
Microsoft Corp. v. Does

United States District Court, E.D. Virginia, Alexandria Division

October 31, 2018

Microsoft Corporation, Plaintiff,
John Does 1-2, Defendants.


          Michael S. Nachmanoff, United States Magistrate Judge

         This matter comes before the Court on plaintiff Microsoft Corporation's (“plaintiff” or “Microsoft”) Motions for Default Judgment and Permanent Injunction (Dkt. Nos. 46 and 48).[1] Having reviewed the record and the pleadings, and for the reasons that follow, the undersigned Magistrate Judge recommends entering default judgment in plaintiff's favor and ordering a permanent injunction preventing defendants John Does 1-2 (“defendants” or “John Does”) from engaging in further harmful activities.

         I. Procedural Background

         On October 26, 2017, plaintiff filed a nine-count Complaint against defendants alleging that they established an internet-based cyber-theft operation, referred to as “Barium,” to steal highly sensitive information from plaintiff. Compl. (Dkt. No. 1) ¶¶ 1-2. Plaintiff alleged the following counts: a violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), id. at ¶¶ 62-67; a violation of the Electronic Communications Privacy Act, 18 U.S.C. § 2701 (“ECPA”), id. at ¶¶ 68-73; trademark infringement under the Lanham Act, 15 U.S.C. § 1114 et seq., id. at ¶¶ 74-79; false designation of origin under the Lanham Act, 15 U.S.C. § 1125(a), id. at ¶¶ 80-85; trademark dilution under the Lanham Act, 15 U.S.C. § 1125(c), id. at ¶¶ 86-90; common law trespass to chattels, id. at ¶¶ 91-98; unjust enrichment, id. at ¶¶ 99-104; conversion, id. at ¶¶ 105-10; and intentional interference with contractual relationships, id. at ¶¶ 111-16. Plaintiff sought a judgment in its favor, id. at ¶ 117; a declaration that defendants' conduct was willful and that they acted with fraud, malice, and oppression, id. at ¶ 118; a preliminary and permanent injunction enjoining defendants from engaging in harmful activity and giving plaintiff control over the domains, accounts, and profiles used by defendants, id. at ¶¶ 119-20; disgorgement of defendants' profits, id. at ¶ 122; and an award of actual, enhanced, exemplary, and special damages proven at trial, and attorneys' fees and costs, among other requested relief, id. at ¶¶ 121, 123-24.

         On the same day the Complaint was filed, plaintiff sought an Application for an Emergency Ex Parte Temporary Restraining Order and Order to Show Cause Re Preliminary Injunction (Dkt. No. 4) (the “Application”). On October 26, 2017, plaintiff filed a Motion for Protective Order Temporarily Sealing Documents until execution of the Application (Dkt. No. 12), which the Court granted on October 27, 2018 (Dkt. No. 24). That same day, the District Judge held a hearing on plaintiff's Application (Dkt. No. 27) and entered an Order temporarily restraining defendants, including persons in active concert or participation with defendants, from engaging in activities related to Barium (Dkt. No. 26). The Order further directed that the website operators and domain registry of the profiles and domain names at issue redirect the domain names to secure servers through the Domain Name System (“DNS”) and transfer full control of the profiles and all user accounts, pages, documents, posts, and similar content associated with such profiles to plaintiff, among other actions. Id. at 8. The Order set a hearing on the request for a preliminary injunction for November 17, 2017 and required plaintiff to serve defendants by any means authorized by law. The Order set a bond in the amount of $50,000.00, which plaintiff deposited with the Court on October 30, 2017 (Dkt. No. 32).

         On October 31, 2017, plaintiff filed a Notice of Execution of Ex Parte Temporary Restraining Order and Notice Re Unsealing of Case certifying that the Application had been executed and that the civil action may be immediately unsealed (Dkt. Nos. 28 and 29), which the Court granted on the same day (Dkt. No. 31). On November 17, 2017, the Court held a hearing on plaintiff's request for a preliminary injunction (Dkt. No. 35), which the Court granted (Dkt. No. 36). The Court issued a Scheduling Order on November 30, 2017 stating that the parties had until May 28, 2018 to complete discovery and that the civil action was administratively closed during the discovery period and would be reopened on June 22, 2018 (Dkt. No. 37).

         On May 21, 2018, plaintiff moved for an entry of default judgment (Dkt. No. 39), supported by a declaration of Michael Zweiback stating that plaintiff properly served process on defendants; however, defendants failed to answer or otherwise respond to the Complaint (Dkt. No. 40).[2] The Clerk of Court entered default against defendants on May 22, 2018 (Dkt. No. 41). On July 13, 2018, plaintiff filed a motion for a default judgment and for a permanent injunction (Dkt. Nos. 46 and 48). The hearing on plaintiff's motions was held on September 21, 2018 at which counsel for plaintiff appeared but no claimant appeared on behalf of defendants (Dkt. No. 53).[3]

         II. Factual Background

         The following facts are established by plaintiff's Complaint (Dkt. No. 1) and briefs in support of plaintiff's motion for default judgment and permanent injunction (Dkt. Nos. 47 and 49).

         Plaintiff is a corporation organized and existing under Washington state law with its headquarters and principal place of business in Redmond, Washington. Compl. (Dkt. No. 1) ¶ 3. “Plaintiff is a provider of the Windows® operating system and the Internet Explorer® web browser, and a variety of other software and services, including Microsoft Word, Microsoft PowerPoint, and cloud-based services….” Id. at ¶ 16. Due to the success of plaintiff's products and services and plaintiff's expenditure of significant marketing resources, plaintiff has generated goodwill with its customers that has developed into “strong and famous world-wide symbols that are well-recognized within its channel of trade.” Id. Additionally, plaintiff has registered trademarks for Microsoft, Windows, and Internet Explorer. Compl., Appx. C (Dkt. No. 1-3) 2-6.

         Defendants established an internet-based cyber-theft operation, “Barium,” which allowed defendants to break into plaintiff's and its customers' accounts and computer networks to steal highly sensitive information. Compl. (Dkt. No. 1) ¶ 1. To conduct the operation, defendants have created a series of accounts, profiles, and domain names used to operate and configure Barium. Id. at ¶¶ 6-7. The accounts and profiles that defendants use include those set forth in Appendix A attached to the Complaint (Dkt. No. 1-1) (“Barium Profiles”), and the domain names used include those set forth in Appendix B attached to the Complaint (Dkt. No. 1-2) (“Barium Command and Control Domains”). Id. at ¶¶ 6-7. Defendants jointly own, rent, lease, or otherwise have dominion over the Barium Profiles, the Barium Command and Control Domains, and related infrastructure and, through those instrumentalities, control and operate Barium. Id. at ¶ 8. Third parties VeriSign, Inc., VeriSign Information Services, Inc., and VeriSign Global Registry Services (collectively, “VeriSign”) maintain the domain name registry that oversees the registration of all domain names ending in “.com”, including defendants' domain names. Id. at ¶ 5.

         Barium targets high-value organizations holding sensitive data “by gathering extensive information about their employees through publicly available information and social media, and using that information to fashion phishing attacks intended to trick those employees into compromising their computers and networks, compromising legitimate enterprise software provider's products not protected by antivirus software, and disguising its activities using the names of [plaintiff] and other legitimate companies.” Id. at ¶ 17. To do so, Barium has used two methods to compromise victims' computers. Id. at ¶ 18. The first method involves “Barlaiy” or “PlugXL” malware, which primarily uses phishing techniques, and the second method involves “ShadowPad” malware, which is distributed through a third-party software provider's compromised update. Id. at ¶ 19.

         Under the first method, after selecting a victim organization, Barium will identify employees of the organization and attempt to ascertain their personal or work email addresses, in addition to gathering information from social media platforms. Id. at ¶ 20. Using a technique known as “spear phishing,” Barium sends the targeted individual an email specifically crafted from the information previously gathered to induce that individual to take some action that will lead to the compromise of their computer. Id. The phishing emails contain file attachments or links that lead to malicious executable code. Id. at ¶ 23. When the targeted individual clicks on one of these links or opens the files, the malware is installed on that individual's Windows-based computer. Id. at ¶ 24.

         Both “Barlaiy” and “PlugXL” malware are “remote access ‘trojans,’” meaning Barium is able to gather a victim's information, control a victim's device, install additional malware, and exfiltrate information from a victim's device. Id. at ¶ 25. To transmit stolen information to Barium and to execute additional instructions, the malware needs to communicate with external servers called “Command and Control” (“C&C”) servers. Id. at ¶ 27. To conceal the identity and location of C&C servers, Barium configures the malware to communicate with fake website “profile” pages that defendants have set up on legitimate websites, including Microsoft-branded websites as well as those of other well-known technology companies. Id. at ¶¶ 28, 30. Once installed on a victim's computer, the malware is designed to reach out to these fake profile pages and search for particular “text strings,” such as comments or random alphanumeric text, that can be decoded to allow the malware to locate and communicate with C&C servers. Id. at ¶ 29. Barium uses this mechanism to conceal the IP addresses of the C&C servers and to evade detection because, although defendants' accounts and profiles are fake, the websites being contacted are legitimate sites that many users visit for business or other legitimate purposes. Id. at ¶ 30.

         Barium's second method uses third-party software updates to deliver “ShadowPad” malware to Windows users to compromise victims' computers. Barium compromised a legitimate company, NetSarang Inc. (“NetSarang”), headquartered in South Korea with a United States subsidiary, that provides products that streamline data transfer over complex networks, including products that are specifically designed to operate on the Windows platform. Id. at ¶ 35. Barium was able to compromise NetSarang's products by modifying a Dynamic Link Library (“DLL”) file and injecting two different bodies of malicious code into the file, each heavily encrypted with advanced algorithms designed to conceal their true purpose. Id. at ¶ 36.

         Barium inserted the modified, malicious DLL file into the NetSarang “build environment,” which is a highly secured and controlled area with limited access where NetSarang creates the final versions of the software that are ultimately delivered to plaintiff's customers. Id. at ¶¶ 37-38. As a result, the DLL file was included in routine software updates for NetSarang products. Id. at ¶ 37. Any company using the affected NetSarang products and receiving updates would receive the malicious file through the software update. Id. at ¶ 38. Barium specifically injected the malicious file into five NetSarang products. Id.

         The ShadowPad malware utilizes a two-stage methodology to cause harm. Id. at ¶ 40. The first stage requires the malware to give the infected device a persistent identifier, meaning the malware identifies and communicates with C&C servers to generate a unique internet domain name based on the month and the year of the infection. Id. The infected device reaches out for instructions to the C&C domains, and this mechanism enables the malware to generate a new C&C domain every month. Id. The malware's operators use domain registrar QHolster to register these domain names, which requires the registrant to provide “WHOIS” data, meaning the registrant's full name, postal address, email address, phone number, administrative contact details, and technical contact details. Id. The ShadowPad malware uses a “Privacy Protection” service that removes from public view the WHOIS data used to register the domains and replaces it with generic information. Id. at ¶¶ 42-43.

         The ShadowPad malware does not communicate with the C&C server directly, but instead sends information and receives C&C instructions through the set of processes and servers that tell a computer attempting to visit a particular domain how to resolve a request for that domain and where to find the servers on the internet for content associated with that domain. Id. at ¶ 44. The malware first attempts to perform a customized domain lookup for a given C&C domain by using public DNS servers. Id. at ¶ 45. If the domain lookup fails, then the malware performs a domain name lookup using the DNS facilities that are locally present on the infected device. Id. The malware collects the user name, machine name, and domain name of the infected device and then communicates with the C&C infrastructure to send that information to Barium and to deliver instructions to the victim's device. Id. at ¶¶ 47, 47 n. 3. The malware waits for a custom encrypted response that contains a key to activate the second stage of the malware. Id. at ¶ 50. If the DNS response is incorrect, then the malware attempts to reconnect after eight hours. Id. The second stage allows Barium to customize the functionality of ...
