Millions are hit by MS' No-IP takedown

News by Tim Ring

Microsoft accused of acting "excessively" - US court order used to take down servers exploited by threat actors also hits servers being used by millions of innocent internet users.

Microsoft has been accused of acting “excessively” after it used a US court order to take down servers being exploited by threat actors from Algeria and Kuwait to infect millions of computers with malware - but in the process floored the servers being used by millions more innocent internet users.

On Monday, Microsoft used a restraining order from the US Nevada District Court to take over 22 to 23 internet domain names that had allegedly been misused by Mohamed Benabdellah and Naser Al Mutairi to infect millions of victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) remote access Trojan (RAT) malware families.

In a 30 June blog, Microsoft assistant general counsel Richard Domingues Boscovich said the pair had used names provided by US free dynamic domain name service (DNS) provider No-IP - whom he accused of being “the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims”.

Lambasting No-IP, Microsoft said: “Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity.”

Microsoft called the case potentially the biggest malware clean-up it has ever been involved in, saying: “Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains. Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months, which doesn't account for detections by other anti-virus providers.”

Microsoft insisted its action had enabled it to “identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats”.

But No-IP has hit back strongly, saying Microsoft never contacted it before seizing the domain names, and failed in its attempt to filter out only the known bad host names in each seized domain, while allowing the good host names to continue.

Also in a 30 June blog, No-IP marketing manager Natalie Goguen said that instead: “Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft's attempt to remediate hostnames associated with a few bad actors.”

The case has caused concern among industry observers, who have called Microsoft's actions “excessive” and “insensitive”.

Leading security consultant and blogger Brian Honan told SC: “It's worrying that No-IP claim there was no prior contact from Microsoft to deal with these accusations or these people abusing their network. If that is the case, it's worrying to me that a large international company with a strong legal team can go into a US court and get a court order to support them impacting a business server of another company and subsequently causing problems for legitimate users and businesses using the services of that company.”

He added: “With No-IP, yes there has been malicious abuse of their services - but that is the same as any large provider in the industry. There is always a certain element of their servers that will be used either intentionally or unintentionally for abuse. The way to deal with that is through the abuse channels in those organisations.

“Taking a first-strike with no warning seems to be quite excessive and could undermine a lot of trust in the industry.”

Honan added: “Microsoft has done a lot of good for security in the industry and I can see it will want to take action to protect its customers. But in the internet, it is not a one-to-one relationship, it's a one-to-many relationship and any action you can take can have consequences, unintended or otherwise, that can impact legitimate people and businesses. Therefore you have to engage and work with other groups and not just by yourself to try and deal with these issues.”

“My understanding is that No-IP are known to respond to issues.”

Another industry expert, Professor John Walker, director of cyber security services firm ISX, told SC via email: “It is of course important that we are able to secure the internet against the wrongdoings of the criminal fraternity, and of course we need to acknowledge the action that has been taken by Microsoft as a positive step in the right direction.

“However we must also be sensitive to the collateral damage, inconvenience and potential loss of revenue that may be served up to those legitimate users and business in close logical-proximity who are reliant on the availability of the internet to conduct their business.”

Walker added: “The bottom line is that we must take such actions, but the courts and law enforcement must understand the true consequences and indirect collateral impact, and be clear that when they remove six bad eggs from the box, they do not intend to break the remaining half-dozen.”

Natalie Goguen at No-IP added: “Had Microsoft contacted us, we could and would have taken immediate action. Microsoft now claims that it just wants to get us to clean up our act, but its draconian actions have affected millions of innocent Internet users.

“No-IP have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity. We use sophisticated filters and we scan our network daily for signs of malicious activity. Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers and malware distributors. But this heavy-handed action by Microsoft benefits no-one.”
