Ronald L. Chichester*

30990-txb_44-1 Sheet No. 4 Side A 02/01/2012 14:53:16 as a Chair of the 10/27/2011 12:39 PM OTNETS B NACTS THE NACTS E OMBAT OMBAT ffice. ffice. Ron served EXAS C :T * www.digitaltransactions.info). Ron is admitted to r presentations of interest, visit his website at nt nt and Trademark O OURTROOM C PECIFICALLY TO TO PECIFICALLY S Ronald L. Chichester Ronald L. THE CAUSE OF ACTION ...... 8 8 ...... ACTION OF THE CAUSE CREATING THE BOTNET ...... 3 3 ...... THE BOTNET CREATING — — ESIGNED D ) OMBIES IN THE THE OMBIES IN SIONS ...... 10 ...... SIONS Z AW ELETE D L OT N O M K IRST LAYING LAYING C Y F S Ron Chichester is an attorney, a certified computer forensic examiner, and an Adjunct Professor at the University of of University the at Professor Adjunct an and examiner, forensic computer certified a attorney, an is Chichester Ron www.txcomputerlaw.com. The author gratefully acknowledges Dallas-based attorney, the and Ms. help Irene Kosturakis, and in-house counsel support for BMC of Software, getting Mr.for the first anti-botnettheir law enacted. help Joseph and support Jacobson, in a Computer Computer & Technology Section of the Texas Bar and is Business currently Chair of the Law E-Commerce Committee of Section. the For a copy of this and othe Houston Law Center, where he U.S. teachesthe District the and Nebraska, of Texas of District Southern the for Courts U.S. the Texas, of “DigitalState the in practice Transaction” ( Court of Appeals for the Federal Circuit, and the U.S. Pate

* IX. CONCLU X. 10 ...... A APPENDIX III. ZOMBIFICATION IV. 4 ...... STATUTES MISUSE COMPUTER CURRENT OTHER V. 6 ...... VI. STATUTE ANTI-BOTNET FIRST THE OF DESCRIPTION SHORT A 28 S.B. UTILIZING VII. 9 ...... THE EVIDENCE GATHERING 9 VIII...... THE PERPETRATOR(S) FINDING I. II. INTRODUCTION...... 2 ...... BOTNET? A IS WHAT 2 ZOMBIES (D 30990-txb_44-1 Sheet No. 4 Side A 02/01/2012 14:53:16 02/01/2012 A 4 Side No. Sheet 30990-txb_44-1 30990-txb_44-1 Sheet No. 4 Side B 02/01/2012 14:53:16 . 44:1 M K which are OL C Y Hacking the — (McGraw-Hill, (McGraw-Hill, without their By using the the using By 2 ENERATION . In order to obtain a G are standard personal Andy Greenberg, Greenberg, Andy ET see N [V , the power grid, the telephone, 3 AW L e.g. Thus, the Internet has achieved the the achieved has Internet the Thus, 1 ISE OF THE R HE USINESS y sending special SMS control messages :T B 130 (3rd ed. MIT Press 1996). 1996). 130Press MIT ed. (3rd ) 10/27/2011 12:39 PM IGITAL D ELETE P D U ICTIONARY —to —to the person’s device. The attack is enabled by a memory serious D OT N OURNAL OF OURNAL O J I. INTRODUCTION (D ACKER ROWING II. WHAT IS A BOTNET? BOTNET? A IS WHAT II. H DOCX EXAS EW N HE T term term used by computer programmers and security specialists is “cracked.” A cracker is .FINAL.10.26.11. , Dan Tapscott, G ST .1 also makes it easier for the tortfeasor to pin the blame for his activities on — ACRO M The The compromised computers, called “bots” or “zombies,” Botnets Botnets are created and/or utilized by people called “herders” At the July 29, 2009 Black Hat Conference, security researcher Charlie Miller demonstrated how an attacker See See generally , (August 4, 2009), http://www.forbes.com/2007/08/04/iphone-apple-mac-tech-cx_ag_0804miller.html. “Compromised” is a computer security term of art for a machine whose security has been pierced so that it will 3 1 2 T HICHESTER iPhone Incidentally, Apple has released demonstrates the a vulnerability patch of the to devices, remedy vulnerability. and the the steps vulnerability users will in have its to take iPhone in devices. order to mitigate Still, that this exploit

'hacker'”. Eric S. Raymond, Raymond, S. Eric 'hacker'”. obey obey the commands of an unauthorized person. The mainstream slang although the equivalent more to precise “compromised” is “hacked,” defined as “[o]ne who breaks security on a system. Coine by hackers in defense against journalistic misuse of 1997). 1997). owned owned by but the are tortfeasor, used by the for his tortfeasor gain. personal A botnet is a network of compromised Internet-connected computers that are not dollars of business being transacted on a daily basis. Indeed, children of high school age have never known a time without ready access to the The Internet. Internet has become indispensable for companies and individuals, billionswith of 2 C be copied or used in a prohibited in activity. or used be copied processing processing power and network bandwidth of others, the tortfeasor relieves himself of the need to purchase his own permission computer equipment. innocent people. Use of the victim’s Use computer may be only part of of the problem. Depending other’s upon the activity committed by the tortfeasor, the computers— user’s data present on the computer may also it should be no surprise that criminals and tortfeasors have found ways to exploit the Internet. today Internet is virulent thethe maladies of plaguing One more botnets. status of a basic utility. However, unlike previous utilities ( is Internet etc.), the still largely unregulated. Consequently, potential exists,the for misuse and could could take complete control of a victim’s iPhone than different SMS your everyday simply text message b corruption bug in the way the iPhone handles SMS messages and effectively allows an attacker to make calls, steal data, send text and messages, do more or less anything a person can do on their iPhone. Android-based phones and Mobile devices are Windows also to vulnerable the same exploit. more For details, botnet, botnet, the herder either must infect a set of Internet-connected devices take or over an existing botnet. While the preferred device is a personal computer (“PC”), in the future infectingbegin other Internet-capable devices, suchherders as iPhones. may computers, computers, typically running Microsoft’s Windows operating system with sufficient disk space and high-speed Internet access so that the bot can perform activities such as sending denial-of-service in distributed participating attacks, and committing identity theft.SPAM, 30990-txb_44-1 Sheet No. 4 Side B 02/01/2012 14:53:16 02/01/2012 B 4 Side No. Sheet 30990-txb_44-1 30990-txb_44-1 Sheet No. 5 Side A 02/01/2012 14:53:16 , 4 9 Top July 29, July ounts. ounts. In (Nov. 19, 19, (Nov. ORLD Joe Joe Stewart, W by download”. by - (Jan. 25, 2007), NFO I Although normally normally Although See, e.g., 8 EWS EWS 3 han 14 million computers Strategies to Protect Against Distributed , BBC N OURTROOM C HE T r to obtain passwords or other information that can be use Cisco Systems, formation so that he may make small transactions on those N I ) 10/27/2011 12:39 PM CREATING THE BOTNET http://safeweb.norton.com/dirtysites, where Symantec ranked One of the principal uses of botnets is to send send to is botnets of uses principal the of One 5 — ELETE D See, e.g., Other botnet-related maladies include extortion and and extortion include maladies botnet-related Other 6 OT OMBIES N Ilomo/Clampi botnet active in identity theft, steals bank website logins , O Z (April (April 8, 2008), http://www.secureworks.com/research/threats/topbotnets. (D (August 25, 2009), http://www.mxlogic.com/securitynews/viruses- victim's information technology (“IT”) department, asking the latter for money McAfee Q2 Threats Report Reveals Spam, Botnets at an All Time High Time ( All an at Botnets Spam, Reveals Report Threats Q2 McAfee DOCX ORKS ORKS See, e.g. How much does spam cost you? Google will calculate, EWS , http://www.cisco.com/application/pdf/paws/13634/newsflash.pdf. theft Identity is , http://www.cisco.com/application/pdf/paws/13634/newsflash.pdf. W N LAYING LAYING ECURE Criminals Criminals 'may overwhelm the web' ORMS ORMS , S .FINAL.10.26.11. /W ST III. ZOMBIFICATION .1 mail messages (“spam”). Robert Robert McMillan, 7 IRUSES ACRO V ssage Security calculator determines how many days and dollars your company loses in productivity to M According to the software security firm McAfee, “[m]ore t M K “Bot software” means a software application that enables the computer to connect to the command and control See, e.g., The Dirtiest Web Sites: Summer 2009, The extortion is accomplished through a “distributed denial of service” (“DDoS”) attack. A DDoS attack is Ally Zwahlen & Sean Brooks, Tim Weber, Even as for as sending early of the responsible majority 2008, botnets were spam. see, see, e.g., C Y 8 9 7 4 5 6 HICHESTER have been enslaved by cybercriminal botnets, a 16 percent increase over last quarter’s rise.” other cases, the herder is simply after existing credit card in of because of the size detection. However, hopes to small, the herder evade cards. credit the transactions By keeping numberby the large provided of bots yield can information the using of transactions number the aggregate the botnet, substantial benefits for the herder. Denial of Service (DDoS) Attacks most often accomplished through the use of a “keylogger.” a of in orde user motions) mouse (and sometimes keystrokes A keylogger is a piece of software that acc bank existing access or accounts, card credit records can new open herder so the that identity victim's the to steal the 2009), http://newsroom.mcafee.com/article_display.cfm?article_id=3545. http://newsroom.mcafee.com/article_display.cfm?article_id=3545. 2009), done done in a random fashion, specific sets of computers can be singled out for compromise. For example, the herder may add downloads the a bot software simply by visiting the site; a process set called “drive of software instructions to a website so that a user unsolicited e- The tortfeasor would then be relying on the website’s content to a of content on attract then be group the users would who relying website’s The tortfeasor Not long ago, Vint Cerf estimated that up to one quarter Internet of were the part computers of connected one to of the many botnets. http://news.bbc.co.uk/2/hi/business/6298641.stm. http://news.bbc.co.uk/2/hi/business/6298641.stm. worms/ilomoclampi-botnet-active-in-identity-theft-steals-bank-website-logins482.cfm. MXLOGIC To create a zombie, the herder relies on one or more modus operandi through which which through operandi modus more or one on relies herder the zombie, a create To to transmit his bot software to the computer that is to be compromised. 2011] 2011] S C infrastructure infrastructure of the botnet and to “Storm.” and “Srizbi,” perform “Kraken,” “Conflicker,” the are: applications commands software bot famous more the of of Some applications. the herder. There are many different bot software malware. with infected are that sites web 100 top the up email up going email from the to herder the in order to preclude a resumption of the attack. launched by a herder of the botnet by instructing the bots of his botnet to simply use the victim'sthe bot, the by made server. request each For website. For victim's example, the of page home the for ask to bots the instruct can herder the victim's server can service one fewer legitimate customer. Through the use of large numbers overwhelm of bots, the the herder can victim's server with meaningless victim's service requestsoff the Internet. Typically, and the DDoS attack thereby will commence for a short deny period of time, that with a follow- service and effectively take the Spam Spam Botnets Exposed (“Collectively, the top botnets are capable of sending 100 billion spams per spam, day.”) For an estimate on the costs of identity identity theft. spam.). spam.). 2008), 2008), (Google Me http://www.infoworld.com/d/security-central/how-much-does-spam-cost-you-google-will-calculate-932. 30990-txb_44-1 Sheet No. 5 Side A 02/01/2012 14:53:16 02/01/2012 A 5 Side No. Sheet 30990-txb_44-1 30990-txb_44-1 Sheet No. 5 Side B 02/01/2012 14:53:16 , , , State State . 44:1 M K Once Once 10 OL C Y ICTIONARY available at D ICTIONARY OF IBM D Once contact is 12 OMPUTER C Susan W. Brenner, Brenner, W. Susan State Spyware Legislation The bot software then then software bot The ERMS ERMS 11 T [V See also, ECH AW T L -to-peer network. §1343 (2006) which was central to the issue in tions tions Primer (2009-06-04).pdf (last visited June , 7 Rich. J.L. & Tech. 28 (2001), Benjamin Benjamin Edelman, Botnet Botnet Communication Topologies USINESS see see B 127 (2002). “A keylogger is a program that records the ) 10/27/2011 12:39 PM , A. Hugh Scott, Computer and Property Intellectual Crime: ELETE D S.B. 28, focus on “access” and “authorization” of the SSENTIALS SSENTIALS OT E N OURNAL OF OURNAL O Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, Pub. L. J See See generally However, a substantial number of the computer crime laws laws crime computer the of number substantial a However, (D 14 . at 749. 749. at . Id DOCX ESPONSE ESPONSE EXAS rime's Scope: Interpreting “Access” and “Authorization” in Computer Misuse R Cyberc propagating program that infects and may damage another program.” program.” damage and another that infects may program propagating NCIDENT , Gunter Ollmann, :I elf- .FINAL.10.26.11. In contrast, S.B. 28 focuses on the method of transmission, rather than the the than rather transmission, of method the on focuses 28 S.B. contrast, In ST While the access and authorization statutes and case law are applicable to the the to applicable are law case and statutes authorization and access the While 13 .1 15 ile having related subject matter, Senate Bill 28 (“S.B. 28”) is different from other IV. OTHER CURRENT COMPUTER MISUSE STATUTES http://www.techterms.com/definition/keylogger http://www.techterms.com/definition/keylogger (last updated Feb. 22, 2008). In some cases, the ORENSICS ACRO 737 (10th ed.1994). A worm is “a program that places copies of itself into systems connected and that F Orin S. Kerr, Kerr, S. Orin M 78 N.Y.U. L. Rev. 1596, 1615-16 (2003). (2003). 1615-16 1596, Rev. L. N.Y.U. 78 The Controlling the Assault of Non- Spyware is a form of malware that records and then transmits information gathered from the compromised See A virus is a “s A rootkit is a set of modified system libraries or executable programs that provide herders with hidden See, e.g. 13 14 15 10 11 12 OMPUTING OMPUTER T HICHESTER established, zombiethe is available the commands to perform issued by the herder. There are many laws against computer crime and spyware, most notably the federal federal the notably most spyware, and crime computer against laws many are content of the message. In this sense, S.B. 28 is content-neutral, and thus clause the CAN-SPAMin preemption should Act. escape the There Computer Fraud and Abuse Act. keystrokes keystrokes on a computer.” TechTerms.com definition for “keylogger,” Statutes, machine. machine. For a summary of state anti-spyware statutes, No. 108-187, 15 U.S.C.7701 et seq. (2003). backdoors backdoors that allow them future access to a PC that they have compromised. Warran G. Kruse II & Jay G. Heiser, C creation creation and, in some cases, the function of the zombie PC, S.B. 28 is distinguishable because it also encompasses the acts of the herder or the renter, apart from the act of access and C Wh computer security legislation. For instance, the CAN-SPAM Act focuses on the content of the spam message. 4 C attempts attempts to make itself known to the herder in a pre-defined “command manner, either and by control contacting server”a directly, or through a peer malicious software will disable the PC's anti-virus software, leaving the PC vulnerable to additional attacks. attacks. additional to vulnerable PC the leaving software, anti-virus PC's the disable will software malicious available available at infected, infected, the bot software is installed on the computer. The bot software itself can form be of in a the “rootkit,” “keylogger” or other malevolent softwaremanner that that “cloaks” evadesits presencedetection in a by the user and anti-virus software. may do damage or waste resources”. resources”. waste or damage do may conform conform to a particular demographic profile. viruses or worms onto the Internet that infect Another machines in seemingly random patterns. modus operandi involves releasing user’s device. covering covering the same subject matters as http://www.benedelman.org/spyware/legislation/ (last updated http://www.benedelman.org/spyware/legislation/ June 15, 2008). http://www.damballa.com/downloads/r_pubs/WP Botnet Communica http://www.damballa.com/downloads/r_pubs/WP 2009). 10, United States v. law). Seidlitz,Indiana an under of Indianapolis” 589 City the of computer] F.2d[a property the over 152 control “unauthorized of (4th convicted Cir. 1978); State v. McGraw, 480 N.E.2d 552 (Ind. 1985) (defendant Cybercrime Cybercrime Legislation in the United States of America: A Survey http://jolt.richmond.edu/v7i3/article2.html; Federal and State Law (2001). The Computer Fraud and Abuse Act, 18 the includes crime computer Wire U.S.C.18 legislation Fraud statute, U.S.C. 1030 et seq. (2006). Other federal 30990-txb_44-1 Sheet No. 5 Side B 02/01/2012 14:53:16 02/01/2012 B 5 Side No. Sheet 30990-txb_44-1 30990-txb_44-1 Sheet No. 6 Side A 02/01/2012 14:53:16 the botnet’s the botnet’s However, the ISPs ISPs the However, 16 5 OURTROOM C ndividual’s damages are limited; in many HE T N I ) 10/27/2011 12:39 PM ELETE D OT OMBIES N O Z (D , http://www.shadowserver.org/wiki/ (last visited Oct. 22, 2010). 2010). 22, Oct. visited (last http://www.shadowserver.org/wiki/ , DOCX LAYING LAYING HADOWSERVER .FINAL.10.26.11. S ST .1 See ACRO M M K Security professionals have formed non-profit organizations, such as ShadowServer, to report and monitor C Y 16 HICHESTER

Consequently, any meaningful policy to combat botnets requires the support and ISPs. the of cooperation providing incentives directly to ISPs in order to solicit their cooperation in combating botnets. By expressly including ISPs as one of the potential plaintiffs, the S.B. 28 was designed aggregate to avoid the harm shortcomings of previous caused computer misuse laws byby could could not recover damages under the previous computer customers misuse and statutes thus on had behalf of no their direct incentive states to preclude class action lawsuits combat of this kind. theNotice, however, that the ISPs botnets, are central to particularly when some the botnet equation because it is through their networks that the botnets operate. botnet activities. activities. botnet misuse statutes. As with the AGs, the ISPs would have to take it upon their themselvesnetworks for botnet to traffic; monitor although many of them do so anyway. ISPs also lacked the incentives necessary to combat botnets under previous computer computer previous under botnets combat to necessary incentives the lacked also within the ISP’s own network. contacted and Once their identified, machines would the need individual to evidence. be citizens All examined of in would that takes order need time to and to gather money, Consequently, the individual. AGsvarious little to combatdone tohave botnets. nothing be not the to requisite mention the disruption incurred by the ISPs according according to the unauthorized access computers or belonging unauthorized to use individuals. of However, the because networks, particular one must botnets monitor compromised the are network in creatures order to discern of the traffic computer making up activities and identify the individual zombies. Consequently, subpoena the Internet the service providers AGs (“ISPs”), because would the users’ first ISPs would be have in the best to position to monitor the traffic that could identify both the botnet and the individual zombies harmed, the priorities are such that the scarce resources afforded to are attorney most generals often (“AG”) directed toward Governments other activities also that lack yield direction the a of incentivesresources “better away bang to from anti-botnet for combat activities the botnets.is buck.” understandable. The Consider While what AGs their the would needcitizens to are do in order to combat a botnet crime under laws. the rubric The of the AGs previous would have computer to focus on the individual bots and work up their cases cases, the potential damages arethan costcases, the the less potential far litigation. of The limitations for an individual’s damages are even more acute in the case of cloaks botnets, where itself the bot or software otherwise makes itself compromised computer. Herders rely unknowable, on the individual’s lack of incentive to and find and remove unobtrusive, to the activities. the interrupt herder’s or otherwise bot software the owner of the Little has been done to combat botnets because of the character of the existing existing the of character the of because botnets combat to done been has Little computer crime laws that focus on the activities of individual machines. While the owner of a zombified computer may be afforded some relief under the Computer Fraud and Abuse Act or of any statenumber anti-spyware statutes, the individual victim little has incentive to seek such relief. Because of the nature of the intrusion, the i 2011] 2011] authorization on the compromised machine. The reason that S.B. 28 differs in this respect is because not other laws the the lack teethbecause but lack they incentive. S C 30990-txb_44-1 Sheet No. 6 Side A 02/01/2012 14:53:16 02/01/2012 A 6 Side No. Sheet 30990-txb_44-1 30990-txb_44-1 Sheet No. 6 Side B 02/01/2012 14:53:16 . § US .& US .B ODE . 44:1 M K EX .B .C OL C Y EX OM T § 324.055(h). § 324.055(h). . § 324.002(1-a) 324.002(1-a) § Id. .&C e computer's owner ODE US .C .B Texas Texas Legislature Online, OM EX T § 324.055(g). Subsection (h) see Id. .&C [V US could could be addressed by an ISP. .B AW A specific set of organizations organizations of set specific A EX L 18 T Section 324.055(a)(1) defines “Internet service may, for each violation: (1) seek injunctive relief to relief (1) injunctive may, for seek each violation: §311.005(Vernon 2005). 2005). §311.005(Vernon USINESS B ODE .C In order to encourage companies to combat the the combat to companies encourage to order In ) 10/27/2011 12:39 PM T ’ 19 OV § 324.055(i). ELETE .G D Id. EX OT N OURNAL OF OURNAL O J (D d d “a person who has incurred a loss or disruption of the conduct of the person's § 324.055(e)(2) 2009). (Vernon of of zombies on the ISPs network DOCX EXAS — ODE .C ex. 2009). For details about the progression of the bill, OM However, the list of plaintiffs was limited to victims who suffered a a suffered who victims to limited was plaintiffs of list the However, 20 .&C .FINAL.10.26.11. 21 US ST er statutory or common law.” .1 at § 324.055(e)(1), an at § 324.055(e)(1), .B §324.052(Vernon 2009); Tex. S.B. 28, Leg., 81st Sess. (Tex. 2009). The exempted organizations organizations exempted The 2009). (Tex. Sess. 81st Leg., 28, S.B. Tex. 2009); §324.052(Vernon if if not thousands EX id. § 324.002(9). ACRO T Vernon 2009). Subsection (g) allows the court to impose triple “damages if the court finds that the §324.055(a)(1-2) (Vernon 2009); T 2009); (Vernon §324.055(a)(1-2) A copy of S.B. 28 is provided in Appendix A.provided of Appendix S.B. 28 is in copy A — M ODE Id. 17 Under section 324.055(f), the person bringing the action “ Section 324.055(e) designates who may “bring a civil action against a person who violates this section:” Legislative Session 81(R). The bill was sponsored by Senator Zaffarini and Representative Deshotel. Tex. A botnet is defined as a “collection of two or more zombies.” Section 324.052 already had a list of exempted parties, and S.B. 28 merely added itself to that list. T ODE .C 20 21 17 18 19 .C OM V. A SHORT DESCRIPTION OF THE FIRST ANTI-BOTNET STATUTE STATUTE ANTI-BOTNET FIRST OF THE DESCRIPTION SHORT A V. lows lows a prevailing plaintiff to recover “reasonable attorney’s fees,” expert's fees, and court costs. OM T HICHESTER http://www.capitol.state.tx.us, (locate “bill number” search bar; then enter “SB 28”). “SB enter then bar; search number” “bill (locate http://www.capitol.state.tx.us, disruption disruption of their business activities and ISPs on whose networks the effects of the violations were transmitted. Code. Definitions were provided for “botnet” and “zombie.” S.B. 28 amended various portions of section 324 of the Texas Business & Commerce namely ISPs, ISPs, namely S.B. 28, Leg., 81st Sess. (T C restrain a violator from continuing the violation;…(2) the $100,000 greater for of each actual zombie used damages to arising commit the from violation;” the or violation; (3) both or of the above. botnet botnet problem, substantial penalties, including statutory damages of were $100,000 per also zombie, provided. session. went into effect and was passed by the Texas On Legislature September 1, 2009, during S.B. 28, the the first law tailored previous specifically to legislative combat botnets, 6 C 324.055(f) ( &C provider” broadly asto the provider” broadly “a connectivity person or providing another under area Internet wide section and network,” 324.055(a)(2), a “person” has the same meaning as section 311.005 of the Texas Government Code was excluded from application providers, and computer security companies. of S.B. 28, namely ISPs, legitimate computer software information information services or interactive computer services that monitor or have interaction with a subscriber's Internet or other network activity. illegal or use unauthorized of detection or management, system remote updating/maintenance, connection; or provider of services for network or computer security, diagnostics, include: include: telecommunications carriers, cable operators, computer hardware or software providers, providers of

S.B.delineates 28 a set prohibited of activities zombiefor the or botnet,the namely: violations have occurred with such a frequency as to constitute a pattern or practice.” al Subsection (i) states that these penalties are “not exclusive oth by for but provided [are] in addition to any other procedure or remedy (Vernon 2009). (Vernon zombie A is asdefined a that, and “computer without the consentknowledge of th or operator, has been compromised to give access or control to a program or person other than the computer's owner or operator.” action necessary to combat botnets.action hundreds by to afforded S.B. The incentive the 28 damages ISP enough the provide legal to undertake business....” business....” 30990-txb_44-1 Sheet No. 6 Side B 02/01/2012 14:53:16 02/01/2012 B 6 Side No. Sheet 30990-txb_44-1 30990-txb_44-1 Sheet No. 7 Side A 02/01/2012 14:53:16 er er or § 321.001 § ODE .C . § 324.055(c)(5). Id OM 25 .&C US 7 .B or or EX 26 27 rized by the owner or operator of OURTROOM C 23 24 § 324.055(c)(4). HE ited ited commercial electronic mail message as defined by T ODE )(1) (Vernon 2009); T N C I ) 10/27/2011 12:39 PM .C OM ELETE D .&C OT §324.055( OMBIES N US O Z webster.com, (locate “Dictionary” tab; then search for “data”). The §324.055(c)(2)(Vernon 2009). 2009). §324.055(c)(2)(Vernon .B (D . § 324.055(d). 324.055(d). § . ODE EX Id ODE .C DOCX .C OM 22 OM LAYING LAYING § 324.055(c)(3). Data was not defined in the statute. The online Merriam-Webster .&C Id. .&C US .” US .B .B .FINAL.10.26.11. EX , http://www.merriam- ” which is broad enough to encompass not just bot software, but other malware such as viruses, EX ST T .1 T the computer.” the or botnet, another control of gain or rent person a may botnet. own of your access to or use sell or provide sending spam; in a denial attack;of service participating theft intellectual of committing property; sending zombiesomething one to from make more zombies; gathering information used to commit identity theft; “perform an act for another purpose not autho ACRO EBSTER M -W ection 324.055(c)(2), specifically, “send a signal to a computer system or network that causes a loss of M K Section 324.055(c)(4), specifically, “forward computer software designed to damage or disrupt anoth Section 324.055(c)(5), specifically, “collect personally identifiable information.” Section 324.055(d) states that a person may not “(1) purchase, rent, or otherwise gain control of a zombie or Section 324.055(c)(1), specifically, “send an unsolic S Section 324.055(c)(3), specifically, “send data from a computer without authorization by the owner C Y 25 26 27 22 23 24 There is a second set of prohibited activities. This set of prohibited activities involves acts acts involves activities prohibited of set This activities. prohibited of set second a is There ERRIAM eaning from the dictionary, then “data” would mean something likea file on acomputer system. HICHESTER “numerical form” of the information may m be the binary bits that represent the information. Assuming the latter This second set of prohibited activities was targeted specifically at herders who rent rent who herders at specifically targeted was activities prohibited of set second This their botnets to spammers. activities of a As botnet, and one of the mentioned most pernicious and expensive previously, problems plaguing Texas spamming is one of the primary performed directly performed by the herder or the person who rents the botnet from the herder (“renter”), namely: institution account number or any other financial information.” information.” financial other any or number account institution botnet created by another person; or (2) sell, lease, offer for sale or botnet.” or lease, a zombie of use or or to access otherwise provide to another person trojans, rootkits and, perhaps, adware. adware. T perhaps, and, rootkits trojans, identifiable Personally information is defined within elsewhere the Section as “an individual's first name or initial and last name in combination with any one or more of the following items: (A) date of birth; (B) social security number or other government-issued identification number; (C) mother's maiden name; (D) unique biometric data, including the individual's fingerprint, voice print, and retina or iris image; (E) unique electronic number, identification address or routing code; (F) telecommunications access device, including debit and credit card information; or (G) financial computer computer or system, section section 321.001.” users.” to service operator of the computer (Vernon 2009). discussion, discussion, or calculation” and “information in numerical form M that can be digitally transmitted or processed.” dictionary dictionary defines “data” as: “factual information (as measurements or statistics) used as a basis for reasoning, 2011] 2011] S C 30990-txb_44-1 Sheet No. 7 Side A 02/01/2012 14:53:16 02/01/2012 A 7 Side No. Sheet 30990-txb_44-1 30990-txb_44-1 Sheet No. 7 Side B 02/01/2012 14:53:16 , 30 ested ested ERVER . 44:1 M K S OL C Y HADOW Gibbons v. Ogden, v. Gibbons see , S a zombie; and a zombie; The Internet and the Dormant or [V § 17.042(2); 17.042(2); § 28 AW ODE See generally L Preemption Preemption of State Spam Laws By The .C EM .&R That is not the complete count of bots and botnets. USINESS RAC B .P THE CAUSE OF ACTION ”, it can be argued that the type of interstate commerce IV ) 10/27/2011 12:39 PM .C — ith respect to and jurisdiction the Clause “dormant” Commerce EX ELETE , Gordon v. Virtumundo, Inc., No. 07-35487 (9th. Cir., August 6, D Jack L. Goldsmith & Alan O. Sykes, OT N OURNAL OF OURNAL O J See, See, e.g. ALA ALA v. Pataki (D but but see, DOCX EXAS , 72 U. Chi. L. Rev. 355, 370-79 (2005). there is Fortunately, no federal equivalent of S.B. .FINAL.10.26.11. VI. UTILIZING S.B. 28 VI. UTILIZING ST , 110 Yale L.J. 785 (2001) (arguing that vigorous state regulation is permitted under the dormant .1 all PC’s in the U.S., and most botnets are composed (on average) of 20,000 All that need take place is for part of the botnet (i.e., some of zombies) the that some take of to is part All (i.e., place the botnet for need lie herder). 29 ACRO M 4. A perpetrator (such as the herder or the person who rents the botnet from the 1. (zombie); leastbot one At 2. the bot is a to part; botnet, which A 3. the One of prohibited activities performed by the botnet State v. Heckel, 24 P.3d 404 (Wash. 2001). Unfortunately, the notoriously weak CAN-SPAM Act has At the time of this writing, there were approximately 3550 botnets that were composed of 429,000 bots being S.B.28, 81st Leg., Sess. 2009).(Tex. Section 17.042(2) allows jurisdiction when the tort is committed in whole or in part in Texas. For examples 30 28 29 A cause of action under S.B. 28 requires four elements: four requires 28 S.B. under action of cause A T HICHESTER jurisdiction. Obtaining jurisdiction should not be a problem because Texas has long arm a positive one); American Library Assoc. v. Pataki, 969 F. Supp. 160 of a application (S.D.N.Y. New York Penal Code); 1997) (striking down the Internet 9 that Wheat. the1, Clause 231-32 (1824) of Commerce (recognizing the has Constitution a sweep as negative aswell

While While it is not likely that by a it statistics,” court is “jurisdiction will sugg accommodate that once the command and control server is matter to identify found, some of the hundreds it of bots within Texas. should be a technologically, simple tracked tracked by the online service ShadowServer.org. of the substantive limits of state power, particularly w (because botnets oftenaffect interstate commerce), T 8 C within Texas, or the harm to the victim be felt in Texas. Statistically speaking, since Texas about has 9% of zombies, at any given time the average botnet has 1,800 zombies within Texas borders. http://www.shadowserver.org/wiki/pmwiki.php/Stats/BotCounts. http://www.shadowserver.org/wiki/pmwiki.php/Stats/BotCounts. Rather, it was an estimate simply of the ones known and tracked. Botnets however, can vary contain markedly several thousand in bots/zombies. size. On the other Small end botnets, of the spectrum, large botnets command in excess of one million bots. businesses. See, See, e.g., many preempted state anti-spam statutes. 2009) (preempting Washington's anti-spam statute); Roger Allan Ford, Federal CAN-SPAM Act preemption. no is there writing, this of as so 28, conducted conducted by botnets is not in the public interest, and that the burdens imposed on interstate commerce are exceeded by the botnets. benefit local of combating is precedent There this the for view. advent Before of the CAN-SPAM Act (15 U.S.C.A. § 7707 et seq.), most states have upheld their anti-spam statutes against Commerce Clause challenges. Commerce Commerce Clause Commerce Clause). Moreover, unlike “ 30990-txb_44-1 Sheet No. 7 Side B 02/01/2012 14:53:16 02/01/2012 B 7 Side No. Sheet 30990-txb_44-1 30990-txb_44-1 Sheet No. 8 Side A 02/01/2012 14:53:16 , available available at The most most The available available at See generally, See generally, 33 9 http://www.winpcap.org/windump/. http://www.winpcap.org/windump/. iki/. OURTROOM available at C HE T N of service attack,an applicationcalled AWStats can be used I ) 10/27/2011 12:39 PM ELETE D Commercial software suitable for finding bots is also also is bots finding for suitable software Commercial OT OMBIES N 31 McAfee Threats Report: Second Quarter 2009 Quarter Second Report: Threats McAfee , O Z http://www.bothunter.net/. BotHunter is a passive network monitoring tool tool monitoring network passive a is BotHunter http://www.bothunter.net/. (D ABS , http://accessdata.com/silentrunner.html. http://accessdata.com/silentrunner.html. , L DOCX ATA D LAYING LAYING 34 VII. GATHERING THEEVIDENCE VERT available at, at, available (Sep. 18,2011), ,http://www.shadowserver.org/w CCESS A VIII.FINDING THEPERPETRATOR(S) , A ERVER .FINAL.10.26.11. S FEE http://awstats.sourceforge.net/. http://awstats.sourceforge.net/. ST A C .1 M This software can be used to gather log information (records of network network of (records information log gather to used be can software This Available at Available HADOW HADOW ACRO 32 M S , http://www.tcpdump.org/, , for http://www.tcpdump.org/, downloadable versions (although OS X and Linux normally ship with the M K One commercial application is called “Silent Runner” and is available from AccessData Corporation. In the See There are several open source software applications suited to gathering evidence of botnets. The most popular available at available See C Y 32 33 34 31 CPDUMP HICHESTER transactions) that can be proceedings. authenticated and used as evidence in trial and other court application pre-installed). The Windows version is called WinDump, WinDump, is called version Windows The pre-installed). application Europe. Europe. However, many herders are Moreover, the U.S. still leads in the world in spam production, with many spammers the choosing to U.S., and Texas its borders. within remain is likely to have its share. proven technique for uncovering botnet perpetrators is to “follow the money.” If the bot sends particular then and the then enables to trace the the spam, spam product finding purchasing you payment to the originator of the spam. In some cases, the perpetrator is in Russia or Eastern sore thumb.” thumb.” sore words words of Steven Mical, Director of Network Forensics at AccessData, with Silent Runner, a bot will “stick out like a is tcpdump. This program sniffs the network and presents the data in an understandable fashion. Using a power filter filter a power fashion. Using understandable in an data the and presents network the sniffs program This is tcpdump. language, tcpdump can be used to show network traffic only for hosts and events of particular interest. T

An online organization like ShadowServer can help track botnets by providing a a providing by botnets track help can ShadowServer like organization online An treasure trove of information, including the names and sizes of various botnets, and is a good place to start the commandfinding and control system used the by botnet’s herder. The cause of action requires the gathering of evidence of one of the prohibited prohibited the of one of evidence of gathering the requires action of cause The activities. While that may seem daunting, it is relatively easy if your client is the victim, or if one of the zombies resides on your network client’s traffic. network. Software Some is of available the available for for free recording softwaredownload and use. is released under an open source license, and is 2011] 2011] S C available. http://www.mcafee.com/us/local_content/reports/6623rpt_avert_threat_0709.pdf. http://www.mcafee.com/us/local_content/reports/6623rpt_avert_threat_0709.pdf. finding bots called BotHunter designed to recognize the communication patterns of denial distributed a endured has client the malware-infected when situations computers within a network. For those to the review server log files and create reports needed for the litigation. AWStats is under the GNU General Public License managed managed resources, such as servers, networks, and other complete inventory devices. of key systems, down to The the level of resulting resource components, environment including installed software model such provides as a bot/zombie software. A similar http://www.zenoss.com/download/links?creg=null. application is called Nagios, which is used to Copies monitor of networks and the key systems, such application as servers, which for can http://www.nagios.org/. There is detect a a free (but distributed not Linux, denial open source) software of application that is service designed specifically for Windows attack and OS X are A A second open source application is called Zenoss, which monitors the network and creates a database of discovered 30990-txb_44-1 Sheet No. 8 Side A 02/01/2012 14:53:16 02/01/2012 A 8 Side No. Sheet 30990-txb_44-1 30990-txb_44-1 Sheet No. 8 Side B 02/01/2012 14:53:16 . 44:1 M K OL C Y [V , http://www.sos.state.tx.us/. AW L o give access or control to a orprogram USINESS B ) 10/27/2011 12:39 PM ELETE D OT X. APPENDIX A N OURNAL OF OURNAL O J IX. CONCLUSIONSIX. (D Texas Secretaryof State Hope Andrade DOCX EXAS 35 site. itors itors or has interaction with a subscriber’s Internet or other network .FINAL.10.26.11. ST .1 ACRO ”Botnet” means a collection two orof zombies. more SECRETARY OF STATE, STATE, OF SECRETARY M ”Zombie” ”Zombie” means a computer that, without the knowledge and consent of the See (a) Section (a) Section 324.052, other than Subdivision (1) of that section, and Sections 324.053(4), SECTION 2. Subsection SECTION 2. Subsection (a), Section 324.003, Business & Commerce Code, as effective BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: OF STATE THE OF LEGISLATURE THE BY ENACTED IT BE SECTION Business 1. Section & 324.002, Commerce Code, as effective 1, April 2009, is (1-a) (9) S.B. No. 28 S.B. No. 28 AN ACT relating to the use of a computer for an unauthorized purpose; providing a civil (1) a network or computer security purpose; security or computer (1) a network technical (2) diagnostics, purpose;support, a repair or 35 T HICHESTER hardware or software provider, or service provider of that information mon service or interactive computer April 1, 2009, is amended to read as follows: 324.054, and 324.055 do not apply to a telecommunications carrier, cable operator, computer gathering sufficient evidence for a lawsuit should be relatively easy. The substantial remedies afforded by S.B. 28 give businesses the incentives needed to challenge known Internet botnets,malady. the greatest who who rent botnets. Since the statute has been in effect for a short time, no brought litigation utilizing has this been statute as of this writing. However, botnets Texas, create the a United States, and financial on drain commerce, while to international contributing in the security threats often targeting major corporations. Fortunately, the statute is written such that amended by adding Subdivisions (1-a) and (9) to read as follows: follows: as read to (9) and (1-a) Subdivisions adding by amended penalty.

connection or service or a protected computer for: computer or a protected or service connection computer’s owner or operator, has t or owner been compromised operator, computer’s or operator. owner computer’s the than other person The following is the engrossed version of S.B. 28. The final version was not not was version final The 28. S.B. of version engrossed the is following The available at the time of this writing. Normally, the final version is available Secretary State’s of web from the Texas S.B. 28 is the first legislation directed specifically against botnets, herders, and those 10 C 30990-txb_44-1 Sheet No. 8 Side B 02/01/2012 14:53:16 02/01/2012 B 8 Side No. Sheet 30990-txb_44-1 30990-txb_44-1 Sheet No. 9 Side A 02/01/2012 14:53:16 11 OURTROOM C HE T N I ) 10/27/2011 12:39 PM ELETE ns a person providing connectivity to the Internet or D OT OMBIES N O Z (D DOCX LAYING LAYING .FINAL.10.26.11. ST .1 ACRO M ”Internet ”Internet service provider” mea ”Person” has the meaning assigned by Section 311.005, Government Code. M K C Y (1) (2) (b) A person who is not the owner or operator of the computer may not knowingly cause (c) A person may not knowingly create, have created, use, or offer to use a zombie or Sec. 324.005. KNOWING VIOLATION. A person knowingly violates Section 324.051, (1) actual acts with knowledgefacts the thatof constitute the orviolation; those facts. actual of establish knowledge that would avoids information (2) consciously SECTION 4. Subchapter B, Chapter 324, Business & Commerce Code, as effective April UNAUTHORIZED Sec. 324.055. CREATION OF, ACCESS TO, OR USE OF (3) an authorized update of computer software or system computerfirmware; software or system of (3) update an authorized system (4)management; remote orauthorized (5) detection or prevention of unauthorized use of or fraudulent or other illegal activity in SECTION Business 3. Section & 324.005, Commerce Code, as effective 1, April 2009, is (2) send toa asignal computer that system or network causes a lossservice of to users; (3) send data from a computer without authorization by the owner or operator of the (4) forward computer software designed to damage or disrupt another computer or identifiable or(5) personally information; collect (1) send an unsolicited commercial electronic mail message, as defined by Section HICHESTER or offer to cause a computer to become a zombie or part of a botnet. a zombie or part of to to a computer cause become or offer ZOMBIES OR BOTNETS; PRIVATE ACTION. (a) In this section: area network. another wide 1, 2009, is amended by adding Section 324.055 to read as follows:as read to 324.055 Section adding by amended is 2009, 1, amended to read as follows: follows: as read to amended person: the if 324.055 or 324.053, 324.052, connection connection with a network, removing software proscribed thisunder chapter. service, or computer software, including scanning for and 2011] 2011] S C computer; system; botnet to: botnet 321.001; 30990-txb_44-1 Sheet No. 9 Side A 02/01/2012 14:53:16 02/01/2012 A 9 Side No. Sheet 30990-txb_44-1 30990-txb_44-1 Sheet No. 9 Side B 02/01/2012 14:53:16 . 44:1 M K OL C Y [V AW L USINESS B ) 10/27/2011 12:39 PM ELETE D OT N OURNAL OF OURNAL O J (D DOCX EXAS .FINAL.10.26.11. ST .1 ACRO M a person who a has incurred a person who loss or ofdisruption the conduct of the person’s business, (e)The following persons may bring a civil action against a person who violates this (6) perform (6) perform an act for another purpose not authorized by the owner or operator of the not: may person A (d) (1) purchase, rent, or otherwise gain control of a zombie or botnet created by another (2) sell, lease, offer for sale or lease, or otherwise provide to another person access to or (1) a person who is acting as an Internet service provider and whose network is used to (2) (h) A A (h) plaintiff who prevails in an action brought under this section is entitled to recover (i) A remedy authorized by this section is not exclusive but is in addition to any other (j) Nothing in this section may be construed to impose liability on the following persons provider; service (1) an Internet (2) subject to Subsection (g), recover damages in an amount of: damages (g), greater recover to the Subsection equal (2) subject to actual damages(A) arising the from orviolation; or the violation; commit to used zombie each for $100,000 (B) relief and damages. injunctive both (3) obtain The(g) court may increase an award of damages, statutory or otherwise, in an action (f) A person bringing an action under this section may, for each violation: for section may, this an action under bringing person A (f) the violation; continuing a violator from relief to restrain injunctive (1) seek T HICHESTER use of a zombie or botnet. person; or computer. 12 C commit a violation under this or this section; violation under a commit section: with respect to a violation of this section committed by another person: costs litigation. of law. or common statutory other by for provided remedy or procedure brought under this section to an amount not to exceed three times the applicable damages if the if damages applicable the times three exceed to not amount to an section this under brought court finds that the violations have occurred with such a frequency as to constitute a pattern or practice. court costs and reasonable attorney’s fees, reasonable fees of experts, and other reasonable including for-profit or not-for-profit activities, as a result of the violation. activities, as a result of or not-for-profit for-profit including 30990-txb_44-1 Sheet No. 9 Side B 02/01/2012 14:53:16 02/01/2012 B 9 Side No. Sheet 30990-txb_44-1 30990-txb_44-1 Sheet No. 10 Side A 02/01/2012 14:53:16 13 OURTROOM C HE T N I ) 10/27/2011 12:39 PM ELETE D OT OMBIES N O Z (D DOCX LAYING LAYING .FINAL.10.26.11. ST .1 ACRO M M K C Y SECTIONThe 6. changes in law made by this Act apply only to conduct that occurs on 1, 2009. takes effect September Act SECTIONThis 7. (a) Any (a) Any of the following persons, if adversely affected by the violation, may bring a civil software; computer of provider (1) a page or trademark; a of web (2) an owner carrier; (3) a telecommunications or operator; (4) a cable provider. service (5) an Internet (2) a provider of interactive computer service, Section by 51.002, as defined or Utilities Code; provider, (3) a telecommunications as defined by Section (4) a video service 230, provider or cable service provider, as defined by Section 66.002, SECTION 5. Subsection (a), Section 324.101, Business & Commerce Code, as effective HICHESTER is governed by the law in effect at the time the conduct occurred, and that law is continued in purpose. that for effect or after the effective date of this Act. Conduct that occurs before the effective date of this Act April 1, 2009, is amended to read as follows: 324.054:or 324.053, 324.052, 324.051, Section violates who person a against action Utilities Code. Communications Act of 1934(47 U.S.C. Section 230); 2011] 2011] S C 30990-txb_44-1 Sheet No. 10 Side A 02/01/2012 14:53:16 02/01/2012 A 10 Side No. Sheet 30990-txb_44-1