Millions of dynamic DNS users suffer after Microsoft seizes No-IP domains

Microsoft security research team began this operation under an order granted by a federal court in Nevada, and targeted traffic involving two malware families that abused No-IP services. The Windows malwares, which went by the names Bladabindi (aka NJrat) and Jenxcus (aka NJw0rm), use No-IP accounts to communicate with their creators in 93 percent of detected infections, which are the most prevalent among the 245 other pieces of malware currently exploiting No-IP domains.

In a blog post, Richard Domingues Boscovich, assistant general counsel at Microsoft’s Digital Crimes Unit, said Microsoft pursued the seizure for No-IP’s role “in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.” He claimed.

Over the past year, Microsoft security team has detected more than 7 million infections that makes use of Bladabindi and Jenxcus malware, in order to take control of users’ computers, steal passwords, and turn on webcams and microphones.

Microsoft accused Kuwaiti national Naser Al Mutairi and Algerian national Mohamed Benabdellah of writing and distributing the Bladabindi and Jenxcus malware, respectively. Microsoft claims the developers have sold over 500 copies of the malicious software to crooks and cyber criminals, and promoted No-IP service to use with malware to help them covering their tracks.

In a civil case filed on June 19, Microsoft named two individuals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions of violating “federal and state law by distributing malicious software through more than 18,000 sub-domains belonging to No-IP, causing the unlawful intrusion into, infection of, and further illegal conduct involving, the personal computers of innocent persons, thereby causing harm to those persons, Microsoft, and the public at large.”

Microsoft attorneys said No-IP is “functioning as a major hub for 245 different types of malware circulating on the Internet.“

The court

 in Nevada has granted a temporary controlling order against No-IP and now the DNS traffic for the hostnames associated with malicious activity being funneled through Microsoft’s servers:

• ns7.microsoftinternetsafety.net
• ns8.microsoftinternetsafety.net

Microsoft claimed, “Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity.”.In an official statement, Vitalwerks counter-accused Microsoft for allegedly affecting millions of innocent users, who are currently experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors.

“Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives.” No-IP Marketing Manager, Natalie Goguen said.

“Vitalwerks and No­-IP have a very strict abuse policy. Our abuse team is constantly working to keep the No-­IP system domains free of spam and malicious activity.” Natalie Goguen said. “Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors. But this heavy-handed action by Microsoft benefits no one.”