FEBRUARY 25, 2010, 11:51 P.M. ET
Microsoft Battles Cyber Criminals

Microsoft Corp. launched a novel legal assault to take down a global network
of PCs suspected of spreading spam and harmful computer code, adding what
the company believes could become a potent weapon in the battle against
cyber criminals.

But security experts say it isn't yet clear how effective Microsoft's
approach will be, while online rights groups warn that the activities of
innocent computer users could be inadvertently disrupted.

On Monday, a federal judge in Alexandria, Va., granted Microsoft's request
for an order to deactivate hundreds of Internet addresses that the company
linked to an army of tens of thousands of PCs around the globe, infected
with computer code that allows them to be harnessed to spread spam and
malicious virus programs and to mount mass attacks to disable Web sites.

The court order was issued under seal, a rare move in civil cases of this
nature, to allow the company to secretly sever communications channels among
the computers before the network's operators could reestablish contact with
the machines.

Microsoft's move is the latest escalation in a continuing battle against
cyber crime, whose perpetrators have proved adept at using the Internet and
an array of technical tools to evade law enforcement. Electronic nuisances
like spam have become potent tools for profit by professional hackers,
tricking PC users into passing on harmful software and disclosing credit
card numbers, passwords and other valuable personal information.

In one high-profile incident, Google Inc. last month disclosed attacks
against the Internet giant and other major U.S. companies that it linked to
China. Chinese officials deny any involvement.

Microsoft's legal action this week also appears to have connections to
China. The software company, based in Redmond, Wash., on Monday filed a suit
against 27 unnamed "John Doe" defendants for violating federal laws against
computer crime. Microsoft says they operated a global network of infected
PCs, or "botnet," in computer-industry parlance, identified as Waledac.

More than 83% of unsolicited email originated from botnets at last year's
close, says security software firm Symantec Corp.

Microsoft doesn't yet know their identities, but it says the defendants were
linked to more than 270 Internet domain names from which Microsoft traced
electronic instructions bound for the hacker network. The company said it is
seeking to contact the defendants through registration information
associated with those addresses.

Nearly all of the records list contact information in China, though hackers
can easily misrepresent themselves when registering for Internet addresses.
None of the China-based registrants of the suspect addresses, which include, and, could be
reached for comment.

The restraining order compelled VeriSign Inc., which oversees the
registration of all domain names ending in ".com," to temporarily turn off
the suspect Internet addresses. A VeriSign spokesman declined to comment.

Microsoft says the suspect Internet addresses can be thought of as a set of
phone numbers that infected computers within the hacker network were
programmed to call for instructions: for example, where to send spam or which
Web site to overload with traffic.

By cutting off access to those addresses, Microsoft hopes to prevent the
masterminds behind the network from reprogramming the infected PCs with a
fresh batch of addresses to reach, blocking them from directing the network.

"We have a high degree of confidence this will be a major blow to this
botnet," said Richard Boscovich, a senior attorney in Microsoft's digital
crimes unit and a former federal prosecutor.

Other security experts were less convinced, saying that the Internet
addresses Microsoft has brought down could be only a small percentage of the
ones used by hackers to control the network. "The botnet will survive this
in many cases," said Jose Nazario, a researcher at cyber-security company
Arbor Networks.

The Federal Bureau of Investigation and other law enforcement agencies
overseas have targeted similar networks. Marc Rotenberg, executive director
of the Electronic Privacy Information Center, says companies have
supplemented the efforts of law enforcement to fight cybercrimes by taking
private court actions. America Online Inc., for example, sued spammers in
the late 90s.

But Mr. Rotenberg also worries that actions like Microsoft's might become a
form of "vigilantism" that entangles innocent victims. Indeed, the single
U.S.-based registrant of a suspect Internet address in Microsoft's
complaint, Stephen Paluck of Beaverton, Ore., said he was doing nothing
wrong from his Internet address. "I want it back," Mr.
Paluck said. "I'm not doing anything illegal."

Microsoft says it carefully analyzed the Internet addresses to ensure
they're only being used for suspicious purposes and that Mr. Paluck's
Internet address could have been infiltrated by a hacker. A Microsoft
spokeswoman said the company is in discussions with Mr. Paluck.

Greg Garcia, a former assistant secretary in charge of cyber security at the
Department of Homeland Security, said Microsoft's legal sting could still be
worth it. "Law enforcement snags innocent bystanders every now and then,"
Mr. Garcia said.

Write to Nick Wingfield at and Ben Worthen at

Copyright 2009 Dow Jones & Company, Inc. All Rights Reserved