Microsoft’s Anti-Malware Action Cripples Dynamic DNS Service No-IP


So it looks like Microsoft has been a little heavy handed in this case, the case of dynamic DNS provider No-IP serving up malware. I would imagine most of us have utilised a dynamic DNS service at some point to map a dynamic IP address to a memorable domain.

It seems that malware folks have been using dynamic DNS services to mask their activities, it has been reported before by Cisco and No-IP appears to be one of the worst perpetrators (even though it’s through no real fault of their own).

Dynamic DNS Malware

This time though, Microsoft went straight into the legal system and took control of 23 domains owned by No-IP (Vitalwerks) – this has disrupted the services of approximately 4 million No-IP clients (according to them).

Microsoft has won a court order to gain control of 23 No-IP domains owned by dynamic DNS (DDNS) provider Vitalwerks Internet Solutions. The US software giant claimed the domains were being used by malware developed in the Middle East and Africa.

Vitalwerks operates its No-IP DDNS service from Nevada, and there is no suggestion it is in league with malware operators.

The service works by mapping users’ IP addresses, such as a home router’s public address, to a customized No-IP domain-name like myhouse.ddns.net. This allows you to connect to a system using a memorable sub-domain if you forget your IP address or your ISP changes it.

Microsoft’s security research team claimed it had identified two pieces of Windows malware, Bladabindi and Jenxcus, using No-IP sub-domains to communicate with their creators in 93 per cent of detected infections, and that 245 other pieces of malware also use No-IP.

“Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity,” claimed Richard Boscovich, assistant general counsel of Microsoft Digital Crimes Unit.


The unfortunate part, is that the domains seized are pretty much all of the services popular domains, which I imagine renders the majority of their service down.

There’s an update from their CEO here – A Message From Our CEO – Dan Durrer

And an overwhelming support on Twitter – #FreeNoIP

Court papers filed in Nevada alleged that Bladabindi was written by Naser Al Mutairi, a Kuwaiti national, while Jenxcus is allegedly run by an Algerian man named as Mohamed Benabdellah. Microsoft claimed the two have sold over 500 copies of the malware to crooks, and actively advertise it while using No-IP to help cover their tracks. The software giant said it has detected over seven million infections by the two packages.

The court has now granted a temporary restraining order against No-IP – as Microsoft accused the DNS biz of acting negligently, and claimed some of the sub-domains contained “Microsoft’s protected marks.”

Redmond further alleged that the defendants in its lawsuit – Al Mutairi, Benabdellah, Vitalwerks and 500 John Does – “violated federal and state law by distributing malicious software through more than 18,000 sub-domains belonging to No-IP, causing the unlawful intrusion into, infection of, and further illegal conduct involving, the personal computers of innocent persons, thereby causing harm to those persons, Microsoft, and the public at large.”

It’s not exactly certain what is going to happen in this case, but I’m pretty sure everyone involved is working towards a less harsh solution. The official statement from No-IP can be found here: No-IP’s Formal Statement on Microsoft Takedown

It’s going to seriously disrupt their service though, I can’t imagine how many gaming servers are down right now! They have updated with a list of currently working domains though if you are using the service you can switch your host to:

  • ddns.net
  • webhop.me
  • serveminecraft.net
  • ddnsking.com
  • onthewifi.com

Source: The Register

Posted in: Malware, Networking Hacking


Latest Posts:


Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.
UBoat - Proof Of Concept PoC HTTP Botnet Project UBoat – Proof Of Concept PoC HTTP Botnet Project
UBoat is a PoC HTTP Botnet designed to replicate a full weaponised commercial botnet like the famous large scale infectors Festi, Grum, Zeus and SpyEye.
LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.


Comments are closed.