Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Microsoft Drops Cybercrime Case Against No-IP

Microsoft and Vitalwerks Internet Solutions, the parent firm of Dynamic DNS provider No-IP, have reached a settlement in the recent malware disruption

Microsoft and Vitalwerks Internet Solutions, the parent firm of Dynamic DNS provider No-IP, have reached a settlement in the recent malware disruption case, the companies announced on Wednesday.

Microsoft’s decision to drop the case comes after reviewing evidence provided by No-IP that demonstrated the company was not knowingly involved in the malware operations, and that the cybercriminals responsible for distributing Bladabindi (njRAT) and Jenxcus (NJw0rm) were actually abusing its services.

“Microsoft identified malware that had escaped Vitalwerks’ detection. Upon notification and review of the evidence, Vitalwerks took immediate corrective action allowing Microsoft to identify victims of this malware. The parties have agreed to permanently disable Vitalwerks subdomains used to control the malware,” Microsoft and No-IP said in a joint statement.

The Redmond, Washington-based company started its crackdown on the Bladabindi and Jenxcus botnets on June 19, when it filed a civil lawsuit against two individuals suspected of creating and distributing malware, and against No-IP, which it accused of failing to take appropriate action to prevent cybercriminals from abusing its services. On June 26, Microsoft was allowed by a Nevada court to seize 23 No-IP domains involved in the distribution of malware.

Some steps were taken to make sure No-IP’s legitimate customers would not be affected by the operation, but millions of users suffered service disruptions due to what the company called a “technical error.”

“In the process of redirecting traffic to its servers for malware detection, Microsoft acknowledges that a number of Vitalwerks customers were impacted by service outages as a result of a technical error. Microsoft regrets any inconvenience these customers may have experienced,” Microsoft said on Wednesday.

No-IP insists that none of this would have happened if Microsoft had reached out to them before taking action.

Advertisement. Scroll to continue reading.

“By filing an ex parte temporary restraining order (TRO), No-IP was prevented from having any knowledge of the case or offering any support in stopping malicious activity. Had Microsoft submitted evidence of abuse at any time, No-IP would have taken swift action to validate the claims and ban any accounts that were proven to be malicious. Instead, Microsoft wasted many months while malicious activity continued,” No-IP Marketing Manager Natalie Goguen wrote in a blog post published on Thursday.

“To state this as emphatically as possible — this entire situation could have been avoided if only Microsoft had followed industry standards. A quick email or call to the No-IP abuse team would have removed the abusive hostnames from the No-IP network,” Goguen added. “Microsoft cited 22,000 hostnames that were abusive. Out of those 22,000 seized hostnames, the No-IP abuse department found only a fraction of the hostnames to still be active, which means that many had already been banned through our existing abuse procedures.”

Microsoft announced that it had seized the 23 domains on June 30, and returned most of them to No-IP on July 2, after being contacted by the company and its attorneys. While the DNS services provider says it’s pleased with the terms of the settlement, it’s still outraged by the tactics used by Microsoft in this case.

“We hope that Microsoft learned a lesson from this debacle and that in the future they will not seize other companies domains and will use appropriate channels to report abuse,” Goguen concluded.

While No-IP has every right to be upset with the disruption to its operations, the effects of the shutdown did negatively affect some cybercriminal operators.

Shortly after the domains were seized, Kaspersky Lab revealed that in addition to the Bladabindi and Jenxcus malware families, Microsoft’s operation also impacted several advanced persistent threat (APT) campaigns that use No-IP for their command and control (C&C) infrastructure. The list of affected APTs includes Flame, Cycldek, Uroburos (Snake), Banechant, Ladyoffice, Shiqiang, and customers of HackingTeam RCS.

“In the future, we can assume these groups will be more careful on using Dynamic DNS providers and rely more often on hacked websites and direct IP addresses to manage their C&C infrastructure,” Raiu added.

Kaspersky Lab also confirmed that not just cybercriminals were affected by the operation.

The terms of the settlement were not disclosed.

*Additional reporting by Mike Lennon

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...