CRTC battles forces of dorkness, takes action against notorious botnet

December 4, 2015

In the second such announcement in less than a week, the Canadian Radio-television and Telecommunications Commission (CRTC) has publicly announced an advanced investigative action -- this time against an unnamed organization suspected of involvement in the distribution of the notorious and widely distributed Win32/Dorkbot malware.

The CRTC announced that, with the assistance of the Royal Canadian Mounted Police (RCMP), it had served its first-ever warrant under Canada's Anti-Spam Legislation (CASL) to “take down” a command-and-control server located in Toronto, Ontario as part of what the Commission has characterized as a coordinated international effort.

In a similar announcement last week, the Commission stated that it had executed an inspection warrant under the Telecommunications Act to enter and inspect an unidentified property in Brampton, Ontario, as part of an ongoing investigation into an illegal telemarketing operation.

In addition to relating to the first warrant issued under CASL, the most recent announcement is noteworthy because it was part of a global effort to disrupt distribution and operation of malware. Software provider Microsoft issued a release indicating that it had aided law enforcement agencies around the world to help disrupt the four-year-old botnet called Dorkbot. Microsoft said that, in addition to the CRTC, it worked with security vendor ESET, the Computer Emergency Response Team Polska, the Department of Homeland Security’s U.S. Computer Emergency Readiness Team, Europol, the FBI, Interpol, and the RCMP.

Microsoft indicated that the Win32/Dorkbot malware family has infected more than one million PCs in over 190 countries, making it one of the most widely distributed malware families. The malware can be spread to the devices of unsuspecting users through USB flash drives, instant messaging programs, and social networks. Once installed, the Dorkbot malware steals user credentials and personal information, disables security protection, and distributes several other prevalent malware families. It has also been reported that a system infected with Dorkbot may be used to send spam, or to participate in denial-of-service attacks.

The CRTC has a range of investigative powers available under CASL, including the authority to issue preservation demands and notices to produce. With judicial authorization, it may obtain injunctions against suspected offenders and execute search warrants to enter premises to investigate and verify compliance with the Act, as well as to seize anything found in the place and to prohibit or limit access to all or part of the premises.

The announcement of the execution of a warrant against a malware distributor will be welcome news for Canadian businesses, as this most recent investigative and enforcement action by the CRTC is directly targeted at the most damaging and deceptive types of online threats, which were intended to be the core focus of CASL. As noted in previous posts, concerns have been raised by many businesses in light of an apparent focus to date by the CRTC on enforcement against legitimate domestic companies for errors made in attempting to comply with the new law, rather than targeting intentional bad actors.
