COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF
Randall D. Haimovici (Pro Hac Vice Pending)
[email protected]
Rachael M. Smith (Pro Hac Vice Pending)
[email protected]
SHOOK, HARDY & BACON L.L.P.
One Montgomery, Suite 2700
San Francisco, California 94104-4505
Telephone: 415.544.1900
Facsimile: 415.391.0281

Tony M. Diab (Nevada State Bar No. 12954)
[email protected]
SHOOK, HARDY & BACON L.L.P.
5 Park Plaza, Suite 1600
Irvine, California 92614-2546
Telephone: 949.475.1500
Facsimile: 949.475.0016

Robert J.B. Flummerfelt (Nevada State Bar No. 11122)
[email protected]
Rami Hernandez (Nevada State Bar No. 13146)
[email protected]
CANON LAW SERVICES, LLC
7251 W. Lake Mead Blvd., Suite 300
Las Vegas, Nevada 89128
Telephone: 702.562.4144
Facsimile: 702.866.9868

Attorneys for Plaintiff MICROSOFT CORPORATION
UNITED STATES DISTRICT COURT
DISTRICT OF NEVADA
MICROSOFT CORPORATION,
Plaintiff,
vs.
NASER AL MUTAIRI, an individual; MOHAMED BENABDELLAH, an individual; VITALWERKS INTERNET SOLUTIONS, LLC, d/b/a NO-IP.com; and DOES 1-500,
Defendants.
Case No.
FILED UNDER SEAL
COMPLAINT FOR DAMAGES AND INJUNCTIVE RELIEF
Case 2:14-cv-00987-GMN-GWF Document 2 Filed 06/19/14 Page 1 of 27
Plaintiff Microsoft Corporation (“Microsoft”) complains and alleges as follows against
Defendants Naser Al Mutairi, an individual; Mohamed Benabdellah, an individual; Vitalwerks
Internet Solutions, LLC, d/b/a No-IP.com (“Vitalwerks” or “No-IP”), a Nevada company; and Does
1-500; who author, control, and/or distribute malicious software through approximately 18,472 sub-
domains of Internet domains registered, owned, and controlled by No-IP (“Malware Domains”), set
forth in Exhibit A to this Complaint, as follows:
NATURE OF ACTION
1. This is an action based upon: (1) The Computer Fraud and Abuse Act, 18 U.S.C. §
1030; (2) The Anti-Cybersquatting Consumer Protection Act, 15 U.S.C. § 1125; (3) Nevada’s
Unlawful Acts Regarding Computers and Information Services, N.R.S. § 205.4765; (4) Trespass to
Chattel; (5) Conversion; and (6) Negligence. Microsoft seeks injunctive and other equitable relief
and damages against the cybercriminals who created, distributed, and infected computers with
Bladabindi and Jenxcus malware, and against the registered owner of the Internet domains that have
been used to facilitate the malware infection that has and will continue to cause irreparable harm to
Microsoft, its customers, and the public.
THE PARTIES
2. Plaintiff Microsoft is a corporation organized under the laws of the State of
Washington, having its headquarters and principal place of business in Redmond, Washington.
3. Defendant Naser Al Mutairi, an individual who on information and belief resides in
Kuwait City, Kuwait, is the author, owner, and distributor of the Bladabindi (also known as njRAT)
malware. Defendant Mutairi uses several online aliases or user names including “njq8,” “xnjq8x,”
“njq8x,” and variations of “njrat.”
4. Defendant Mohamed Benabdellah, an individual who on information and belief
resides in or around Mila, Algeria, is the author, owner, and distributor of Jenxcus (also known as H-
worm), a malware that is closely related to Bladabindi. Defendant Benabdellah uses several online
aliases or user names including “Houdini,” “houdinisc,” and “houdini-fx.”
5. Defendant Vitalwerks Internet Solutions, LLC, d/b/a No-IP.com is a company that is
located at 5905 South Virginia Street, Suite 200, Reno, Nevada 89502. Vitalwerks is the registrar
and registrant-owner of several Internet domains affiliated with malware distribution. On
information and belief, Vitalwerks enables the infrastructure used to infect innocent victims
worldwide.
6. Defendants Mutairi and Benabdellah provide free and open access to Bladabindi and
Jenxcus as well as tools that can be used by other cybercriminals to create custom variations of this
malware. On information and belief, Doe Defendants 1-500 have downloaded Bladabindi/Jenxcus
and infected consumers’ computers with the malware, or variations thereof, either alone or
in conjunction with others, and have thereby caused harm to Microsoft and consumers worldwide. These
Defendants use the malware for illicit purposes, including but not limited to, recruiting victims’
computers for botnets. Microsoft is unaware of the true names and capacities of Doe Defendants 1-
500, and therefore sues these Doe Defendants under fictitious names. Microsoft will amend this
Complaint to allege the Doe Defendants’ true names and capacities when ascertained. Microsoft
will exercise due diligence to determine Doe Defendants’ true names, capacities, and contact
information, and to effect service upon those Doe Defendants.
7. The actions and omissions alleged in this Complaint were undertaken by each
Defendant individually, were actions and omissions that each Defendant authorized, controlled,
directed, or had the ability to authorize, control or direct, and/or were actions and omissions for
which each Defendant is liable. Each Defendant aided and abetted the actions of the Defendants as
set forth below, in that each Defendant had knowledge of those actions and omissions, provided
assistance, and benefited from those actions and omissions, in whole or in part. Each of the
Defendants was the agent of each of the remaining Defendants, and in doing the things alleged in
this Complaint, was acting within the course and scope of such agency and with the permission and
consent of other Defendants.
JURISDICTION AND VENUE
8. This action arises out of Defendants’ violation of the Computer Fraud and Abuse Act
(18 U.S.C. § 1030) and the Anti-Cybersquatting Consumer Protection Act (15 U.S.C. § 1125).
Therefore, the Court has subject matter jurisdiction of this action pursuant to 28 U.S.C. § 1331. This
is also an action for Unlawful Acts Regarding Computers and Information Services (N.R.S. §
205.4765), trespass to chattel, conversion, and negligence, of which this Court has supplemental
jurisdiction pursuant to 28 U.S.C. § 1367.
9. Defendants Mutairi, Benabdellah, and Does 1-500 (“Malware Defendants”) have
directed actions at Nevada, including the division of Las Vegas, by directing malicious computer
code at the computers of individual users located there, and infecting those user computers with the
malicious code, which is used to injure Microsoft, its customers and the general public. Microsoft is
aware of over 1200 computers in Las Vegas alone that have encountered the Defendants’ malware.
With this malware, Defendants are able to steal login credentials, such as user names and passwords,
from victims’ computers, and set up networks of computers that are under their control. The
following is a map showing the concentration of these computers in Nevada, which shows the
predominant area of infections occurring in Las Vegas.
[Fig. 1: map of the concentration of these computers in Nevada]
10. Defendant Vitalwerks is a limited liability company registered in and operating under
the laws of Nevada. This Defendant conducts business in the state by offering Dynamic Domain
Name System and other domain hosting services through its website, www.no-ip.com, where
consumers located in Nevada and elsewhere can sign up for free and paid services. Defendant’s
services are used to facilitate the Malware Defendants’ computer hacking activities.
11. Additionally, Defendant Vitalwerks is on notice that its services are being used to
support criminal and malicious activities directed at hundreds of thousands of computers across the
United States, including those located in the state of Nevada and the city of Las Vegas. Defendant
has a contractual obligation to take reasonable and prompt steps to investigate and respond to reports
of Internet or computer abuse, and the company has also made representations to the public that it
has an “abuse team” to police and take action against such malicious activity. Yet Defendant has
failed to take sufficient action to stop, prevent, or effectively control this malicious conduct in
breach of its contractual obligations and best practices of the industry, causing further harm to
Nevada and Las Vegas residents.
12. All Defendants have undertaken the foregoing acts with knowledge that such acts
would cause harm through user computers located in Nevada, thereby injuring Microsoft, its
customers, and others in Nevada and elsewhere in the United States. Therefore, this Court has
personal jurisdiction over them.
13. Pursuant to 28 U.S.C. § 1391(b), venue is proper in this judicial district. A substantial
part of the events or omissions giving rise to Microsoft’s claims occurred in this judicial district, and
a substantial portion of the property and individuals harmed through such acts are located in this
district. A substantial number of computers infected with malware are located in the state of Nevada
and specifically the city of Las Vegas. Venue is also proper in this judicial district under 28 U.S.C.
§ 1391(c) because the Defendants are subject to personal jurisdiction in this judicial district.
FACTUAL BACKGROUND
Overview of No-IP and Dynamic DNS
14. According to Defendant Vitalwerks’ Terms of Service located on the No-IP.com
website, “No-IP.com is an Internet-based Web site that offers DNS Hosting, dynamic DNS, URL
Redirection, email hosting, domain name registration, server monitoring, and software utilities.”
No-IP provides free Dynamic DNS services to individuals who would like to host a website on their
computers or servers that have dynamic Internet Protocol (“IP”) addresses.
15. The Domain Name System, or DNS, is the system by which computers connected to
the Internet locate and communicate with other computers. A domain is simply a network location.
Although domains are often associated with websites, they can also be connection points for
computers with no website interface. When a computer user types an Internet address into his web
browser such as www.microsoft.com, the user’s computer must resolve the domain name
(microsoft.com) into an IP address (12.10.38.33). Once the IP address is known, the computer will
be able to connect to the computer or server that hosts the microsoft.com website.
16. A computer will not have IP addresses for every computer on the Internet stored in its
memory. Instead, this information is stored on many DNS or name servers. Collectively, these
servers constitute an IP address database that serves as an address book for the Internet. If a person
wants to connect to a particular domain, that person’s computer will need to request the IP address
from the DNS server, which will ultimately submit the request to the name server for that domain.
17. When a user enters www.microsoft.com into a web browser, his computer will reach
out to a local DNS server requesting the site’s IP address. The local DNS server will forward this
request to an upstream DNS server, and it will reply to the local DNS server with the IP address of
the authoritative name server for microsoft.com. The local DNS server will then contact the
authoritative name server and request the IP address for microsoft.com, and the authoritative name
server will respond with 12.10.38.33. The user’s computer can then connect with the computer that
hosts the microsoft.com website.
18. Computers can have either static or dynamic IP addresses. When a computer has a
static or permanent IP address assigned to it, that address will be stored in the DNS database. When
a request is made for the IP address for that computer’s domain, the requesting computer will be
directed to the authoritative name server that will have the correct IP address. However, not all
computers have static IP addresses. Internet Service Providers typically provide their customers
with dynamic, or changing, IP addresses because this is a more cost-effective way to do business.
Instead of having an IP address for every customer subscribing to its Internet service, the ISP will
have a smaller number of IP addresses, and it will lease an IP address to its customers’ computers for
a defined period of time. When the lease is up, the computer is assigned a different IP address.
Some providers will assign a new IP address to a computer every time it connects to the Internet. So
if a computer has a dynamic IP address, the computer’s domain name will not always point back to
the same IP address. This makes it difficult for other computers to resolve the dynamic IP address
computer because it may not be possible to locate a DNS server that has the domain’s current IP
address.
19. No-IP offers a free service that will constantly update IP address changes with DNS
servers so that a computer user with a dynamic IP address can have a domain name that will always
point back to his computer. If a user would like to subscribe to No-IP’s free Dynamic DNS service,
he can do so through No-IP’s website. After creating a user name and password and giving an e-
mail address, the subscriber will receive up to three domain names, which will expire in 30 days
unless the subscriber renews his free service. The subscriber installs No-IP’s Dynamic Update
Client to his computer, and this program will update the computer’s changing IP address to No-IP’s
name servers so that the subscriber’s domain name will always point to the current IP address.
No-IP Leases Its Sub-domains to Its Free Subscribers
20. No-IP is the owner and registered name holder of domains that it uses for its free
Dynamic DNS Service (“No-IP domains”). As part of its free service, No-IP does not register a new
domain name to its subscriber. Instead, No-IP allows the subscriber to use a “sub-domain” of one of
the company’s registered domain names subject to No-IP’s Terms of Service. A sub-domain is
essentially a sub-address of another domain. For example, Defendant Vitalwerks owns the domain
“no-ip.biz,” but it leases the sub-domain “thebest007.no-ip.biz” to a free Dynamic DNS subscriber
subject to the Terms of Service set forth on No-IP’s website. The free subscriber must select which
No-IP domain he would like to use (e.g., no-ip.biz), but he can create his own sub-domain name
(e.g., thebest007).
21. By leasing to subscribers a sub-domain of one of its registered domains, many of the
reporting and accountability requirements imposed by authorities who regulate DNS are not
followed.
22. Each Top Level Domain (this is the part of the domain name after the period such as
“.com,” “.net,” or “.edu”) is controlled by a registry operator. For example, the “.com” TLD is
operated and controlled by Verisign, Inc. If a person wishes to register a domain name ending in
“.com,” he must find a registrar that is authorized by Verisign to register .com domain names.
23. A registry operator oversees the administration, regulation, and security of the TLD
by setting forth rules and regulations that must be followed by registrars, or entities that are
authorized to register domain names for that TLD. For an entity to become a registrar, it must agree
to be bound by the registry operator’s rules and regulations (usually by entering into a Registry-
Registrar Agreement) as well as become an accredited registrar with Internet Corporation for
Assigned Names and Numbers, or ICANN. ICANN is the organization that oversees the Domain
Name System, and it sets forth regulations that must be followed by registrars and registered name
holders.
24. Defendant Vitalwerks is a registrar authorized by the relevant registry operators to
register domain names ending in .biz, .com, .info, .name, .net, .org, .pro, and .tel. Pursuant to the
agreements with ICANN and the registry operators, Defendant is required to make certain
information publically available for each new domain name it registers, which includes the
registered domain name, the registered domain holder’s name and address, and the name, address, e-
mail address, telephone number, and fax number for the domain name’s technical and administrative
contacts.
25. Defendant Vitalwerks is the registrar and registrant of the No-IP domains. However,
because Defendant leases sub-domains of its registered domains to its free subscribers, Defendant is
not expressly required to make the identities and contact information of its sub-domain subscribers
publically available. And in fact, Defendant does not collect, store, or make public this information
about its sub-domain users. This causes its service to be favored among cybercriminals.
Investigation into Malware Threats Uncovered Abuse of No-IP
26. Dynamic DNS is a vital part of the Internet because it allows anyone to have a
domain name even though they have a changing IP address. However, if not properly managed, a
Dynamic DNS service can be susceptible to abuse.
27. In early 2014, Microsoft began investigating the top malware threats impacting its
customers. To do this, Microsoft began to monitor data it was receiving from anti-malware utilities
running on its consumers’ computers. When malware is detected and cleaned, it sends data back to
Microsoft, and from this data, Microsoft can determine which malware was removed and whether
the malware was trying to communicate with other computers. What Microsoft determined from
this initial investigation was that in a significant number of cases, the malware was programmed to
reach out and communicate with a No-IP sub-domain, owned and leased by Defendant Vitalwerks as
part of its free Dynamic DNS service.
28. Further investigation revealed that No-IP is functioning as a major hub for 245
different types of malware circulating on the Internet. The figure below shows the diversity of
malware that No-IP supports, each a threat to Microsoft and its consumers.
[Fig. 2: Diversity of Malware]
29. Through No-IP sub-domains, a very large number of small, transient web addresses
are provided a continuous Internet presence. For example, malware on a person’s infected computer
might be programmed to contact “hacker-0005.no-ip.biz.” The person’s computer would first
contact no-ip.biz to get the address of the virus sub-domain, which has a dynamic IP address and is
frequently changing. The name server for no-ip.biz, however, would have the current IP address due
to the Dynamic Update Client constantly updating No-IP’s servers, and the name server would be
able to direct the person’s computer onward. Thus, the Dynamic DNS system provides computers
that move from IP address to IP address a stable domain name for malware infected computers to
contact. In the example above, the hacker-0005.no-ip.biz sub-domain can operate from a changing
set of IP addresses. As long as that sub-domain updates no-ip.biz as to its current IP address,
malware infected machines attempting to reach it will always be able to do so.
30. Dynamic DNS can be exploited to support and monetize cybercrime activities. This
fact is evident from the massive number of malware supported by No-IP domains. By studying
thousands of samples of malware, Microsoft has been able to identify approximately 18,472 sub-
domains of No-IP that are used by cybercriminals, and there are likely many more. Other
researchers have observed the same. In April 2013, one researcher identified No-IP as the most used
Dynamic DNS service for malicious purposes. Less than a year later, another security researcher
concluded the same. For example, sub-domains of “zapto.org” (a No-IP domain) were found to be
blocked 100% of the time by web browsers based on the domain’s reputation for being associated
with malicious activity. Moreover, of the top Dynamic DNS domains most abused by malicious
actors, No-IP domains had a higher number of malware samples than any other Dynamic DNS
domain. The great variety and quantity of malware using No-IP sub-domains as infrastructure is
testament to the utility of this kind of system for those engaged in illegal Internet activities. The top
six types of malware currently using No-IP domains are described in the table below.
Malware | Purpose
Bladabindi/Jenxcus | A family of Remote Access Trojan malware with several components including key logger and backdoor.
Fynloski | A family of Remote Access Trojan malware whose different variants include Trojan Droppers, backdoor Trojans, and unauthorized access and control of an affected computer.
Sisron | A group of Trojans that perform a variety of common malware behaviors.
Rebhip | A family of worm malware that steals sensitive information from the victim’s computer.
Bifrose | A backdoor Trojan that connects to remote IP addresses and allows attacker to access the victim’s computer and perform various actions.
Comrerop | Downloads additional threats onto the victim’s computer.
31. These categories are explained in the following table.
Malware Type | Purpose
Backdoor | Allows an attacker to perform at least the same activity as the user that is compromised. This includes turning on web camera and eavesdropping via microphone, taking screenshots, copying/moving/deleting files on the user’s system, and keystroke logging.
Trojan | Packaged as legitimate software, this malware contains code to compromise a victim’s computer by installing one of the other listed types of additional malware.
Trojan Dropper | An application whose sole purpose is to download and execute software on a victim’s computer. Also used to denote an application that is downloaded and executed on a victim's computer.
Trojan Downloader | An application whose sole purpose is to download files onto a victim’s computer. Also used to denote an application that is copied to a victim's computer.
Keylogger | Password Stealer. This type of malware logs user keystrokes or retrieves text typed by the user with the sole purpose of obtaining user credentials.
Remote Access | An application that allows remote connections to a victim’s computer. This program, once run on a computer, allows visual/keyboard/mouse/audio control over victim’s computer.
Defendant Vitalwerks Is on Notice of the Dynamic DNS Abuse and
Has Failed to Take Corrective Action
32. The Internet security community has noticed the abuse occurring on No-IP’s sub-
domains. In April 2013, OpenDNS published an article online detailing its investigation into
Dynamic DNS abuse, and it identified No-IP sub-domains as the most used for malicious intent of
any other provider. No-IP published the following response, representing that the company had a
strict abuse policy and had an abuse team to combat computer fraud and crimes:
At No-IP, we have a very strict abuse policy. Our abuse team is constantly working to keep our domains free of spam and malicious activity. Even with such precautions, our services do fall prey to cyberscammers and spammers. We highly encourage our users and others to let us know if they come across a hostname that isn’t abiding by our Terms of Service. We dislike spammers and scammers just as much as everyone else. To report a violation of our TOS or any other abuses of our services, please email [email protected].
33. Despite its representation of having a “very strict abuse policy,” the abuse on No-IP
sub-domains continued. Another Internet security group, Cisco, published an article on February 11,
2014 that again outlined the extensive abuse occurring on No-IP domains, including the distribution
of malware. No-IP published a similar response and even provided that the company “work[s] with
law enforcement daily to ensure that we are doing our part to keep the internet safe.”
34. OpenDNS Security Labs and Cisco are not the only security firms that have reported
on the No-IP abuse. Other firms such as FireEye, Symantec, and General Dynamics have published
reports detailing this abuse. The report Symantec published in March 2013 specifically identifies a
group of Bladabindi malware distributors that is using No-IP sub-domains.
35. Defendant Vitalwerks directs visitors to its website to email the company at
[email protected] to report violations of its Terms of Service. Pursuant to No-IP’s Terms of
Service, attached as Exhibit B, subscribers are prohibited from engaging in the activities that Internet
security firms have noticed are occurring through the No-IP domains. These prohibitions include
abusing or fraudulently using the No-IP service, interfering or tampering with another subscriber’s
use of the service, or any use that violates local, state, or federal law or otherwise violates Internet
regulations, policies, or procedures. No-IP expressly prohibits particular types of abuse as well, such
as sending unsolicited e-mail, Denial of Service attacks, and causing or attempting to cause harm to
another computer or network.
36. Although Defendant Vitalwerks is on notice and should be aware that its services are
heavily abused, it has failed to take sufficient steps to correct, remedy, or prevent the abuse and to
keep its domains free from malicious activity. In its report, Cisco recommended that No-IP could
implement a security measure, called DNS Response Policy Zone, that could be used to block
malicious traffic. Additionally, other security measures exist that would curtail the malicious abuse
of the No-IP domains, such as the use of a web reputation service. However, on information and
belief, Defendant Vitalwerks has failed to employ the best practices available to stop the abuse.
After the February 2014 Cisco report was published, Microsoft continues to see 2,000-3,000 new
unique malware samples per month that are supported by No-IP.
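The following is an added illustration, not part of the Complaint and not code from any party to it. It shows how a network defender could spot the pattern described in paragraph 29 (one stable sub-domain answering from a changing set of IP addresses) in resolver logs, and turn the result into DNS Response Policy Zone records of the kind mentioned in paragraph 36. The log format, the churn threshold, and the two-entry zone list are assumptions; the log lines are constructed.

```python
"""Flag dynamic-DNS sub-domain lookups in resolver logs and emit RPZ rules."""
from collections import defaultdict

# Dynamic DNS parent zones named in the Complaint. Assumption: a real
# deployment would maintain a longer, curated list.
DDNS_ZONES = {"no-ip.biz", "zapto.org"}

# Constructed sample log (not real traffic). Assumed line format:
#   <timestamp> <client-ip> <qname> <qtype> <answer-ip>
SAMPLE_LOG = """\
2014-06-01T10:00:00Z 10.0.0.5 hacker-0005.no-ip.biz A 203.0.113.10
2014-06-01T10:00:02Z 10.0.0.7 www.microsoft.com A 192.0.2.33
2014-06-01T14:30:00Z 10.0.0.5 hacker-0005.no-ip.biz A 198.51.100.24
2014-06-01T19:05:00Z 10.0.0.9 Hacker-0005.No-IP.biz. A 192.0.2.77
2014-06-02T08:00:00Z 10.0.0.8 thebest007.no-ip.biz A 203.0.113.50
2014-06-02T09:00:00Z 10.0.0.8 thebest007.no-ip.biz A 203.0.113.50
2014-06-02T09:10:00Z 10.0.0.6 evilno-ip.biz A 203.0.113.99
malformed line
"""


def ddns_zone(qname):
    """Return the dynamic DNS zone that qname is a sub-domain of, else None.

    Matching is done on whole labels, so "evilno-ip.biz" does not match
    "no-ip.biz", and the zone apex itself is not treated as a sub-domain.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in DDNS_ZONES:
            return parent
    return None


def analyze(log_text, min_distinct_ips=3):
    """Summarise lookups of dynamic DNS sub-domains found in the log.

    A host is marked "churning" when it resolved to at least
    min_distinct_ips different addresses. Churn is a triage signal only:
    legitimate dynamic DNS users also change address.
    """
    seen = defaultdict(lambda: {"clients": set(), "answers": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "A":
            continue  # skip malformed lines and non-A records
        _, client, qname, _, answer = parts
        if ddns_zone(qname) is None:
            continue
        host = qname.rstrip(".").lower()
        seen[host]["clients"].add(client)
        seen[host]["answers"].add(answer)

    findings = []
    for host, info in sorted(seen.items()):
        findings.append({
            "host": host,
            "zone": ddns_zone(host),
            "clients": sorted(info["clients"]),   # internal machines to check
            "distinct_ips": len(info["answers"]),
            "churning": len(info["answers"]) >= min_distinct_ips,
        })
    return findings


def rpz_records(findings):
    """Build RPZ zone-file lines for churning hosts.

    In a Response Policy Zone, "<name> CNAME ." makes the resolver answer
    NXDOMAIN for <name>. Owner names are relative to the RPZ zone origin.
    """
    return [f"{f['host']} CNAME ." for f in findings if f["churning"]]


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f)
    print("\n".join(rpz_records(results)))
```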
The Majority of Malware Using No-IP is Bladabindi/Jenxcus
37. By far, the majority of malware using No-IP domains is Bladabindi and a related
malware called Jenxcus. Microsoft’s investigation thus focused on this family of malware.
38. Defendant Mutairi created the Bladabindi malware and Jenxcus malware that is
closely related in function to Bladabindi. He promotes its use to other cybercriminals by making the
malware publicly available for download, publishing updates to the malware online, and providing
instructions and tutorials on how to use and customize the malware. The following is a screen shot
of a publicly-available YouTube tutorial that specifically instructs the viewer to obtain a No-IP
account:
39. Defendant Benabdellah created a popular variant of the Jenxcus malware. Bladabindi
and Jenxcus share a common code base, and on information and belief, Defendant Benabdellah used
the code for Bladabindi to create his Jenxcus malware.
40. Bladabindi/Jenxcus malware can be downloaded by other cybercriminals who then
can use the malware’s “dashboard” to customize the malware to suit their needs. The dashboard is a
user interface that allows the user to customize the malware and control the infected computers. The
dashboard can display a list of all infected computers’ IP addresses and locations, and it can even
display real time screen shots of the infected computers’ desktop. Below is a screenshot of a
dashboard for Bladabindi, also known as the njRAT dashboard, showing what information is
available to the Malware Defendant once he has control over an infected computer.
Fig. 3
41. Malware Defendants have distributed and infected user computers with
Bladabindi/Jenxcus. Microsoft has detected over 7,486,833 instances of Windows computers that
have encountered one or more versions of Bladabindi or Jenxcus malware in the past year. This
likely represents only a small subset of the number of computers because Microsoft is only able to
monitor machines running its anti-malware software. Based on market share data, the total number
of detections over the past year may easily be two to three times this amount.
Bladabindi/Jenxcus Infected Computers Become Part of a Botnet
42. When a computer is infected with Bladabindi or Jenxcus, it becomes part of a
“botnet.” A botnet is a collection of individual computers, each running malware that allows
communications between the infected computers to one or more other computers controlled by the
distributor of the malware, typically referred to as the “command and control,” as shown in the
figure below.
[Figs. 4 and 5; diagram labels: bot herder, command & control server (Dashboard), infected victim computers (“bots”)]
43. Through the command-and-control computer or computers, cybercriminals or “bot
herders” are able to control the infected computer, steal information from the infected computer, and
provide instructions or additional malware modules to the infected personal computers and upload
data from them. Cybercriminals often use botnets because of their ability to support a wide range of
illegal conduct, their resilience against attempts to disable them, and their ability to conceal the
identities of the malefactors controlling them.
44. Botnets provide a very efficient means of controlling large numbers of computers and
targeting any action internally against the contents of those computers or externally against other
computers on the Internet. The third parties running the botnet can use the network of infected
personal computers for various nefarious and criminal activities including spam, denial of service
attacks on other computers connected to the Internet, theft of financial and banking data,
eavesdropping, stalking, and other schemes. Access to the compromised personal computers can
also be sold, leased, or swapped by one criminal group to another.
45. Microsoft has carefully studied the Bladabindi and Jenxcus botnet architecture,
design, and functions. A Bladabindi/Jenxcus botnet consists of two tiers: the infection tier and the
command-and-control tier. The infection tier is comprised of infected personal computers owned by
innocent and unsuspecting people. These might be office or home desktop computers, laptop
computers, computers in public libraries, and so forth. Computers can become infected in one of
several ways. A person may use an infected thumb-drive borrowed from a friend or colleague that
contains the malware; access a malicious link or hacked website on which the malware downloader
is staged; or download other malware containing instructions to download Bladabindi or Jenxcus. In
fact, Jenxcus is particularly infectious when spread through thumb-drives because the infection
happens automatically when a user inserts a thumb-drive into the infected computer instead of
requiring the botnet operator to enable this function through the dashboard.
46. Once Bladabindi/Jenxcus has been downloaded, in some instances, the user still
needs to access the malicious file for the malware to become active. Here, some forms of the
malware trick consumers into opening and running the file by disguising themselves as a legitimate file.
The malware uses deceptive file names and icons that are familiar to the user, such as
“MyPictures.exe,” or that entice the user to open the file like “StartupFaster.exe” or
“NewDocument.exe.” Some Jenxcus variations create a shortcut file containing the malware that
has the same name and icon of a file present on the user’s thumb-drive. This method of mimicking
the user’s actual files is designed to ensure that the user will click on the file and activate the
malware.
47. When the malware is run, it will copy itself to a location on the user’s computer that
ensures that the malware will run every time the computer is started. The malware avoids detection
because it disguises itself as a critical process running on the user’s machine. The spread of the
malware in this way is not related to any vulnerability in Microsoft’s systems, but is instead
achieved by misleading people into taking steps that result in the infection of their computers.
48. Once a computer is infected with the malware and the malware has been activated,
the malware will instruct the computer to contact the botnet controller’s command-and-control
computer. The command-and-control is the second tier of the botnet. Typically, botnets have many
command-and-control computers in this tier, which are in turn controlled by a bot herder. In
contrast, a Bladabindi/Jenxcus botnet consists of one command-and-control computer through which
a single hacker (a Malware Defendant) communicates and controls the infected computers through
the malware’s dashboard. However, there can be many Bladabindi/Jenxcus botnets at any given
time, each one controlled by a different Malware Defendant, creating a syndicate of botnets.
49. The infected computer will contact the command-and-control computer to let it know
that the malware has been activated and that the computer is ready to receive instructions from a
Malware Defendant. When a Malware Defendant creates his version of Bladabindi/Jenxcus, he
programs the malware to let the infected computer know to reach out to a specific domain, which
will resolve to the IP address for Malware Defendant’s command-and-control computer, as depicted
in the diagram below. Once the infected computer is directed to the command and control, the
Malware Defendant can then directly communicate with the infected computer.
[Chart: Bladabindi/Jenxcus Malware Domains. NOIP: 11612 (93%); OTHERS: 936 (7%)]
50. No-IP domains are a significant part of the botnet infrastructure. Without No-IP
domains, the infected computers would not be able to locate the Malware Defendants’ command-
and-control computers, which have dynamic IP addresses. Through No-IP’s Dynamic DNS service,
an infected computer is able to locate the command-and-control through the No-IP sub-domain. No-
IP domains are the necessary means by which the first point of contact occurs between the infection
tier and the command-and-control tier.
51. No-IP is the predominant Dynamic DNS service used by the Malware Defendants for
Bladabindi/Jenxcus botnet communication. As shown in the figure below, out of all Dynamic DNS
providers, No-IP domains are used 93% of the time to support Bladabindi/Jenxcus infections.
Fig. 6
Fig. 7
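The lookup pattern described in paragraphs 50 and 51, seen from the defender's side, as an added example that is not part of the complaint or of any party's code: it scans a resolver query log for names under dynamic DNS zones and summarises them per client. The zone names, the log format, the sample lines and the evenly-spaced-lookup heuristic are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed placeholder zones standing in for a dynamic DNS provider's
# parent domains; a real deployment would load the provider's own list.
DYNDNS_ZONES = {"ddns.example", "dyn.example.net"}
# Marks the complaint says appear in some sub-domain names.
BRAND_MARKS = ("microsoft", "windows")

# Constructed sample log: ISO timestamp, client IP, queried name.
SAMPLE_LOG = """\
2014-06-01T10:00:00 10.0.0.5 host42.ddns.example
2014-06-01T10:05:00 10.0.0.5 host42.ddns.example
2014-06-01T10:10:00 10.0.0.5 host42.ddns.example
2014-06-01T10:15:00 10.0.0.5 Host42.DDNS.example.
2014-06-01T10:01:10 10.0.0.9 www.example.org
2014-06-01T10:02:00 10.0.0.9 windows-update.dyn.example.net.
2014-06-01T10:03:00 10.0.0.7 notddns.example
2014-06-01T10:04:00 10.0.0.7 ddns.example
malformed line
"""


def normalise(qname):
    """Lower-case a query name and drop the trailing root dot."""
    return qname.lower().rstrip(".")


def dyn_zone(qname):
    """Return the dynamic DNS zone that qname is a sub-domain of, else None."""
    labels = normalise(qname).split(".")
    # Compare whole-label suffixes so 'notddns.example' never matches
    # 'ddns.example'; starting at 1 excludes the zone apex itself.
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in DYNDNS_ZONES:
            return suffix
    return None


def analyse(log_text, min_queries=3, jitter=0.2):
    """Summarise dynamic DNS lookups per (client, name) pair."""
    lookups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records instead of failing
        stamp, client, qname = parts
        if dyn_zone(qname) is None:
            continue
        try:
            lookups[(client, normalise(qname))].append(
                datetime.fromisoformat(stamp))
        except ValueError:
            continue
    findings = []
    for (client, name), times in sorted(lookups.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = False
        if len(times) >= min_queries:
            mean = sum(gaps) / len(gaps)
            # Heuristic (assumption): evenly spaced repeats suggest an
            # automated check-in rather than a person browsing.
            periodic = mean > 0 and all(
                abs(g - mean) <= jitter * mean for g in gaps)
        zone = dyn_zone(name)
        sub = name[: -len(zone) - 1]  # labels to the left of the zone
        findings.append({
            "client": client, "name": name, "zone": zone,
            "queries": len(times), "periodic": periodic,
            "brand_label": any(mark in sub for mark in BRAND_MARKS),
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```
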
Bladabindi/Jenxcus Gives Malware Defendants Control Over Consumer Computers
52. Once the computer is infected with Bladabindi or Jenxcus, the Malware Defendants
gain control over the consumers’ computers, and they can conduct a variety of illegal and harmful
activities, including accessing the user’s files, turning on the computer’s video camera or
microphone to record victims (which includes minors), recording keystrokes to obtain sensitive
information like passwords and credit card numbers, taking snapshots of the user’s desktop, and
sending commands to download additional malware.
53. Malware Defendants control user computers through the malware dashboard, which
has a variety of commands that can be executed. The following is an example of a dashboard with
the different commands that are available to the hacker.
Fig. 8
54. One of the malware’s primary functions is to steal information, such as passwords
and account credentials. The information stealer can be found on a file included with the dashboard
called “pw.dll.” This feature of the dashboard is coded to steal login credentials for No-IP accounts,
which is easy to do because of a vulnerability in the Dynamic Update Client installed on No-IP’s
subscribers’ computers. The Dynamic Update Client stores the subscriber’s user name and password
without using any encryption in the registry of the subscriber’s computer, which is easily accessible to
other programs on the computer. This is contrary to best practices used in the industry. An Internet
security firm, FireEye, identified this vulnerability in a 2013 article, but on information and belief,
Defendant Vitalwerks has not remedied the problem.
Defendants Cause Irreparable Harm to Microsoft and Its Customers
55. Microsoft is the provider of the Windows operating system and a variety of other
software and services. Microsoft has invested substantial resources in developing high-quality
products and services. Due to the high quality and effectiveness of Microsoft’s products and
services and the expenditure of significant resources by Microsoft to market those products and
services, Microsoft has generated substantial goodwill with its customers, has established a strong
brand, has developed the Microsoft name and the names of its products and services into strong and
famous world-wide symbols that are well-recognized within its channels of trade. Microsoft has
registered trademarks representing the quality of its products and services and its brand, including
the Windows marks.
56. Defendants’ actions, including but not limited to the distribution of malware, injure
Microsoft and its reputation, brand, and goodwill because users subject to the negative effects of
these malicious applications incorrectly believe that Microsoft or Windows is the source of their
computer problems. The Malware Defendants further this belief by using sub-domains, owned and
leased by Defendant Vitalwerks, for their malicious activities that contain the phrases “Microsoft”
and “Windows.” Additionally, Microsoft devotes significant computing and human resources to
combating the distribution of Bladabindi, Jenxcus, and other malware infections and helping
customers determine whether or not their computers are infected, and if so, cleaning them.
Customers’ frustration with having to deal with malware infection on their computers diminishes
their regard for Windows and Microsoft, and tarnishes Microsoft’s reputation and goodwill.
57. Microsoft’s customers may incorrectly attribute the negative impact of the malware
supported by No-IP to Microsoft. Additionally, there is a serious risk that customers may move
from Microsoft’s products and services because of such activities. And, there may be significant
challenges to having such customers return, given the cost they bear to switch to new products and
perceived risks.
58. Microsoft and its customers are injured when the malware is maliciously introduced
onto people’s computers without their knowledge or consent. The installation of malware by
deceiving consumers and without Microsoft’s authorization is an intrusion into the Microsoft
Windows operating system (which is licensed to Microsoft’s customers), without Microsoft’s
authorization.
59. The malware supported by No-IP installs and runs without the customers’ or
Microsoft’s knowledge or consent. The malware specifically targets the Windows operating system.
For example, it mimics particular files that are specific to the Windows operating system, without
the consent of Microsoft or its customers. Once infected, Defendants have control over the users’
computers and can commit further malicious activities like stealing passwords and account
credentials.
60. Once customers’ computers are infected with malware supported by No-IP sub-
domains, they may be unaware of that fact and may not have the technical resources to solve the
problem, allowing their computers to be infected and misused indefinitely. This is particularly true
for Bladabindi and Jenxcus malware given their ability to conceal and protect themselves from detection
and removal. The Malware Defendants can see through the dashboard whether a user is running an
anti-virus program and send a command to the computer to stop the program from running, which
will prevent detection. Additionally, if a user notices that the Bladabindi malware is running on his
machine and tries to stop it, the malware will cause the user’s computer to crash. In such
circumstances, technical attempts to remedy the problem may be insufficient and the injury caused
to customers will continue. The injury caused by this malware and No-IP subdomains extends far
beyond Microsoft to other consumers and providers, into internet infrastructure and ultimately to the
majority of computer users worldwide, placing each at an increased risk.
61. The Malware Defendants cause Microsoft’s consumers untold harm. With the
malware dashboard, they are able to execute many commands on users’ computers that can steal
sensitive information and invade the users’ privacy. For example, they can steal users’ banking
credentials, such as online user names, passwords, and account numbers. When a user conducts
transactions online, the Defendant can monitor the user’s keystrokes and capture home addresses,
work addresses, telephone numbers, credit card information, and social security numbers. The
Malware Defendants can see in real time users’ computer displays and can also remotely turn on the
users’ video cameras or microphones without their knowledge, which is violative of many states’
privacy and wiretapping laws. The information Defendants collect can be sold or traded to other
wrongdoers and can even be used for blackmail. Consumers suffer not only economic harm as a
result of Malware Defendants’ actions but non-economic losses as well, such as emotional distress,
from identity theft and intrusions upon privacy.
FIRST CLAIM FOR RELIEF
(Violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 – Against the Malware
Defendants)
62. Microsoft realleges and incorporates by reference the allegations contained in
paragraphs 1 through 61 above.
63. Defendants: (a) knowingly and intentionally accessed Microsoft customers’ protected
computers and Microsoft’s protected computers without authorization or in excess of any
authorization and thereby obtained information from the protected computers in a transaction
involving an interstate or foreign communication (18 U.S.C. § 1030(a)(2)(C)), (b) knowingly and
with an intent to defraud accessed the protected computers without authorization or in excess of any
authorization and obtained information from the computers, which Defendants used to further the
fraud and obtain something of value (18 U.S.C. § 1030(a)(4)); (c) knowingly caused the
transmission of a program, information, code and commands, and as a result of such conduct
intentionally caused damage without authorization to the protected computers (18 U.S.C. §
1030(a)(5)(A)); and/or (d) intentionally accessed the protected computers without authorization, and
as a result of such conduct caused damage and loss (18 U.S.C. § 1030(a)(5)(C)).
64. Defendants’ conduct has caused a loss to Microsoft during a one-year period
aggregating at least $5,000.
65. Microsoft has suffered damages resulting from Defendants’ conduct.
66. Microsoft seeks compensatory and punitive damages under 18 U.S.C. § 1030(g) in an
amount to be proven at trial.
67. As a direct result of Defendants’ actions, Microsoft has suffered and continues to
suffer irreparable harm for which Microsoft has no adequate remedy at law, and which will continue
unless Defendants’ actions are enjoined.
SECOND CLAIM FOR RELIEF
(Violation of the Anti-Cybersquatting Consumer Protection Act, 15 U.S.C. § 1125 – Against
All Defendants)
68. Microsoft realleges and incorporates by reference each and every allegation set forth
in paragraphs 1 through 67 above.
69. Defendants have registered, trafficked in, and/or used domain names containing the
terms “Microsoft” and “Windows,” which are protected marks owned by Microsoft. Attached as
Exhibit D to this Complaint is a list of all No-IP sub-domains containing these protected marks as
part of the domain name.
70. The sub-domains containing the term “Microsoft” or “Windows” are identical and/or
confusingly similar to Microsoft’s marks. Defendants’ infringing use is likely to cause confusion or
deceive Microsoft’s consumers as to the affiliation of the malicious No-IP sub-domains.
71. Defendants acted with bad faith intent to profit from Microsoft’s marks.
72. Microsoft has suffered damages resulting from Defendants’ conduct.
73. Microsoft seeks compensatory damages under 15 U.S.C. § 1117(a) in an amount to be
proven at trial, or it may elect to pursue statutory damages pursuant to 15 U.S.C. § 1117(d) for up to
$100,000 per infringing domain name.
74. Microsoft seeks forfeiture and cancellation of the infringing domain names or transfer
of the domain names to Microsoft.
75. As a result of Defendants’ actions, Microsoft has suffered and continues to suffer
irreparable harm for which Microsoft has no adequate remedy at law, and which will continue unless
Defendants’ actions are enjoined.
THIRD CLAIM FOR RELIEF
(Violation of Unlawful Acts Regarding Computers and Information Services Statute, N.R.S. §
205.473 et seq. – Against the Malware Defendants)
76. Microsoft realleges and incorporates by reference each and every allegation set forth
in paragraphs 1 through 75 above.
77. Defendants: (a) knowingly, willfully and without authorization modified, damaged,
destroyed, disclosed, used, transferred, concealed, took, retained possession of, copied, obtained or
attempted to obtain access to, permitted access to or caused to be accessed, and/or entered data,
programs, and/or supporting documents existing inside or outside user computers (N.R.S. §
205.4765(1)); (b) knowingly, willfully and without authorization modified, destroyed, used, took,
damaged, transferred, concealed, copied, retained possession of, obtained or attempted to obtain
access to, and/or permitted access to or caused to be accessed equipment or supplies that are used or
intended to be used in a computer, system, or network (N.R.S. § 205.4765(2)); (c) knowingly,
willfully and without authorization destroyed, damaged, took, altered, transferred, disclosed,
concealed, copied, used, retained possession of, obtained or attempted to obtain access to, permitted
access to or caused to be accessed a computer, system, or network (N.R.S. § 205.4765(3)); and/or (d)
knowingly, willfully and without authorization obtained and disclosed, published, transferred, or
used a device used to access a computer, network, or data (N.R.S. § 205.4765(4)).
78. Defendants knowingly, willfully, maliciously, and without authorization: (1)
interfered with the use of and access to a computer, system, or network to a person who had the right
and duty to use it (N.R.S. § 205.477(1)); and (2) used, caused the use of, accessed, attempted to gain
access to, or caused access to be gained to a computer, system, or network (N.R.S. § 205.477(2)).
79. Microsoft has suffered damages resulting from Defendants’ conduct.
80. Microsoft seeks compensatory and punitive damages, and attorneys’ fees and costs, under
N.R.S. § 205.511 in an amount to be proven at trial.
81. As a direct result of Defendants’ actions, Microsoft has suffered and continues to
suffer irreparable harm for which Microsoft has no adequate remedy at law, and which will continue
unless Defendants’ actions are enjoined.
FOURTH CLAIM FOR RELIEF
(Trespass to Chattels – Against the Malware Defendants)
82. Microsoft realleges and incorporates by reference each and every allegation set forth
in paragraphs 1 through 81 above.
83. Defendants’ actions in the distribution of malware result in unauthorized access to the
computers of Microsoft and its customers and result in harm to those computers.
84. Defendants intentionally caused this unauthorized conduct.
85. Defendants’ actions have caused injury to Microsoft and its customers and imposed
costs on Microsoft and its customers, including time, money and a burden on the computers of
Microsoft and its customers, as well as injury to Microsoft’s business goodwill and diminished the
value of Microsoft’s possessory interest in its computers and software.
86. As a result of Defendants’ unauthorized and intentional conduct, Microsoft has been
damaged in an amount to be proven at trial.
87. As a direct result of Defendants’ actions, Microsoft has suffered and continues to
suffer irreparable harm for which Microsoft has no adequate remedy at law, and which will continue
unless Defendants’ actions are enjoined.
FIFTH CLAIM FOR RELIEF
(Conversion – Against the Malware Defendants)
88. Microsoft realleges and incorporates by reference each and every allegation set forth
in paragraphs 1 through 87 above.
89. Defendants have interfered with and converted Microsoft’s personal property that was
in denial of and inconsistent with Microsoft’s title and right to the possession and use of its property.
90. Defendants’ actions deprived Microsoft of possession and use of its property.
91. As a result of Defendants’ actions, Microsoft has been damaged in an amount to be
proven at trial.
92. As a direct result of Defendants’ actions, Microsoft has suffered and continues to
suffer irreparable harm for which Microsoft has no adequate remedy at law, and which will continue
unless Defendants’ actions are enjoined.
SIXTH CLAIM FOR RELIEF
(Negligence – Against All Defendants)
93. Microsoft realleges and incorporates by this reference each and every allegation set
forth in paragraphs 1 through 92 above.
94. Defendants Mutairi, Benabdellah, and Does 1-500 were and are subject to a duty to
exercise care to prevent their use of No-IP domains to propagate malware, to create botnet
syndicates, and to engage in and further the malicious conduct alleged in this Complaint. The source
of this duty of care includes, but is not limited to, Defendants’ contractual obligations not to use or
allow use of the domains for the purposes and acts alleged herein as set forth in No-IP’s Terms of
Service. By registering for a No-IP account, Defendants agreed to be bound by these contractual
obligations.
95. Similarly, Defendant Vitalwerks was and is subject to a duty to exercise care to
detect, prevent, report, and/or remedy any third party’s use of No-IP domains to support malware
infections or to otherwise further the malicious conduct alleged in this Complaint. The source of this
duty of care includes, but is not limited to, the best practices of the industry, Defendant’s
representations to the public that it would assume such a duty, and Defendant’s contractual
obligations not to use or allow use of the domains for the purposes and acts alleged herein, as set
forth in its agreements with the registry operators and ICANN, attached as Exhibits D through H to
this Complaint.
96. Defendants breached their respective duties of care by registering sub-domains that
are used to support or facilitate malware schemes, and by using or allowing their licensee customers
or other third parties to use the No-IP sub-domains to propagate malware infections, create botnet
syndicates, and to engage in the malicious conduct set forth herein.
97. Defendants’ breaches of their duties of care as set forth above have actually and
proximately caused Microsoft to suffer and to continue to suffer irreparable harm for which
Microsoft has no adequate remedy at law, and which will continue unless Defendants’ actions are
enjoined.
98. As an actual and proximate result of the Defendants’ breach of their duty of care,
Microsoft is entitled to damages in an amount to be proven at trial.
PRAYER FOR RELIEF
WHEREFORE, Plaintiff Microsoft prays for the following relief:
A. Judgment in favor of Microsoft and against Defendants;
B. Declare that Defendants’ conduct has been willful and that Defendants have acted with
fraud, malice and oppression;
C. Enter a preliminary and permanent injunction enjoining Defendants and their officers,
directors, principals, agents, servants, employees, successors, and assigns, and all persons and
entities in active concert or participation with them, from engaging in any of the activity complained
of herein or from causing any of the injury complained of herein and from assisting, aiding or
abetting any other person or business entity in engaging in or performing any of the activity
complained of herein or from causing any of the injury complained of herein;
D. Enter judgment awarding Microsoft actual and/or statutory damages from Defendants
adequate to compensate Microsoft for Defendants’ activity complained of herein and for any injury
complained of herein, including but not limited to interest and costs, in an amount to be proven at
trial;
E. Enter judgment awarding enhanced, exemplary and special damages, in an amount to
be proved at trial;
F. Enter judgment awarding attorneys’ fees and costs; and
G. Order such other relief that the Court deems just and reasonable.
Dated: June 19, 2014
Respectfully submitted,
SHOOK, HARDY & BACON, L.L.P.
/s/ Tony M. Diab
TONY M. DIAB
Attorneys for Plaintiff Microsoft Corporation