Microsoft sues to take down another malware gang

Microsoft sues to take down another malware gang

Summary: [UPDATED] A US court has ordered a major dynamic DNS company, abused to distribute malware, to turn domain control over to Microsoft.

SHARE:
TOPICS: Security, Microsoft
16

Microsoft's Digital Crimes Unit has taken on another group of Internet criminals, this time by filing a civil lawsuit to end what they call an international malware conspiracy. The suit targets two named individuals, a US company and 500 John/Jane Does.

The company is Vitalwerks Internet Solutions, LLC, doing business as No-IP.com. No-IP is a dynamic DNS service, normally designed to allow users with dynamic IP addresses to use DNS to point to those addresses. Such systems are also useful for hiding systems used to distribute malware. Microsoft specifically names the Bladabindi (NJrat) and Jenxcus (NJw0rm) families of malware as the two most common exploiting No-IP domains, and states further that 93 percent of Bladabindi-Jenxcus infections that use dynamic DNS use No-IP.

The two named individuals are Mohamed Benabdellah and Naser Al Mutairi, Kuwaiti and Algerian nationals respectively and, according to Microsoft, the authors, owners and distributors of Bladabindi and Jenxcus. Microsoft has seen 7.4 million Bladabindi-Jenxcus detections in the last year by their own products (such as the Malicious Software Removal Tool and Security Essentials).

Microsoft accuses No-IP.com of failing to take appropriate measures in spite of knowing about the problems. Malware distribution abusing dynamic DNS and No-IP in particular is a well-known problem as this Cisco Security Blog from February describes. Consequently, on June 19 Microsoft filed for an order from the US Disrict Court for Nevada granting Microsoft authoritative DNS control for No-IP's domains, and on June 26 the order was issued. The plan is for Microsoft to use the control to gather intelligence of the attacks in order to sinkhole them and to inform ISPs of specific problems for them to address.

As a result of the suit, Microsoft now controls 22 of the most commonly used domains on No-IP.com, according to a blog entry by the company. The No-IP.com statement says that the takedown was a complete surprise to them, that Microsoft had not mentioned any problems before and that they "...have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us."

[UPDATE: On Tuesday David Finn, Executive Director and Associate General Counsel of Microsoft's Digital Crimes Unit issued the following statement: "Yesterday morning, Microsoft took steps to disrupt a cyber-attack that surreptitiously installed malware on millions of devices without their owners’ knowledge through the abuse of No-IP, an Internet solutions service. Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service.  As of 6 a.m. Pacific time today, all service was restored.  We regret any inconvenience these customers experienced."]

No-IP.com also states that customers are experiencing downtime even though Microsoft claims that they intend only to filter out hostnames through which malware is being delivered. "Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors."

Topics: Security, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

16 comments
Log in or register to join the discussion
  • whac

    whac, whac, whac that mole

    msft: go harden your software and quit playing Whac-a-Mole
    Mike~Acker
    • Sigh. Yet another one that doesn't understand.

      this is only good for everybody, but I guess that part was lost on you....
      William.Farrel
      • Great!... except for legitimate users

        Oh yeah, this is good for everyone - that is everyone except for those people that use No-IP for legitimate purposes and now have no access to their domain thanks to Microsoft's overzealous domain policing. Thanks to Microsoft, I have no access to my home, mobile and work PCs that utilize No-IP's dynamic DNS service.

        I'm with Mike, go fix your damn software, Microsoft!
        NetAdmin1178
    • Whack a mole is necessary too

      But I agree that it's not a substitute for hardening the system.

      Every single slowdown I've ever seen on Windows XP or 7 has been due to surreptitiously installed adware; no exceptions (just because I'm a UNIX specialist doesn't mean that I'm not sometimes called upon to fix Windows problems). Vista had performance problems of its own, but that has been the exception, not the rule.

      So yes, MS should be fighting malware.
      John L. Ries
  • whac

    whac, whac, whac that mole

    msft: go harden your software and quit playing Whac-a-Mole
    Mike~Acker
  • Finally Action!

    Hats off to MS, good move!
    earthling1
    • Actually, not really (my hat staying on)

      Even though Microsoft shut down millions of legitimate no-ip users, I for one am still getting malware, adware, crapware, etc on my Windows systems (also using Microsoft Security Essentials/Windows Defender).

      Malware exists because of Microsoft's design shortcomings.

      Microsoft's action is historically typical of them: Heavy-handed, draconian, disrupts the most users possible, aaand with little to no overall effect on the stated issue.

      It boggles the mind that Microsoft will go through all of this rather than putting the effort and resources into fixing their product(s) flaws.
      dunderchief
      • Your hat stays on, your eyes and ears stay covered

        I agree with earhling1.
        I can only assume those that complain about MS actions here are probably grousing because they lost their revenue stream. Companies (like No-IP is alleged here) that turn a blind eye to this need a wake up call, and I would put the ad-delivering companies in the same bucket.
        They say "It's not me", but their channels are delivering this malicious software to every operating system (not such MS, dunderhead).
        I wish Cisco, Apple, and others would do so much).
        batpox
      • Where have you been?

        Microsoft has been actively fixing and hardening their systems for quite some time. At this point most malware requires people to either download and install it or visit less than decent websites that'll install it automatically.
        grayknight
        • I've always wondered...

          ... about what people are doing with their computers. I've been using Window systems since Windows 98. I had XP. I had Vista, 7, and am now on 8.1.

          Now, in all fairness my Win98 machine was never on the internet, and my XP machine was only on the internet to play games... yet I've never had a malware infection, virus, or other problem. So I'm curious what kinds of activity you guys who are always complaining are engaged in. I have my theories.

          So here is a free pro-tip: If the file says "Game of Thrones - Every Episode Free!" - it's probably a virus.
          jsreilly
      • Couldn't agree more, Dunderchief...

        Windows 8x is supposedly a "hardened" version of this fine operating system, and yet two people at work - admittedly PC neophytes - have brought me their month-old laptops in despair, the machines riddled with malware. They know I'm a geek - nurses can be geeks, you know - and know my laptop is always up, always running, never an issue.
        They want that, too.
        They see me using Windows XP and wish they'd kept their old machine now, instead of spending money to get something only to end up with the same problems again.

        But when I tell them how I manage to run an expired OS version (in VBox, so XP never connects to the Internet, only use XP in a VM to run MS Office for work-related stuff), it all suddenly becomes "too hard". Can't expect folks to learn a new OS, now can we? even if that OS (Mint) never gives me a lick of trouble.

        Oh well.

        But yeah, Windows hardened? really?!? Why, then, is my Mint install completely malware free - I've been malware-free since I started using Linux seriously back in 2006 - and their brand-new laptops are already malware-ridden?

        I'm a nurse, not an IT person. If I were an IT person, I could probably clean up their Win8 machines and "harden" them, possibly. But Mint is "hardened by design. I can harden it further, sure. But my experience is already vastly better than theirs, surely.
        Robynsveil
      • Malware Exists Because

        I take exception to this statement: "Malware exists because of Microsoft's design shortcomings." Microsoft is certainly not the only entity designing operating systems and is not the only one affected by malware.

        A body of individuals and corporate entities make money being criminals; if there is money to be made, someone will find a way to do it illegally without any regard for civil or criminal law.
        OldGrayWolf
        • It's a large part of it

          UNIX/Linux users are not accustomed to running with elevated privileges; Windows and (to an extent) Mac users are.
          John L. Ries
  • Wholeheartedly disagree with this ruling

    I have used No-Ip.com (as a paying user) to connect remote physical therapy offices running on DSL lines (dynamic IP addresses). It is an affordable service that allows a small business build a semi reliable low budget WAN connected (using VPNs) on public infrastructure.
    The fact that some people are using No-IP.com for nefarious purposes is enough to hand over the service to Microsoft. I do not understand this, and it reeks of another method for FISA/NSA to backdoor their way into communications... obviously with the benefit to Microsoft to have less attacks on their software.
    I do not know the history of the complaint Microsoft has filed against No-IP.com, but wouldn't a cease and desist be more reasonable? Won't hackers/criminals simply move on to another method? Couldn't a better service signup method been implemented to verify identity?
    I don't know why I care that much... in fact, I guess I don't... nobody else does...
    duckdive@...
  • "had not mentioned any problems before"

    That's always the excuse when somebody doesn't act or act fast enough. I'm betting those emails got "lost" like Lois Lerner's did.
    Turismo
  • fixed for legit users? yeah, no.

    "Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service. As of 6 a.m. Pacific time today, all service was restored. We regret any inconvenience these customers experienced." - Yeah, sure, service is restored to all customers not infected... hardly!
    NetAdmin1178