After detecting more than 7.4 million infections among its customers by the Jenxcus and Bladabindi worms, Microsoft kicked off legal action yesterday to disrupt these pervasive malware threats. The action came in the form of civil suits lodged against US-based Dynamic DNS provider No-IP and two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, sanctioning the seizure of 23 of No-IP's most commonly used domains to shut down the command-and-control nerve center.
"We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims," wrote Richard Domingues Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit. "Dynamic Domain Name Service (DNS) is essentially a method of automatically updating a listing in the Internet’s address book, and is a vital part of the Internet. However, if not properly managed, a free Dynamic DNS service like No-IP can hold top-rank among abused domains."
According to Microsoft, this is the tenth global malware disruption action it's taken and the third since opening its Cybercrime Center in November of last year. Boscovich says among those, this one holds the potential to be the largest in terms of infection cleanup.
"Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains," he reported.
Known also as NJrat and NJw0rm, Bladabindi and Jenxcus offer attackers the ability to capture victims' key strokes, take screen captures, operate their web cams and microphones, and even take over full control of the system in some variants. Microsoft reported that Benabdellah and Al Mutairi were "social media savvy" and used social media to promote their wares and disseminate information on how to spread them.
Microsoft reported that No-IP had been warned previously by the security community that its domains were being abused, but did not take swift enough action to respond.
"Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity," Boscovich said, pointing to a Cisco cybercrime report from February that detailed use of No-IP domains among those serviced by several other Dynamic DNS services.
At that time, No-IP responded with an official statement claiming that Cisco did not contact its abuse team prior to the report.
"No-IP excels at handling abuse, verifying reported claims, and taking swift action," the company said at that time. "We would like to be on the record to state that at No-IP, we have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity. We work to achieve this by using filters that block certain words and we scan our network daily for signs of malicious activity."
This time around, No-IP's leadership expressed surprise that Microsoft took its action, claiming that Microsoft never contacted the firm or asked it to block any of its subdomains and reiterating its claim that it uses "sophisticated filters" and scans daily for signs of malicious activity.
"Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors," No-IP stated. "But this heavy-handed action by Microsoft benefits no one. We will do our best to resolve this problem quickly."
For its part, Microsoft holds the stance that free providers need to do better than platitudes to ensure they're not playing an active part in spreading malware.
"As malware authors continue to pollute the Internet, domain owners must act responsibly by monitoring for and defending against cybercrime on their infrastructure," Boscovich said. "If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online."