Vulnerabilities / Threats
7/1/2014
09:50 AM

Microsoft Sues To Seize Domains Responsible For Millions Of Infections

Free Dynamic DNS provider No-IP fingered as major culprit in spread of Jenxcus and Bladabindi.

After detecting more than 7.4 million infections among its customers by the Jenxcus and Bladabindi worms, Microsoft kicked off legal action yesterday to disrupt these pervasive malware threats. The action came in the form of civil suits lodged against US-based Dynamic DNS provider No-IP and two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, sanctioning the seizure of 23 of No-IP's most commonly used domains to shut down the command-and-control nerve center.

"We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims," wrote Richard Domingues Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit. "Dynamic Domain Name Service (DNS) is essentially a method of automatically updating a listing in the Internet’s address book, and is a vital part of the Internet. However, if not properly managed, a free Dynamic DNS service like No-IP can hold top-rank among abused domains."

According to Microsoft, this is the tenth global malware disruption action it's taken and the third since opening its Cybercrime Center in November of last year. Boscovich says among those, this one holds the potential to be the largest in terms of infection cleanup.

"Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains," he reported.
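One way a network defender can watch for this kind of abuse on their own resolver logs, as an added example that is not from the article, Microsoft or No-IP: flag queries for hostnames that sit under free dynamic DNS zones. The zone list and the log lines below are constructed assumptions (the article names none of the 23 seized domains), so the list stands in for whatever watch list you maintain.

```python
import re
from collections import Counter

# Illustrative dynamic DNS zones (an assumption: the article names no specific
# domains); replace with your own watch list.
DDNS_ZONES = ("no-ip.org", "no-ip.biz", "no-ip.info", "hopto.org", "zapto.org", "ddns.net")

# Constructed resolver log lines (not from the page) in a simple key=value format.
SAMPLE_LOG = """\
2014-07-01T09:50:01Z client=10.0.0.5 qname=updates.example.com qtype=A
2014-07-01T09:50:02Z client=10.0.0.5 qname=Srv-Host01.hopto.org. qtype=A
2014-07-01T09:50:03Z client=10.0.0.9 qname=no-ip.org qtype=A
2014-07-01T09:50:04Z client=10.0.0.9 qname=cam.home.no-ip.biz qtype=A
2014-07-01T09:50:05Z client=10.0.0.9 qname=notddns.net qtype=A
2014-07-01T09:50:06Z client=10.0.0.5 qname=srv-host01.hopto.org qtype=A
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")

def normalise(qname):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return qname.rstrip(".").lower()

def ddns_zone(qname, zones=DDNS_ZONES):
    """Return the watched zone a hostname sits under, else None. Matching is
    label-wise: 'notddns.net' is not under 'ddns.net', and the bare zone apex
    (the provider's own site) is not flagged, only hostnames beneath it."""
    labels = normalise(qname).split(".")
    for zone in zones:
        zlabels = zone.split(".")
        if len(labels) > len(zlabels) and labels[-len(zlabels):] == zlabels:
            return zone
    return None

def flag_ddns_queries(log_text, zones=DDNS_ZONES):
    """Return (client, hostname, zone) for every query under a watched zone."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        zone = ddns_zone(m.group("qname"), zones) if m else None
        if zone:
            hits.append((m.group("client"), normalise(m.group("qname")), zone))
    return hits

def hosts_by_client(hits):
    """Count queries per (client, hostname) pair so repeated beacons stand out."""
    return Counter((client, host) for client, host, _ in hits)
```

A hit is a lead, not a verdict: legitimate remote-access and home-camera setups use the same zones, so correlate the flagged client with process and connection data before acting.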

Known also as NJrat and NJw0rm, Bladabindi and Jenxcus offer attackers the ability to capture victims' keystrokes, take screen captures, operate their webcams and microphones, and, in some variants, take full control of the system. Microsoft reported that Benabdellah and Al Mutairi were "social media savvy" and used social media to promote their wares and disseminate information on how to spread them.

Microsoft reported that No-IP had been warned previously by the security community that its domains were being abused, but did not take swift enough action to respond.

"Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity," Boscovich said, pointing to a Cisco cybercrime report from February that detailed abuse of No-IP domains alongside those of several other Dynamic DNS services.

At that time, No-IP responded with an official statement claiming that Cisco did not contact its abuse team prior to the report.

"No-IP excels at handling abuse, verifying reported claims, and taking swift action," the company said at that time. "We would like to be on the record to state that at No-IP, we have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity. We work to achieve this by using filters that block certain words and we scan our network daily for signs of malicious activity."

This time around, No-IP's leadership expressed surprise that Microsoft took its action, claiming that Microsoft never contacted the firm or asked it to block any of its subdomains and reiterating its claim that it uses "sophisticated filters" and scans daily for signs of malicious activity.

"Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors," No-IP stated. "But this heavy-handed action by Microsoft benefits no one. We will do our best to resolve this problem quickly."

For its part, Microsoft holds the stance that free providers need to do better than platitudes to ensure they're not playing an active part in spreading malware.

"As malware authors continue to pollute the Internet, domain owners must act responsibly by monitoring for and defending against cybercrime on their infrastructure," Boscovich said. "If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
McDaveX, User Rank: Strategist
7/3/2014 | 4:45:56 AM
From what I hear....
Trojans like Zeus use a DGA in the .org, .net and .com domains.
Perhaps MS should seize those as well, and let only the "good" traffic through?
Sara Peters, User Rank: Author
7/2/2014 | 3:54:50 PM
Re: When suing is a public service
@amueller651 I'm working on a follow-up story and would love to hear more about how you're managing. If you're willing to talk more, drop me a line at sara.peters AT ubm.com.
ANON1245344986528, User Rank: Apprentice
7/2/2014 | 2:01:34 PM
Re: When suing is a public service
Well done, Microsoft!
amueller651, User Rank: Apprentice
7/2/2014 | 11:24:22 AM
Re: When suing is a public service
I am creating new DDNS names, but there is a whole lot more to it than just changing a name. Every client that logs into that server must be set up with the new info too. This will take days at least; clients do not care how it works, they just want to click and be there.
Kelly Jackson Higgins, User Rank: Strategist
7/2/2014 | 10:57:30 AM
Re: When suing is a public service
@amueller651 What are you doing in the meantime? Is this hurting business for you?
amueller651, User Rank: Apprentice
7/2/2014 | 10:15:53 AM
Re: When suing is a public service
As a paying and legit customer of No-IP that is STILL down: this is just wrong. They took millions of IPs down to close about 2,000 bad accounts. This is like shooting everyone to kill one guilty person.
Charlie Babcock, User Rank: Moderator
7/1/2014 | 3:56:57 PM
When suing is a public service
This may be necessary for Microsoft's business, I don't know, but I'm viewing it as a public service move.