7/1/2014 09:50 AM

Microsoft Sues To Seize Domains Responsible For Millions Of Infections

Free Dynamic DNS provider No-IP fingered as major culprit in spread of Jenxcus and Bladabindi.

After detecting more than 7.4 million infections among its customers by the Jenxcus and Bladabindi worms, Microsoft kicked off legal action yesterday to disrupt these pervasive malware threats. The action came in the form of civil suits lodged against US-based Dynamic DNS provider No-IP and two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, sanctioning the seizure of 23 of No-IP's most commonly used domains to shut down the command-and-control nerve center.

"We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims," wrote Richard Domingues Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit. "Dynamic Domain Name Service (DNS) is essentially a method of automatically updating a listing in the Internet’s address book, and is a vital part of the Internet. However, if not properly managed, a free Dynamic DNS service like No-IP can hold top-rank among abused domains."

According to Microsoft, this is the tenth global malware disruption action it's taken and the third since opening its Cybercrime Center in November of last year. Boscovich says among those, this one holds the potential to be the largest in terms of infection cleanup.

"Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains," he reported.

Known also as NJrat and NJw0rm, Bladabindi and Jenxcus offer attackers the ability to capture victims' keystrokes, take screen captures, operate their webcams and microphones, and, in some variants, take full control of the system. Microsoft reported that Benabdellah and Al Mutairi were "social media savvy" and used social media to promote their wares and disseminate information on how to spread them.

Microsoft reported that No-IP had been warned previously by the security community that its domains were being abused, but did not take swift enough action to respond.

"Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity," Boscovich said, pointing to a Cisco cybercrime report from February that detailed use of No-IP domains among those serviced by several other Dynamic DNS services.

At that time, No-IP responded with an official statement claiming that Cisco did not contact its abuse team prior to the report.

"No-IP excels at handling abuse, verifying reported claims, and taking swift action," the company said at that time. "We would like to be on the record to state that at No-IP, we have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity. We work to achieve this by using filters that block certain words and we scan our network daily for signs of malicious activity."

This time around, No-IP's leadership expressed surprise that Microsoft took its action, claiming that Microsoft never contacted the firm or asked it to block any of its subdomains and reiterating its claim that it uses "sophisticated filters" and scans daily for signs of malicious activity.

"Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors," No-IP stated. "But this heavy-handed action by Microsoft benefits no one. We will do our best to resolve this problem quickly."

For its part, Microsoft holds the stance that free providers need to do better than platitudes to ensure they're not playing an active part in spreading malware.

"As malware authors continue to pollute the Internet, domain owners must act responsibly by monitoring for and defending against cybercrime on their infrastructure," Boscovich said. "If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online."
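The article's point is that hostnames hosted under a free dynamic-DNS suffix are worth monitoring on your own network, while the commenters below show that blocking a whole suffix also cuts off legitimate paying customers. The following added example (not code from the article, from Microsoft or from No-IP) turns that into defender-side detection logic: it parses a constructed DNS query log, flags clients that resolve several distinct hosted names under dynamic-DNS suffixes, and reports allowlisted business-critical names separately instead of flagging them. The suffix watchlist, the allowlisted hostname and the log format are assumptions; the article does not name the 23 seized domains.

```python
"""Flag clients that resolve hostnames hosted under free dynamic-DNS suffixes.

Added example, not from the Dark Reading article, Microsoft or No-IP.
Input is a constructed, simplified DNS query log: "<timestamp> <client_ip> <qname>".
"""
from collections import defaultdict

# Assumption: a short illustrative watchlist of dynamic-DNS suffixes.
# The real list of 23 seized domains is not given in the article.
DYNDNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "hopto.org", "zapto.org")

# Assumption: hosted names the organisation itself depends on (compare the
# commenter running a legitimate paid No-IP service). These are reported,
# not flagged, so a blanket block does not silently break them.
ALLOWLIST = {"vpn-office.no-ip.org"}

# Constructed sample log; nothing here is real traffic.
SAMPLE_LOG = """\
2014-07-01T09:50:01 10.0.0.5 www.example.com
2014-07-01T09:50:02 10.0.0.5 vpn-office.no-ip.org
2014-07-01T09:50:03 10.0.0.9 update-srv17.no-ip.biz
2014-07-01T09:50:04 10.0.0.9 backup-node.hopto.org
2014-07-01T09:50:05 10.0.0.9 no-ip.org
2014-07-01T09:50:06 10.0.0.12 fakeno-ip.org
2014-07-01T09:50:07 10.0.0.12 mail.zapto.org
""".splitlines()


def dyndns_suffix(qname, suffixes=DYNDNS_SUFFIXES):
    """Return the matching suffix if qname is a host *under* a dynamic-DNS suffix.

    The check is label-aligned: the bare suffix ("no-ip.org") and look-alike
    names ("fakeno-ip.org") return None; only "<label>.<suffix>" matches.
    Trailing dots and case are normalised first.
    """
    q = qname.rstrip(".").lower()
    for s in suffixes:
        if q.endswith("." + s):
            return s
    return None


def parse_line(line):
    """Split one constructed log line into (timestamp, client_ip, qname)."""
    ts, client, qname = line.split()
    return ts, client, qname.rstrip(".").lower()


def flag_clients(log_lines, threshold=2, allowlist=ALLOWLIST):
    """Return (flagged, allowed_hits).

    flagged: client -> sorted hosted names, for clients that resolved at least
             `threshold` distinct non-allowlisted dynamic-DNS hostnames.
    allowed_hits: client -> sorted allowlisted names seen (for visibility only).
    """
    per_client = defaultdict(set)
    allowed_hits = defaultdict(set)
    for line in log_lines:
        if not line.strip():
            continue
        _, client, qname = parse_line(line)
        if dyndns_suffix(qname) is None:
            continue
        if qname in allowlist:
            allowed_hits[client].add(qname)
        else:
            per_client[client].add(qname)
    flagged = {c: sorted(n) for c, n in per_client.items() if len(n) >= threshold}
    return flagged, {c: sorted(n) for c, n in allowed_hits.items()}


if __name__ == "__main__":
    flagged, allowed = flag_clients(SAMPLE_LOG)
    for client, names in flagged.items():
        print(f"FLAG  {client}: {', '.join(names)}")
    for client, names in allowed.items():
        print(f"ALLOW {client}: {', '.join(names)}")
```

The threshold keeps a single legitimate lookup from raising an alert on its own, while the allowlist records exactly which of your own hosted names would break if the whole suffix were sinkholed, which is the operational question the commenters raise.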

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
McDaveX, User Rank: Strategist
7/3/2014 | 4:45:56 AM
From what I hear....
Trojans like Zeus use a DGA in the .org, .net and .com domains.
Perhaps MS should seize those as well, and let only the "good" traffic through?
Sara Peters, User Rank: Author
7/2/2014 | 3:54:50 PM
Re: When suing is a public service
@amueller651 I'm working on a follow-up story and would love to hear more about how you're managing. If you're willing to talk more, drop me a line at sara.peters AT ubm.com.
Dan Euritt, User Rank: Apprentice
7/2/2014 | 2:01:34 PM
Re: When suing is a public service
Well done, Microsoft!
amueller651, User Rank: Apprentice
7/2/2014 | 11:24:22 AM
Re: When suing is a public service
I am creating new DDNS names, but there is a whole lot more to it than just changing a name. Every client that logs into that server must be set up with the new info too. This will take days at least; clients do not care how it works, they just want to click and be there.
Kelly Jackson Higgins, User Rank: Strategist
7/2/2014 | 10:57:30 AM
Re: When suing is a public service
@amueller651 What are you doing in the meantime? Is this hurting business for you?
amueller651, User Rank: Apprentice
7/2/2014 | 10:15:53 AM
Re: When suing is a public service
I am a paying and legit No-IP customer and I am STILL down. This is just wrong. They took millions of IPs down to close about 2000 bad accounts. This is like shooting everyone to kill one guilty person.
Charlie Babcock, User Rank: Moderator
7/1/2014 | 3:56:57 PM
When suing is a public service
This may be necessary for Microsoft's business, I don't know, but I'm viewing it as a public service move.