Microsoft Seizes No-IP Domains for Malware Hosting, Millions of Users Suffer Outage as Microsoft Forces Customers to their DNS

Microsoft, one of the largest tech giants on the internet has taken legal action against a malware network that is alleged to be responsible for more than 7.4 million infected Windows PCs across the globe.

Millions of legitimate servers that rely on Dynamic Domain Name Services (DDNS) from No-IP.com received a blackout on Monday morning after Microsoft seized 23 domains that were believed to be used for malware that was developed across the globe.

The Dynamic Domain Name Service (DDNS) served by No-IP works by mapping users dynamic IP address to custom No-IP subdomain, such as example.no-ip.org or example2.no-ip.biz. This allows users to connect to a system with a dynamic IP address while using a static No-IP subdomain.

Microsoft security researchers began the investigation after an order was granted by a federal court in Nevada, researchers were primed to target traffic for two specific pieces of malware known to abuse the No-IP network. Popular Windows malware dubbed, Bladabindi known as NJrat among many forums, and Jenxcus known as NJw0rm amongst forums, used No-IP services to communicate with their creators in 93 percent of studied infections, which were found most prevalent among 245 other pieces of malware utilizing No-IP domains.

Richard Domingues Boscovich, Assistant General Counsel at Microsoft Digital Crimes Unit said Microsoft took action against No-IP’s role “in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large,” he stated in a blog post.

Since 2013 Microsoft security researchers have detected more than seven million infections that utilized Bladabindi and Jenxcus malware. These malwares were and can be used to take over computers, steal passwords, turn on and off cameras, steal audio, take pictures, record keystrokes amongst other malicious activities.

Who is behind the popular NJ malware? Microsoft has accused two foreign nationals, Mohamed Benabdellah from Algeria, and Naser Al Mutairi from Kuwait, of writing and distributing the Bladabindi and Jenxcus malware. Microsoft claims the developers have sold over 500 copies of the software to various cyber-criminals worldwide and promote No-IP to the be used in combination with the malware.

In a civil case filed on June 19, Microsoft named two persons, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions LLC (No-IP.com) for violating “federal and state law by distributing malicious software through more than 18,000 sub-domains belonging to No-IP, causing the unlawful intrusion into, infection of, and further illegal conduct involving, the personal computers of innocent persons, thereby causing harm to those persons, Microsoft, and the public at large.”

A Nevada court has granted Microsoft temporary control order against No-IP and now the DNS traffic for hostnames believed to be associated with the 245 pieces of malware are being funneled into Microsoft’s servers,

• ns7.microsoftinternetsafety.net
• ns8.microsoftinternetsafety.net

“Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity,” Microsoft said.

In an official press release by Vitalwerks, the company counter-accused Microsoft for affecting million of innocent No-IP customers who are currently experiencing outages because of Microsoft’s actions. “Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives.” Natalie Goguen, No-IP Marketing Manager said in a blog post.

Vitalwerks and No­-IP have a very strict abuse policy. Our abuse team is constantly working to keep the No-­IP system domains free of spam and malicious activity. We use sophisticated filters and we scan our network daily for signs of malicious activity. Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors. But this heavy-handed action by Microsoft benefits no one. We will do our best to resolve this problem quickly.

According to researchers, there are a trove of popular DNS services that too are being utilized in malware campaigns. Microsoft advised all companies to follow industry standards and make it harder for cybercriminals to remain anonymous and wreak havoc. Boscovich continued “As malware authors continue to pollute the Internet, domain owners must act responsibly by monitoring for and defending against cyber crime on their infrastructure. If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online.”

Though No-IP is not the creator, the service is still hosting the malware and is said to have not taken proper steps to fend off malicious activity. Microsoft has stated the case and operation are ongoing.