Microsoft No-IP takedown to strike malware draws protests

Jul 01, 2014 by Nancy Owano weblog
The hierarchical Domain Name System, organized into zones, each served by a name server. Credit: Public Domain

Microsoft on Monday staged a takedown of two malware families abusing No-IP services, but in the mission to take down the botnets, legitimate servers depending on dynamic domain name services from No-IP were, as Dan Goodin of Ars Technica put it, caught in the crossfire. A substantial number of legitimate servers that rely on dynamic domain name services from No-IP.com suffered outages.

Many end users castigated the move as heavy handed. The gist of angry emails coming in from people at various news sites who said they were legitimate users conveyed a similar message: Hey, Microsoft, who made you the DNS authority? Who gave you the right to sweep away domains? Microsoft had seized 22 domain names the computer giant said were being abused in malware-related crimes against Windows users, and it had taken legal steps before doing so. Richard Domingues Boscovich, assistant general counsel, Microsoft Digital Crimes Unit, said in a TechNet blog post on Monday, "On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company's 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats."

While news outlets were reporting on users' complaints of outages, they were also careful to point out that there was no evidence No-IP officially sanctioned, or was in league with, the malware operators named by Microsoft.

"Dynamic Domain Name Service (DNS) is essentially a method of automatically updating a listing in the Internet's address book, and is a vital part of the Internet. However, if not properly managed, a free Dynamic DNS service like No-IP can hold top-rank among abused domains," said Boscovich. He stated that "We're taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware."

How bad was the threat? He said, "Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains." Microsoft, he said, has seen "more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months, which doesn't account for detections by other anti-virus providers."

Free Dynamic DNS is an easy target for cybercriminals, but it also is well liked by the innocent. Goodin of Ars Technica explained the good and the bad: "Dynamic DNS providers are popular because they allow people to obtain a free subdomain—such as dangoodin.no-ip.org—that automatically maps to whatever IP address the user's computer is using at the moment." The mapping changes each time the user's IP address is updated; Goodin said online gamers and Linux user group members are among the many who enjoy the services. The "but" in all this is that the services, he added, are also useful for "criminals running command and control servers that manage large numbers of infected computers."
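The two mechanisms in play above, a dynamic DNS zone whose clients push their current address whenever it changes, and a sinkhole that answers for hostnames judged malicious, can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from No-IP, Microsoft or Ars Technica. The zone name `example-ddns.test` and all IP addresses (RFC 5737 documentation ranges) are constructed. It contrasts a per-hostname block applied by the provider with a transfer of authority for the whole zone to a sinkhole operator, and it assumes, as a modelling choice the article does not confirm, that such a transfer starts from a snapshot of the zone and no longer receives the clients' later dynamic updates.

```python
"""Toy model of a free dynamic DNS zone and two ways of cutting off abusive
hostnames inside it.  Constructed example: it models the mechanics described
in the article, not No-IP's or Microsoft's actual systems."""
from typing import Dict, Optional, Set

SINKHOLE_IP = "192.0.2.1"  # RFC 5737 documentation address standing in for a sinkhole


class DynamicDnsZone:
    """A zone such as no-ip.org: clients push the address they are using right now."""

    def __init__(self, zone: str) -> None:
        self.zone = zone
        self.records: Dict[str, str] = {}  # fqdn -> current IPv4 address

    def fqdn(self, host: str) -> str:
        return f"{host}.{self.zone}"

    def update(self, host: str, ip: str) -> None:
        """The dynamic-DNS update: sent whenever the client's IP changes."""
        self.records[self.fqdn(host)] = ip

    def resolve(self, name: str) -> Optional[str]:
        return self.records.get(name)


class HostnameBlock:
    """Policy 1: the provider keeps serving the zone and sinkholes listed names only."""

    def __init__(self, zone: DynamicDnsZone, bad: Set[str]) -> None:
        self.zone, self.bad = zone, set(bad)

    def resolve(self, name: str) -> Optional[str]:
        if name in self.bad:
            return SINKHOLE_IP
        return self.zone.resolve(name)  # everything else is still served live


class ZoneSeizure:
    """Policy 2: authority for the whole zone moves to a sinkhole operator.

    Modelling assumption (the article reports outages but not their cause):
    the new authority starts from a snapshot of the zone and does not receive
    the clients' subsequent dynamic updates, which still go to the provider.
    """

    def __init__(self, zone: DynamicDnsZone, bad: Set[str]) -> None:
        self.bad = set(bad)
        self.snapshot = dict(zone.records)  # frozen at the moment of seizure

    def resolve(self, name: str) -> Optional[str]:
        if name in self.bad:
            return SINKHOLE_IP
        return self.snapshot.get(name)  # may be stale for hosts that moved


def collateral(policy, zone: DynamicDnsZone, bad: Set[str]) -> Set[str]:
    """Legitimate names whose answer under the policy differs from the live zone."""
    return {
        name for name, ip in zone.records.items()
        if name not in bad and policy.resolve(name) != ip
    }


def scenario() -> dict:
    zone = DynamicDnsZone("example-ddns.test")  # constructed zone name
    zone.update("gamer", "203.0.113.10")        # a legitimate dynamic-IP user
    zone.update("lug", "203.0.113.20")          # another legitimate user
    zone.update("c2-node", "203.0.113.66")      # the one hostname judged abusive
    bad = {zone.fqdn("c2-node")}

    blocked = HostnameBlock(zone, bad)
    seized = ZoneSeizure(zone, bad)

    # After the action is taken, one legitimate client's ISP hands it a new
    # address; its updater pushes the change to the provider's live zone.
    zone.update("gamer", "203.0.113.11")

    return {
        "hostname_block": sorted(collateral(blocked, zone, bad)),
        "zone_seizure": sorted(collateral(seized, zone, bad)),
        "c2_under_block": blocked.resolve(zone.fqdn("c2-node")),
        "c2_under_seizure": seized.resolve(zone.fqdn("c2-node")),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Under both policies the abusive hostname resolves to the sinkhole, but only the zone seizure leaves a legitimate host resolving to a stale address once its IP changes; the hostname block has no collateral in this model. The point it illustrates is that whoever is authoritative for a dynamic DNS zone must also be the party receiving its update stream, which is why granularity of the intervention matters.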

Nonetheless, No-IP, which describes itself as offering dynamic and managed DNS solutions, issued a formal statement on Monday that conveyed how unhappy the team was over the Microsoft takedown. "Millions of innocent are experiencing outages to their services because of Microsoft's attempt to remediate hostnames associated with a few bad actors."

They said that "Microsoft never contacted us or asked us to block any subdomains" and that "Had Microsoft contacted us, we could and would have taken immediate action." The statement said that "this heavy-handed action by Microsoft benefits no one."

Meanwhile, Microsoft's Boscovich said in his blog posting that "This case and operation are ongoing, and we will continue to provide updates as they become available."


More information: blogs.technet.com/b/microsoft_… ware-disruption.aspx

arstechnica.com/security/2014/… eizes-no-ip-domains/

www.noip.com/blog/2014/06/30/i… -microsoft-takedown/ (NOTE: 5PM EST: the link is not accessible at present moment)

User comments: 2

Origin314
not rated yet Jul 01, 2014
I've used no-IP's DNS services in the past without issues. Obviously I have moved on to bigger and better since then, but if I never had a chance to use their services I would be nowhere today. It's like cutting down an apple tree because of a few bad apples....
alfie_null
not rated yet Jul 02, 2014
Widespread adoption of IPv6, deprecation of IPv4 would solve a lot of these problems. Pitch drop experiments are faster than adoption so far.
