Microsoft's Digital Crimes Unit started its latest botnet takedown with a bang by taking over 21 high-level domains, but it ended with a whimper as Microsoft dropped its case against the dynamic Domain Name System (DNS) Internet provider No-IP.
Microsoft convinced the US District Court in Nevada in June that Vitalwerks Internet Solutions, under the tradename No-IP.com, had made it possible for web servers using its services to distribute malware. Specifically, Microsoft claimed that No-IP had allowed sites to spread the Bladabindi and Jenxcus families of malware.
Microsoft then got the court to issue an ex parte order that gave it control of all of No-IP's Internet addresses. No-IP was not given a chance to respond to Microsoft's claim before the order was issued.
Microsoft's efforts did stop some malware activity, but they also knocked out many of No-IP's innocent users.
David Finn, Executive Director and Associate General Counsel of Microsoft's Digital Crimes Unit, said: "Microsoft took steps to disrupt a cyberattack that surreptitiously installed malware on millions of devices without their owners’ knowledge through the abuse of No-IP, an internet solutions service."
"Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service," he added.
No-IP was not amused.
In a statement immediately after the take-down, Natalie Goguen, No-IP's Marketing Manager, wrote, "We want to update all our loyal customers about the service outages that many of you are experiencing today.
It is not a technical issue. On Wednesday, Microsoft served a federal court order and seized 22 of our most commonly used domains because they claimed that some of the sub-domains have been abused by creators of malware. We were very surprised by this. We have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us. Unfortunately, Microsoft never contacted us or asked us to block any sub-domains, even though we have an open line of communication with Microsoft corporate executives."
The users, several million of them by No-IP's count, were also not amused.
Still, according to security company Kaspersky Lab, Microsoft's domain seizures put a crimp into the operations of multiple botnets.
At the same time, as Claudio Guarnieri, an independent security researcher, told the respected security publication Threatpost: "The wild use of domain sink-holing has been a controversial discussion for a long time; the fact that we’re seeing corporations like Microsoft seizing assets belonging to legitimate companies made many peers in our community drop their jaws."
Microsoft started backing off from its heavy-handed efforts to control No-IP's service and domains in early July. On July 3, Microsoft returned the 23 seized domains to No-IP. And now today, July 9th, Microsoft admitted that "Vitalwerks was not knowingly involved with the sub-domains used to support malware. Those spreading the malware abused Vitalwerks' services."
Vitalwerks stated: "Microsoft identified malware that had escaped Vitalwerks’ detection. Upon notification and review of the evidence, Vitalwerks took immediate corrective action allowing Microsoft to identify victims of this malware. The parties have agreed to permanently disable Vitalwerks sub-domains used to control the malware."
Microsoft said that "a number of Vitalwerks customers were impacted by service outages as a result of a technical error. Microsoft regrets any inconvenience these customers may have experienced."
The case itself is over.
The moral of the story? While seizing botnet-infected servers and domains has indeed proven to be a good way of stopping them, allowing companies such as Microsoft to act as the police without due process is clearly giving them too much power. There needs to be a better way of reviewing legal action against purported botnet providers.