[HN Gopher] Microsoft Uses Trademark Law to Disrupt Trickbot Botnet
___________________________________________________________________

Microsoft Uses Trademark Law to Disrupt Trickbot Botnet

Author : todsacerdoti
Score  : 125 points
Date   : 2020-10-12 13:09 UTC (9 hours ago)

(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)

skywhopper wrote:
| I can't tell what actually happened from this article. Were
| physical servers seized? I'm not sure I understand how trademark
| law would enable that versus just criminal prosecution.

unnouinceput wrote:
| My understanding is that Microsoft only attacked and seized
| their domains. I don't think they actually have remote control
| over the servers, and even if they have, the owners could simply
| just wipe and reinstall. And since these servers are physically
| located in countries like Russia or China, I doubt Microsoft has
| the capability to do a physical seizing even if they wanted to.
|
| That being said, and given the power corporations are gaining
| year by year, it will not be long before Microsoft will file to
| have their own SWAT team to physically seize or destroy
| computers and/or crackers.

gowld wrote:
| Only the DNS root operators can seize domains. They did so
| pursuant to a US court order.

ryanlol wrote:
| DNS root operators can only seize TLDs, not regular domain
| names.

kalium-xyz wrote:
| DNS root, TLD operators, and registers.

tialaramex wrote:
| Registries and registrars.
|
| The registry is a single entity that decides which names
| exist under a particular domain hierarchy. Providing this
| capability might be contracted out to somebody else to do
| on behalf of the "real" owners of that domain; for example,
| the COM domain registry is operated by Verisign under
| contract.
|
| One or more Registrars provide (mostly sell) the service
| of managing entries in that registry. For all the popular
| commercial TLDs there are multiple commercial registrars.
| The registrars have to abide by rules set by the registry
| (since if they did not, the registry can just stop them
| providing any services) even if they are not under the
| same legal jurisdiction as the registry.
|
| For the gTLDs the rules for this playing field are set by
| ICANN. It would like these rules to apply everywhere, but
| the ccTLDs are assigned to sovereign entities, and like a
| two year old, sovereign entities do not take kindly to
| being told what to do.

bluesign wrote:
| I think not servers but IPs are seized (basically blocked).

cptskippy wrote:
| > A court in Virginia granted Microsoft control over many
| Internet servers Trickbot uses to plunder infected systems,
| based on novel claims that the crime machine abused the
| software giant's trademarks.
|
| > "Users subject to the negative effects of these malicious
| applications incorrectly believe that Microsoft and Windows are
| the source of their computing device problems. There is great
| risk that users may attribute this problem to Microsoft and
| associate these problems with Microsoft's Windows products,
| thereby diluting and tarnishing the value of the Microsoft and
| Windows trademarks and brands."
|
| > Microsoft said it will leverage the seized Trickbot servers
| to identify and assist Windows users impacted by the Trickbot
| malware in cleaning the malware off of their systems.
|
| > But so far it's not clear whether Microsoft succeeded in
| commandeering all of Trickbot's control servers, or when
| exactly the coordinated seizure of those servers occurred.

skywhopper wrote:
| Yes, I read the article. Your quotes do not answer my
| question.

cptskippy wrote:
| The article says it's not clear if it's happened or how.
|
| Just because a court rules in one party's favor doesn't
| necessarily mean it applies outside of the jurisdiction of
| the court.
|
| That being said, if they were working in coordination with
| law enforcement then the servers could have at least been
| secured in a relatively short period of time.

SoSoRoCoCo wrote:
| "A court in Virginia granted Microsoft control over many
| Internet servers"
|
| I'm waiting to hear the answer too. This sentence seems to be
| missing context in the rest of the article.

Nextgrid wrote:
| This could set a potentially dangerous legal precedent. Microsoft
| are arguing that the malware operation damages Microsoft's brand,
| instead of putting the fault onto themselves for making
| vulnerable software.
|
| The malware operation should absolutely be shut down, but other
| laws (that we have - the CFAA would apply) should be used to do
| so.
|
| Otherwise any other manufacturer of defective products can argue
| that someone else (potentially unintentionally) is damaging their
| brand by triggering a flaw in the product instead of fixing their
| product. Imagine a car manufacturer whose cars fall apart due to
| minor irregularities in the road suing the city for not making
| the roads smooth enough instead of producing better cars that are
| immune to this problem.

muststopmyths wrote:
| Even more interesting (to me anyway), wouldn't the same
| reasoning also apply to jailbreaking and reverse-engineering
| devices?
|
| In those cases as well the behavior of the system is being
| altered while retaining the original branding.

cptskippy wrote:
| > This could set a potentially dangerous legal precedent.
| Microsoft are arguing that the malware operation damages
| Microsoft's brand, instead of putting the fault onto themselves
| for making vulnerable software.
|
| I don't think this sets a precedent. Think about it in terms
| of physical security: a thief's ability to circumvent poor or
| no security doesn't preclude them from liability for their
| crimes.
|
| The court has seized their assets and given them to Microsoft
| so that Microsoft can repair the damage they've done both to
| Microsoft and to its customers.

ffhhj wrote:
| Then Microsoft will use a fraction of those assets to pay bug
| bounties.

acomjean wrote:
| Well, let the operators of the botnet complain to the courts
| about Microsoft's actions in court.
|
| The defendants aren't going to show, so it's an easy win for
| Microsoft.

rlpb wrote:
| > This could set a potentially dangerous legal precedent.
| Microsoft are arguing that the malware operation damages
| Microsoft's brand, instead of putting the fault onto themselves
| for making vulnerable software.
|
| I think both can be true. Even if you think Microsoft should be
| held legally culpable for making vulnerable software, I don't
| think that should be a "get out of jail free" card for someone
| exploiting it.
|
| I therefore don't see how agreeing that Microsoft is being
| harmed by malware authors could possibly result in a legal
| precedent exonerating them from legal liability over vulnerable
| software. Courts consider what is presented to them and their
| rulings tend to be narrow.

Nextgrid wrote:
| To be clear, I am absolutely not arguing that malware authors
| should get impunity - we have other laws such as the CFAA
| that should be used to punish this activity.
|
| I am also not saying that software developers should
| automatically be liable for bugs or security vulnerabilities
| in their products.
|
| My concern is that such a precedent would then allow software
| developers to sue on brand damage grounds even in non-malicious
| cases such as merely documenting an exploit or publishing a
| proof of concept (designed to test the vulnerability on your
| own infrastructure), in which case even "mens rea" would not
| apply since technically documentation/PoC code is _intended_ to
| let others know about the vulnerability (so they can protect
| themselves, but that does technically damage the brand, although
| rightfully in this case).

kenjackson wrote:
| I'd expect this to be narrowly interpreted. I don't think
| any precedent would extend the ways you suggest.

kube-system wrote:
| This is not a new precedent; it is exactly what trademark law
| was intended to do. Trademark law is ultimately a consumer
| protection, designed to protect the public from fraudulent
| misrepresentation.

brlewis wrote:
| Trademark law says you can't mislead consumers into thinking
| your thing is the trademark owner's thing. Malware fits this
| perfectly. There's no new precedent here, dangerous or
| otherwise.
|
| The car manufacturer / road irregularity analogy does not fit.

elmo2you wrote:
| > Trademark law says you can't mislead consumers into
| thinking your thing is the trademark owner's thing.
|
| So, where did you get that these infected machines became a
| "your thing" and no longer are just Windows (albeit
| infected/altered)? I don't see the (legal) basis for calling
| these infected systems no longer Windows systems. If they're
| still Windows systems, this whole Trademark trick goes pretty
| much straight out of the window (no pun intended) for that
| reason alone.
|
| > There's no new precedent here
|
| Unless I'm reading it wrong, Microsoft essentially got itself
| a verdict that says that something that harms the reputation
| of their OS actually violates the trademark of that OS. As if
| their OS getting infected (rather easily) in the first place
| isn't enough of a valid reason for a bad reputation.
|
| Just forget for now about how this also totally ignores that
| Microsoft probably deserved to have been sued out of
| existence a long time ago, for (deliberately!) not doing what
| it could to keep their OS more safe/secure.
|
| Instead, now they pretty much can claim that basically
| anything that (in their perception) harms their good name and
| reputation can be banned from running on their OS (or at
| least be seized and put under their control). That's the
| same (il)legal lunacy as currently exists with Apple
| dictating what can run on their iPhones. I would definitely
| call that a precedent (I've never heard of such a bonkers
| trademark case/verdict), and one with an extremely tricky
| potential for abuse by Microsoft.
|
| It's a good thing that Microsoft has never been caught
| abusing anything, right.

brlewis wrote:
| > Unless I'm reading it wrong
|
| The quote in the article from the civil complaint makes it
| sound like the malware itself used MSFT trademarks. If
| there's another "it" you're reading besides the article,
| where said quote is shown to be taken out of context,
| please link.

Nextgrid wrote:
| Is there any evidence that this malware misrepresents itself
| as Microsoft? The spam emails which seem to be the primary
| infection vector do not appear to have any Microsoft-related
| branding.

brlewis wrote:
| Yes. Find "civil complaint" in the article.

SilasX wrote:
| Yeah, TBH I'm more surprised that there hasn't been more
| prosecution of adware that misrepresents itself with
| Apple/MS/etc logos.

throw_m239339 wrote:
| > This could set a potentially dangerous legal precedent.
| Microsoft are arguing that the malware operation damages
| Microsoft's brand, instead of putting the fault onto themselves
| for making vulnerable software.
|
| I agree with you.
|
| Why on earth would opening a .doc document infect a freaking
| computer? Imagine opening a freaking json file and getting
| infected by a crypto virus... The real problem is with Word or
| whatever software Microsoft has built that allows some code
| execution VIA a .doc document. They must have so much
| technical debt nobody's willing to touch some old code anymore
| or something... IMHO, this and the fact they ditched their own
| browser engine in favour of Google's because it couldn't
| compete says a lot about the state of engineering in some
| Microsoft teams...

withinboredom wrote:
| > Why on earth would opening a .doc document infect a
| freaking computer?
|
| It's more like a friend sends you source code and your IDE
| compiles it in the background, only to discover that the act
| of compiling it had it shove some executable in ~/bin.
|
| For over five years now, the default for Word is not to run
| code/macros. Some corporate IT has that disabled or they
| might still be running Office 2012/07.

tsimionescu wrote:
| This kind of problem is ubiquitous in native software. Any
| program that takes user input and is not written in a memory
| safe language is likely to be exploitable in this way.
|
| This is doubly true for programs that execute user scripts.
| And it is inevitable for programs that support binary file
| embedding and file manipulation through those scripts - a
| feature some users of Word actually use.

gowld wrote:
| That's fine, you can install Linux or TempleOS or whatever if
| Windows is bad.
|
| The only thing you can reasonably demand of Microsoft is (a)
| reasonable disclosure of the risk, and (b) not forcing their
| product into a separate product like your Dell hardware
| purchase.
|
| If you want insurance against imperfect security from MS, be
| prepared to pay more than $179 per PC.
briandear wrote:
| > Microsoft are arguing that the malware operation damages
| Microsoft's brand, instead of putting the fault onto themselves
| for making vulnerable software.
|
| Isn't that blaming the victim? If you leave your house unlocked
| and someone steals stuff, it's still theft.

nonick wrote:
| The dangerous precedent I see is Microsoft making justice for
| itself (with authorization from a judge, but still, when did
| Microsoft become law enforcement?). Blaming Microsoft for
| building "vulnerable software" because someone is targeting
| their OS with their malware is like blaming Boeing because
| their planes were used for the 9/11 attacks.

quickthrowman wrote:
| This isn't a criminal matter, it's a civil matter. They filed
| a lawsuit and convinced a judge their legal position was
| right; they didn't do their own vigilante justice.

tremon wrote:
| I disagree that's a valid comparison. If the terrorists were
| able to remotely override Boeing's autopilot from the ground,
| and use that to steer the planes into the towers, Boeing
| would absolutely have been blamed, and rightly so.

[deleted]

rhino369 wrote:
| Nobody blamed Boeing for not putting locks on their cockpit
| doors.
|
| The public actually doesn't generally place much blame on
| manufacturers of hardware for third party manipulation
| unless the point of the device is security. Nobody expects
| a car is invulnerable to sabotage.

nonick wrote:
| You could blame Boeing for not taking control of the planes
| from the ground and preventing the terrorists steering them
| into the towers.

zamalek wrote:
| The software is no more vulnerable than any other software
| (unless automatic updates are disabled). The problem is that
| Microsoft users are vulnerable: they will do anything that you
| tell them to.
|
| Furthermore, Microsoft is legally obligated to protect its
| trademarks, else it loses them, and there is real precedent
| for that.
1vuio0pswjnm7 wrote:
| "Microsoft are arguing that the malware operation damages
| Microsoft's brand, _instead of putting the fault onto
| themselves for making vulnerable software_."
|
| The entire "desktop" software industry championed by Bill Gates
| has always relied on this belief. Namely, that Windows exploits
| are the fault of the people who dare to point out the flaws
| (before they are fixed, if ever), instead of the "engineers"
| and management who dared to skip quality control and market
| software that they knew could be exploited.
|
| The Complaint:
|
| http://noticeofpleadings.com/trickbot/files/Complaint%20and%...
|
| In para. 49 MS are also arguing that the botnet is causing
| damage to MS because MS has to expend resources to investigate
| and clean it up.
|
| Can we consider the courts' time being wasted because of MS
| failure to perform quality control? Can we consider the losses
| of the MS software users? Users are not the ones seeking a TRO
| and damages, though surely they are suffering more harm than
| MS from the botnet. Does MS actually own the infected
| computers?
|
| Anyway, MS arguments are not limited to trademark. They argue
| the botnet operators' use of Windows function declarations is
| copyright infringement (para. 59). They argue the botnet
| operators violated the CFAA by accessing MS computers without
| authorization and caused "a loss to MS" of greater than $5K in
| the aggregate in one year (para. 67). They argue the botnet
| operators violated the ECPA by intercepting communications
| between MS and financial institutions (para. 74). They argue
| the botnet operators have committed trespass to chattels, i.e.,
| MS computers and networks (para. 99). They argue the botnet
| operators have been unjustly enriched through the use of MS
| software and online account infrastructure (para. 105). They
| even argue conversion, as if the software still belongs to MS,
| not its users (para. 112). Not all of these claims are going to
| stick, obviously.
|
| Software warranties still haven't changed much over the past
| three decades in terms of product liability under US law.
| Unless the software causes physical damage to property or
| physical injury to persons, software companies can successfully
| disclaim liability for defects. Sadly, Windows users, who
| always accept MS's licensing terms, generally have no claims
| against MS for the losses they suffer as a result of Windows'
| vulnerabilities.
|
| Perhaps the only way to force quality controls into software
| "engineering" is to allocate more products liability risk to
| those multi-billion dollar companies who produce mass market
| software. If you hate the sound of that, don't worry. I doubt
| it is ever going to happen.
|
| To me, the "Microsoft brand" is synonymous with vulnerabilities,
| botnets and malware. This is only because I know the full
| history of the software. In the complaint MS argues users might
| associate degradation of performance with Windows instead of
| the botnet (para. 48). In theory, MS could make this argument
| against any author of third party software running on Windows
| that hides itself from the user's awareness and, for whatever
| reason, degrades performance.
|
| Today's MS Windows, with its "software subscription" model, IMO
| is functionally tantamount to a so-called botnet, the only
| differences being "authorisation" (driven by use of dark
| patterns) and the definition of "malicious" (intent). Please
| forgive the provocative nature of that statement. What I mean
| is MS, like a "botnet", has centralised "command and control"
| of users' computers through centralised or decentralised
| communication to install software (updates), it can intercept
| users' electronic communications through telemetry and it does
| "exfiltrate" user data to MS. What makes the botnet "bad" and
| MS "good" is not the means by which each operates (they each
| exercise considerable remote control over Windows users) but
| the ends they seek to achieve. Controlling users' computers
| remotely, under a very thin veil of "authorisation", has become
| accepted behaviour.

ummonk wrote:
| What are you talking about? The malware poses as Microsoft /
| Windows products, which is a clearcut trademark violation.
|
| In the car case, this would be analogous to a 3rd party selling
| defective parts under the brand name of a car manufacturer.

walshemj wrote:
| Which is a problem; I recall a BBC program about fake brake
| pads years ago.

okareaman wrote:
| You're implying that makers and manufacturers could release
| perfect products with zero defects if they wanted to. No
| automobiles would ever need recall. No software would ever have
| a security bug. You do realize that's an impossibly high
| standard, don't you?

hansvm wrote:
| No, just that they need to be willing to accept the
| consequences of their mistakes rather than blame third
| parties. If software development is inherently risky then
| that's still the responsibility of software developers. If
| that makes some businesses unviable then the system is
| working as intended because they were unviable anyway, just
| profiting by passing costs to other people.
|
| There's a separate sentiment floating around (and that _was_
| the tone I caught from the parent comment, though I could be
| mistaken) that portions of Microsoft produce software with
| major design flaws that create a horde of other security and
| performance problems and that they should do better, but
| actually making better software isn't a necessary step in
| holding software creators accountable.
moron4hire wrote:
| It seems like, if Microsoft were trying to absolve
| themselves of responsibility for defects in their products,
| the thing to do would be to claim that malware is developed
| by third parties outside of their control, against the
| terms of the EULA. What Microsoft is actually doing seems a
| lot more like taking responsibility. They're cleaning up
| the mess and helping people when they don't really have a
| legal requirement to do so.

Ericson2314 wrote:
| A few things to counter here:
|
| 1. Considering the sloppy bullshit that is the root cause of
|    95%+ security vulnerabilities today, I think talking about
|    "0 security bugs" is a distorting strawman.
|
| 2. No one said no recalls. The issue here is Microsoft is
|    going after the exploiter rather than the bug, taking the
|    law into their own hands over dubious pretenses. That's
|    somewhere in between taking the drivers licenses of
|    Corvair owners and recalling the Corvairs themselves. (We
|    could make a better analogy if a black hat actor triggered
|    the car defect.)
|
| 3. This could easily be precedent for this scenario:
|    1. Security researcher finds bug and discloses it
|    2. Big corp declines to pay up / doesn't fix in timely
|       manner, etc.
|    3. Security researcher goes public
|    4. Malware is made with exploit
|    5. Big corp goes vigilante on malware like this *and* sues
|       security researcher, using this trademark justification
|       in *both* cases.

CrazyStat wrote:
| In what sense is Microsoft "taking the law into their own
| hands"? They filed a lawsuit and convinced the judge to
| agree with their legal theory. That's how the legal system
| works.
|
| There is no vigilantism here.

withinboredom wrote:
| They mention in the article how it spreads via emails, not
| via exploits (in which case it would be called a worm, not
| malware).

saghm wrote:
| Isn't a worm just a type of malware? Wikipedia describes
| malware as "any software intentionally designed to cause
| damage to a computer, server, client, or computer
| network".

Talanes wrote:
| Seconded, I've always understood malware to be a broad
| categorization and not a specific type of attack.

withinboredom wrote:
| I'd always assumed that malware was malicious software
| disguised as something else; the layman term for trojan.
| TIL that it's much more generic than that.

thechao wrote:
| Every time, a few months before product release, downstream
| teams start filing bugs on us that boil down to the
| statement: "please continue to add features, but stop adding
| bugs".
|
| Oh, sweet summer child: features _are_ bugs.

ardy42 wrote:
| > Otherwise any other manufacturer of defective products can
| argue that someone else (potentially unintentionally) is
| damaging their brand by triggering a flaw in the product
| instead of fixing their product. Imagine a car manufacturer
| whose cars fall apart due to minor irregularities in the road
| suing the city for not making the roads smooth enough instead
| of producing better cars that are immune to this problem.
|
| I think you're hitting the dead end you get to when you only
| conceive of the law as considering physical actions, but that's
| not how it actually works. IANAL, but there's a legal concept
| called _mens rea_ that's very applicable here. Basically,
| what's going on in someone's mind is legally relevant, so cases
| where someone performed an identical physical action for
| different reasons can be treated differently. So there'd be a
| difference between:
|
| 1. Triggering a bug maliciously for personal gain.
|
| 2. Triggering a bug accidentally.
|
| 3. Triggering a bug benevolently as part of an effort to fix
|    it.

thaumasiotes wrote:
| That distinction would only be relevant if the statute
| specifically drew it. The ordinary _mens rea_ distinction is
| between (1) triggering the bug, intending to trigger the bug;
| and (2) triggering the bug, not intending to trigger the bug.

rlpb wrote:
| Mens rea generally only applies to criminal law. Lack of mens
| rea doesn't insulate you from civil liability, even if it
| might affect it.
|
| See the first paragraph at
| https://en.wikipedia.org/wiki/Mens_rea

adinisom wrote:
| Trademark infringement seems to be a strict liability tort:
| https://www.tilleke.com/resources/application-strict-liabili...

fny wrote:
| Can someone explain why this legal somersault is even needed to
| seize botnet servers?

Ericson2314 wrote:
| Because Microsoft is a vigilante looking for legal cover.

reaperducer wrote:
| Don't vigilantes, by definition, work outside the law?

gowld wrote:
| It's complicated. If I put up spikes to prevent people
| entering my garage, is that vigilantism?
|
| Is it vigilantism to exterminate a beehive that a vandal
| drops on my customer's property?

tialaramex wrote:
| If the spikes somehow lock the garage closed, that's
| security. If they're instead designed to impale people who
| force it open, that's going to be illegal in most places
| even if trespassing is also a criminal offence there. Not
| least because the law may authorise people to force that
| garage open, and it doesn't want authorised people getting
| hurt, regardless of how you feel about that.

xwdv wrote:
| To cover their ass while they absolutely wreck Trickbot's
| network.

Bjartr wrote:
| I _think_ this is allowing a civil case to be brought by
| Microsoft, and therefore the ability for them to bring their
| significant capital and legal counsel to bear, rather than just
| waiting for the criminal justice system to get around to doing
| something about it.
Ericson2314 wrote:
| If Microsoft can make a civil suit and gain control of the
| botnet infra, rather than just get damages, can I get
| poisoned by a mine/factory and get equity in the factory?
|
| What's weird is that presumably the botnet party, the natural
| counterparty, didn't show up in court, but MS appeals to a
| third party (domain registry) to get control of their assets
| rather than something more neutral for damages.
|
| I'm no lawyer but this seems awfully weird.

rlpb wrote:
| The legal basis is that a court awards a _remedy_ [1] for
| harm done (or being done). Often that's monetary damages,
| but it doesn't have to be. The court chooses what remedy
| is appropriate.
|
| I'm not sure that's relevant though. This might just be a
| preliminary injunction [2] rather than a final decision,
| whereas your "get equity in the factory" seems to be
| thinking about a final remedy rather than a preliminary
| injunction sought to minimize ongoing damage.
|
| [1] https://en.wikipedia.org/wiki/Legal_remedy
| [2] https://en.wikipedia.org/wiki/Injunction#Preliminary_injunct...

Ericson2314 wrote:
| I sure hope it's a preliminary injunction! That would be
| like me taking temporary control of the factory smoke
| stack or discharge pipe. Great precedent in that case.

MrStonedOne wrote:
| > Users subject to the negative effects of these malicious
| applications incorrectly believe that Microsoft and Windows are
| the source of their computing device problems. There is great
| risk that users may attribute this problem to Microsoft and
| associate these problems with Microsoft's Windows products,
| thereby diluting and tarnishing the value of the Microsoft and
| Windows trademarks and brands.
|
| So does this mean that anybody who made software for Windows 7
| can sue Microsoft for the Windows 10 forced "optional" upgrade if
| it broke their software?
|
| Could they seize Windows Update servers as part of their
| trademark suit?
Pick-A-Hill2019 wrote:
| I've been waiting for this story to bubble up with a reasonable
| amount of traction before commenting, so I'm glad it did. I found
| this quote somewhat Funny, somewhat Sad.
|
| .. "They are running normally and their ransomware operations are
| pretty much back in full swing," Holden said. "They are not
| slowing down because they still have a great deal of stolen
| data."
|
| Holden added that since news of the disruption first broke a week
| ago, the Russian-speaking cybercriminals behind Trickbot have
| been discussing how to recoup their losses, and have been toying
| with the idea of massively increasing the amount of money
| demanded from future ransomware victims.
|
| "There is a conversation happening in the back channels," Holden
| said. "Normally, they will ask for [a ransom amount] that is
| something like 10 percent of the victim company's annual
| revenues. Now, some of the guys involved are talking about
| increasing that to 100 percent or 150 percent."
|
| [Edit to Amend Source Link based on
| https://news.ycombinator.com/item?id=24756681. Please refer to
| https://krebsonsecurity.com/2020/10/report-u-s-cyber-command...]
|
| [Original Link] Report: U.S. Cyber Command Behind Trickbot Tricks
| https://nmap.online/news/2020/report-us-cyber-command-behind...

jlgaddis wrote:
| FWIW, your link is just blogspam. From a quick skim, it appears
| to be a copy/paste of another Krebs article,
| https://krebsonsecurity.com/2020/10/report-u-s-cyber-command....

Pick-A-Hill2019 wrote:
| Ok wow, I missed that and thanks for reporting it. If the
| edit window is still open I will amend the url link to
| reflect the source article. Oh & have an upvote :)

Stierlitz wrote:
| "Trickbot, a global menace that has infected millions of
| [microsoft windows] computers and is used to spread ransomware."
|
| There, corrected for accuracy.
bluesign wrote:
| Blog post from Microsoft:
| https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbo...

afrcnc wrote:
| The court docs: https://www.noticeofpleadings.com/trickbot/

___________________________________________________________________
(page generated 2020-10-12 23:00 UTC)