Microsoft hammers No-IP, collateral damage includes Hacking Team's legal malware

Ms. Smith | July 3, 2014
Microsoft's takedown of No-IP accounts disrupted cybercrime gangs, but it also disrupted legitimate sites and government-sponsored "lawful intercept" spyware, aka Hacking Team's legal malware.

Microsoft brought the hammer down on No-IP and seized 22 of their domains. They also filed a civil case against "Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software--harming Microsoft, its customers and the public at large."

Microsoft Digital Crimes Unit reported, "On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company's 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats." All of the legal documents are posted here.

Richard Domingues Boscovich, assistant general counsel for Microsoft Digital Crimes Unit, wrote:

Dynamic Domain Name Service (DNS) is essentially a method of automatically updating a listing in the Internet's address book, and is a vital part of the Internet. However, if not properly managed, a free Dynamic DNS service like No-IP can hold top-rank among abused domains. Of the 10 global malware disruptions in which we've been involved, this action has the potential to be the largest in terms of infection cleanup. Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains. Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months, which doesn't account for detections by other anti-virus providers.

Microsoft Malware Protection Center explained:

These families can install backdoor trojans on your computer, which allow criminals to steal your information, such as your passwords, and use your computer to collect other sensitive information. For example, Bladabindi can take snapshots and record videos without your permission. It can also control your system remotely.

These backdoor trojans can also upload new components or malware to your computer to add more malicious functionality. They often communicate with hosts that are typically a Dynamic DNS service such as NO-IP because this makes them more difficult to trace.

"We're taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware." Microsoft pointed back at a Cisco post from February that shows No-IP among the top DDNS base domain offenders, adding, "Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity."
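As an added illustration (not code from the article, Microsoft or Cisco), here is a small Python check a network defender could run over resolver logs to surface lookups of hostnames under free dynamic-DNS base domains and tally them per base domain and per client, the kind of count behind the "top DDNS base domain offenders" figures cited above. The log line format and the watchlist contents are assumptions: the article does not enumerate the No-IP domains, so the list below is one an analyst would fill in from the provider's published zones.

```python
import re
from collections import Counter

# Watchlist of dynamic-DNS base domains. Assumption: an analyst populates this
# from the provider's published list of free zones; the article itself does not
# enumerate the 23 No-IP domains, so these three entries are illustrative.
DDNS_BASE_DOMAINS = {"no-ip.org", "no-ip.biz", "hopto.org"}

# Constructed sample resolver log lines: "<timestamp> <client_ip> query <name>"
SAMPLE_LOG = """\
2014-06-26T10:00:01Z 10.0.0.12 query www.example.com
2014-06-26T10:00:02Z 10.0.0.12 query update.host42.no-ip.biz
2014-06-26T10:00:03Z 10.0.0.17 query mail.example.org
2014-06-26T10:00:04Z 10.0.0.17 query cam1.homeuser.hopto.org
2014-06-26T10:00:05Z 10.0.0.12 query update.host42.no-ip.biz
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def base_domain(name, watchlist=DDNS_BASE_DOMAINS):
    """Return the watchlisted base domain that `name` falls under, else None."""
    labels = name.lower().rstrip(".").split(".")
    # Test suffixes from two labels upward, so a bare 'org' never matches.
    for i in range(len(labels) - 2, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def find_ddns_queries(log_text, watchlist=DDNS_BASE_DOMAINS):
    """Return (timestamp, client, qname, base_domain) for every watchlisted lookup."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        ts, client, qname = m.groups()
        base = base_domain(qname, watchlist)
        if base:
            hits.append((ts, client, qname, base))
    return hits


def summarize(hits):
    """Count hits per base domain and per querying client for triage."""
    return Counter(h[3] for h in hits), Counter(h[1] for h in hits)
```

A client that repeatedly resolves the same dynamic-DNS hostname is a lead to investigate, not proof of infection, since the same zones host plenty of legitimate home servers.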
