In an effort to crack down on cybercrime, Microsoft has taken legal action against a malware network that it believes is responsible for more than 7.4 million infections of Windows PCs worldwide.
Millions of legitimate hosts that rely on the Dynamic DNS (DDNS) service from No-IP.com, owned by Vitalwerks Internet Solutions, were knocked offline on Monday after Microsoft seized 23 of the company's domain names, which were also being used by malware developed in the Middle East and Africa.
No-IP FOR MALWARE OPERATORS
The Dynamic DNS (DDNS) service from No-IP.com works by mapping a user's changing IP address to a custom No-IP sub-domain such as yourhost.no-ip.org or yourhost.no-ip.biz. Whenever the address changes, the user's update client pushes the new address to No-IP, so clients can always reach a system with a dynamic IP address through a stable No-IP hostname.
It is undoubtedly a useful service, but sub-domains of the Nevada-based No-IP DDNS service have been abused by malware authors to infect millions of computers at large scale, since a malware operator behind a changing residential or mobile IP address can keep a fixed command-and-control hostname in the same way.
FAMOUS MALWARE FAMILIES USING No-IP SERVICE
Microsoft's security team began this operation under an order granted by a federal court in Nevada, targeting traffic from two malware families that abused No-IP services. The Windows malware families, known as Bladabindi (aka NJrat) and Jenxcus (aka NJw0rm), use No-IP hostnames to communicate with their operators in 93 percent of detected infections, and are the most prevalent among the 245 other pieces of malware currently exploiting No-IP domains.
In a blog post, Richard Domingues Boscovich, assistant general counsel at Microsoft's Digital Crimes Unit, said Microsoft pursued the seizure for No-IP's role "in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large."
LARGE SCALE MALWARE INFECTION AND ACCUSED AUTHORS
Over the past year, Microsoft's security team has detected more than 7 million infections involving Bladabindi and Jenxcus, malware used to take control of users' computers, steal passwords, and turn on webcams and microphones.
Microsoft accused Kuwaiti national Naser Al Mutairi and Algerian national Mohamed Benabdellah of writing and distributing the Bladabindi and Jenxcus malware, respectively. Microsoft claims the developers have sold over 500 copies of the malicious software to crooks and cybercriminals, and promoted the No-IP service for use with the malware to help buyers cover their tracks.
In a civil case filed on June 19, Microsoft named two individuals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, accusing them of violating "federal and state law by distributing malicious software through more than 18,000 sub-domains belonging to No-IP, causing the unlawful intrusion into, infection of, and further illegal conduct involving, the personal computers of innocent persons, thereby causing harm to those persons, Microsoft, and the public at large."
Microsoft attorneys said No-IP is "functioning as a major hub for 245 different types of malware circulating on the Internet."
The court in Nevada granted a temporary restraining order against No-IP, and DNS traffic for the hostnames associated with malicious activity is now being routed through Microsoft's name servers:
- ns7.microsoftinternetsafety.net
- ns8.microsoftinternetsafety.net
MICROSOFT vs No-IP SERVICE
Microsoft claimed, "Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity."
In an official statement, Vitalwerks accused Microsoft of harming millions of innocent users, who are experiencing outages because of Microsoft's attempt to remediate hostnames associated with a few bad actors.
"Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives," said No-IP Marketing Manager Natalie Goguen.
"Vitalwerks and No-IP have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity," Goguen said. "Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors. But this heavy-handed action by Microsoft benefits no one."
OTHER POPULAR No-IP LIKE SERVICES
There are dozens of free dynamic DNS services like No-IP on the Internet, and they are likewise abused by malware authors and operators to distribute and control malware. Examples:
- https://www.dnsdynamic.org/
- https://www.changeip.com/
- https://freedns.afraid.org/
- https://www.dyndns.com/
- and many more…
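Because a DDNS hostname resolves to whatever address the operator last pushed, blocking IPs is of little use against this pattern; what a defender can do cheaply is watch resolver logs for lookups under the provider zones named above. The script below is an added example, not code from the article, Microsoft or No-IP: it parses constructed BIND-style query-log lines (the log, the client addresses and the hostnames are made up), matches queried names against a hypothetical list of the zones mentioned on this page on a label boundary (so "notno-ip.org" does not match "no-ip.org"), and summarises which internal clients touched which zone. In practice the zone list would be far longer and a hit means "review", not "malicious"; legitimate home users and small businesses rely on the same services.

```python
"""Flag DNS queries for hostnames under free dynamic-DNS provider zones.

Added example: the zone list and the log lines are constructed for
illustration and are not taken from the article, Microsoft, or No-IP.
"""

# Provider zones named in the article. Assumption: this short list is the
# only set we care about here; a real deployment maintains a fuller list.
DDNS_ZONES = (
    "no-ip.org",
    "no-ip.biz",
    "dnsdynamic.org",
    "changeip.com",
    "afraid.org",
    "dyndns.com",
)

# Constructed sample log, loosely in BIND query-log style:
#   <timestamp> client <ip>#<port>: query: <name> IN <type>
SAMPLE_LOG = """\
30-Jun-2014 10:01:02.123 client 10.0.0.5#51234: query: yourhost.no-ip.org IN A
30-Jun-2014 10:01:03.456 client 10.0.0.5#51235: query: update.microsoft.com IN A
30-Jun-2014 10:01:04.789 client 10.0.0.7#40001: query: notno-ip.org IN A
30-Jun-2014 10:01:05.000 client 10.0.0.7#40002: query: c2box.changeip.com. IN A
30-Jun-2014 10:01:06.000 client 10.0.0.9#40003: query: NO-IP.BIZ IN A
"""


def normalize(name: str) -> str:
    """Lower-case the name and strip a trailing dot so matching is exact."""
    return name.rstrip(".").lower()


def ddns_zone(name: str, zones=DDNS_ZONES):
    """Return the provider zone `name` falls under, or None.

    Matching is on a label boundary: 'a.no-ip.org' and 'no-ip.org' match,
    'notno-ip.org' does not.
    """
    n = normalize(name)
    for zone in zones:
        if n == zone or n.endswith("." + zone):
            return zone
    return None


def parse_query(line: str):
    """Extract (client_ip, qname) from a query-log line; None if not a query."""
    if " query: " not in line or "client " not in line:
        return None
    head, tail = line.split(" query: ", 1)
    qname = tail.split()[0]
    client = head.split("client ", 1)[1].split("#", 1)[0]
    return client, qname


def flag_ddns_queries(log_text: str):
    """Return (client_ip, qname, zone) for every query under a DDNS zone."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        client, qname = parsed
        zone = ddns_zone(qname)
        if zone:
            hits.append((client, normalize(qname), zone))
    return hits


def clients_per_zone(hits):
    """Count distinct querying clients per zone, a triage view for the SOC."""
    per_zone = {}
    for client, _, zone in hits:
        per_zone.setdefault(zone, set()).add(client)
    return {zone: len(clients) for zone, clients in per_zone.items()}


if __name__ == "__main__":
    found = flag_ddns_queries(SAMPLE_LOG)
    for hit in found:
        print("DDNS lookup:", hit)
    print("clients per zone:", clients_per_zone(found))
```

Run against the constructed log, the script flags the no-ip.org, changeip.com and NO-IP.BIZ lookups and ignores update.microsoft.com and the look-alike notno-ip.org; feeding it real resolver logs is a matter of swapping SAMPLE_LOG for the file contents and extending DDNS_ZONES.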
Microsoft advised all such providers to follow industry best practices, in order to make it more difficult for cybercriminals to operate anonymously and harder to victimize people online.
Boscovich went on to say, "As malware authors continue to pollute the Internet, domain owners must act responsibly by monitoring for and defending against cyber crime on their infrastructure. If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online."
No-IP did not create the malware, but Microsoft's position is that the service failed to take adequate steps to keep its domains free of malicious activity. Microsoft said the case and the operation are ongoing. Stay tuned for more updates.