Microsoft Sues To Seize Domains Responsible For Millions Of Infections

Free Dynamic DNS provider No-IP fingered as major culprit in spread of Jenxcus and Bladabindi.

After detecting more than 7.4 million infections among its customers by the Jenxcus and Bladabindi worms, Microsoft kicked off legal action yesterday to disrupt these pervasive malware threats. The action came in the form of civil suits lodged against US-based Dynamic DNS provider No-IP and two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, along with the court-sanctioned seizure of 23 of No-IP's most commonly used domains to shut down the malware's command-and-control nerve center.

"We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims," wrote Richard Domingues Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit. "Dynamic Domain Name Service (DNS) is essentially a method of automatically updating a listing in the Internet’s address book, and is a vital part of the Internet. However, if not properly managed, a free Dynamic DNS service like No-IP can hold top-rank among abused domains."

According to Microsoft, this is the tenth global malware disruption action it has taken and the third since it opened its Cybercrime Center in November of last year. Boscovich says that, of those, this one has the potential to be the largest in terms of infection cleanup.

"Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains," he reported.

Also known as NJrat and NJw0rm, Bladabindi and Jenxcus give attackers the ability to capture victims' keystrokes, take screenshots, operate their webcams and microphones, and, in some variants, take full control of the system. Microsoft reported that Benabdellah and Al Mutairi were "social media savvy" and used social media to promote their wares and disseminate information on how to spread them.

Microsoft reported that the security community had previously warned No-IP that its domains were being abused, but that the company did not respond swiftly enough.

"Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity," Boscovich said, pointing to a Cisco cybercrime report from February that documented malicious use of No-IP domains alongside those of several other Dynamic DNS services.

At that time, No-IP responded with an official statement claiming that Cisco did not contact its abuse team prior to the report.

"No-IP excels at handling abuse, verifying reported claims, and taking swift action," the company said at that time. "We would like to be on the record to state that at No-IP, we have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity. We work to achieve this by using filters that block certain words and we scan our network daily for signs of malicious activity."

This time around, No-IP's leadership expressed surprise at Microsoft's action, saying that Microsoft had never contacted the firm or asked it to block any of its subdomains, and reiterating its claim that it uses "sophisticated filters" and scans daily for signs of malicious activity.

"Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors," No-IP stated. "But this heavy-handed action by Microsoft benefits no one. We will do our best to resolve this problem quickly."

For its part, Microsoft holds the stance that free providers need to do better than platitudes to ensure they're not playing an active part in spreading malware.

"As malware authors continue to pollute the Internet, domain owners must act responsibly by monitoring for and defending against cybercrime on their infrastructure," Boscovich said. "If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online."
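Boscovich's point about monitoring applies on the enterprise side as well: the same dynamic-DNS hostnames that a provider should be policing show up as DNS lookups from infected workstations, and a resolver log is the cheapest place to see them. The script below is an added example written for this article, not code from Microsoft, No-IP or Dark Reading. It parses BIND-style query-log lines, matches the queried name against a watchlist of dynamic-DNS suffixes on whole labels (so a look-alike registrable domain does not match by accident), and counts repeated lookups per source host. The suffixes and log lines are constructed placeholders; the article does not list the 23 seized domains, so a real deployment would load its own maintained watchlist.

```python
"""Flag DNS lookups under free dynamic-DNS suffixes in resolver logs.

Added example, not part of the Dark Reading article or of Microsoft's or
No-IP's tooling. The suffix list and log lines are constructed placeholders.
"""
import re
from collections import Counter

# Constructed placeholder suffixes standing in for a dynamic-DNS provider's
# registrable domains (the article does not name the seized domains).
DDNS_SUFFIXES = {
    "ddns-provider.example",
    "freehost-dyn.example",
    "dyn.example.net",
}

# Constructed sample lines in a BIND-style query-log format. Host 10.0.0.12
# looks up the same dynamic-DNS name every five minutes, which is the pattern
# a defender would want surfaced; the last line is a look-alike that must not match.
SAMPLE_LOG = """\
01-Jul-2014 09:50:01.123 client 10.0.0.12#53211: query: alpha.ddns-provider.example IN A + (10.0.0.2)
01-Jul-2014 09:50:02.455 client 10.0.0.12#53212: query: www.example.org IN A + (10.0.0.2)
01-Jul-2014 09:55:01.201 client 10.0.0.12#53240: query: alpha.ddns-provider.example IN A + (10.0.0.2)
01-Jul-2014 09:56:14.007 client 10.0.0.40#41100: query: backup.dyn.example.net IN A + (10.0.0.2)
01-Jul-2014 09:57:30.300 client 10.0.0.40#41101: query: mail.example.com IN MX + (10.0.0.2)
01-Jul-2014 10:00:01.340 client 10.0.0.12#53299: query: alpha.ddns-provider.example IN A + (10.0.0.2)
01-Jul-2014 10:01:00.000 client 10.0.0.55#60000: query: notddns-provider.example IN A + (10.0.0.2)
"""

QUERY_RE = re.compile(
    r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def ddns_suffix(qname, suffixes=DDNS_SUFFIXES):
    """Return the watchlisted suffix that `qname` falls under, or None.

    Matching is label-aware: 'notddns-provider.example' must not match
    'ddns-provider.example', so compare whole labels rather than string endings.
    A trailing dot and upper-case labels are normalised away first.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    return None


def parse_queries(log_text):
    """Yield (src_ip, qname, qtype) for every line the query regex recognises."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def flag_ddns_lookups(log_text, suffixes=DDNS_SUFFIXES):
    """Count watchlisted lookups per (source host, queried name).

    Returns a dict mapping (src_ip, qname) -> number of lookups, so that one
    client repeatedly resolving one dynamic-DNS host stands out for review.
    """
    hits = Counter()
    for src, qname, _qtype in parse_queries(log_text):
        if ddns_suffix(qname, suffixes) is not None:
            hits[(src, qname)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src, qname), n in sorted(flag_ddns_lookups(SAMPLE_LOG).items()):
        print(f"{src} -> {qname}: {n} lookup(s)")
```

Run against the constructed log, the script reports three lookups of alpha.ddns-provider.example from 10.0.0.12 and one of backup.dyn.example.net from 10.0.0.40, and ignores the look-alike notddns-provider.example. A hit is a lead, not a verdict: as the No-IP customers quoted in the comments below point out, legitimate services live on these suffixes too, so the output belongs in an analyst's review queue rather than an automatic block list.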

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

User Rank: Strategist
7/3/2014 | 4:45:56 AM
From what I hear....
Trojans like Zeus use a DGA in the .org, .net and .com domains.
Perhaps MS should seize those as well, and let only the "good" traffic through?
Sara Peters, User Rank: Author
7/2/2014 | 3:54:50 PM
Re: When suing is a public service
@amueller651  I'm working on a follow-up story and would love to hear more about how you're managing. If you're willing to talk more, drop me a line at sara.peters AT
Dan Euritt, User Rank: Apprentice
7/2/2014 | 2:01:34 PM
Re: When suing is a public service
Well done, Microsoft!
User Rank: Apprentice
7/2/2014 | 11:24:22 AM
Re: When suing is a public service
I am creating new DDNS names, but there is a whole lot more to it than just changing a name. Every client that logs into that server must be set up with the new info, too. This will take days at least; clients do not care how it works, they just want to click and be there.
Kelly Jackson Higgins, User Rank: Strategist
7/2/2014 | 10:57:30 AM
Re: When suing is a public service
@amueller651 What are you doing in the meantime? Is this hurting business for you?
User Rank: Apprentice
7/2/2014 | 10:15:53 AM
Re: When suing is a public service
As a paying, legit No-IP customer who is STILL down: this is just wrong. They took millions of IPs down to close about 2000 bad accounts. This is like shooting everyone to kill one guilty person.
Charlie Babcock, User Rank: Moderator
7/1/2014 | 3:56:57 PM
When suing is a public service
This may be necessary for Microsoft's business, I don't know, but I'm viewing it as a public service move.