Microsoft hammers No-IP, collateral damage includes Hacking Team’s legal malware

Jul 02, 2014 | 4 min read
Data and Information Security, Microsoft, Security

Microsoft's takedown of No-IP accounts disrupted cybercrime gangs, but also legitimate sites as well as government-sponsored "lawful intercept" spyware, aka the Hacking Team's legal malware.

Microsoft brought the hammer down on No-IP and seized 22 of their domains. They also filed a civil case against “Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as, for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.”

Microsoft Digital Crimes Unit reported, “On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats.” All of the legal documents are posted here.

Richard Domingues Boscovich, assistant general counsel for Microsoft Digital Crimes Unit, wrote:

Dynamic Domain Name Service (DNS) is essentially a method of automatically updating a listing in the Internet’s address book, and is a vital part of the Internet. However, if not properly managed, a free Dynamic DNS service like No-IP can hold top-rank among abused domains. Of the 10 global malware disruptions in which we’ve been involved, this action has the potential to be the largest in terms of infection cleanup. Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains. Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months, which doesn’t account for detections by other anti-virus providers.

Microsoft Malware Protection Center explained:

These families can install backdoor trojans on your computer, which allow criminals to steal your information, such as your passwords, and use your computer to collect other sensitive information. For example, Bladabindi can take snapshots and record videos without your permission. It can also control your system remotely.

These backdoor trojans can also upload new components or malware to your computer to add more malicious functionality. They often communicate with hosts that are typically a Dynamic DNS service such as NO-IP because this makes them more difficult to trace.
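The Malware Protection Center's point above, that these backdoors reach their controllers through hostnames under a free dynamic-DNS service, is exactly what makes DDNS base domains a useful signal for defenders watching their own resolvers. The following Python script is an added example, not code from the article, Microsoft or No-IP: it scans constructed DNS query log lines for hostnames under a list of free dynamic-DNS base domains and summarizes which internal clients are resolving them and how often. The log format, the sample lines and the base-domain list are all assumptions for illustration; a real deployment would feed it resolver logs and an organization's own list of base domains.

```python
import re
from collections import defaultdict

# Assumed list of free dynamic-DNS base domains (constructed for this example;
# replace with your own curated list).
DDNS_BASE_DOMAINS = frozenset({
    "no-ip.org", "no-ip.biz", "no-ip.info", "ddns.net",
    "hopto.org", "zapto.org", "sytes.net",
})

# Assumed resolver log format: "<timestamp> client=<ip> query=<name> type=<rrtype>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<qtype>\S+)$"
)

# Constructed sample log; client 10.0.0.5 resolves one DDNS hostname every five minutes.
SAMPLE_LOG = """\
2014-06-26T10:00:01Z client=10.0.0.5 query=update.example.com type=A
2014-06-26T10:00:07Z client=10.0.0.5 query=photos-sync.no-ip.org type=A
2014-06-26T10:05:07Z client=10.0.0.5 query=photos-sync.no-ip.org type=A
2014-06-26T10:10:07Z client=10.0.0.5 query=photos-sync.no-ip.org type=A
2014-06-26T10:00:09Z client=10.0.0.8 query=myhome.ddns.net type=A
2014-06-26T10:00:11Z client=10.0.0.8 query=no-ip.org type=A
2014-06-26T10:00:12Z client=10.0.0.9 query=fakeno-ip.org type=A
this line is malformed
"""


def ddns_base(qname):
    """Return the DDNS base domain that qname is a subdomain of, or None.

    Matching is on label boundaries, so "fakeno-ip.org" does not match
    "no-ip.org", and a query for the bare base domain itself is not flagged
    (only user-registered hostnames beneath it are of interest).
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in DDNS_BASE_DOMAINS:
            return suffix
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Tally DDNS lookups per client and per base domain; count unparseable lines."""
    per_client = defaultdict(lambda: defaultdict(int))
    per_base = defaultdict(int)
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        base = ddns_base(rec["qname"])
        if base is None:
            continue
        per_client[rec["client"]][rec["qname"].rstrip(".").lower()] += 1
        per_base[base] += 1
    return {
        "per_client": {c: dict(h) for c, h in per_client.items()},
        "per_base": dict(per_base),
        "skipped": skipped,
    }


def rank_clients(result):
    """Order clients by total DDNS lookups: (client, distinct hostnames, total)."""
    rows = [(c, len(h), sum(h.values())) for c, h in result["per_client"].items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    for client, distinct, total in rank_clients(result):
        print(f"{client}: {total} lookups across {distinct} DDNS hostname(s)")
    print("per base domain:", result["per_base"], "| unparseable lines:", result["skipped"])
```

A DDNS lookup on its own is not evidence of infection; plenty of home users and small sites rely on these services, which is the collateral-damage point the rest of the article makes. The value of the tally is in the pattern it surfaces: a workstation resolving the same DDNS hostname at a fixed interval is worth a closer look, whereas a single lookup usually is not.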

“We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware.” Microsoft pointed back at a Cisco post from February that shows No-IP among the top DDNS base-domain offenders, adding, “Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity.”

According to No-IP, the takedown came as a total surprise. “Had Microsoft contacted us, we could and would have taken immediate action. Microsoft now claims that it just wants to get us to clean up our act, but its draconian actions have affected millions of innocent Internet users.” The solution, if your site went down, “is for you to create a new hostname on a domain that has not been seized by Microsoft.”

Microsoft isn’t buying into No-IP’s “total surprise” claim. In fact, Microsoft’s Digital Crimes Unit added, “As malware authors continue to pollute the Internet, domain owners must act responsibly by monitoring for and defending against cybercrime on their infrastructure. If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online.”

Some folks in the security community are furious, saying Microsoft went too far and darkened too many legitimate sites that had nothing to do with distributing malware (check out the comment section on Krebs on Security). CSO’s Steve Ragan pointed out, “Four million domains have been shut down, despite the fact that Microsoft only wants 18,472 of them.” Microsoft called that “temporary loss of service” to legitimate sites a “technical error” that has since been corrected.

Not all collateral damage was bad. For example, Kaspersky noted the shutdown “affected in some form at least 25% of the APT groups” as well as darkening some of the Hacking Team’s “lawful intercept” malware deployed by governments and law enforcement to take complete remote control of PCs and smartphones. Whether that also was a “technical error” now fixed is unknown. It’s probably too much to hope that Microsoft would take a stance like Kaspersky did to protect consumers and block the “legal” spyware.

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.