So it looks like Microsoft has been a little heavy handed in this case, the case of dynamic DNS provider No-IP serving up malware. I would imagine most of us have utilised a dynamic DNS service at some point to map a dynamic IP address to a memorable domain.
It seems that malware folks have been using dynamic DNS services to mask their activities, it has been reported before by Cisco and No-IP appears to be one of the worst perpetrators (even though it’s through no real fault of their own).
This time though, Microsoft went straight into the legal system and took control of 23 domains owned by No-IP (Vitalwerks) – this has disrupted the services of approximately 4 million No-IP clients (according to them).
Microsoft has won a court order to gain control of 23 No-IP domains owned by dynamic DNS (DDNS) provider Vitalwerks Internet Solutions. The US software giant claimed the domains were being used by malware developed in the Middle East and Africa.
Vitalwerks operates its No-IP DDNS service from Nevada, and there is no suggestion it is in league with malware operators.
The service works by mapping users’ IP addresses, such as a home router’s public address, to a customized No-IP domain-name like myhouse.ddns.net. This allows you to connect to a system using a memorable sub-domain if you forget your IP address or your ISP changes it.
Microsoft’s security research team claimed it had identified two pieces of Windows malware, Bladabindi and Jenxcus, using No-IP sub-domains to communicate with their creators in 93 per cent of detected infections, and that 245 other pieces of malware also use No-IP.
“Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity,” claimed Richard Boscovich, assistant general counsel of Microsoft Digital Crimes Unit.
The unfortunate part, is that the domains seized are pretty much all of the services popular domains, which I imagine renders the majority of their service down.
There’s an update from their CEO here – A Message From Our CEO – Dan Durrer
And an overwhelming support on Twitter – #FreeNoIP
Court papers filed in Nevada alleged that Bladabindi was written by Naser Al Mutairi, a Kuwaiti national, while Jenxcus is allegedly run by an Algerian man named as Mohamed Benabdellah. Microsoft claimed the two have sold over 500 copies of the malware to crooks, and actively advertise it while using No-IP to help cover their tracks. The software giant said it has detected over seven million infections by the two packages.
The court has now granted a temporary restraining order against No-IP – as Microsoft accused the DNS biz of acting negligently, and claimed some of the sub-domains contained “Microsoft’s protected marks.”
Redmond further alleged that the defendants in its lawsuit – Al Mutairi, Benabdellah, Vitalwerks and 500 John Does – “violated federal and state law by distributing malicious software through more than 18,000 sub-domains belonging to No-IP, causing the unlawful intrusion into, infection of, and further illegal conduct involving, the personal computers of innocent persons, thereby causing harm to those persons, Microsoft, and the public at large.”
It’s not exactly certain what is going to happen in this case, but I’m pretty sure everyone involved is working towards a less harsh solution. The official statement from No-IP can be found here: No-IP’s Formal Statement on Microsoft Takedown
It’s going to seriously disrupt their service though, I can’t imagine how many gaming servers are down right now! They have updated with a list of currently working domains though if you are using the service you can switch your host to:
- ddns.net
- webhop.me
- serveminecraft.net
- ddnsking.com
- onthewifi.com
Source: The Register