United States District Court, E.D. Virginia, Alexandria Division
REPORT & RECOMMENDATION
Michael S. Nachmanoff, United States Magistrate Judge
This matter comes before the Court on plaintiff Microsoft
Corporation's (“plaintiff” or
“Microsoft”) Motions for Default Judgment and
Permanent Injunction (Dkt. Nos. 46 and 48). Having reviewed
the record and the pleadings, and for the reasons that
follow, the undersigned Magistrate Judge recommends entering
default judgment in plaintiff's favor and ordering a
permanent injunction preventing defendants John Does 1-2
(“defendants” or “John Does”) from
engaging in further harmful activities.
On October 26, 2017, plaintiff filed a nine-count Complaint
against defendants alleging that they established an
internet-based cyber-theft operation, referred to as
“Barium,” to steal highly sensitive information
from plaintiff. Compl. (Dkt. No. 1) ¶¶ 1-2.
Plaintiff alleged the following counts: a violation of the
Computer Fraud and Abuse Act, 18 U.S.C. § 1030
(“CFAA”), id. at ¶¶ 62-67; a
violation of the Electronic Communications Privacy Act, 18
U.S.C. § 2701 (“ECPA”), id. at
¶¶ 68-73; trademark infringement under the Lanham
Act, 15 U.S.C. § 1114 et seq.,
id. at ¶¶ 74-79; false designation of
origin under the Lanham Act, 15 U.S.C. § 1125(a),
id. at ¶¶ 80-85; trademark dilution under
the Lanham Act, 15 U.S.C. § 1125(c), id. at
¶¶ 86-90; common law trespass to chattels,
id. at ¶¶ 91-98; unjust enrichment,
id. at ¶¶ 99-104; conversion, id.
at ¶¶ 105-10; and intentional interference with
contractual relationships, id. at ¶¶
111-16. Plaintiff sought a judgment in its favor,
id. at ¶ 117; a declaration that
defendants' conduct was willful and that they acted with
fraud, malice, and oppression, id. at ¶ 118; a
preliminary and permanent injunction enjoining defendants
from engaging in harmful activity and giving plaintiff
control over the domains, accounts, and profiles used by
defendants, id. at ¶¶ 119-20; to disgorge
defendants' profits, id. at ¶ 122; and to
award plaintiff actual, enhanced, exemplary, and special
damages proven at trial, and attorneys' fees and costs,
among other requested relief, id. at ¶¶
The same day the Complaint was filed, plaintiff sought an
Application for an Emergency Ex Parte Temporary
Restraining Order and Order to Show Cause Re Preliminary
Injunction (Dkt. No. 4) (the “Application”). On
October 26, 2017, plaintiff filed a Motion for Protective
Order Temporarily Sealing Documents until execution of the
Application (Dkt. No. 12), which the Court granted on October
27, 2018 (Dkt. No. 24). That same day, the District Judge
held a hearing on plaintiff's Application (Dkt. No. 27)
and entered an Order temporarily restraining defendants,
including persons in active concert or participation with
defendants, from engaging in activities related to Barium
(Dkt. No. 26). The Order further directed that the website
operators and domain registry of the profiles and domain
names at issue redirect the domain names to secure servers
through the Domain Name System (“DNS”) and
transfer full control of the profiles and all user accounts,
pages, documents, posts, and similar content associated with
such profiles to plaintiff, among other actions. Id.
at 8. The Order set a hearing on the request for a
preliminary injunction for November 17, 2017 and required
plaintiff to serve defendants by any means authorized by law.
The Order set a bond in the amount of $50,000.00, which
plaintiff deposited with the Court on October 30, 2017 (Dkt.
On October 31, 2017, plaintiff filed a Notice of Execution of
Ex Parte Temporary Restraining Order and Notice Re
Unsealing of Case certifying that the Application had been
executed and that the civil action may be immediately
unsealed (Dkt. Nos. 28 and 29), which the Court granted on
the same day (Dkt. No. 31). On November 17, 2017, the Court
held a hearing on plaintiff's request for a preliminary
injunction (Dkt. No. 35), which the Court granted (Dkt. No.
36). The Court issued a Scheduling Order on November 30, 2017
stating that the parties had until May 28, 2018 to complete
discovery and that the civil action was administratively
closed during the discovery period and would be reopened on
June 22, 2018 (Dkt. No. 37).
21, 2018, plaintiff moved for an entry of default judgment
(Dkt. No. 39), supported by a declaration of Michael Zweiback
stating that plaintiff properly served process on defendants;
however, defendants failed to answer or otherwise respond to
the Complaint (Dkt. No. 40). The Clerk of Court entered
default against defendants on May 22, 2018 (Dkt. No. 41). On
July 13, 2018, plaintiff filed a motion for a default
judgment and for a permanent injunction (Dkt. Nos. 46 and
48). The hearing on plaintiff's motions was held on
September 21, 2018 at which counsel for plaintiff appeared
but no claimant appeared on behalf of defendants (Dkt. No.
The following facts are established by plaintiff's Complaint
(Dkt. No. 1) and briefs in support of plaintiff's motion
for default judgment and permanent injunction (Dkt. Nos. 47
Plaintiff is a corporation organized and existing under Washington
state law with its headquarters and principal place of
business in Redmond, Washington. Compl. (Dkt. No. 1) ¶
3. “Plaintiff is a provider of the Windows®
operating system and the Internet Explorer® web browser,
and a variety of other software and services, including
Microsoft Word, Microsoft PowerPoint, and cloud-based
services….” Id. at ¶ 16. Due to
the success of plaintiff's products and services and
plaintiff's expenditure of significant marketing
resources, plaintiff has generated goodwill with its
customers that has developed into “strong and famous
world-wide symbols that are well-recognized within its
channel of trade.” Id. Additionally, plaintiff
has registered trademarks for Microsoft, Windows, and
Internet Explorer. Compl., Appx. C (Dkt. No. 1-3) 2-6.
Defendants established an internet-based cyber-theft operation,
“Barium,” which allowed defendants to break into
plaintiff's and its customers' accounts and computer
networks to steal highly sensitive information. Compl. (Dkt.
No. 1) ¶ 1. To conduct the operation, defendants have
created a series of accounts, profiles, and domain names used
to operate and configure Barium. Id. at ¶¶
6-7. The accounts and profiles that defendants use include
those set forth in Appendix A attached to the Complaint (Dkt.
No. 1-1) (“Barium Profiles”) and the domain names
used include those set forth in Appendix B attached to the
Complaint (Dkt. No. 1-2) (“Barium Command and Control
Domains”). Id. at ¶¶ 6-7. Defendants
jointly own, rent, lease, or otherwise have dominion over the
Barium Profiles, the Barium Command and Control Domains, and
related infrastructure and, through those instrumentalities,
control and operate Barium. Id. at ¶ 8.
Third-parties VeriSign, Inc., VeriSign Information Services,
Inc., and VeriSign Global Registry Services (collectively,
“VeriSign”) maintain the domain name registry
that oversees the registration of all domain names ending in
“.com”, including defendants' domain names.
Id. at ¶ 5.
Barium targets high-value organizations holding sensitive data
“by gathering extensive information about their
employees through publicly available information and social
media, and using that information to fashion phishing attacks
intended to trick those employees into compromising their
computers and networks, compromising legitimate enterprise
software provider's products not protected by antivirus
software, and disguising its activities using the names of
[plaintiff] and other legitimate companies.”
Id. at ¶ 17. To do so, Barium has used two
methods to compromise victims' computers. Id. at
¶ 18. The first method involves “Barlaiy” or
“PlugXL” malware, which primarily uses phishing
techniques, and the second method involves
“ShadowPad” malware, which involves distributing
malware through a third-party software provider's
compromised update. Id. at ¶ 19.
In the first method, after selecting a victim organization,
Barium will identify employees of the organization and
attempt to ascertain their personal or work email addresses,
in addition to gathering information from social media
platforms. Id. at ¶ 20. Using a technique known
as “spear phishing,” Barium sends the targeted
individual an email specifically crafted from the information
previously gathered to induce that individual to take some
action that will lead to the compromise of their computer.
Id. In the phishing emails, there are file
attachments or links that lead to malicious executable code.
Id. at ¶ 23. When the targeted individual
clicks on one of these links or opens the files, it causes
the malware to be installed on that individual's
Windows-based computer. Id. at ¶ 24.
“Barlaiy” and “PlugXL” malware are
“remote access ‘trojans,’” meaning
Barium is able to gather a victim's information, control
a victim's device, install additional malware, and
exfiltrate information from a victim's device.
Id. at ¶ 25. To transmit stolen information to
Barium and to execute additional instructions, the malware
needs to communicate with external servers called
“Command and Control” (“C&C”)
servers. Id. at ¶ 27. To conceal the identity
and location of C&C servers, Barium configures the
malware to communicate with fake website
“profile” pages that defendants have set up on
legitimate websites, including Microsoft-branded websites as
well as those of other well-known technology companies.
Id. at ¶¶ 28, 30. Once installed on a
victim's computer, the malware is designed to reach out
to these fake websites and search for particular “text
strings,” such as comments or random alphanumeric
text, that can be decoded and allow the malware to
communicate with C&C servers. Id. at ¶ 29.
Barium uses this mechanism to conceal the IP addresses of the
C&C servers and to evade detection because, although
defendants' accounts and profiles are fake, the general
websites being contacted are legitimate websites which many
users use for business or other legitimate purposes.
Id. at ¶ 30.
The second method uses third-party software updates to deliver
“ShadowPad” malware to Windows users to compromise
victims' computers. Barium compromised a legitimate
company, NetSarang Inc. (“NetSarang”),
headquartered in South Korea with a United States subsidiary,
that provides products that streamline data transfer over
complex networks, including products that are specifically
designed to operate on the Windows platform. Id. at
¶ 35. Barium was able to compromise NetSarang's
products by modifying a Dynamic Link Library
(“DLL”) file and injecting two different bodies
of malicious code into the file, each heavily encrypted with
advanced algorithms designed to conceal their true purpose.
Id. at ¶ 36.
Barium inserted the modified, malicious DLL file into the NetSarang
“build environment,” which is a highly secured
and controlled area with limited access where NetSarang
creates the final versions of the software that are
ultimately delivered to plaintiff's customers.
Id. at ¶¶ 37-38. By doing so, the DLL file
is included in routine software updates for NetSarang
products. Id. at ¶ 37. Any company using the
affected NetSarang products and receiving updates would
receive the malicious file through the software update.
Id. at ¶ 38. Barium specifically injected the
malicious file in five NetSarang products. Id.
The ShadowPad malware utilizes a two-stage methodology to cause
harm. Id. at ¶ 40. The first stage requires the
malware to give the infected device a persistent identifier,
meaning the malware identifies and communicates with C&C
servers to generate a unique internet domain name based on
the month and the year of the infected device. Id.
The infected device reaches out for instructions to the
C&C domains, which enables the malware to generate a new
C&C domain every month. Id. The malware uses
domain registrar QHolster to register these domain names,
which requires the registrant to provide “WHOIS”
data, meaning the registrant's full name, postal address,
email address, phone number, administrative contact details,
and technical contact details. Id. The ShadowPad
malware uses a “Privacy Protection” service that
enables it to remove from public view the WHOIS data used to
register the domains and replaces it with generic
information. Id. at ¶¶ 42-43.
The ShadowPad malware does not communicate with the C&C
server directly, but instead sends information and receives
C&C instructions through a set of processes and servers
that tell a computer attempting to visit a particular domain
how to resolve a request for that domain and where to find
the servers on the internet for content associated with that
domain. Id. at ¶ 44. The malware first attempts
to perform a customized domain lookup for a given C&C
domain by using public DNS servers. Id. at ¶
45. If the domain lookup fails, then the malware performs a
domain name lookup using the DNS facilities that are locally
present on the infected devices. Id. The malware
collects the user name, machine name, and domain name of the
infected device and then communicates with the C&C
infrastructure to send that information to Barium and to
receive instructions for the victim's device.
Id. at ¶¶ 47, 47 n. 3. The malware waits
for a custom encrypted response that contains a key to
activate the second stage of the malware. Id. at
¶ 50. If the DNS response is incorrect, then the malware
attempts to reconnect after eight hours. Id. The
second stage allows Barium to customize the functionality of