve the problem.  Indeed, although Microsoft alleged in seeking the TRO that “Doe Defendants have registered [the] domains at issue in this motion solely to control and grow the Waledac botnet” and that “[t]here is no legitimate activity of these domains,” one domain owner told the Wall Street Journal that he was doing nothing wrong with the domain.  (In a posting on its site, Microsoft notes that it “worked with” that defendant and another entity “to successfully address the problems with their respective domains.”  It describes those efforts in more detail in a later court filing.)

Another question raised by this case is the nature of the injury that a plaintiff must allege to demonstrate that it has “standing” to pursue a case like the one Microsoft brought against Waledac.  The most apparent victims of a botnet may be spam recipients, owners of stolen personal data, and users of computers infected with code that dramatically slows performance.  In its complaint and supporting documentation, Microsoft asserted that it too was a victim of Waledac, because Waledac represented an unauthorized intrusion into its software; because many recipients of spam messages were Hotmail users; because many spam messages were made to appear to originate from Hotmail; because it cost Microsoft a lot of money to filter spam from Hotmail; because spam caused a major burden on Microsoft’s servers; and because consumers of Microsoft’s software products would incorrectly think that Waledac-related problems were Microsoft’s fault.  Microsoft said that it had to expend resources to assist customers and correct such misperceptions.  The sufficiency of these interests to establish standing for Microsoft was not fully explored in this case; no parties came forward to challenge Microsoft’s standing, and—in the absence of any opposition—the judge did not view it as an impediment to granting relief. 

The nature and immediacy of Microsoft’s injury in this case, along with the due process concerns discussed above, may lead some to question the appropriateness of enforcement actions like this one being brought by private entities rather than being reserved for government and law enforcement agencies.  It appears that the only previous issuance of an ex parte TRO to combat a botnet was at the request of the Federal Trade Commission.  On the other hand, given significantly limited law enforcement resources and the serious harm that major botnets can cause, private actions such as this one could represent an important new weapon in the fight against malware and spam.

The continued viability of strategies like the one Microsoft pursued will depend on the willingness of courts to grant the extraordinary form of relief that was granted in the Waledac case.  Parties going down this road will have to convince judges:

  • that the continued functioning of a botnet (a concept with which many judges may be totally unfamiliar) will cause irreparable harm to the party seeking relief if not halted immediately;
  • that it is necessary to immediately seize control over the assets of defendants without giving them advance notice or an opportunity to have a day in court; and
  • that the party seeking the TRO will likely succeed on the merits of its argument in a longer-term legal action.

Although the limits of the legal strategy employed in this case remain untested, there is no doubt that Microsoft and its lawyers have successfully employed a new tool in the continued fight against bot herders.

Bavarian Government Gets Up Close and Personal

Posted on July 7, 2008 - 17:05 by lmallek

The German state of Bavaria has approved laws that "allow the police to plant spyware" on the computers of suspected terrorists. While German federal laws restrict the government to infecting computers with email, Bavarian laws allow police to enter a suspect's home to physically infect the machine. According to The Register, Bavarian interior minister Joachim Herrmann "gave short shrift to [privacy] objections, stating that Bavaria is leading the field in 'internal security' in becoming the first German state to approve the plan."

This step taken by the Bavarian government "counters a ruling" earlier this year by Judge Hans-Juergen Papier in North Rhine-Westphalia. He opined that under regular circumstances spying on individuals was unconstitutional, and that permission of a judge would be required prior to implementing this type of surveillance during extreme situations.

In 2007, the internet was talking, though not over VOIP, about the Bavarian government looking to "monitor and record" Skype phone calls. Documents leaked through Wikileaks showed the thrifty Bavarian government haggling to get a better price on the products needed to invade their citizens' computers.

Zango unsuccessful in suits against anti-spyware companies

Posted on September 5, 2007 - 15:25 by egeorge

Adware company Zango has recently struck out in its lawsuits against two anti-spyware software vendors. Zango had used the suits to challenge makers of security software that labeled its products as spyware.

Zango’s suit against PC Tools was dropped last week. Zango’s corporate blog refers to the decision as a result of PC Tools’ modification of its software to warn against Zango software rather than automatically remove it. PC Tools, however, says it modified its software before Zango’s suit was ever filed, and hails Zango’s decision to drop the suit as a vindication.

One day later, a federal judge ruled against Zango in a similar case, this time against Kaspersky Lab. The ruling found that the federal Communications Decency Act, Section 230(c)(2), creates a “safe harbor” for producers of tools used to filter “objectionable content.” The judge noted that in the context of the safe harbor provision, objectionable content is not limited to content that is actually objectionable, but includes material that users and software providers consider to be objectionable. The court granted summary judgment for Kaspersky, effectively ending the case.

In affirming the rights of security software vendors to classify applications based on the vendors’ own guidelines, the Kaspersky ruling sends a clear message that software producers cannot use lawsuits or the threat of lawsuits to challenge security vendors’ decisions.