Microsoft's Digital Crimes Unit has taken on another group of Internet criminals, this time by filing a civil lawsuit to end what they call an international malware conspiracy. The suit targets two named individuals, a US company and 500 John/Jane Does.
The company is Vitalwerks Internet Solutions, LLC, doing business as No-IP.com. No-IP is a dynamic DNS service, normally designed to let users whose IP addresses change keep a stable DNS hostname pointing at their current address. The same property makes such services useful for hiding the systems used to distribute malware. Microsoft specifically names the Bladabindi (NJrat) and Jenxcus (NJw0rm) malware families as the two most commonly abusing No-IP domains, and further states that 93 percent of Bladabindi-Jenxcus infections that use dynamic DNS use No-IP.
The two named individuals are Mohamed Benabdellah and Naser Al Mutairi, Kuwaiti and Algerian nationals respectively and, according to Microsoft, the authors, owners and distributors of Bladabindi and Jenxcus. Microsoft has seen 7.4 million Bladabindi-Jenxcus detections in the last year by their own products (such as the Malicious Software Removal Tool and Security Essentials).
Microsoft accuses No-IP.com of failing to take appropriate measures despite knowing about the problems. Malware distribution abusing dynamic DNS, and No-IP in particular, is a well-known problem, as this Cisco Security Blog post from February describes. Consequently, on June 19 Microsoft filed for an order from the US District Court for Nevada granting Microsoft authoritative DNS control over No-IP's domains, and on June 26 the order was issued. The plan is for Microsoft to use that control to gather intelligence on the attacks in order to sinkhole them, and to inform ISPs of specific problems for them to address.
As a result of the suit, Microsoft now controls 22 of the most commonly used domains on No-IP.com, according to a blog entry by the company. The No-IP.com statement says that the takedown was a complete surprise to them, that Microsoft had not mentioned any problems before and that they "...have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us."
[UPDATE: On Tuesday David Finn, Executive Director and Associate General Counsel of Microsoft's Digital Crimes Unit issued the following statement: "Yesterday morning, Microsoft took steps to disrupt a cyber-attack that surreptitiously installed malware on millions of devices without their owners’ knowledge through the abuse of No-IP, an Internet solutions service. Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service. As of 6 a.m. Pacific time today, all service was restored. We regret any inconvenience these customers experienced."]
No-IP.com also states that customers are experiencing downtime even though Microsoft claims that they intend only to filter out hostnames through which malware is being delivered. "Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors."