
COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF

Randall D. Haimovici (Pro Hac Vice Pending)
rhaimovici@shb.com
Rachael M. Smith (Pro Hac Vice Pending)
[email protected]
SHOOK, HARDY & BACON L.L.P.
One Montgomery, Suite 2700
San Francisco, California 94104-4505
Telephone: 415.544.1900
Facsimile: 415.391.0281

Tony M. Diab (Nevada State Bar No. 12954)
[email protected]
SHOOK, HARDY & BACON L.L.P.
5 Park Plaza, Suite 1600
Irvine, California 92614-2546
Telephone: 949.475.1500
Facsimile: 949.475.0016

Robert J.B. Flummerfelt (Nevada State Bar No. 11122)
[email protected]
Rami Hernandez (Nevada State Bar No. 13146)
[email protected]
CANON LAW SERVICES, LLC
7251 W. Lake Mead Blvd., Suite 300
Las Vegas, Nevada 89128
Telephone: 702.562.4144
Facsimile: 702.866.9868

Attorneys for Plaintiff MICROSOFT CORPORATION

UNITED STATES DISTRICT COURT

DISTRICT OF NEVADA

MICROSOFT CORPORATION,

Plaintiff,

vs. NASER AL MUTAIRI, an individual; MOHAMED BENABDELLAH, an individual; VITALWERKS INTERNET SOLUTIONS, LLC, d/b/a NO-IP.com; and DOES 1-500,

Defendants.

Case No.

FILED UNDER SEAL

COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF

Case 2:14-cv-00987-GMN-GWF Document 2 Filed 06/19/14 Page 1 of 27


Plaintiff Microsoft Corporation (“Microsoft”) complains and alleges as follows against Defendants Naser Al Mutairi, an individual; Mohamed Benabdellah, an individual; Vitalwerks Internet Solutions, LLC, d/b/a No-IP.com (“Vitalwerks” or “No-IP”), a Nevada company; and Does 1-500; who author, control, and/or distribute malicious software through approximately 18,472 sub-domains of Internet domains registered, owned, and controlled by No-IP (“Malware Domains”), set forth in Exhibit A to this Complaint, as follows:

NATURE OF ACTION

1. This is an action based upon: (1) The Computer Fraud and Abuse Act, 18 U.S.C. § 1030; (2) The Anti-Cybersquatting Consumer Protection Act, 15 U.S.C. § 1125; (3) Nevada’s Unlawful Acts Regarding Computers and Information Services, N.R.S. § 205.4765; (4) Trespass to Chattel; (5) Conversion; and (6) Negligence. Microsoft seeks injunctive and other equitable relief and damages against the cybercriminals who created, distributed, and infected computers with Bladabindi and Jenxcus malware, and against the registered owner of the Internet domains that have been used to facilitate the malware infection that has and will continue to cause irreparable harm to Microsoft, its customers, and the public.

THE PARTIES

2. Plaintiff Microsoft is a corporation organized under the laws of the State of Washington, having its headquarters and principal place of business in Redmond, Washington.

3. Defendant Naser Al Mutairi, an individual who on information and belief resides in Kuwait City, Kuwait, is the author, owner, and distributor of the Bladabindi (also known as njRAT) malware. Defendant Mutairi uses several online aliases or user names including “njq8,” “xnjq8x,” “njq8x,” and variations of “njrat.”

4. Defendant Mohamed Benabdellah, an individual who on information and belief resides in or around Mila, Algeria, is the author, owner, and distributor of Jenxcus (also known as H-worm), a malware that is closely related to Bladabindi. Defendant Benabdellah uses several online aliases or user names including “Houdini,” “houdinisc,” and “houdini-fx.”

5. Defendant Vitalwerks Internet Solutions, LLC, d/b/a No-IP.com is a company that is located at 5905 South Virginia Street, Suite 200, Reno, Nevada 89502. Vitalwerks is the registrar and registrant-owner of several Internet domains affiliated with malware distribution. On information and belief, Vitalwerks enables the infrastructure used to infect innocent victims worldwide.

6. Defendants Mutairi and Benabdellah provide free and open access to Bladabindi and Jenxcus as well as tools that can be used by other cybercriminals to create custom variations of this malware. On information and belief, Doe Defendants 1-500 have downloaded Bladabindi/Jenxcus and infected consumers’ computers with the malware, or variations thereof, either alone or in conjunction with others, and have thereby caused harm to Microsoft and consumers worldwide. These Defendants use the malware for illicit purposes, including but not limited to, recruiting victims’ computers for botnets. Microsoft is unaware of the true names and capacities of Doe Defendants 1-500, and therefore sues these Doe Defendants under fictitious names. Microsoft will amend this Complaint to allege the Doe Defendants’ true names and capacities when ascertained. Microsoft will exercise due diligence to determine Doe Defendants’ true names, capacities, and contact information, and to effect service upon those Doe Defendants.

7. The actions and omissions alleged in this Complaint were undertaken by each Defendant individually, were actions and omissions that each Defendant authorized, controlled, directed, or had the ability to authorize, control or direct, and/or were actions and omissions for which each Defendant is liable. Each Defendant aided and abetted the actions of the Defendants as set forth below, in that each Defendant had knowledge of those actions and omissions, provided assistance, and benefited from those actions and omissions, in whole or in part. Each of the Defendants was the agent of each of the remaining Defendants, and in doing the things alleged in this Complaint, was acting within the course and scope of such agency and with the permission and consent of other Defendants.

JURISDICTION AND VENUE

8. This action arises out of Defendants’ violation of the Computer Fraud and Abuse Act (18 U.S.C. § 1030) and the Anti-Cybersquatting Consumer Protection Act (15 U.S.C. § 1125). Therefore, the Court has subject matter jurisdiction of this action pursuant to 28 U.S.C. § 1331. This is also an action for Unlawful Acts Regarding Computers and Information Services (N.R.S. § 205.4765), trespass to chattel, conversion, and negligence, of which this Court has supplemental jurisdiction pursuant to 28 U.S.C. § 1367.

9. Defendants Mutairi, Benabdellah, and Does 1-500 (“Malware Defendants”) have directed actions at Nevada, including the division of Las Vegas, by directing malicious computer code at the computers of individual users located there, and infecting those user computers with the malicious code, which is used to injure Microsoft, its customers and the general public. Microsoft is aware of over 1200 computers in Las Vegas alone that have encountered the Defendants’ malware. With this malware, Defendants are able to steal login credentials, such as user names and passwords, from victims’ computers, and set up networks of computers that are under their control. The following is a map showing the concentration of these computers in Nevada, which shows the predominant area of infections occurring in Las Vegas.

[Fig. 1: map showing the concentration of these computers in Nevada]

10. Defendant Vitalwerks is a limited liability company registered in and operating under the laws of Nevada. This Defendant conducts business in the state by offering Dynamic Domain Name System and other domain hosting services through its website, www.no-ip.com, where consumers located in Nevada and elsewhere can sign up for free and paid services. Defendant’s services are used to facilitate the Malware Defendants’ computer hacking activities.

11. Additionally, Defendant Vitalwerks is on notice that its services are being used to support criminal and malicious activities directed at hundreds of thousands of computers across the United States, including those located in the state of Nevada and the city of Las Vegas. Defendant has a contractual obligation to take reasonable and prompt steps to investigate and respond to reports of Internet or computer abuse, and the company has also made representations to the public that it has an “abuse team” to police and take action against such malicious activity. Yet Defendant has failed to take sufficient action to stop, prevent, or effectively control this malicious conduct in breach of its contractual obligations and best practices of the industry, causing further harm to Nevada and Las Vegas residents.

12. All Defendants have undertaken the foregoing acts with knowledge that such acts would cause harm through user computers located in Nevada, thereby injuring Microsoft, its customers, and others in Nevada and elsewhere in the United States. Therefore, this Court has personal jurisdiction over them.

13. Pursuant to 28 U.S.C. § 1391(b), venue is proper in this judicial district. A substantial part of the events or omissions giving rise to Microsoft’s claims occurred in this judicial district, and a substantial portion of the property and individuals harmed through such acts are located in this district. A substantial number of computers infected with malware are located in the state of Nevada and specifically the city of Las Vegas. Venue is also proper in this judicial district under 28 U.S.C. § 1391(c) because the Defendants are subject to personal jurisdiction in this judicial district.

FACTUAL BACKGROUND

Overview of No-IP and Dynamic DNS

14. According to Defendant Vitalwerks’ Terms of Service located on the No-IP.com website, “No-IP.com is an Internet-based Web site that offers DNS Hosting, dynamic DNS, URL Redirection, email hosting, domain name registration, server monitoring, and software utilities.” No-IP provides free Dynamic DNS services to individuals who would like to host a website on their computers or servers that have dynamic Internet Protocol (“IP”) addresses.

15. The Domain Name System, or DNS, is the system by which computers connected to the Internet locate and communicate with other computers. A domain is simply a network location. Although domains are often associated with websites, they can also be connection points for computers with no website interface. When a computer user types an Internet address into his web browser such as www.microsoft.com, the user’s computer must resolve the domain name (microsoft.com) into an IP address (12.10.38.33). Once the IP address is known, the computer will be able to connect to the computer or server that hosts the microsoft.com website.

16. A computer will not have IP addresses for every computer on the Internet stored in its memory. Instead, this information is stored on many DNS or name servers. Collectively, these servers constitute an IP address database that serves as an address book for the Internet. If a person wants to connect to a particular domain, that person’s computer will need to request the IP address from the DNS server, which will ultimately submit the request to the name server for that domain.

17. When a user enters www.microsoft.com into a web browser, his computer will reach out to a local DNS server requesting the site’s IP address. The local DNS server will forward this request to an upstream DNS server, and it will reply to the local DNS server with the IP address of the authoritative name server for microsoft.com. The local DNS server will then contact the authoritative name server and request the IP address for microsoft.com, and the authoritative name server will respond with 12.10.38.33. The user’s computer can then connect with the computer that hosts the microsoft.com website.

18. Computers can have either static or dynamic IP addresses. When a computer has a static or permanent IP address assigned to it, that address will be stored in the DNS database. When a request is made for the IP address for that computer’s domain, the requesting computer will be directed to the authoritative name server that will have the correct IP address. However, not all computers have static IP addresses. Internet Service Providers typically provide their customers with dynamic, or changing, IP addresses because this is a more cost-effective way to do business. Instead of having an IP address for every customer subscribing to its Internet service, the ISP will have a smaller number of IP addresses, and it will lease an IP address to its customers’ computers for a defined period of time. When the lease is up, the computer is assigned a different IP address. Some providers will assign a new IP address to a computer every time it connects to the Internet. So if a computer has a dynamic IP address, the computer’s domain name will not always point back to the same IP address. This makes it difficult for other computers to resolve the dynamic IP address computer because it may not be possible to locate a DNS server that has the domain’s current IP address.

19. No-IP offers a free service that will constantly update IP address changes with DNS servers so that a computer user with a dynamic IP address can have a domain name that will always point back to his computer. If a user would like to subscribe to No-IP’s free Dynamic DNS service, he can do so through No-IP’s website. After creating a user name and password and giving an e-mail address, the subscriber will receive up to three domain names, which will expire in 30 days unless the subscriber renews his free service. The subscriber installs No-IP’s Dynamic Update Client to his computer, and this program will update the computer’s changing IP address to No-IP’s name servers so that the subscriber’s domain name will always point to the current IP address.

No-IP Leases Its Sub-domains to Its Free Subscribers

20. No-IP is the owner and registered name holder of domains that it uses for its free Dynamic DNS Service (“No-IP domains”). As part of its free service, No-IP does not register a new domain name to its subscriber. Instead, No-IP allows the subscriber to use a “sub-domain” of one of the company’s registered domain names subject to No-IP’s Terms of Service. A sub-domain is essentially a sub-address of another domain. For example, Defendant Vitalwerks owns the domain “no-ip.biz,” but it leases the sub-domain “thebest007.no-ip.biz” to a free Dynamic DNS subscriber subject to the Terms of Service set forth on No-IP’s website. The free subscriber must select which No-IP domain he would like to use (e.g., no-ip.biz), but he can create his own sub-domain name (e.g., thebest007).

21. By leasing to subscribers a sub-domain of one of its registered domains, many of the reporting and accountability requirements imposed by authorities who regulate DNS are not followed.

22. Each Top Level Domain (this is the part of the domain name after the period such as “.com,” “.net,” or “.edu”) is controlled by a registry operator. For example, the “.com” TLD is operated and controlled by Verisign, Inc. If a person wishes to register a domain name ending in “.com,” he must find a registrar that is authorized by Verisign to register .com domain names.


23. A registry operator oversees the administration, regulation, and security of the TLD by setting forth rules and regulations that must be followed by registrars, or entities that are authorized to register domain names for that TLD. For an entity to become a registrar, it must agree to be bound by the registry operator’s rules and regulations (usually by entering into a Registry-Registrar Agreement) as well as become an accredited registrar with Internet Corporation for Assigned Names and Numbers, or ICANN. ICANN is the organization that oversees the Domain Name System, and it sets forth regulations that must be followed by registrars and registered name holders.

24. Defendant Vitalwerks is a registrar authorized by the relevant registry operators to register domain names ending in .biz, .com, .info, .name, .net, .org, .pro, and .tel. Pursuant to the agreements with ICANN and the registry operators, Defendant is required to make certain information publicly available for each new domain name it registers, which includes the registered domain name, the registered domain holder’s name and address, and the name, address, e-mail address, telephone number, and fax number for the domain name’s technical and administrative contacts.

25. Defendant Vitalwerks is the registrar and registrant of the No-IP domains. However, because Defendant leases sub-domains of its registered domains to its free subscribers, Defendant is not expressly required to make the identities and contact information of its sub-domain subscribers publicly available. And in fact, Defendant does not collect, store, or make public this information about its sub-domain users. This causes its service to be favored among cybercriminals.

Investigation into Malware Threats Uncovered Abuse of No-IP

26. Dynamic DNS is a vital part of the Internet because it allows anyone to have a domain name even though they have a changing IP address. However, if not properly managed, a Dynamic DNS service can be susceptible to abuse.

27. In early 2014, Microsoft began investigating the top malware threats impacting its customers. To do this, Microsoft began to monitor data it was receiving from anti-malware utilities running on its consumers’ computers. When malware is detected and cleaned, it sends data back to Microsoft, and from this data, Microsoft can determine which malware was removed and whether the malware was trying to communicate with other computers. What Microsoft determined from this initial investigation was that in a significant number of cases, the malware was programmed to reach out and communicate with a No-IP sub-domain, owned and leased by Defendant Vitalwerks as part of its free Dynamic DNS service.

28. Further investigation revealed that No-IP is functioning as a major hub for 245 different types of malware circulating on the Internet. The figure below shows the diversity of malware that No-IP supports, each a threat to Microsoft and its consumers.

[Fig. 2: Diversity of Malware]

29. Through No-IP sub-domains, a very large number of small, transient web addresses are provided a continuous Internet presence. For example, malware on a person’s infected computer might be programmed to contact “hacker-0005.no-ip.biz.” The person’s computer would first contact no-ip.biz to get the address of the virus sub-domain, which has a dynamic IP address and is frequently changing. The name server for no-ip.biz, however, would have the current IP address due to the Dynamic Update Client constantly updating No-IP’s servers, and the name server would be able to direct the person’s computer onward. Thus, the Dynamic DNS system provides computers that move from IP address to IP address a stable domain name for malware infected computers to contact. In the example above, the hacker-0005.no-ip.biz sub-domain can operate from a changing set of IP addresses. As long as that sub-domain updates no-ip.biz as to its current IP address, malware infected machines attempting to reach it will always be able to do so.
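The pattern paragraph 29 describes, one stable sub-domain name answered from a changing set of IP addresses, is visible in a network's own DNS resolver logs. The following is an added example, not part of the complaint and not Microsoft's tooling: it assumes a simple four-field log format, and every log line, client address and the names homecam.zapto.org and not-no-ip.biz are constructed for illustration (hacker-0005.no-ip.biz is the complaint's own illustrative name).

```python
"""Triage DNS resolver logs for dynamic-DNS sub-domains with changing answers."""
from datetime import datetime

# Parent zones to watch. no-ip.biz and zapto.org are the two No-IP domains
# named in the complaint; a real deployment would load a maintained list.
DDNS_ZONES = ("no-ip.biz", "zapto.org")

# Constructed sample log (assumed format): timestamp client qname answer.
# Answers use RFC 5737 documentation ranges; clients use RFC 1918 space.
SAMPLE_LOG = """\
2014-06-01T08:00:12 10.0.0.21 hacker-0005.no-ip.biz 198.51.100.7
2014-06-01T08:00:15 10.0.0.34 www.example.com 192.0.2.10
2014-06-01T14:10:02 10.0.0.21 hacker-0005.no-ip.biz 203.0.113.44
2014-06-02T09:30:40 10.0.0.57 Hacker-0005.NO-IP.biz. 203.0.113.90
2014-06-02T09:31:00 10.0.0.34 homecam.zapto.org 198.51.100.23
2014-06-03T09:31:05 10.0.0.34 homecam.zapto.org 198.51.100.23
2014-06-03T10:00:00 10.0.0.21 not-no-ip.biz 192.0.2.55
malformed line
"""


def ddns_zone(qname, zones=DDNS_ZONES):
    """Return the watched zone that qname is a sub-domain of, else None.

    Matching is on a label boundary, so "not-no-ip.biz" (a different
    registered domain) and the bare apex "no-ip.biz" do not match.
    """
    name = qname.rstrip(".").lower()
    for zone in zones:
        if name.endswith("." + zone):
            return zone
    return None


def parse_line(line):
    """Parse one log line into (time, client, qname, answer); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, answer = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return when, client, qname.rstrip(".").lower(), answer


def summarize(log_text, zones=DDNS_ZONES):
    """Collect, per dynamic-DNS name, the answers seen and the clients asking."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not fit the assumed format
        when, client, qname, answer = rec
        zone = ddns_zone(qname, zones)
        if zone is None:
            continue  # not under a watched dynamic-DNS zone
        s = stats.setdefault(qname, {"zone": zone, "answers": set(),
                                     "clients": set(),
                                     "first": when, "last": when})
        s["answers"].add(answer)
        s["clients"].add(client)
        s["first"] = min(s["first"], when)
        s["last"] = max(s["last"], when)
    return stats


def flag_churn(stats, min_answers=2):
    """Names resolved to at least min_answers distinct IPs in the log window.

    Changing answers are normal for dynamic DNS, so this is a triage list
    of names and querying clients to investigate, not a verdict.
    """
    return sorted(n for n, s in stats.items()
                  if len(s["answers"]) >= min_answers)


if __name__ == "__main__":
    results = summarize(SAMPLE_LOG)
    for name in flag_churn(results):
        entry = results[name]
        print(name, len(entry["answers"]), "answers; clients:",
              ", ".join(sorted(entry["clients"])))
```
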

30. Dynamic DNS can be exploited to support and monetize cybercrime activities. This fact is evident from the massive number of malware supported by No-IP domains. By studying thousands of samples of malware, Microsoft has been able to identify approximately 18,472 sub-domains of No-IP that are used by cybercriminals, and there are likely many more. Other researchers have observed the same. In April 2013, one researcher identified No-IP as the most used Dynamic DNS service for malicious purposes. Less than a year later, another security researcher concluded the same. For example, sub-domains of “zapto.org” (a No-IP domain) were found to be blocked 100% of the time by web browsers based on the domain’s reputation for being associated with malicious activity. Moreover, of the top Dynamic DNS domains most abused by malicious actors, No-IP domains had a higher number of malware samples than any other Dynamic DNS domain. The great variety and quantity of malware using No-IP sub-domains as infrastructure is testament to the utility of this kind of system for those engaged in illegal Internet activities. The top six types of malware currently using No-IP domains are described in the table below.

| Malware | Purpose |
| --- | --- |
| Bladabindi/Jenxcus | A family of Remote Access Trojan malware with several components including key logger and backdoor. |
| Fynloski | A family of Remote Access Trojan malware whose different variants include Trojan Droppers, backdoor Trojans, and unauthorized access and control of an affected computer. |
| Sisron | A group of Trojans that perform a variety of common malware behaviors. |
| Rebhip | A family of worm malware that steals sensitive information from the victim’s computer. |
| Bifrose | A backdoor Trojan that connects to remote IP addresses and allows attacker to access the victim’s computer and perform various actions. |
| Comrerop | Downloads additional threats onto the victim’s computer. |

31. These categories are explained in the following table.

| Malware Type | Purpose |
| --- | --- |
| Backdoor | Allows an attacker to perform at least the same activity as the user that is compromised. This includes turning on web camera and eavesdropping via microphone, taking screenshots, copying/moving/deleting files on the user’s system, and keystroke logging. |
| Trojan | Packaged as legitimate software, this malware contains code to compromise a victim’s computer by installing one of the other listed types of additional malware. |
| Trojan Dropper | An application whose sole purpose is to download and execute software on a victim’s computer. Also used to denote an application that is downloaded and executed on a victim's computer. |
| Trojan Downloader | An application whose sole purpose is to download files onto a victim’s computer. Also used to denote an application that is copied to a victim's computer. |
| Keylogger | Password Stealer. This type of malware logs user keystrokes or retrieves text typed by the user with the sole purpose of obtaining user credentials. |
| Remote Access | An application that allows remote connections to a victim’s computer. This program, once run on a computer, allows visual/keyboard/mouse/audio control over victim’s computer. |

Defendant Vitalwerks Is on Notice of the Dynamic DNS Abuse and Has Failed to Take Corrective Action

32. The Internet security community has noticed the abuse occurring on No-IP’s sub-domains. In April 2013, OpenDNS published an article online detailing its investigation into Dynamic DNS abuse, and it identified No-IP sub-domains as the most used for malicious intent of any other provider. No-IP published the following response, representing that the company had a strict abuse policy and had an abuse team to combat computer fraud and crimes:

At No-IP, we have a very strict abuse policy. Our abuse team is constantly working to keep our domains free of spam and malicious activity. Even with such precautions, our services do fall prey to cyberscammers and spammers. We highly encourage our users and others to let us know if they come across a hostname that isn’t abiding by our Terms of Service. We dislike spammers and scammers just as much as everyone else. To report a violation of our TOS or any other abuses of our services, please email [email protected].

33. Despite its representation of having a “very strict abuse policy,” the abuse on No-IP sub-domains continued. Another Internet security group, Cisco, published an article on February 11, 2014 that again outlined the extensive abuse occurring on No-IP domains, including the distribution of malware. No-IP published a similar response and even provided that the company “work[s] with law enforcement daily to ensure that we are doing our part to keep the internet safe.”

34. OpenDNS Security Labs and Cisco are not the only security firms that have reported on the No-IP abuse. Other firms such as FireEye, Symantec, and General Dynamics have published reports detailing this abuse. The report Symantec published in March 2013 specifically identifies a group of Bladabindi malware distributors that is using No-IP sub-domains.


35. Defendant Vitalwerks directs visitors to its website to email the company at [email protected] to report violations of its Terms of Service. Pursuant to No-IP’s Terms of Service, attached as Exhibit B, subscribers are prohibited from engaging in the activities that Internet security firms have noticed are occurring through the No-IP domains. These prohibitions include abusing or fraudulently using the No-IP service, interfering or tampering with another subscriber’s use of the service, or any use that violates local, state, or federal law or otherwise violates Internet regulations, policies, or procedures. No-IP expressly prohibits particular types of abuse as well, such as sending unsolicited e-mail, Denial of Service attacks, and causing or attempting to cause harm to another computer or network.

36. Although Defendant Vitalwerks is on notice and should be aware that its services are heavily abused, it has failed to take sufficient steps to correct, remedy, or prevent the abuse and to keep its domains free from malicious activity. In its report, Cisco recommended that No-IP could implement a security measure, called DNS Response Policy Zone, that could be used to block malicious traffic. Additionally, other security measures exist that would curtail the malicious abuse of the No-IP domains, such as the use of a web reputation service. However, on information and belief, Defendant Vitalwerks has failed to employ the best practices available to stop the abuse. After the February 2014 Cisco report was published, Microsoft continues to see 2,000-3,000 new unique malware samples per month that are supported by No-IP.

The Majority of Malware Using No-IP is Bladabindi/Jenxcus

37. By far, the majority of malware using No-IP domains is Bladabindi and a related

malware called Jenxcus. Microsoft’s investigation thus focused on this family of malware.

38. Defendant Mutairi created the Bladabindi malware and Jenxcus malware that is

closely related in function to Bladabindi. He promotes its use to other cybercriminals by making the

malware publicly available for download, publishing updates to the malware online, and providing

instructions and tutorials on how to use and customize the malware. The following is a screen shot

of a publicly-available YouTube tutorial that specifically instructs the viewer to obtain a No-IP

account:

39. Defendant Benabdellah created a popular variant of the Jenxcus malware. Bladabindi

and Jenxcus share a common code base, and on information and belief, Defendant Benabdellah used

the code for Bladabindi to create his Jenxcus malware.

40. Bladabindi/Jenxcus malware can be downloaded by other cybercriminals who then

can use the malware’s “dashboard” to customize the malware to suit their needs. The dashboard is a

user interface that allows the user to customize the malware and control the infected computers. The

dashboard can display a list of all infected computers’ IP addresses and locations, and it can even

display real time screen shots of the infected computers’ desktop. Below is a screenshot of a

dashboard for Bladabindi, also known as the njRAT dashboard, showing what information is

available to the Malware Defendant once he has control over an infected computer.

Fig. 3

41. Malware Defendants have distributed and infected user computers with

Bladabindi/Jenxcus. Microsoft has detected over 7,486,833 instances of Windows computers that

have encountered one or more versions of Bladabindi or Jenxcus malware in the past year. This

likely represents only a small subset of the number of computers because Microsoft is only able to

monitor machines running its anti-malware software. Based on market share data, the total number

of detections over the past year may easily be two to three times this amount.

Bladabindi/Jenxcus Infected Computers Become Part of a Botnet

42. When a computer is infected with Bladabindi or Jenxcus, it becomes part of a

“botnet.” A botnet is a collection of individual computers, each running malware that allows

communications between the infected computers to one or more other computers controlled by the

distributor of the malware, typically referred to as the “command and control,” as shown in the

figure below.

[Figure: botnet diagram with a bot herder, a command & control server (Dashboard), and infected victim computers (“bots”)]

Fig. 4

Fig. 5

43. Through the command-and-control computer or computers, cybercriminals or “bot

herders” are able to control the infected computer, steal information from the infected computer, and

provide instructions or additional malware modules to the infected personal computers and upload

data from them. Cybercriminals often use botnets because of their ability to support a wide range of

illegal conduct, their resilience against attempts to disable them, and their ability to conceal the

identities of the malefactors controlling them.

44. Botnets provide a very efficient means of controlling large numbers of computers and

targeting any action internally against the contents of those computers or externally against other

computers on the Internet. The third parties running the botnet can use the network of infected

personal computers for various nefarious and criminal activities including spam, denial of service

attacks on other computers connected to the Internet, theft of financial and banking data,

eavesdropping, stalking, and other schemes. Access to the compromised personal computers can

also be sold, leased, or swapped by one criminal group to another.

45. Microsoft has carefully studied the Bladabindi and Jenxcus botnet architecture,

design, and functions. A Bladabindi/Jenxcus botnet consists of two tiers: the infection tier and the

command-and-control tier. The infection tier is comprised of infected personal computers owned by

innocent and unsuspecting people. These might be office or home desktop computers, laptop

computers, computers in public libraries, and so forth. Computers can become infected in one of

several ways. A person may use an infected thumb-drive borrowed from a friend or colleague that

contains the malware; access a malicious link or hacked website on which the malware downloader

is staged; or download other malware containing instructions to download Bladabindi or Jenxcus. In

fact, Jenxcus is particularly infectious when spread through thumb-drives because the infection

happens automatically when a user inserts a thumb-drive into the infected computer instead of

requiring the botnet operator to enable this function through the dashboard.

46. Once Bladabindi/Jenxcus has been downloaded, in some instances, the user still

needs to access the malicious file for the malware to become active. Here, some forms of the

malware trick consumers into opening and running the file by disguising itself as a legitimate file.

The malware uses deceptive file names and icons that are familiar to the user, such as

“MyPictures.exe,” or that entice the user to open the file like “StartupFaster.exe” or

“NewDocument.exe.” Some Jenxcus variations create a shortcut file containing the malware that

has the same name and icon of a file present on the user’s thumb-drive. This method of mimicking

the user’s actual files is designed to ensure that the user will click on the file and activate the

malware.

47. When the malware is run, it will copy itself to a location on the user’s computer that

ensures that the malware will run every time the computer is started. The malware avoids detection

because it disguises itself as a critical process running on the user’s machine. The spread of the

malware in this way is not related to any vulnerability in Microsoft’s systems, but is instead

achieved by misleading people into taking steps that result in the infection of their computers.

48. Once a computer is infected with the malware and the malware has been activated,

the malware will instruct the computer to contact the botnet controller’s command-and-control

computer. The command-and-control is the second tier of the botnet. Typically, botnets have many

command-and-control computers in this tier, which are in turn controlled by a bot herder. In

contrast, a Bladabindi/Jenxcus botnet consists of one command-and-control computer through which

a single hacker (a Malware Defendant) communicates and controls the infected computers through

the malware’s dashboard. However, there can be many Bladabindi/Jenxcus botnets at any given

time, each one controlled by a different Malware Defendant, creating a syndicate of botnets.

49. The infected computer will contact the command-and-control computer to let it know

that the malware has been activated and that the computer is ready to receive instructions from a

Malware Defendant. When a Malware Defendant creates his version of Bladabindi/Jenxcus, he

programs the malware to let the infected computer know to reach out to a specific domain, which

will resolve to the IP address for Malware Defendant’s command-and-control computer, as depicted

in the diagram below. Once the infected computer is directed to the command and control, the

Malware Defendant can then directly communicate with the infected computer.

[Figure: pie chart, “Bladabindi/Jenxcus Malware Domains”: NOIP 11612 (93%); OTHERS 936 (7%)]

50. No-IP domains are a significant part of the botnet infrastructure. Without No-IP

domains, the infected computers would not be able to locate the Malware Defendants’ command-

and-control computers, which have dynamic IP addresses. Through No-IP’s Dynamic DNS service,

an infected computer is able to locate the command-and-control through the No-IP sub-domain. No-

IP domains are the necessary means by which the first point of contact occurs between the infection

tier and the command-and-control tier.

51. No-IP is the predominant Dynamic DNS service used by the Malware Defendants for

Bladabindi/Jenxcus botnet communication. As shown in the figure below, out of all Dynamic DNS

providers, No-IP domains are used 93% of the time to support Bladabindi/Jenxcus infections.

Fig. 6

Fig. 7
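The lookup pattern described in paragraphs 49 through 51 and the DNS Response Policy Zone measure mentioned in paragraph 36, as an added example that is not part of the complaint: a defender-side triage of resolver query logs that flags repeated lookups of dynamic DNS sub-domains and sub-domains containing the terms “Microsoft” or “Windows,” and emits response policy zone records for the flagged names. The provider zones, the log format, and the log lines are constructed placeholders (assumptions), not data from the case.

```python
"""Added example: triage resolver query logs for dynamic-DNS lookups.

Every zone name, client address and log line below is constructed.
"""
from collections import Counter
from typing import NamedTuple, Optional

# Assumption: zones run by dynamic DNS providers, maintained by the defender.
# Placeholder names only; substitute the provider zones seen on your network.
DYNDNS_ZONES = ("ddns.example", "dyn.example.net")

# Terms the complaint says appear in abusive sub-domain names.
BRAND_TERMS = ("microsoft", "windows")

# Constructed resolver log, format: "<time> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2014-06-19T10:00:01Z 10.0.0.21 www.example.org A
2014-06-19T10:00:05Z 10.0.0.21 host7.ddns.example A
2014-06-19T10:05:05Z 10.0.0.21 host7.ddns.example A
2014-06-19T10:10:05Z 10.0.0.21 HOST7.ddns.example. A
2014-06-19T10:11:00Z 10.0.0.34 windows-update.dyn.example.net A
2014-06-19T10:12:00Z 10.0.0.34 notddns.example A
2014-06-19T10:13:00Z 10.0.0.40 cam.ddns.example A
malformed line
"""


class Finding(NamedTuple):
    client: str
    qname: str
    zone: str
    count: int
    reasons: tuple


def normalize(qname: str) -> str:
    """DNS names are case-insensitive; drop the root dot as well."""
    return qname.rstrip(".").lower()


def match_zone(qname: str) -> Optional[str]:
    """Return the provider zone if qname is a strict sub-domain of one.

    Matching on a label boundary keeps 'notddns.example' from matching
    'ddns.example'; the zone apex itself is not a customer sub-domain.
    """
    name = normalize(qname)
    for zone in DYNDNS_ZONES:
        if name.endswith("." + zone):
            return zone
    return None


def parse_line(line: str):
    """Return (client, qname) for an address query, or None if unusable."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("A", "AAAA"):
        return None
    return parts[1], normalize(parts[2])


def triage(log_text: str, min_queries: int = 3) -> list:
    """Flag (client, name) pairs that look like check-ins rather than one-off use.

    A single lookup of a dynamic DNS name is ordinary; a pair is reported
    only when the lookup repeats or the sub-domain imitates a brand.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and match_zone(rec[1]):
            counts[rec] += 1

    findings = []
    for (client, qname), n in sorted(counts.items()):
        zone = match_zone(qname)
        sub = qname[: -len(zone) - 1]  # labels to the left of the zone
        reasons = []
        if n >= min_queries:
            reasons.append("repeated-lookup")
        if any(term in sub for term in BRAND_TERMS):
            reasons.append("brand-term")
        if reasons:
            findings.append(Finding(client, qname, zone, n, tuple(reasons)))
    return findings


def rpz_records(findings) -> list:
    """Response policy zone lines for reviewed names.

    'CNAME .' is the RPZ action that answers NXDOMAIN; owner names are
    relative to the policy zone's $ORIGIN.
    """
    return sorted({f"{f.qname} CNAME ." for f in findings})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("\n".join(rpz_records(hits)))
```

The flagged names are candidates for analyst review before they are loaded into a policy zone, since dynamic DNS providers also serve legitimate subscribers.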

Bladabindi/Jenxcus Gives Malware Defendants Control Over Consumer Computers

52. Once the computer is infected with Bladabindi or Jenxcus, the Malware Defendants

gain control over the consumers’ computers, and they can conduct a variety of illegal and harmful

activities, including accessing the user’s files, turning on the computer’s video camera or

microphone to record victims (which includes minors), recording keystrokes to obtain sensitive

information like passwords and credit card numbers, taking snapshots of the user’s desktop, and

sending commands to download additional malware.

53. Malware Defendants control user computers through the malware dashboard, which

has a variety of commands that can be executed. The following is an example of a dashboard with

the different commands that are available to the hacker.

Fig. 8

54. One of the malware’s primary functions is to steal information, such as passwords

and account credentials. The information stealer can be found on a file included with the dashboard

called “pw.dll.” This feature of the dashboard is coded to steal login credentials for No-IP accounts,

which is easy to do because of a vulnerability in the Dynamic Update Client installed on No-IP’s

subscribers’ computers. The Dynamic Update Client stores the subscriber’s user name and password

without using any encryption in the registry of the subscriber’s computer which is easily accessible to

other programs on the computer. This is contrary to best practices used in the industry. An Internet

security firm, FireEye, identified this vulnerability in a 2013 article, but on information and belief,

Defendant Vitalwerks has not remedied the problem.

Defendants Cause Irreparable Harm to Microsoft and Its Customers

55. Microsoft is the provider of the Windows operating system and a variety of other

software and services. Microsoft has invested substantial resources in developing high-quality

products and services. Due to the high quality and effectiveness of Microsoft’s products and

services and the expenditure of significant resources by Microsoft to market those products and

services, Microsoft has generated substantial goodwill with its customers, has established a strong

brand, has developed the Microsoft name and the names of its products and services into strong and

famous world-wide symbols that are well-recognized within its channels of trade. Microsoft has

registered trademarks representing the quality of its products and services and its brand, including

the Windows marks.

56. Defendants’ actions, including but not limited to the distribution of malware, injure

Microsoft and its reputation, brand, and goodwill because users subject to the negative effects of

these malicious applications incorrectly believe that Microsoft or Windows is the source of their

computer problems. The Malware Defendants further this belief by using sub-domains, owned and

leased by Defendant Vitalwerks, for their malicious activities that contain the phrases “Microsoft”

and “Windows.” Additionally, Microsoft devotes significant computing and human resources to

combating the distribution of Bladabindi, Jenxcus, and other malware infections and helping

customers determine whether or not their computers are infected, and if so, cleaning them.

Customers’ frustration with having to deal with malware infection on their computers diminishes

their regard for Windows and Microsoft, and tarnishes Microsoft’s reputation and goodwill.

57. Microsoft’s customers may incorrectly attribute the negative impact of the malware

supported by No-IP to Microsoft. Additionally, there is a serious risk that customers may move

from Microsoft’s products and services because of such activities. And, there may be significant

challenges to having such customers return, given the cost they bear to switch to new products and

perceived risks.

58. Microsoft and its customers are injured when the malware is maliciously introduced

onto people’s computers without their knowledge or consent. The installation of malware by

deceiving consumers and without Microsoft’s authorization is an intrusion into the Microsoft

Windows operating system (which is licensed to Microsoft’s customers), without Microsoft’s

authorization.

59. The malware supported by No-IP installs and runs without the customers’ or

Microsoft’s knowledge or consent. The malware specifically targets the Windows operating system.

For example, it mimics particular files that are specific to the Windows operating system, without

the consent of Microsoft or its customers. Once infected, Defendants have control over the users’

computers and can commit further malicious activities like stealing passwords and account

credentials.

60. Once customers’ computers are infected with malware supported by No-IP sub-

domains, they may be unaware of that fact and may not have the technical resources to solve the

problem, allowing their computers to be infected and misused indefinitely. This is particularly true

for Bladabindi and Jenxcus malware given their ability to conceal and protect themselves from detection

and removal. The Malware Defendants can see through the dashboard whether a user is running an

anti-virus program and send a command to the computer to stop the program from running, which

will prevent detection. Additionally, if a user notices that the Bladabindi malware is running on his

machine and tries to stop it, the malware will cause the user’s computer to crash. In such

circumstances, technical attempts to remedy the problem may be insufficient and the injury caused

to customers will continue. The injury caused by this malware and No-IP subdomains extends far

beyond Microsoft to other consumers and providers, into internet infrastructure and ultimately to the

majority of computer users worldwide, placing each at an increased risk.

61. The Malware Defendants cause Microsoft’s consumers untold harm. With the

malware dashboard, they are able to execute many commands on users’ computers that can steal

sensitive information and invade the users’ privacy. For example, they can steal users’ banking

credentials, such as online user names, passwords, and account numbers. When a user conducts

transactions online, the Defendant can monitor the user’s keystrokes and capture home addresses,

work addresses, telephone numbers, credit card information, and social security numbers. The

Malware Defendants can see in real time users’ computer displays and can also remotely turn on the

users’ video cameras or microphones without their knowledge, which is violative of many states’

privacy and wiretapping laws. The information Defendants collect can be sold or traded to other

wrongdoers and can even be used for blackmail. Consumers suffer not only economic harm as a

result of Malware Defendants’ actions but non-economic losses as well, such as emotional distress,

from identity theft and intrusions upon privacy.

FIRST CLAIM FOR RELIEF

(Violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 – Against the Malware

Defendants)

62. Microsoft realleges and incorporates by reference the allegations contained in

paragraphs 1 through 61 above.

63. Defendants: (a) knowingly and intentionally accessed Microsoft customers’ protected

computers and Microsoft’s protected computers without authorization or in excess of any

authorization and thereby obtained information from the protected computers in a transaction

involving an interstate or foreign communication (18 U.S.C. § 1030(a)(2)(C)), (b) knowingly and

with an intent to defraud accessed the protected computers without authorization or in excess of any

authorization and obtained information from the computers, which Defendants used to further the

fraud and obtain something of value (18 U.S.C. § 1030(a)(4)); (c) knowingly caused the

transmission of a program, information, code and commands, and as a result of such conduct

intentionally caused damage without authorization to the protected computers (18 U.S.C. §

1030(a)(5)(A)); and/or (d) intentionally accessed the protected computers without authorization, and

as a result of such conduct caused damage and loss (18 U.S.C. § 1030(a)(5)(C)).

64. Defendants’ conduct has caused a loss to Microsoft during a one-year period

aggregating at least $5,000.

65. Microsoft has suffered damages resulting from Defendants’ conduct.

66. Microsoft seeks compensatory and punitive damages under 18 U.S.C. § 1030(g) in an

amount to be proven at trial.

67. As a direct result of Defendants’ actions, Microsoft has suffered and continues to

suffer irreparable harm for which Microsoft has no adequate remedy at law, and which will continue

unless Defendants’ actions are enjoined.

SECOND CLAIM FOR RELIEF

(Violation of the Anti-Cybersquatting Consumer Protection Act, 15 U.S.C. § 1125 – Against

All Defendants)

68. Microsoft realleges and incorporates by reference each and every allegation set forth

in paragraphs 1 through 67 above.

69. Defendants have registered, trafficked in, and/or used domain names containing the

terms “Microsoft” and “Windows,” which are protected marks owned by Microsoft. Attached as

Exhibit D to this Complaint is a list of all No-IP sub-domains containing these protected marks as

part of the domain name.

70. The sub-domains containing the term “Microsoft” or “Windows” are identical and/or

confusingly similar to Microsoft’s marks. Defendants’ infringing use is likely to cause confusion or

deceive Microsoft’s consumers as to the affiliation of the malicious No-IP sub-domains.

71. Defendants acted with bad faith intent to profit from Microsoft’s marks.

72. Microsoft has suffered damages resulting from Defendants’ conduct.

73. Microsoft seeks compensatory damages under 15 U.S.C. § 1117(a) in an amount to be

proven at trial, or it may elect to pursue statutory damages pursuant to 15 U.S.C. § 1117(d) for up to

$100,000 per infringing domain name.

74. Microsoft seeks forfeiture and cancellation of the infringing domain names or transfer

of the domain names to Microsoft.

75. As a result of Defendants’ actions, Microsoft has suffered and continues to suffer

irreparable harm for which Microsoft has no adequate remedy at law, and which will continue unless

Defendants’ actions are enjoined.

THIRD CLAIM FOR RELIEF

(Violation of Unlawful Acts Regarding Computers and Information Services Statute, N.R.S. §

205.473 et seq. – Against the Malware Defendants)

76. Microsoft realleges and incorporates by reference each and every allegation set forth

in paragraphs 1 through 75 above.

77. Defendants: (a) knowingly, willfully and without authorization modified, damaged,

destroyed, disclosed, used, transferred, concealed, took, retained possession of, copied, obtained or

attempted to obtain access to, permitted access to or caused to be accessed, and/or entered data,

programs, and/or supporting documents existing inside or outside user computers (N.R.S. §

205.4765(1)); (b) knowingly, willfully and without authorization modified, destroyed, used, took,

damaged, transferred, concealed, copied, retained possession of, obtained or attempted to obtain

access to, and/or permitted access to or caused to be accessed equipment or supplies that are used or

intended to be used in a computer, system, or network (N.R.S. § 205.4765(2)); (c) knowingly,

willfully and without authorization destroyed, damaged, took, altered, transferred, disclosed,

concealed, copied, used, retained possession of, obtained or attempted to obtain access to, permitted

access to or caused to be accessed a computer, system, or network (N.R.S. § 205.4765(3)); and/or (d)

knowingly, willfully and without authorization obtained and disclosed, published, transferred, or

used a device used to access a computer, network, or data (N.R.S. § 205.4765(4)).

78. Defendants knowingly, willfully, maliciously, and without authorization: (1)

interfered with the use of and access to a computer, system, or network to a person who had the right

and duty to use it (N.R.S. § 205.477(1)); and (2) used, caused the use of, accessed, attempted to gain

access to, or caused access to be gained to a computer, system, or network (N.R.S. § 205.477(2)).

79. Microsoft has suffered damages resulting from Defendants’ conduct.

80. Microsoft seeks compensatory, punitive damages, and attorneys’ fees and costs under

N.R.S. § 205.511 in an amount to be proven at trial.

81. As a direct result of Defendants’ actions, Microsoft has suffered and continues to

suffer irreparable harm for which Microsoft has no adequate remedy at law, and which will continue

unless Defendants’ actions are enjoined.

FOURTH CLAIM FOR RELIEF

(Trespass to Chattels – Against the Malware Defendants)

82. Microsoft realleges and incorporates by reference each and every allegation set forth

in paragraphs 1 through 81 above.

83. Defendants’ actions in the distribution of malware result in unauthorized access to the

computers of Microsoft and its customers and result in harm to those computers.

84. Defendants intentionally caused this unauthorized conduct.

85. Defendants’ actions have caused injury to Microsoft and its customers and imposed

costs on Microsoft and its customers, including time, money and a burden on the computers of

Microsoft and its customers, as well as injury to Microsoft’s business goodwill and diminished the

value of Microsoft’s possessory interest in its computers and software.

86. As a result of Defendants’ unauthorized and intentional conduct, Microsoft has been

damaged in an amount to be proven at trial.

87. As a direct result of Defendants’ actions, Microsoft has suffered and continues to

suffer irreparable harm for which Microsoft has no adequate remedy at law, and which will continue

unless Defendants’ actions are enjoined.

FIFTH CLAIM FOR RELIEF

(Conversion – Against the Malware Defendants)

88. Microsoft realleges and incorporates by reference each and every allegation set forth

in paragraphs 1 through 87 above.

89. Defendants have interfered with and converted Microsoft’s personal property that was

in denial of and inconsistent with Microsoft’s title and right to the possession and use of its property.

90. Defendants’ actions deprived Microsoft of possession and use of its property.

91. As a result of Defendants’ actions, Microsoft has been damaged in an amount to be

proven at trial.

92. As a direct result of Defendants’ actions, Microsoft has suffered and continues to

suffer irreparable harm for which Microsoft has no adequate remedy at law, and which will continue

unless Defendants’ actions are enjoined.

SIXTH CLAIM FOR RELIEF

(Negligence – Against All Defendants)

93. Microsoft realleges and incorporates by this reference each and every allegation set

forth in paragraphs 1 through 92 above.

94. Defendants Mutairi, Benabdellah, and Does 1-500 were and are subject to a duty to

exercise care to prevent their use of No-IP domains to propagate malware, to create botnet

syndicates, and to engage in and further the malicious conduct alleged in this Complaint. The source

of this duty of care includes, but is not limited to, Defendants’ contractual obligations not to use or

allow use of the domains for the purposes and acts alleged herein as set forth in No-IP’s Terms of

Service. By registering for a No-IP account, Defendants agreed to be bound by these contractual

obligations.

95. Similarly, Defendant Vitalwerks was and is subject to a duty to exercise care to

detect, prevent, report, and/or remedy any third party’s use of No-IP domains to support malware

infections or to otherwise further the malicious conduct alleged in this Complaint. The source of this

duty of care includes, but is not limited to, the best practices of the industry, Defendant’s

representations to the public that it would assume such a duty, and Defendant’s contractual

obligations not to use or allow use of the domains for the purposes and acts alleged herein, as set

forth in its agreements with the registry operators and ICANN, attached as Exhibits D through H to

this Complaint.

96. Defendants breached their respective duties of care by registering sub-domains that

are used to support or facilitate malware schemes, and by using or allowing their licensee customers

or other third parties to use the No-IP sub-domains to propagate malware infections, create botnet

syndicates, and to engage in the malicious conduct set forth herein.

97. Defendants’ breaches of their duties of care as set forth above have actually and

proximately caused Microsoft to suffer and to continue to suffer irreparable harm for which

Microsoft has no adequate remedy at law, and which will continue unless Defendants’ actions are

enjoined.

98. As an actual and proximate result of the Defendants’ breach of their duty of care,

Microsoft is entitled to damages in an amount to be proven at trial.

PRAYER FOR RELIEF

WHEREFORE, Plaintiff Microsoft prays for the following relief:

A. Judgment in favor of Microsoft and against Defendants;

B. Declare that Defendants’ conduct has been willful and that Defendants have acted with

fraud, malice and oppression;

C. Enter a preliminary and permanent injunction enjoining Defendants and their officers,

directors, principals, agents, servants, employees, successors, and assigns, and all persons and

entities in active concert or participation with them, from engaging in any of the activity complained

of herein or from causing any of the injury complained of herein and from assisting, aiding or

abetting any other person or business entity in engaging in or performing any of the activity

complained of herein or from causing any of the injury complained of herein;

D. Enter judgment awarding Microsoft actual and/or statutory damages from Defendants

adequate to compensate Microsoft for Defendants’ activity complained of herein and for any injury

complained of herein, including but not limited to interest and costs, in an amount to be proven at

trial;

E. Enter judgment awarding enhanced, exemplary and special damages, in an amount to

be proved at trial;

F. Enter judgment awarding attorneys’ fees and costs; and

G. Order such other relief that the Court deems just and reasonable.

Dated: June 19, 2014 Respectfully submitted,

SHOOK, HARDY & BACON, L.L.P.

_______________________________

TONY M. DIAB Attorneys for Plaintiff Microsoft Corporation

/s/ Tony M. Diab
