• United States



Senior Staff Writer

Microsoft’s takedown of No-IP pushes innocents into the crossfire

Jul 01, 20144 mins
Access ControlBotnetsBusiness Continuity

Four million domains have been shutdown, despite the fact that Microsoft only wants 18,472 of them

Note: Microsoft has issued a new statement on this story. Their comments are at the end of this article.

Update: Additional information has surfaced, including details on the impact this takedown has had on businesses that use No-IP services. In all, some 1.8 million customers are still offline, which translates to more than 4 million domains.

Original Article:

On Monday, Microsoft said they were taking No-IP ( to task, “as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware.”

The case is Microsoft’s latest effort to slow the spread of malware online, but this time innocents are caught in the crossfire. In their move to block malicious traffic, Microsoft has also stopped legitimate traffic on a network used by millions of people.

No-IP lost control over 23 of their domains, the core of their free dynamic DNS offering, after a court in Nevada allowed Microsoft to redirect traffic on them in order to stop the NJrat and Jenxcus botnets. The criminals responsible for the malware families were using No-IP as a means to ensure that infected hosts could always reach the Internet.

“Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains,” wrote Richard Domingues Boscovich, Assistant General Counsel for Microsoft Digital Crimes Unit.

“Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months, which doesn’t account for detections by other anti-virus providers. If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online.”

Microsoft cites reports from OpenDNS, Cisco, FireEye, General Dynamics, and Symantec in their complaint against No-IP, noting that the firms have consistently reported that the dynamic DNS provider has been a haven for criminal activity when it comes to malware.

Microsoft also says that No-IP has failed to take sufficient steps to correct or prevent the abuse to its services, and to keep its domains free of illegal activity.

As such, they requested control over the 23 primary domains that support the free DNS services from No-IP, so that the company could sinkhole the 18,472 malicious domains being used by the criminals.

However, while Redmond said they would filter out the bad traffic and allow normal access to the domains for good traffic (enabling proper DNS resolution), that isn’t what’s happened.

In a statement, No-IP said that Microsoft’s “draconian actions have affected millions of innocent Internet users.”

“They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening. Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors.”

Furthermore, No-IP maintains that Microsoft made no effort to contact them prior to Monday’s takeover, denying the company a chance to resolve the issue without causing downtime or performance impacts. Another problem is that while 18,472 domains were flagged by Microsoft, No-IP says that only 2,000 of them were active on Monday morning.

The company’s statement goes on to say that while their abuse team works to keep the No-IP system free of spam and other malicious activity, they are aware that their DNS offerings can be abused, despite daily network scans and sophisticated filtering.

“But this heavy-handed action by Microsoft benefits no one,” the statement from No-IP concluded.

Salted Hash has reached out to No-IP for additional comments and information.

Citing ongoing legal action against Vitalwerks (the company that operates No-IP), Microsoft wasn’t able to comment on the allegations made by No-IP.


Microsoft has issued a statement on this matter, calling the loss of service a technical error.

“Yesterday morning, Microsoft took steps to disrupt a cyber-attack that surreptitiously installed malware on millions of devices without their owners’ knowledge through the abuse of No-IP, an Internet solutions service. Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service. As of 6 a.m. Pacific time today, all service was restored. We regret any inconvenience these customers experienced.”

-David Finn, Executive Director and Associate General Counsel, Digital Crimes Unit