Microsoft's No-IP seizure hit Syrian Electronic Army hard

Summary: Microsoft's legal action against a dynamic DNS provider could have made life very difficult for a number of online attack groups.

Microsoft has been accused of being heavy-handed in its domain seizure this week, but the action has reportedly disrupted a quarter of the major attack groups tracked by one security firm.

On Monday, Microsoft seized 22 domains under the control of No-IP.com, a dynamic DNS service provider. The company is now trying to restore its services following Redmond's action.

A US court granted Microsoft the authority to seize the domains after the company accused No-IP of failing to take action despite knowing that cybercriminals were using its domains to distribute malware. The malware in this case was Bladabindi (NJrat) and Jenxcus (NJw0rm), which relied predominantly on No-IP and together generated over seven million infections in the past year. The legal action was also aimed at a Kuwaiti national and an Algerian national who Microsoft says are behind the malware.

No-IP claims that it regularly works with companies when it hears of customers conducting malicious activity on its service. It said Microsoft had not contacted it at all before yesterday's seizure, leading to claims by some security experts that Microsoft had been heavy-handed.

Microsoft yesterday also confirmed that due to a technical issue, it accidentally impacted some No-IP customers outside the scope of its action.

However, Microsoft may have made a major dent in some of the most troublesome attack groups on the internet, such as the now-infamous Syrian Electronic Army (SEA), which has hacked eBay, the Washington Post, and Microsoft multiple times, among others.

According to Kaspersky Lab research director Costin Raiu, the takedown impacted a quarter of the "advanced persistent threat" actors it has been tracking. Among them are the SEA, the controversial Italian lawful-intercept vendor Hacking Team, and Flame, a well-known piece of malware discovered in 2012.

SEA is likely to face the most significant difficulties going forward, while others will simply move their botnet command and control (C&C) infrastructure elsewhere.
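The seizure bit because the implants' command-and-control rendezvous points were customer-chosen hostnames under zones No-IP controlled: take the zones, and every infected machine's next lookup lands wherever the new owner points it. A defender can apply the same observation to their own DNS telemetry by flagging lookups of hostnames under dynamic-DNS zones and singling out clients that resolve the same such name at fixed intervals, the pattern a beaconing implant produces. The following is an added example, not code from the article, Microsoft, Kaspersky Lab or No-IP. The log line format is constructed for the example, and the zone list is a small illustrative set of zones No-IP has offered to customers, not the 22 domains covered by the court order; in practice the list would come from a maintained intelligence feed.

```python
"""Flag dynamic-DNS hostnames in DNS query logs and mark periodic lookups.

Added example for illustration; log format and zone list are assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Illustrative zones No-IP has offered to customers. NOT the 22 domains in
# the court order; maintain your own list from a threat-intel feed.
DDNS_ZONES = frozenset({
    "no-ip.org", "no-ip.biz", "no-ip.info", "hopto.org", "zapto.org",
    "ddns.net", "sytes.net", "serveftp.com", "myftp.org", "redirectme.net",
})

# Assumed (constructed) log format, one query per line:
# <ISO-8601 timestamp> <client ip> <qname> <qtype>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def ddns_zone(qname):
    """Return the dynamic-DNS zone a name sits under, or None.

    Matches on label boundaries, so 'evil-no-ip.org' is not treated as a
    host under 'no-ip.org', and the bare zone apex itself is not flagged
    (a customer hostname needs at least one extra label in front).
    """
    labels = qname.lower().rstrip(".").split(".")
    for n in (2, 3):  # zones in the list have two or three labels
        if len(labels) > n and ".".join(labels[-n:]) in DDNS_ZONES:
            return ".".join(labels[-n:])
    return None


def parse_line(line):
    """Parse one constructed-format log line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qtype


def is_periodic(timestamps, tolerance=0.1):
    """True if consecutive lookup intervals all sit within tolerance of
    their median, i.e. the client is resolving the name on a fixed timer."""
    if len(timestamps) < 3:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = statistics.median(gaps)
    if med <= 0:
        return False
    return all(abs(g - med) <= tolerance * med for g in gaps)


def find_ddns_lookups(lines):
    """Group DDNS lookups by (client, qname) and return one finding each."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, _qtype = rec
        zone = ddns_zone(qname)
        if zone:
            seen[(client, qname, zone)].append(ts)
    return [
        {"client": client, "qname": qname, "zone": zone,
         "count": len(stamps), "periodic": is_periodic(stamps)}
        for (client, qname, zone), stamps in sorted(seen.items())
    ]


# Constructed sample log: 10.0.0.5 resolves one DDNS name every five minutes,
# 10.0.0.7 resolves a DDNS name once, 10.0.0.9 hits a look-alike that must
# not match.
SAMPLE_LOG = """\
2014-07-01T09:00:00 10.0.0.5 updates-svc.no-ip.org A
2014-07-01T09:00:02 10.0.0.7 www.example.com A
2014-07-01T09:05:00 10.0.0.5 updates-svc.no-ip.org A
2014-07-01T09:05:30 10.0.0.9 evil-no-ip.org A
2014-07-01T09:10:00 10.0.0.5 updates-svc.no-ip.org A
2014-07-01T09:12:11 10.0.0.7 files.hopto.org A
2014-07-01T09:15:00 10.0.0.5 updates-svc.no-ip.org A
2014-07-01T09:20:00 10.0.0.5 updates-svc.no-ip.org A
""".splitlines()

if __name__ == "__main__":
    for f in find_ddns_lookups(SAMPLE_LOG):
        flag = "PERIODIC" if f["periodic"] else "once/irregular"
        print(f"{flag:<15} {f['client']:<10} {f['qname']:<26} "
              f"zone={f['zone']} n={f['count']}")
```

A single lookup of a dynamic-DNS name is weak evidence on its own, since legitimate home servers and small sites use the same providers; the periodic flag is what separates a timer-driven implant from a user clicking a link. After a takedown like this one the same names keep being queried, now resolving to the seizing party's sinkhole, so the list of periodic clients is also the list of machines to clean.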

"For some groups, such as Syrian Electronic Army, the effect is probably very serious, as it affects a large amount of their C&Cs. For others, it will be noticeable, at least annoying if not a problem. In the future, the bad guys will be more careful in using Dynamic DNS providers and will rely more often on other methods of control," Raiu told ZDNet.

Microsoft's past botnet takedowns have been criticised for essentially snatching domains that other security researchers had 'sinkholed' and claiming them for itself. In this instance, Raiu said his team's research was also disrupted.

"Two hosts previously used in APT attacks that we were sinkholing were also taken away from us. We were using the logs from these, together with other data from our sinkhole to notify victims in many different countries," said Raiu.

Topics: Security, Microsoft

About

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s...
