Microsoft's takedown of No-IP pushes innocents into the crossfire

On Monday, Microsoft said it was taking No-IP to task "as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware."

The case is Microsoft's latest effort to slow the spread of malware online, but this time innocents are caught in the crossfire. In their move to block malicious traffic, Microsoft has also stopped legitimate traffic on a network used by millions of people.

No-IP lost control over 23 of their domains, the core of their free dynamic DNS offering, after a court in Nevada allowed Microsoft to redirect traffic on them in order to stop the NJrat and Jenxcus botnets. The criminals responsible for the malware families were using No-IP's dynamic DNS so that infected hosts could always locate their command-and-control servers, even as the attackers' IP addresses changed.

"Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains," wrote Richard Domingues Boscovich, Assistant General Counsel for Microsoft Digital Crimes Unit.

"Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months, which doesn't account for detections by other anti-virus providers. If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online."

Microsoft cites reports from OpenDNS, Cisco, FireEye, General Dynamics, and Symantec in their complaint against No-IP, noting that the firms have consistently reported that the dynamic DNS provider has been a haven for criminal activity when it comes to malware.

Microsoft also says that No-IP has failed to take sufficient steps to correct or prevent the abuse to its services, and to keep its domains free of illegal activity.

As such, Microsoft requested control over the 23 primary domains that support No-IP's free DNS service, so that it could sinkhole the 18,472 malicious hostnames under those domains being used by the criminals.

However, while Redmond said it would filter out the bad traffic and allow normal access to the domains for good traffic (so that legitimate hostnames would still resolve), that is not what happened.

In a statement, No-IP said that Microsoft's "draconian actions have affected millions of innocent Internet users."

"They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening. Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft's attempt to remediate hostnames associated with a few bad actors."

Furthermore, No-IP maintains that Microsoft made no effort to contact them prior to Monday's takeover, denying the company a chance to resolve the issue without causing downtime or performance impacts. Another problem is that while 18,472 domains were flagged by Microsoft, No-IP says that only 2,000 of them were active on Monday morning.
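The selective filtering Microsoft described (answer flagged hostnames with a sinkhole address, let every other hostname under the seized domains keep resolving) comes down to a per-query decision under each seized apex. The following is an added example, not code from Microsoft, No-IP or this article: the apex domains, hostnames, addresses and blocklist are all constructed, and the "forward" branch stands in for however the operator of the redirected domains would obtain the provider's current record for a legitimate hostname. It also shows why the decision must match on whole DNS labels rather than substrings, and why every legitimate query still lands on the operator's infrastructure.

```python
"""Selective DNS sinkholing for hostnames under seized dynamic-DNS apex domains.

Added example (not Microsoft's, No-IP's, or the article's code). All domains,
hostnames and addresses below are constructed for illustration.
"""
from collections import Counter

# Stand-in sinkhole address (TEST-NET-3, RFC 5737); an assumption for this example.
SINKHOLE_IP = "203.0.113.10"

# Constructed apex domains standing in for the seized free dynamic-DNS domains.
SEIZED_APEXES = {"example-ddns.net", "example-ddns.org"}

# Constructed blocklist of hostnames flagged as malware command-and-control.
FLAGGED_HOSTNAMES = {"c2server.example-ddns.net", "update.example-ddns.org"}

# Constructed stand-in for the provider's own dynamic records (hostname -> current IP).
UPSTREAM_RECORDS = {
    "home-camera.example-ddns.net": "198.51.100.7",
    "c2server.example-ddns.net": "192.0.2.44",
    "notc2server.example-ddns.net": "198.51.100.8",
    "update.example-ddns.org": "192.0.2.45",
    "office-vpn.example-ddns.org": "198.51.100.9",
}


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so comparisons use canonical names."""
    return qname.rstrip(".").lower()


def label_suffixes(name: str):
    """Yield the name and each ancestor on label boundaries:
    a.b.example.net -> a.b.example.net, b.example.net, example.net, net."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def seized_apex(name: str):
    """Return the seized apex this name falls under, or None if it is outside the zones."""
    for suffix in label_suffixes(name):
        if suffix in SEIZED_APEXES:
            return suffix
    return None


def is_flagged(name: str) -> bool:
    """A name is flagged if it, or any ancestor label, is on the blocklist.

    Matching whole labels means 'notc2server.example-ddns.net' is NOT caught by
    the entry for 'c2server.example-ddns.net', while 'www.c2server.example-ddns.net' is.
    """
    return any(suffix in FLAGGED_HOSTNAMES for suffix in label_suffixes(name))


def resolve(qname: str):
    """Decide how one query is answered once the apex domain has been redirected.

    Returns (action, answer):
      ("not-seized", None)  - outside the seized zones; this resolver has no say
      ("sinkhole", ip)      - flagged hostname: answer with the sinkhole address
      ("forward", ip)       - unflagged hostname: answer with the provider's record
      ("nxdomain", None)    - unflagged hostname with no record
    """
    name = normalize(qname)
    if seized_apex(name) is None:
        return ("not-seized", None)
    if is_flagged(name):
        return ("sinkhole", SINKHOLE_IP)
    upstream = UPSTREAM_RECORDS.get(name)
    if upstream is None:
        return ("nxdomain", None)
    return ("forward", upstream)


def summarize(queries):
    """Tally actions for a batch of queries. Every 'forward' (and 'nxdomain') is
    load the sinkhole operator must carry even though only 'sinkhole' answers are the goal."""
    return Counter(resolve(q)[0] for q in queries)


if __name__ == "__main__":
    # Constructed query log: mostly legitimate traffic with a few C2 lookups.
    sample = [
        "home-camera.example-ddns.net.", "HOME-CAMERA.example-ddns.net",
        "c2server.example-ddns.net", "www.c2server.example-ddns.net",
        "notc2server.example-ddns.net", "office-vpn.example-ddns.org",
        "ghost.example-ddns.org", "www.example.com",
    ]
    for q in sample:
        print(f"{q:35} -> {resolve(q)}")
    print(summarize(sample))
```

In the constructed log above, only two of eight queries are sinkholed; the rest still have to be answered correctly, and with the legitimate share of a real dynamic-DNS provider's traffic that forward path is where capacity is needed.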

The company's statement goes on to say that while their abuse team works to keep the No-IP system free of spam and other malicious activity, they are aware that their DNS offerings can be abused, despite daily network scans and sophisticated filtering.

"But this heavy-handed action by Microsoft benefits no one," the statement from No-IP concluded.

Salted Hash has reached out to No-IP for additional comments and information.

Citing ongoing legal action against Vitalwerks (the company that operates No-IP), Microsoft wasn't able to comment on the allegations made by No-IP.

By Steve Ragan, CSO