Security Experts: Lawful Dynamic DNS Users Affected in Microsoft's Latest Botnet Takedown

Microsoft Takes Action Against Alleged Malware Creators, Distributors Through Seizure of No-IP.Com Domains

The latest operation conducted by Microsoft's Digital Crimes Unit has targeted two individuals and one company suspected of being responsible for creating, controlling and facilitating the distribution of Bladabindi (njRAT) and Jenxcus (NJw0rm) malware, Microsoft announced on Monday.

Microsoft said that on June 19, it filed a civil lawsuit against Algerian national Mohamed Benabdellah and Kuwaiti national Naser Al Mutairi, both believed to be responsible for creating and distributing Bladabindi and Jenxcus malware. US-based Dynamic Domain Name Service (DNS) provider Vitalwerks Internet Solutions, better known as No-IP.com, and 500 Does have also been named in the suit.

Microsoft says that it detected over 7.4 million Bladabindi and Jenxcus infections over the past year, a figure that doesn't include detections by other security companies. Bladabindi, which has been around since at least July 2012, and Jenxcus, seen since as early as December 2012, enable cybercriminals to steal sensitive information from infected computers and control them remotely.

"Through our research we have observed that there is information available in public online forums and group discussions, including tutorials, which allow anyone to download a package and create their own versions of the malware," Tanmay Ganacharya and Francis Tan Seng of the Microsoft Malware Protection Center wrote in a blog post. "This makes Bladabindi and Jenxcus a bit different from the previous botnets we have seen. A traditional botnet usually has one command-and-control (CNC) server to control all infected machines. In the case of Bladabindi and Jenxcus there can be a syndicate of botnets and thousands of botnet herders."

The cybercriminal groups that use these pieces of malware have been leveraging No-IP.com to hide their tracks, Microsoft said.

"Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains," noted Richard Boscovich, assistant general counsel at Microsoft's Digital Crimes Unit. "Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity."

As a result, Microsoft has seized a total of 23 No-IP domains, with their nameservers pointing to NS7.MICROSOFTINTERNETSAFETY.NET and NS8.MICROSOFTINTERNETSAFETY.NET, according to Conrad Longmore of Dynamoo's Blog.

Traffic to hostnames under the seized domains is now routed to a sinkhole operated by Microsoft, where the identified threats are classified. However, the company's actions have also affected legitimate services.
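One way a network defender could find which internal devices depend on the seized domains, as an added example that is not from the article, Microsoft or No-IP: it sweeps resolver logs (a constructed sample in an assumed "timestamp client qtype qname answer" layout, with placeholder domain names since the article does not list the 23 seized domains) for NS answers naming the two sinkhole nameservers and reports the clients that resolve hostnames under those apexes.

```python
from collections import defaultdict

# The two nameservers the article reports the seized domains now delegate to.
SINKHOLE_NS = {"ns7.microsoftinternetsafety.net", "ns8.microsoftinternetsafety.net"}
# Constructed sample in an assumed "timestamp client qtype qname answer" layout;
# the domain names are placeholders, as the article does not list the seized domains.
SAMPLE_LOG = """\
2014-06-30T10:00:01 10.0.0.5 A cam1.ddns-placeholder.test 203.0.113.9
2014-06-30T10:00:02 10.0.0.5 NS ddns-placeholder.test ns7.microsoftinternetsafety.net
2014-06-30T10:00:03 10.0.0.7 A vpn.ddns-placeholder.test 203.0.113.9
2014-06-30T10:00:04 10.0.0.7 NS ddns-placeholder.test NS8.MicrosoftInternetSafety.NET.
2014-06-30T10:00:05 10.0.0.9 A www.vendor.test 198.51.100.4
2014-06-30T10:00:06 10.0.0.9 NS vendor.test ns1.vendor.test
"""

def norm(name):
    # DNS names are case-insensitive and answers may carry a trailing dot.
    return name.lower().rstrip(".")

def parse_log(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the whole sweep
        ts, client, qtype, qname, answer = parts
        events.append({"ts": ts, "client": client, "qtype": qtype.upper(), "qname": norm(qname), "answer": norm(answer)})
    return events

def seized_apexes(events):
    # An apex whose NS answer is one of the sinkhole servers has been seized.
    return {e["qname"] for e in events
            if e["qtype"] == "NS" and e["answer"] in SINKHOLE_NS}

def apex_of(name, apexes):
    # Match on a label boundary so "notddns-placeholder.test" is not a false hit.
    for apex in apexes:
        if name == apex or name.endswith("." + apex):
            return apex
    return None

def affected_hosts(events):
    # Map each client to the hostnames it resolves under a seized apex (webcams, VPN endpoints, ...).
    seized = seized_apexes(events)
    report = defaultdict(set)
    for e in events:
        if e["qtype"] == "A" and apex_of(e["qname"], seized):
            report[e["client"]].add(e["qname"])
    return dict(report)
```

Running `affected_hosts(parse_log(SAMPLE_LOG))` on the constructed sample flags 10.0.0.5 and 10.0.0.7 and leaves the vendor lookup from 10.0.0.9 alone.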

"This seems to have had the effect of taking down any sites using these dynamic DNS services. This will probably impact a lot of things like webcams, home security systems, personal VPNs and anything else that uses these domains," Longmore explained.

In an official statement published on Monday, No-IP representatives claimed Microsoft had not notified the company before seizing the domains to allow it to address the instances of abuse. No-IP also noted that Microsoft's infrastructure is not capable of handling the billions of queries coming from its customers, making service unavailable for "millions of innocent users."

However, Microsoft claims that it has built a robust infrastructure and has worked with A10 Networks to configure a "sophisticated system to manage the high volume of computer connections generated by botnets such as Bladabindi-Jenxcus."

"Had Microsoft contacted us, we could and would have taken immediate action. Microsoft now claims that it just wants to get us to clean up our act, but its draconian actions have affected millions of innocent Internet users," No-IP Marketing Manager Natalie Goguen stated.

"Vitalwerks and No-IP have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity. We use sophisticated filters and we scan our network daily for signs of malicious activity. Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors. But this heavy-handed action by Microsoft benefits no one. We will do our best to resolve this problem quickly."

This is Microsoft's 10th malware disruption operation and the 3rd since the opening of the company's Cybercrime Center in November 2013.
