Microsoft Knocks Out 4 Million Websites in Malware Hunt

Microsoft took down two malware networks yesterday morning (June 30) by seizing control of almost two dozen domain names for websites from which the malware was being distributed and controlled. Sounds like good news, right? Well, Microsoft's sneak attack also took down more than 4 million legitimate websites that were using the same domain name system (DNS) service as the malware networks.

The downed websites, both malicious and legitimate, used a Reno, Nevada-based dynamic DNS service called No-IP. Although Microsoft's takedown was entirely legal and sanctioned by a Nevada court, neither No-IP nor its legitimate customers were happy about Microsoft's apparently heavy-handed security tactics.

DNS is often compared to a telephone directory for the Internet. The system is what translates human-friendly domain names, such as TomsGuide.com, into the computer-friendly numerical Internet Protocol (IP) addresses of Web servers, such as 54.186.192.133.

No-IP offers its customers the advantage of dynamic DNS, which means the DNS record for a hostname is updated automatically whenever the IP address of the host computer changes. Websites hosted using such services are far more reliable, because even if an IP address changes, the DNS reconnects the correct server with the correct Web URL.

Here's what happened: Hot on the heels of a cybercrime group responsible for propagating strains of malware known as NJrat and NJw0rm (both remote-access Trojans), Microsoft discovered that the group was using No-IP's dynamic DNS service to maintain connections between its malware-command-and-control servers and the infected computers.

Microsoft went to a Nevada court, claiming that it had identified more than 18,400 No-IP hostnames that were being used to spread and control these types of malware, and that the malware in question had infected more than 7.4 million Windows PCs worldwide.

Microsoft filed a complaint June 19 against two men it believed responsible for the malware: a Kuwaiti named Naser Al Mutairi and an Algerian named Mohamed Benabdellah. No-IP's parent company, Vitalwerks Internet Solutions, was also named in the complaint, as Microsoft accused it of allowing malware to proliferate on its service.

On June 26, the court gave Microsoft permission to seize control of the 22 No-IP domains that host No-IP's free dynamic DNS services.

"We're taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware," Microsoft wrote on its Technet blog.

In theory, Microsoft would block only the 18,400 malicious hostnames and let the millions of other legitimate accounts on those domains continue unimpeded.
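The selective blocking described above, as an added illustration that is not code from Microsoft, No-IP or the original article: a resolver-side filter that sinkholes only listed hostnames under seized parent domains and forwards every other customer's hostname untouched. The parent domains, the malicious hostnames and the query log lines are constructed placeholders, not the real No-IP domains or Microsoft's list.

```python
from collections import Counter

# Assumed placeholders: not the real No-IP domains or Microsoft's hostname list.
SEIZED_DOMAINS = {"example-ddns.test", "example-dyn.test"}
MALICIOUS_HOSTS = {"c2-host1.example-ddns.test", "updater7.example-dyn.test"}

# Constructed resolver log lines: timestamp, client IP, queried name.
SAMPLE_LOG = """\
2014-06-30T08:01:02Z 10.0.0.5 c2-host1.example-ddns.test
2014-06-30T08:01:03Z 10.0.0.7 weathercam.example-ddns.test
2014-06-30T08:01:04Z 10.0.0.9 www.tomsguide.com
2014-06-30T08:01:05Z 10.0.0.5 UPDATER7.example-dyn.test.
"""

def normalize(name):
    """Lower-case and strip the trailing dot so list lookups are exact."""
    return name.rstrip(".").lower()

def parent_domain(name):
    """Return the seized parent domain a hostname falls under, or None."""
    labels = normalize(name).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SEIZED_DOMAINS:
            return candidate
    return None

def decide(name):
    """'sinkhole' for a listed hostname, 'forward' for another customer's
    hostname under a seized domain, 'unaffected' for everything else."""
    host = normalize(name)
    if host in MALICIOUS_HOSTS:
        return "sinkhole"
    return "forward" if parent_domain(host) else "unaffected"

def process_log(text):
    """Classify each query line; return the decisions and a count per class."""
    decisions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        decisions.append((client, normalize(qname), decide(qname)))
    return decisions, Counter(d for _, _, d in decisions)

if __name__ == "__main__":
    for client, host, verdict in process_log(SAMPLE_LOG)[0]:
        print(f"{client:10} {host:32} {verdict}")
```

Only the two listed hostnames are sinkholed; the unrelated customer hostname under the same seized domain is forwarded, which is the behaviour the court order was meant to produce.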

In practice, it didn't work out so well, at least from No-IP's point of view. Yesterday, around four million No-IP hostnames went offline, and at the time of this posting, many are still not up and running. However, Microsoft apparently did succeed in shutting down the two malware campaigns, as well as a number of other cybercrime and cyberespionage groups worldwide.

The good, the bad, the inconvenient

No-IP's CEO allegedly didn't even know about the court order or the suspected malware activity on its service until yesterday when someone knocked on his front door and handed him the court order.

"We work with law enforcement all the time, and our abuse department responds to abuse requests within 24 hours ... It's pretty sad that Microsoft had to take such extreme measures to go about this," Natalie Goguen, No-IP's marketing manager, told independent security researcher Brian Krebs.

No-IP also claimed that, according to its own investigation, only 2,000 of its hostnames had been used in conjunction with the two malware families, not the 18,400 that Microsoft claimed. At this point, it's No-IP's word against Microsoft's, but well-known cybercrime expert Dmitri Alperovitch of security firm CrowdStrike weighed in on No-IP's side.

"They have always been very responsive to security researchers and law enforcement," Alperovitch told Krebs, adding that, "I do not consider them a bullet-proof or abuse-proof host," referring to Web hosts that accept all clients, however shady, and guarantee that they will keep sites up despite law-enforcement efforts.

At the time of this posting, a warning that No-IP's "domains are still experiencing outages due to the Microsoft takedown" was still live on the company's website.

Despite the inconvenience to No-IP and its customers, Microsoft's attack appears to have worked. Costin Raiu of security firm Kaspersky Lab noted that the attack disrupted not only the NJrat and NJw0rm malware families, but also several other advanced-persistent-threat (APT) groups, meaning state-sponsored online spies and saboteurs, that also used No-IP's free service.

"The shutdown has affected in some form at least 25 percent of the APT groups we are tracking," Raiu wrote on the SecureList blog, concluding that, "We think yesterday’s events have dealt a major blow to many cybercriminal and APT operations around the world."

Email jscharr@tomsguide.com or follow her @JillScharr and Google+.