Microsoft Returns Domain Names Seized From No-IP

All of the 23 domain names recently seized by Microsoft from No-IP as part of an operation against the Bladabindi (njRAT) and Jenxcus (NJw0rm) botnets have been returned.

When it announced the operation, Microsoft said No-IP domains were used 93% of the time for Bladabindi and Jenxcus infections, and accused the dynamic DNS provider of failing to take steps to prevent abuse.

Microsoft routed bad traffic to a sinkhole in an effort to classify the threats, and worked with A10 Networks to configure a system to manage the high volume of connections generated by the Bladabindi-Jenxcus botnets. Legitimate traffic should not have been impacted, but something went wrong and millions of legitimate users experienced a service outage.

No-IP representatives said Microsoft's actions were "heavy-handed" and lashed out at the company for not contacting them before seizing their domains.

"Vitalwerks and No-IP have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity. We use sophisticated filters and we scan our network daily for signs of malicious activity. Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors. But this heavy-handed action by Microsoft benefits no one," No-IP stated shortly after its domains were seized.

Microsoft representatives apologized for the incident and claimed that legitimate No-IP users experienced a temporary loss of service "due to a technical error." The company said all services should have been restored on July 1 at 6AM Pacific time, but on Twitter, many No-IP customers reported downtimes long after that. During the debacle, a distributed denial-of-service (DDoS) attack was launched against No-IP, but the company insisted that the attack didn't have anything to do with the prolonged outage since it was aimed at its website, not its DNS infrastructure.

On Thursday, No-IP informed customers that all of the seized domains were back in the company's hands, but emphasized that it could take up to 24 hours for the DNS to fully propagate. The noip.me domain, which according to Conrad Longmore of Dynamoo's Blog was specifically excluded from the civil lawsuit filed by Microsoft in Nevada against No-IP and two alleged malware creators, was recovered last.

"We are pleased at the progress we’ve made in our discussions with No-IP. They have regained control of their domains, and we are reviewing the malicious subdomains to identify the victims of the malware," David Finn, executive director and associate general counsel at Microsoft's Digital Crimes Unit, told SecurityWeek in an emailed statement.

Kaspersky Lab revealed last week that in addition to the Bladabindi and Jenxcus malware families, Microsoft's operation also impacted several advanced persistent threat (APT) campaigns that use No-IP for their command and control (C&C) infrastructure. The list of affected APTs includes Flame, Cycldek, Uroburos (Snake), Banechant, Ladyoffice, Shiqiang, and customers of HackingTeam RCS.

"Based on our statistics, the shutdown has affected in some form at least 25% of the APT groups we are tracking. Some of these hosts that were previously used in large and sophisticated cyberespionage operations are now pointing to what appears to be a Microsoft sinkhole, at 204.95.99.59," Kaspersky's Costin Raiu noted in a blog post.

"We think yesterday's events have dealt a major blow to many cybercriminal and APT operations around the world. In the future, we can assume these groups will be more careful about using Dynamic DNS providers and rely more often on hacked websites and direct IP addresses to manage their C&C infrastructure," Raiu added.

While Microsoft's operation succeeded in disrupting malicious activity, Kaspersky also confirmed that cybercriminals were not the only ones affected: the list of 20,000 targeted No-IP domains includes two that the security firm had itself sinkholed earlier.
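The sinkhole detail above suggests a check a defender can run: any internal host whose lookups now resolve to the sinkhole address Kaspersky quoted was talking to a seized C&C name and is a likely victim, whereas a plain lookup under a No-IP zone such as noip.me is only worth a lower-priority note. The script below is an added example, not code from the article or from Microsoft, Kaspersky or No-IP; the resolver log format, the client addresses and the hostnames are constructed sample data.

```python
import ipaddress
import re
from collections import defaultdict

SINKHOLE_IPS = {ipaddress.ip_address("204.95.99.59")}  # sinkhole address quoted on the page
WATCHED_DDNS_ZONES = ("noip.me",)                        # dynamic-DNS zone named on the page

# Assumed (constructed) resolver log format:
#   "<ts> client=<ip> q=<name> type=<qtype> answer=<ip or rcode>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) q=(?P<qname>\S+) "
    r"type=(?P<qtype>\S+) answer=(?P<answer>\S+)$"
)

# Constructed sample log; client addresses and hostnames are made up.
SAMPLE_LOG = """\
2014-07-02T10:00:01Z client=10.0.0.12 q=update.example.com type=A answer=93.184.216.34
2014-07-02T10:00:03Z client=10.0.0.27 q=mybox.noip.me type=A answer=204.95.99.59
2014-07-02T10:00:04Z client=10.0.0.27 q=mybox.noip.me type=AAAA answer=NXDOMAIN
2014-07-02T10:00:09Z client=10.0.0.41 q=c2host.ddns.example type=A answer=204.95.99.59
2014-07-02T10:00:11Z client=10.0.0.12 q=home.noip.me type=A answer=198.51.100.7
"""


def in_zone(qname, zone):
    """True if qname is the zone itself or a name beneath it (case/trailing-dot insensitive)."""
    q = qname.rstrip(".").lower()
    return q == zone or q.endswith("." + zone)


def scan_log(text):
    """Return {client: [(qname, answer, reason), ...]} for lookups worth triage."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        answer = m["answer"]
        try:
            sinkholed = ipaddress.ip_address(answer) in SINKHOLE_IPS
        except ValueError:
            sinkholed = False  # non-address answers such as NXDOMAIN or SERVFAIL
        if sinkholed:
            # Whatever the name, an answer of the sinkhole address means the client
            # was resolving a seized C&C name: flag it as a likely infection.
            hits[m["client"]].append((m["qname"], answer, "resolves to sinkhole"))
        elif any(in_zone(m["qname"], z) for z in WATCHED_DDNS_ZONES):
            hits[m["client"]].append((m["qname"], answer, "dynamic-DNS zone lookup"))
    return dict(hits)


if __name__ == "__main__":
    for client, events in sorted(scan_log(SAMPLE_LOG).items()):
        print(client, events)
```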

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.