Millions of legitimate servers that rely on dynamic domain name services from No-IP.com suffered outages on Monday after Microsoft seized 22 domain names it said were being abused in malware-related crimes against Windows users.
Microsoft enforced a federal court order making the company the domain IP resolver for the No-IP domains. Microsoft said the objective of the seizure was to identify and reroute traffic associated with two malware families that abused No-IP services. Almost immediately, end users, some of which were actively involved in Internet security, castigated the move as heavy handed, since there was no evidence No-IP officially sanctioned or actively facilitated the malware campaign, which went by the names Bladabindi (aka NJrat) and Jenxcus (aka NJw0rm).
“By becoming the DNS authority for those free dynamic DNS domains, Microsoft is now effectively in a position of complete control and is now able to dictate their configuration,” Claudio Guarnieri, co-founder of Radically Open Security, wrote in an e-mail to Ars Technica. “Microsoft fundamentally swept away No-IP, which has seen parts of its own DNS infrastructure legally taken away.”
No-IP was no less critical of the move. In a statement that alleged damage to “millions of innocent users,” company officials wrote:
This morning, Microsoft served a federal court order and seized 22 of our most commonly used domains because they claimed that some of the subdomains have been abused by creators of malware. We were very surprised by this. We have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us. Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives.
We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening. Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors.
Had Microsoft contacted us, we could and would have taken immediate action. Microsoft now claims that it just wants to get us to clean up our act, but its draconian actions have affected millions of innocent Internet users.
Vitalwerks and No-IP have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity. We use sophisticated filters and we scan our network daily for signs of malicious activity. Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyberscammers, spammers, and malware distributors. But this heavy handed action by Microsoft benefits no one. We will do our best to resolve this problem quickly.
In a blog post, Richard Domingues, assistant general counsel for the Microsoft digital crimes unit, said Microsoft pursued the seizure for No-IP’s role “in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.” He added: “We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladeabindi (NJrat) and Jenxcus (NJw0rm) family of malware.”
He went on to say: “As malware authors continue to pollute the Internet, domain owners must act responsibly by monitoring for and defending against cybercrime on their infrastructure. If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online.”
Dynamic DNS providers are popular because they allow people to obtain a free subdomain—such as dangoodin.no-ip.org—that automatically maps to whatever IP address the user’s computer is using at the moment. The mapping changes each time the user’s IP address is updated. Such services are especially loved by online gamers and Linux user group members. The services can also be popular with criminals running command and control servers that manage large numbers of infected computers.
According to Domingues, No-IP domains were used 93 percent of the time by Bladabindi and Jenxcus. In the past year alone, the two malware families have been detected by Microsoft more than 7.4 million times, a figure that doesn’t include detections by competing anti-malware services. Microsoft has more about the malware here and here.
In a complaint Microsoft filed under seal on June 19, Microsoft attorneys said No-IP is “functioning as a major hub for 245 different types of malware circulating on the Internet.” The document said abuse of the service has been the subject of recent blog posts by both OpenDNS and Cisco Systems.
“Although Defendant Vitalwerks is on notice and should be aware that its services are heavily abused, it has failed to take sufficient steps to correct, remedy, or prevent the abuse and to keep its domains free from malicious activity,” the attorneys wrote. In addition to naming No-IP, the complaint also charged two men who allegedly used No-IP to work with Bladabindi and Jenxcus control servers. More documents filed in the case are available here.
Monday’s seizure was the tenth major malware disruption Microsoft has participated in. The actions typically combine surprise technical and legal procedures that eradicate or significantly disrupt major botnets. Generally, law-abiding Internet users benefit from the actions because they vastly reduce a form of crime that’s extremely difficult to combat. The latest action, however, underscores the darker side of these legal procedures, as millions of legitimate users get caught in the crossfire.