Microsoft’s Digital Crimes Unit seized 23 free domain names in an effort to strike a fatal blow to malware delivery networks run by a Kuwaiti and an Algerian national.
“In a civil case filed on June 19, Microsoft named two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software — harming Microsoft, its customers and the public at large,” said Richard Boscovich, Assistant General Counsel with the unit.
“We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware.
“These families can install backdoor Trojans on your computer, which allow criminals to steal your information, such as your passwords, and use your computer to collect other sensitive information. For example, Bladabindi can take snapshots and record videos without your permission. It can also control your system remotely,” Tanmay Ganacharya and Francis Tan Seng of the Microsoft Malware Protection Center said.
“These backdoor Trojans can also upload new components or malware to your computer to add more malicious functionality. They often communicate with hosts that are typically a Dynamic DNS service such as No-IP because this makes them more difficult to trace.”
Those two malware families have infected nearly 7.5 million computers in the last 12 months and, according to Microsoft’s research, No-IP domains are involved in 93 percent of Bladabindi-Jenxcus infections. “Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity,” Boscovich said.
So Microsoft decided to step in and obtained court permission to become the DNS authority for the company’s 23 free domains, so that traffic to hostnames known to be malicious is redirected to a Microsoft sinkhole while other hostnames are meant to resolve as before.
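The two mechanisms in play here, malware beaconing to hostnames under a free dynamic DNS zone and a DNS authority sinkholing the known-bad ones while passing the rest through, are small enough to show in code. The following Python is an added example written for this page, not Microsoft’s, No-IP’s or the malware’s code: the resolver log format, the zone list (a handful of well-known free dynamic DNS zones, not the 23 domains named in the case), the blocklist and the sinkhole address are all assumptions made for the illustration.

```python
"""Flag DNS queries for customer hostnames under free dynamic DNS zones,
then model how a sinkholing DNS authority answers them.

Added example for illustration only. The log format, zone list, blocklist
and sinkhole address below are assumptions, not data from the case."""

from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Illustrative free dynamic DNS zones (assumption for this example; the
# article does not list the 23 seized domains).
DDNS_ZONES = frozenset({
    "no-ip.org", "no-ip.biz", "no-ip.info", "hopto.org", "zapto.org",
    "ddns.net", "sytes.net", "servehttp.com", "serveftp.com", "myftp.org",
})

# Hypothetical sinkhole address (TEST-NET-1, never routable), standing in
# for whatever address a real sinkhole operator uses.
SINKHOLE_IP = "192.0.2.1"

# Constructed blocklist of hostnames treated as known-bad for the demo.
KNOWN_BAD = frozenset({"victim-box.no-ip.org"})


@dataclass(frozen=True)
class DnsQuery:
    ts: str
    client: str
    qname: str
    answer: str


def ddns_zone(qname: str) -> Optional[str]:
    """Return the dynamic DNS zone that qname is a subdomain of, or None.

    The zone apex itself (no-ip.org, the provider's own site) is not
    flagged; only customer hostnames such as foo.no-ip.org are."""
    labels = qname.lower().rstrip(".").split(".")
    # Every proper suffix that still leaves at least one label in front.
    for i in range(1, len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DDNS_ZONES:
            return candidate
    return None


def parse_log_line(line: str) -> Optional[DnsQuery]:
    """Parse one line of the constructed resolver log format
    '<ts> <client_ip> <qname> <qtype> <answer_ip>'.
    Malformed lines and non-A queries yield None."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "A":
        return None
    ts, client, qname, _qtype, answer = parts
    return DnsQuery(ts, client, qname, answer)


def flag_ddns_queries(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, zone) for every query under a DDNS zone."""
    hits = []
    for line in lines:
        q = parse_log_line(line)
        if q is None:
            continue
        zone = ddns_zone(q.qname)
        if zone:
            hits.append((q.client, q.qname.lower().rstrip("."), zone))
    return hits


def sinkhole_answer(qname: str, blocklist: FrozenSet[str]) -> Optional[str]:
    """Model one decision of a sinkholing authority: a blocklisted hostname
    gets the sinkhole address; anything else returns None, meaning
    'resolve normally' (pass-through)."""
    name = qname.lower().rstrip(".")
    return SINKHOLE_IP if name in blocklist else None


# Constructed sample log: one normal site, one beacon to a DDNS hostname,
# the provider's own apex, a deeper DDNS hostname, and a malformed line.
SAMPLE_LOG = """\
2014-06-30T12:00:01Z 10.0.0.5 www.example.com A 93.184.216.34
2014-06-30T12:00:02Z 10.0.0.5 victim-box.no-ip.org A 203.0.113.7
2014-06-30T12:00:03Z 10.0.0.9 no-ip.org A 198.51.100.2
2014-06-30T12:00:04Z 10.0.0.9 cam1.office.hopto.org A 203.0.113.8
2014-06-30T12:00:05Z 10.0.0.9 mail.example.org MX
""".splitlines()


def run() -> dict:
    """Flag DDNS queries in the sample log and decide each one's fate."""
    hits = flag_ddns_queries(SAMPLE_LOG)
    answers = {name: sinkhole_answer(name, KNOWN_BAD) for _, name, _ in hits}
    return {"hits": hits, "answers": answers}


if __name__ == "__main__":
    result = run()
    for client, name, zone in result["hits"]:
        fate = result["answers"][name] or "pass-through"
        print(f"{client} queried {name} (zone {zone}) -> {fate}")
```

The flagging function is the detection side: on a corporate resolver, a host that starts resolving names under one of these zones is worth a look, since the article notes the malware favours dynamic DNS precisely because the hostname stays stable while the operator’s IP changes. The `sinkhole_answer` function is the other side of the story: a sinkholing authority only has to divert blocklisted names, and every other customer hostname under the same zone is supposed to resolve as before, which is exactly the part No-IP says failed in practice.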
“We have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us. Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives,” said Natalie Goguen, No-IP’s marketing manager.
“Vitalwerks and No-IP have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity. We use sophisticated filters and we scan our network daily for signs of malicious activity. Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors. But this heavy-handed action by Microsoft benefits no one.”
The company is also unhappy with how Microsoft has handled passing legitimate traffic through to No-IP’s users.
“Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors.”