Microsoft Wields Its IP For Good, Cripples Botnet Via Trademark Litigation
from the ends-justifies-the-means? dept
Microsoft developed a bit of a reputation as a trademark bully during the early 00s, going after an Australian pillow manufacturer (for its polyester fiber "Microsoft" quilt) and a 17-year-old Canadian named Mike Rowe (for his MikeRoweSoft website business). It seems to have settled down on the bullying but it still wields its trademarks with considerable heft. Krebs on Security reports Microsoft recently leveraged its trademarks to severely cripple a botnet.
Microsoft Corp. has executed a coordinated legal sneak attack in a bid to disrupt the malware-as-a-service botnet Trickbot, a global menace that has infected millions of computers and is used to spread ransomware. A court in Virginia granted Microsoft control over many Internet servers Trickbot uses to plunder infected systems, based on novel claims that the crime machine abused the software giant’s trademarks. However, it appears the operation has not completely disabled the botnet.
Microsoft's request for a restraining order (which I haven't been able to locate yet) pointed out Trickbot infects and alters Microsoft products, which could cause users to believe Microsoft itself has zombiefied their device. This misattribution of source cause has the potential to cause harm to Microsoft's reputation and brands.
However, it doesn't appear Trickbot ever co-opts Microsoft's trademarks to present computer users with seemingly legitimate applications. Instead, it infects Windows systems, causing problems while hiding itself from victims. Microsoft's trademark argument is novel: there's no appropriation, just a lot of potential damage to its reputation from people unwittingly operating infected systems.
The order was granted and Microsoft now has control of some of the servers used by the malicious hackers. Others remain online but work has been done to mitigate future damage.
Microsoft’s action comes just days after the U.S. military’s Cyber Command carried out its own attack that sent all infected Trickbot systems a command telling them to disconnect themselves from the Internet servers the Trickbot overlords used to control them. The roughly 10-day operation by Cyber Command also stuffed millions of bogus records about new victims into the Trickbot database in a bid to confuse the botnet’s operators.
Microsoft's unusual trademark litigation isn't its only use of IP to battle a botnet. In a post about this operation/litigation, the company is also wielding its copyright in a more questionable manner.
This action also represents a new legal approach that our DCU [Digital Crimes Unit] is using for the first time. Our case includes copyright claims against Trickbot’s malicious use of our software code.
Microsoft probably knows something the rest of us don't, but using the information available, it's difficult to see how attacking a system with a malicious script "uses" Microsoft's software code. If this legal theory is granted credence by a judge, it will make it easier for companies (like… I don't know… Apple) to shut down hobbyists and enthusiasts who modify devices or programs containing copyrighted code to do things companies don't approve of. While it's great Microsoft is stepping up to shut down a botnet, it's not as great to see it willing to abuse IP law to get it done.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: botnet, trademark, trickbot
Companies: microsoft
Reader Comments
Subscribe: RSS
View by: Time | Thread
Bruce Schneier commented on it today.
Bruce Schneier commented on it today.
https://www.schneier.com/blog/archives/2020/10/us-cyber-command-and-microsoft-are-both-disrupting-t rickbot.html
[ link to this | view in chronology ]
That's also a way of putting it.
"Microsoft developed a bit of a reputation as a trademark bully during the early 00s" 😨
In much the same manner that Caligula was an eccentric and Hitler a misunderstood artisté?
Honestly this is a bit like seeing a reformed thug with a history of violent disproportional assault suddenly take a swing at someone you don't really like. Sure, you didn't like the guy and it's a good thing someone stopped him...
...and yet you just feel nervous at the sight of that former terror of the sandbox once again swinging his fists.
[ link to this | view in chronology ]
Re: That's also a way of putting it.
Or how Trump may have a bit of an Ego problem.
[ link to this | view in chronology ]
Re: That's also a way of putting it.
Microsoft have undoubtedly gone through a major internal culture change in the last decade or so, and while it's still good to be wary of them, it would be wrong not to acknowledge its many improvements. The company that tried backing SCO in order to destroy the fundamentals of FOSS and the company that ships Linux and Chromium components in its OS are not necessarily the same beast.
[ link to this | view in chronology ]
Re: Re: That's also a way of putting it.
You're right. They are evil and completely full of shit in totally different ways now.
[ link to this | view in chronology ]
Re: Re: That's also a way of putting it.
"...and while it's still good to be wary of them, it would be wrong not to acknowledge its many improvements..."
Well, that's the thing about trust, alas. You can easily prove that your trust was misplaced. But it just isn't possible to prove that someone is trustworthy once more.
MS has been forced to adapt, not by choice, but simply in order to survive a marketplace which was becoming increasingly reliant on Open Source rather than on MS products. So, having failed to ram "Open source is cancer" through every court of the land they instead opted to retool their business model.
That, to me, is as convincing as Dahmer running a butcher shop after rehab. You will keep viewing what he sells with trepidation because you know, for a fact, that he had a deplorable tendency to rape, murder, and eat people in his younger days.
[ link to this | view in chronology ]
So, it's not a shoddy code that can easily be exploited?
[ link to this | view in chronology ]
Cyberlaw podcast opined on this as well
... saying that it likely would not stand up to a court challenge.
However, first there needs to be a court challenge. That is, someone claiming ownership of the systems being seized.
Next on bot-wars: command and control systems being themselves bots...
[ link to this | view in chronology ]
I wish they'd do something about Windows Tech Support. Those guys keep cold-calling me and telling me I have a virus.
[ link to this | view in chronology ]
Re:
I hear Hydroxychloroquine will help with that.
[ link to this | view in chronology ]
This is fine since they're disrupting a botnet but the same logic could be used to take down ANY site or any software used by a Windows user. Which I think is a bad precedence. I can only hope that whatever judge allows something like this is very, very careful otherwise we'll end up relying on the beneficence of a corporation for who they attack.
[ link to this | view in chronology ]
Re:
This worries me too. I like the use of this to stop botnets, but I honestly don't see why the ONLY option was to (ab)use trademark by an OS manufacturer to stop this. If they know where the servers are, it is extremely bizarre to me why Microsoft needs to be involved at all. Something like this seems like it can clearly fall under the CFAA or similar and can be seized by law enforcement alone.
Maybe because I didn't click through the link to get more info, but I guess I just assumed that specific info on WHY Microsoft had to be involved would not be revealed at this step in the investigation (or at all).
[ link to this | view in chronology ]
Re:
At least it appears they went thru the justice system, I recall some in the past who thought that was not necessary.
[ link to this | view in chronology ]
Re: Re:
It still isn't. Microsoft could just as easily push out an update that says all applications running on Windows 10 must have a valid Microsoft signature from the Microsoft Store.
Then MS could enforce that requirement by mandating that Secure Boot, with MS' key installed as a trusted signer, be enabled to receive all future Windows Updates including security patches. MS could also push manufacturers to issue firmware updates that disables removal of MS' key, force Secure Boot to be active at all times, and enforce firmware downgrade / upgrade protections with manufacturer signed updates only.
It's not like there isn't precedent for these requirements. MS enforces these requirements already with ARM devices. Apple enforces these requirements with iOS devices. Google enforces most of these requirements with Chrome OS devices, and some of them with Android devices. Let alone every modern game console.
All of this can be done without legal intervention. It's really just MS not wanting to upset the neckbeards too much that prevents MS from doing so. After all it's the neckbeards that keep MS' shit working for the general public, and if MS pisses them off too much they'll start installing other things to break MS' control or remove it entirely.
[ link to this | view in chronology ]
Re:
" I can only hope that whatever judge allows something like this is very, very careful otherwise we'll end up relying on the beneficence of a corporation for who they attack."
Fortunately, it's not the 90s any more. Microsoft have high quality, robust and well supported competitors in every business they operate it, and can be easily bypassed in all sectors if required.
[ link to this | view in chronology ]
They probably added a dll that Microsoft provides developers to use in their apps.
[ link to this | view in chronology ]
Gave up on M$ last year and no longer run it. I went to Linux instead and haven't looked back.
It may not be everyone's answer to the problem but it has turned out to be mine. Ever since I've been a happy camper. Don't think I'll be going back.
[ link to this | view in chronology ]