Vulnerabilities / Threats
7/1/2014
09:50 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Microsoft Sues To Seize Domains Responsible For Millions Of Infections

Free Dynamic DNS provider No-IP fingered as major culprit in spread of Jenxcus and Bladabindi.

After detecting more than 7.4 million infections among its customers by the Jenxcus and Bladabindi worms, Microsoft kicked off legal action yesterday to disrupt these pervasive malware threats. The action came in the form of civil suits lodged against US-based Dynamic DNS provider No-IP and two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, sanctioning the seizure of 23 of No-IP's most commonly used domains to shut down the command-and-control nerve center.

"We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims," wrote Richard Domingues Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit. "Dynamic Domain Name Service (DNS) is essentially a method of automatically updating a listing in the Internet’s address book, and is a vital part of the Internet. However, if not properly managed, a free Dynamic DNS service like No-IP can hold top-rank among abused domains."

According to Microsoft, this is the tenth global malware disruption action it's taken and the third since opening its Cybercrime Center in November of last year. Boscovich says among those, this one holds the potential to be the largest in terms of infection cleanup.

"Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains," he reported.

Known also as NJrat and NJw0rm, Bladabindi and Jenxcus offer attackers the ability to capture victims' key strokes, take screen captures, operate their web cams and microphones, and even take over full control of the system in some variants. Microsoft reported that Benabdellah and Al Mutairi were "social media savvy" and used social media to promote their wares and disseminate information on how to spread them.

Microsoft reported that No-IP had been warned previously by the security community that its domains were being abused, but did not take swift enough action to respond.

"Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity," Boscovich said, pointing to a Cisco cybercrime report from February that detailed use of No-IP domains among those serviced by several other Dynamic DNS services.

At that time, No-IP responded with an official statement claiming that Cisco did not contact its abuse team prior to the report.

"No-IP excels at handling abuse, verifying reported claims, and taking swift action," the company said at that time. "We would like to be on the record to state that at No-IP, we have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity. We work to achieve this by using filters that block certain words and we scan our network daily for signs of malicious activity."

This time around, No-IP's leadership expressed surprise that Microsoft took its action, claiming that Microsoft never contacted the firm or asked it to block any of its subdomains and reiterating its claim that it uses "sophisticated filters" and scans daily for signs of malicious activity.

"Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors," No-IP stated. "But this heavy-handed action by Microsoft benefits no one. We will do our best to resolve this problem quickly."

For its part, Microsoft holds the stance that free providers need to do better than platitudes to ensure they're not playing an active part in spreading malware.

"As malware authors continue to pollute the Internet, domain owners must act responsibly by monitoring for and defending against cybercrime on their infrastructure," Boscovich said. "If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
McDaveX
50%
50%
McDaveX,
User Rank: Strategist
7/3/2014 | 4:45:56 AM
From what I hear....
trojans like zeus use a DGA in the org, net and com domains.
Perhaps MS should seize those as well, and let only the "good" traffic though?
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
7/2/2014 | 3:54:50 PM
Re: When suing is a public service
@amueller651  I'm working on a follow-up story and would love to hear more about how you're managing. If you're willing to talk more, drop me a line at sara.peters AT ubm.com.
Dan Euritt
50%
50%
Dan Euritt,
User Rank: Apprentice
7/2/2014 | 2:01:34 PM
Re: When suing is a public service
Well done, Microsoft!
amueller651
50%
50%
amueller651,
User Rank: Apprentice
7/2/2014 | 11:24:22 AM
Re: When suing is a public service
I am creating new DDNS names, there is a whole lot more than just changing a name though. Every client that logs into that server must be setup too with the new info. This will take days at least, clients do not care how it works they just want to click and be there
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/2/2014 | 10:57:30 AM
Re: When suing is a public service
@amueller651 What are you doing in the meantime? Is this hurting business for you?
amueller651
50%
50%
amueller651,
User Rank: Apprentice
7/2/2014 | 10:15:53 AM
Re: When suing is a public service
As a user of No-IP that is a paying and legit customer and is STILL down. This is just wrong. They took millions of ip's down to close about 2000 bad accounts. This is like shooting everyone to kill one guilty person
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Moderator
7/1/2014 | 3:56:57 PM
When suing is a public service
This may be necessary for Microsoft's business, I don't know, but I'm viewing it as a public service move.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4594
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

CVE-2014-0476
Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.