Microsoft Cybercrime Shutdown Hit Users Says DDNS Provider

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

In its efforts to knock out sub-domains it believes were used to control widespread malware, Microsoft has infuriated a US-based dynamic DNS provider

Microsoft has gone on the offensive against a US company it believes provided services to Algerian and Kuwaiti nationals perpetrating a cybercrime campaign that hit millions. But the tech titan has apparently ruined the Internet for millions of other users in the process.

A complaint was filed against Mohamed Benabdellah and Naser Al Mutairi for the alleged creation and spread of two related strains of malware: Bladabindi (NJrat) and Jenxcus (NJw0rm), which spied on victims and nabbed their digital valuables. Microsoft alone recorded 7.4 million Bladabindi-Jenxcus detections over the past 12 months.

But Microsoft effectively closed down that operation by taking legal action against a service provider accused of supporting the malware campaign. A court allowed Microsoft to take over several domains run by No-IP.com, which were said to be the source of the trouble.

No-IP.com provides Dynamic DNS services, which let domain owners change their IP address (e.g. 216.27.61.137) frequently without losing the associated hostname (e.g. google.com). No-IP.com, run by Vitalwerks Internet Solutions, was accused of providing the infrastructure for many illicit online operations and of not doing enough to clean up its servers.

Microsoft claimed the criminals had managed their malicious software, which they were marketing across the Internet, through more than 18,472 free sub-domains belonging to No-IP. A court order allowed it to seize 22 of the domains that carried those allegedly malicious sub-domains.

Unhappy No-IP

No-IP wasn’t happy, claiming Microsoft never contacted the firm, even though it had “an open line of communication with Microsoft corporate executives”.

“We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve,” No-IP said in a post on its website.

“However, this is not happening. Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors.

“Microsoft now claims that it just wants to get us to clean up our act, but its draconian actions have affected millions of innocent Internet users… this heavy-handed action by Microsoft benefits no one.”

Microsoft fights cybercrime infrastructure

Microsoft managed to convince the US District Court for Nevada to effectively make it the DNS authority for those 22 No-IP domains, allowing it to set up a sinkhole and take on all the “bad traffic” coming from the free sub-domains.

It was alleged Mohamed Benabdellah and Naser Al Mutairi used those sub-domains as points of contact between their computers and infected machines. Because the IP addresses they used to communicate with the malware were constantly changing, and No-IP neither publishes nor stores the names and addresses of sub-domain users, they enjoyed a degree of anonymity, according to Microsoft.

Richard Boscovich, assistant general counsel for the Microsoft Digital Crimes Unit, said dynamic DNS providers should “exercise care and follow industry best practices” to stop cybercriminals operating anonymously for their illicit campaigns.

“As malware authors continue to pollute the Internet, domain owners must act responsibly by monitoring for and defending against cybercrime on their infrastructure,” he said.

Dynamic DNS services, whilst often used to support those running a website from home addresses that frequently have their IP address changed by ISPs, have become an increasingly attractive option for digital criminals.

In February, Cisco warned about their illicit use and named No-IP domains in a list of DNS providers whose systems were being used by malicious actors. No-IP again said it had not been contacted by Cisco and could have resolved the issue if it had.
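Cisco's list and Microsoft's complaint both point to the same defender-side signal: internal hosts resolving names under dynamic-DNS providers, especially at clock-like intervals. The script below is an added example (not code from the article, Cisco or Microsoft) that scans a constructed resolver log for queries to dynamic-DNS base domains and marks hostnames that a client looks up at regular intervals for analyst review; the log format, the client addresses and the second provider domain are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Base domains operated by dynamic-DNS providers. no-ip.com is named in the
# article; "example-ddns.test" is a placeholder for whatever list you maintain.
DDNS_BASE_DOMAINS = {"no-ip.com", "example-ddns.test"}

# Constructed sample resolver log: "<ISO timestamp> <client IP> <query name>".
SAMPLE_LOG = """\
2014-07-01T09:00:00 10.0.0.5 updates.example.com
2014-07-01T09:00:05 10.0.0.7 mybox.no-ip.com
2014-07-01T09:05:05 10.0.0.7 mybox.no-ip.com
2014-07-01T09:10:05 10.0.0.7 mybox.no-ip.com
2014-07-01T09:15:05 10.0.0.7 mybox.no-ip.com
2014-07-01T09:02:00 10.0.0.9 homecam.no-ip.com
2014-07-01T09:03:00 10.0.0.9 www.example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def ddns_base(qname):
    """Return the dynamic-DNS provider base domain that qname falls under, or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DDNS_BASE_DOMAINS:
            return candidate
    return None


def analyse(log_text, min_hits=3, max_jitter_s=30):
    """Group DDNS lookups per (client, hostname); flag evenly spaced repeat lookups."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, qname = m.groups()
        if ddns_base(qname):
            seen[(client, qname.lower())].append(datetime.fromisoformat(ts))
    findings = {}
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # "regular" needs enough samples and near-constant spacing (beacon-like)
        regular = len(times) >= min_hits and max(gaps) - min(gaps) <= max_jitter_s
        findings[key] = {"count": len(times), "regular": regular}
    return findings
```

A single lookup of a dynamic-DNS hostname is common and benign (the home-camera case above), which is why the output separates counts from the regularity flag instead of blocking on the provider match alone.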

In its complaint, Microsoft said No-IP was functioning as a major hub for 245 different types of malware circulating on the Internet. The tech giant named various other kinds of malware it said were controlled over No-IP systems, including the data-thieving worm Rebhip and the Fynloski Trojan.

Yet this isn’t the first time Microsoft has annoyed others during a cybercrime takedown. When it took on the Citadel botnet in June last year, it was accused of trampling on others’ research projects looking into the malware, by effectively nullifying their sinkhole servers that were monitoring malicious traffic.