Lawful Dynamic DNS Users Affected in Microsoft’s Latest Botnet Takedown

Microsoft Takes Action Against Alleged Malware Creators, Distributors Through Seizure of No-IP.Com Domains

The latest operation conducted by Microsoft’s Digital Crimes Unit has targeted two individuals and one company suspected of being responsible for creating, controlling and facilitating the distribution of Bladabindi (njRAT) and Jenxcus (NJw0rm) malware, Microsoft announced on Monday.

Microsoft said that on June 19, it filed a civil lawsuit against Algerian national Mohamed Benabdellah and Kuwaiti national Naser Al Mutairi, both believed to be responsible for creating and distributing Bladabindi and Jenxcus malware. US-based Dynamic Domain Name Service (DNS) provider Vitalwerks Internet Solutions, better known as No-IP, and 500 Does have also been named in the suit.

Microsoft says that it detected over 7.4 million Bladabindi and Jenxcus infections over the past year, a figure that doesn’t include detections by other security companies. Bladabindi, which has been around since at least July 2012, and Jenxcus, seen since as early as December 2012, enable cybercriminals to steal sensitive information from infected computers and control them remotely.

“Through our research we have observed that there is information available in public online forums and group discussions, including tutorials, which allow anyone to download a package and create their own versions of the malware,” Tanmay Ganacharya and Francis Tan Seng of the Microsoft Malware Protection Center wrote in a blog post. “This makes Bladabindi and Jenxcus a bit different from the previous botnets we have seen. A traditional botnet usually has one command-and-control (CNC) server to control all infected machines. In the case of Bladabindi and Jenxcus there can be a syndicate of botnets and thousands of botnet herders.”

The cybercriminal groups that use these pieces of malware have been leveraging No-IP to hide their tracks, Microsoft said.

“Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains,” noted Richard Boscovich, assistant general counsel at Microsoft’s Digital Crimes Unit. “Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity.”

As a result, Microsoft has seized a total of 23 No-IP domains, with their nameservers pointing to NS7.MICROSOFTINTERNETSAFETY.NET and NS8.MICROSOFTINTERNETSAFETY.NET, according to Conrad Longmore of Dynamoo’s Blog.

Bad traffic from the seized domains is routed to a sinkhole operated by Microsoft where the identified threats are classified. However, the company’s actions have also affected legitimate services.

“This seems to have had the effect of taking down any sites using these dynamic DNS services. This will probably impact a lot of things like webcams, home security systems, personal VPNs and anything else that uses these domains,” Longmore explained.

In an official statement published on Monday, No-IP representatives claimed Microsoft had not notified the company before seizing the domains to allow it to address the instances of abuse. No-IP also noted that Microsoft’s infrastructure is not capable of handling the billions of queries coming from its customers, making service unavailable for “millions of innocent users.”

However, Microsoft claims that it has built a robust infrastructure and has worked with A10 Networks to configure a “sophisticated system to manage the high volume of computer connections generated by botnets such as Bladabindi-Jenxcus.”

“Had Microsoft contacted us, we could and would have taken immediate action. Microsoft now claims that it just wants to get us to clean up our act, but its draconian actions have affected millions of innocent Internet users,” No-IP Marketing Manager Natalie Goguen stated.

“Vitalwerks and No-IP have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity. We use sophisticated filters and we scan our network daily for signs of malicious activity. Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors. But this heavy-handed action by Microsoft benefits no one. We will do our best to resolve this problem quickly.”

This is Microsoft’s 10th malware disruption operation and the 3rd since the opening of the company’s Cybercrime Center in November 2013.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
