MS No-IP takedown hits 25% of APT attackers

After facing a barrage of criticism for taking down the No-IP dynamic DNS service, Microsoft is now getting praise from some quarters for its impact on malware distribution - though critics remain.


Microsoft has said sorry for inadvertently disrupting millions of innocent internet users when it took down the US-based No-IP internet service earlier this week to stop cyber criminals from Kuwait and Algeria using it to infect millions of computers worldwide with malware.

But after facing heavy criticism on forums and Twitter, Kaspersky has now weighed in on Microsoft's side, revealing that the takedown has been hugely successful – not just stopping cyber criminals Mohamed Benabdellah and Naser Al Mutairi from exploiting the Bladabindi and Jenxcus RAT malware families, but also hitting at least 25 percent of the advanced persistent threat (APT) groups that Kaspersky is currently tracking.

In a 1 July blog, Kaspersky Lab expert Costin Raiu revealed that as well as the two criminals directly targeted, Bladabindi and Jenxcus are also used by the Syrian Electronic Army. And Raiu said Microsoft's action has disrupted a whole rogues' gallery of other APT attacks, including Flame/Miniflame, Turla/Snake/Uroburos, Epic, Cycldek, Shiqiang, HackingTeam RCS customers, Banechant and Ladyoffice.

He said: “We think yesterday's events have dealt a major blow to many cybercriminal and APT operations around the world. Based on our statistics, the shutdown has affected in some form at least 25 percent of the APT groups we are tracking. Some of these hosts that were previously used in large and sophisticated cyber espionage operations are now pointing to what appears to be a Microsoft sinkhole.”

The news is timely for Microsoft which has faced heavy industry criticism for the ‘collateral damage’ it inflicted on innocent users of the No-IP service, as reported yesterday by SCMagazineUK.com.

Apologising for the impact on ordinary users, David Finn, associate general counsel in Microsoft's Digital Crimes Unit, said in a statement given to SC: “On Monday morning, Microsoft took steps to disrupt a cyber attack that surreptitiously installed malware on millions of devices without their owners' knowledge through the abuse of No-IP, an internet solutions service. Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service. As of 6.00am Pacific time today (Tuesday), all service was restored. We regret any inconvenience these customers experienced.”

But No-IP, which has more than 18 million users, flatly contradicted part of the statement saying on its website on Wednesday: “Our domains are still experiencing outages due to the Microsoft takedown.”

Kaspersky's Raiu explained that No-IP's free DNS service offering is popular with cyber criminals because it enables them to register easy-to-update website host names to control their malware implants.

But No-IP intends to maintain its service for ‘innocent’ internet users, telling customers on its website that several of its domains are free and working and advising them how to create new host names.

The company added: “We apologise for this outage. At this point it is completely out of our hands, but please understand that we are fighting for you.”

Meanwhile, Microsoft has given details of the Bladabindi and Jenxcus families, saying they have infected more than seven million computers worldwide.

In a 30 June blog, Tanmay Ganacharya and Francis Tan Seng confirmed that: “During the past year, Microsoft detected more than 7,486,833 instances of computers operating Microsoft Windows with some version of Bladabindi or Jenxcus.”

The malware installs Trojans and can even take over the victim's webcam to secretly take snapshots and record videos.

Microsoft explained: “These families can install backdoor Trojans on your computer, which allow criminals to steal your information, such as your passwords, and use your computer to collect other sensitive information. For example, Bladabindi can take snapshots and record videos without your permission. It can also control your system remotely.

“These backdoor Trojans can also upload new components or malware to your computer to add more malicious functionality. They often communicate with hosts that are typically a Dynamic DNS service such as NO-IP because this makes them more difficult to trace.”
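The two behaviours described above, command-and-control hosts under a dynamic DNS zone and hostnames whose address keeps changing, can be triaged from resolver logs. The script below is an added example, not code from the article or from Microsoft, Kaspersky or No-IP; the watched zones use the reserved .example TLD as placeholders and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed watchlist of dynamic DNS zones (placeholders under the reserved
# .example TLD). Substitute the provider zones from your own intelligence.
DDNS_ZONES = ("ddns.example", "dyn.example")

# Constructed resolver log lines: "<timestamp> <client> <qname> <answer>".
SAMPLE_LOG = """\
2014-06-30T09:00:01 10.0.0.5 www.corp-intranet.example 203.0.113.10
2014-06-30T09:00:07 10.0.0.8 svc-update.ddns.example 198.51.100.20
2014-06-30T10:15:30 10.0.0.8 svc-update.ddns.example 198.51.100.77
2014-06-30T11:40:02 10.0.0.8 svc-update.ddns.example 192.0.2.9
2014-06-30T11:41:10 10.0.0.9 mail.corp-intranet.example 203.0.113.25
2014-06-30T12:00:00 10.0.0.3 photos.dyn.example 198.51.100.5
"""

def in_ddns_zone(qname):
    """True when qname is a watched zone apex or a name beneath one."""
    qname = qname.lower().rstrip(".")
    return any(qname == z or qname.endswith("." + z) for z in DDNS_ZONES)

def parse_log(text):
    """Yield (timestamp, client, qname, answer_ip); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ip = ipaddress.ip_address(parts[3])
        except ValueError:
            continue
        yield parts[0], parts[1], parts[2], ip

def triage(text, churn_threshold=2):
    """Return (ddns_hits, churners): qname -> clients querying a watched zone,
    and qname -> distinct answers for names exceeding churn_threshold."""
    ddns_hits = defaultdict(set)
    answers = defaultdict(set)
    for _ts, client, qname, ip in parse_log(text):
        answers[qname].add(ip)
        if in_ddns_zone(qname):
            ddns_hits[qname].add(client)
    churners = {q: [str(ip) for ip in sorted(ips)]
                for q, ips in answers.items() if len(ips) > churn_threshold}
    return dict(ddns_hits), churners

if __name__ == "__main__":
    hits, churn = triage(SAMPLE_LOG)
    print("dynamic DNS lookups:", hits, "\nanswer churn:", churn)
```

A hit on both signals for the same host (as with svc-update.ddns.example in the sample) is the pattern worth a closer look; either alone is common in benign traffic.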

Meanwhile, Microsoft's action and its deliberate and unintended consequences continue to sharply divide opinion in the security community.

Speaking to SCMagazineUK.com, Bob Tarzey, director of research firm Quocirca, said: “Microsoft hasn't done anything deliberately to inconvenience users, it's just tried to make sure that a threat to them is addressed. What do people expect Microsoft to do? Microsoft is damned if it does and damned if it doesn't.

“Microsoft is still the most targeted environment by hackers so it has to take proactive controls to protect its users and I think we must condone Microsoft for being proactive and give it the benefit of the doubt. Sometimes you have to accept a bit of collateral damage to achieve the goals.”

But Tim Holman, president of the ISSA-UK security professionals user group, told us: “I believe Microsoft's actions have undermined a number of law enforcement operations, where authorities have been close to catching offenders and gathering critical evidence. Now the game is up, criminals will up ship and start again elsewhere, meaning agencies will have to start all over again in identifying and prosecuting offenders.”

Holman added: “Maybe legislation needs to change so that private companies or individuals cannot take down other people's websites on a whim? Surely this is better off in the hands of national cyber command centres so a holistic and joined-up approach to defeating crime can be taken?”

Kaspersky's Raiu added: “In the future, we can assume these groups will be more careful on using Dynamic DNS providers and rely more often on hacked websites and direct IP addresses to manage their Command and Control infrastructure.”
