Microsoft took to the offense this week against malware, specifically Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware. This was their third malware disruption since November’s launch of the Microsoft Cybercrime Center. In their sights to try to shut down this malware was another U.S.-based company, No-IP, with parent company Vitalwerks Internet Solutions, LLC.
Microsoft made a case to a District Court in Nevada, No-IP’s home state, and was granted the request for Microsoft to assume the DNS authority for the free No-IP domains. Their claim is that No-IP is providing the infrastructure to enable this malware’s command-and-control. They then redirected the traffic to a DNS sinkhole so it could be analyzed to remedy infected computers.
Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains.
Cisco also has a technical blog article from February that pretty prominently points the finger at No-IP for being a Dynamic DNS infrastructure with the majority of its traffic being illegitimate. Microsoft believes No-IP has a responsibility to hamper this traffic and be more proactive in monitoring its infrastructure.
Here’s Microsoft’s explanation of the steps they took in response to this targeted malware.
On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats. The new threat information will be added to Microsoft’s Cyber Threat Intelligence Program (CTIP) and provided to Internet Service Providers (ISPs) and global Computer Emergency Response Teams (CERTs) to help repair the damage caused by Bladabindi-Jenxcus and other types of malware.
Organizations and individuals that were using No-IP’s services for legitimate purposes have been experiencing outages. What has followed since Microsoft took action has gotten into the he-said, she said. No-IP has their own response article and are currently directing people to five domains still under their control that have not been seized by Microsoft. They stick by their abuse policy and history of working with other companies to take down malicious activity. This will certainly harm No-IP’s reputation and ability to gain future business even if they drop their free dynamic DNS services completely.
This will be one for the courts to decide. In the meantime, another malware network being disrupted benefits the entire world.