Microsoft's No-IP seizure hit Syrian Electronic Army hard

Microsoft's No-IP seizure hit Syrian Electronic Army hard

Summary: Microsoft's legal action against a dynamic DNS provider could have made life very difficult for a number of online attack groups.

TOPICS: Security, Microsoft

Microsoft has been accused of being heavy-handed in its domain seizure this week, but it's reportedly disrupted a quarter of major attack groups tracked by one security firm.

On Monday, Microsoft seized 22 domains under the control of, a dynamic DNS service provider. The company is now trying to its restore services following Redmond's action.

A US court granted Microsoft the authority to seize the domains after the company accused No-IP of failing to take action despite knowing that cybercriminals were using its domains to distribute malware. The malware in this case was Bladabindi (NJrat) and Jenxcus (NJw0rm), which together predominantly used No-IP to generate over seven million infections in the past year. The legal action was also aimed at a Kuwaiti national and an Algerian national that Microsoft says are behind the malware.

No-IP claims that it regularly works with companies when it hears of customers conducting malicious activity on its service. It said Microsoft had not contacted it at all before yesterday's seizure, leading to claims by some security experts that Microsoft had been heavy-handed.

Microsoft yesterday also confirmed that due to a technical issue, it accidentally impacted some No-IP customers outside the scope of its action.

However, Microsoft may have made a major dint in some of the most troublesome attack groups on the internet, such as the now-infamous Syrian Electronic Army (SEA), which has hacked eBay, the Washington Post, and Microsoft multiple times, among others.

According to Kaspersky Lab research director Costin Raiu, the takedown impacted a quarter of the "advanced persistent threat" actors it's been tracking. Among them are the SEA, the controversial Italian lawful intercept vendor the Hacking Team, and Flame, a well-known piece of malware discovered in 2012.

SEA is likely to face the most significant difficulties going forward, while others will simply move their botnet command and control (C&C) infrastructure elsewhere.

"For some groups, such as Syrian Electronic Army, the effect is probably very serious, as it affects a large amount of their C&Cs. For others, it will be noticeable, at least annoying if not a problem. In the future, the bad guys will be more careful in using Dynamic DNS providers and will rely more often on other methods of control," Raiu told ZDNet.

Microsoft's botnet takedowns in the past have been criticised in the past for essentially snatching domains that other security researchers had 'sinkholed' and claimed them for itself. In this instance, Raiu said its research was also disrupted.

"Two hosts previously used in APT attacks that we were sinkholing were also taken away from us. We were using the logs from these, together with other data from our sinkhole to notify victims in many different countries," said Raiu.

Read more on security

Topics: Security, Microsoft

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Good for Microsoft

    As far as the "researchers" complaining about collateral damage: tough.
    • collateral damage

      Bill4, evidently your none of your web resources were part of the collateral damage. Lots of completely unrelated sites were.
      • Then the complaint should be made to no-IP

        who should probably be taking greater care as to who or what can use its service.
        • Oh

          I don't think No-IP care3d. You think No-IP wasn't warned by others of the crap that their are involved with? I'm sure they received complaints and they probably ignored them. They were at least indirectly involved with a bunch of hacking groups including SEA!
      • Isn't this law enforcement's job?

        When did Microsoft become the police? What gives them the right to seize anything at all? Yes, yes the court granted it, but how and why was that justified legally? Or are the courts that easy to buy these days? ....Nevermind, the answer to that one is pretty obvious.

        I wonder if no-IP or its customers would have grounds to sue Microsoft. If I were affected, I'd look into it. I think if 10 or 20 thousand people took Microsoft to small claims court, it'd create a nightmare for them.
        • Right on!

          From convicted monopoly to internet cop, only the USA
      • Oh

        Boo hoo to those sites. They should of investigated the host service before using their services.
  • Microsoft taking action

    is far more valuable than sitting in a sinkhole observing the chaos. Good job Microsoft!
    • A temporary inconvenience

      to the malware distributors is hardly preferable to fixing the vulnerabilites the malware is exploiting, yet that is what is happening.
      • then fix the vulnerabilities

        using the public as a guinea pig (since sinkholes allowed the malicious activity to continue) is not appropriate.
  • If you use your web services to distribute malware

    Don't be surprised if someone acts to stop your illegal activity.
  • Hmmm

    So Microsoft takes out a major malware problem, and security experts are upset about their approach. Hmm that makes no sense, if you are a security expert, would you not want them gone, since that is what you do. Oh I see they did not want it gone so they could continue getting big pay cheques for helping companies protect from this threat.
    • Swatting a fly with a nuclear bomb...

      So, I work in security but this is the same a swatting a fly with a nuclear bomb. If No-IP is to be believed - and I see no reason now to doubt them - they weren't given a chance to swat the fly - and they have the fly-swatter. All MS had was the nuclear option. CSO’s Steve Ragan pointed out, “Four million domains have been shutdown, despite the fact that Microsoft only wants 18,472 of them.” That's a 1 in 250 domain names - NOT COOL.
    • Perhaps the complaints are about compromising ...

      something analogous to an undercover investigation, as in those police dramas in which a local cop arrests someone being kept under surveillance for a minor crime, scaring him/her away from leading the other cops to his/her bigger associates, and ruining a long term hunt for the big honcho.

      If my understanding is correct, this is what the collaterally damaged "sinkhole" projects were trying to do: either locate the worst bad actors (the actual coders of the malware), or analyze the malware to determine a repair procedure, or (as the FBI did a couple of years ago) substitute a benign site at the URL of the malware's server in order to notify victims of the need to apply a known remedy to their systems.

      But at least the short term security goal was achieved.
  • We need more of these types of actions

    Not the observing the sinkhole action, the lets shutdown malware spreading IPs action.
  • I'm all for sinkholing the comment spam...

    More junk in the Comments section. One useful thing that our Artificial Intelligence researchers could do that would get a lot of thanks, would be to find a way to filter out all the "work at home for gigantic sums" nonsense that keeps cropping up in so many forums.

    Spammers gonna spam - I get that. But it's just gotten ridiculous...
    • 13 Flags Right Now

      13 Flags and the spam is still the lead comment. So, yeppers, Den2010.
  • I was affected by this.

    And I'm a simple free-level user, using the service with a few friends. C'mon, MS, show some understanding and smarts. Don't be ignorant.
  • What a crock

    "Microsoft yesterday also confirmed that due to a technical issue, it accidentally impacted some No-IP customers outside the scope of its action."

    Basically, they are "free" subdomains, some of which have 100k+ entries. So MS, in order to swat say 5-10, took down the full 100k+ domains. Multiply that by the 20+ domains they took down, and you get an idea of the impact - some definition of "some".
    Harlon Katz
  • Microsoft Cybercrime Unit is a Necessary Evil

    It seems pretty clear that No-IP is not without culpability in this case. This take down affected 25% of the nefarious traffic. While No-IP may try to suggest otherwise, their domains have been called out for some time so this shouldn't come as a surprise. If you use their services, I would find a new DDNS provider ASAP.