Microsoft gets careless in its anti-malware efforts

Up to now we’ve been happy to report on the successes of Microsoft’s work on hindering or shutting down botnets and other malware networks and sites. But their most recent actions in this area were heavy-handed, resulting in millions of legitimate domains going offline.

From Microsoft’s official blog post:

On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats.

Microsoft named two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.

We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware.

That all sounds fine, except for one thing: No-IP was also being used for millions of domains with perfectly legitimate purposes. Microsoft says they knew this, and took measures to protect non-malicious domains.

Backlash against Microsoft’s actions is ramping up. Microsoft’s PR people are now saying that this is all due to a technical error, but given their characterization of No-IP (see above), it seems more likely that this is just spin, and they really did mean to kill all domains using No-IP’s services.

Brian Krebs has additional details, as does Ars Technica.

Update 2014Jul03: Microsoft has returned control of the No-IP domains to No-IP. There’s still some doubt as to whether Microsoft acted in good faith: No-IP claims they were never contacted by Microsoft prior to the domain seizure; Microsoft claims otherwise. Regardless, I imagine No-IP will quickly move to remove clients using No-IP for nefarious purposes.

Update 2014Jul13: The EFF has a useful follow-up on the debacle.

About jrivett

Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.
