Playing offense against cybercriminals is what drives me and everyone here at the Microsoft Digital Crimes Unit. Today, Microsoft has upped the ante against global cybercrime, taking legal action to clean up malware and help ensure customers stay safer online. In a civil case filed on June 19, Microsoft named two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.
We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware. In the past, we’ve predominately seen botnets originating in Eastern Europe; however, the authors, owners and distributors of this malware are Kuwaiti and Algerian nationals. The social media-savvy cybercriminals have promoted their wares across the Internet, offering step-by-step instructions to completely control millions of unsuspecting victims’ computers to conduct illicit crimes—demonstrating that cybercrime is indeed a global epidemic.
Free Dynamic DNS is an easy target for cybercriminals
Dynamic Domain Name Service (DNS) is essentially a method of automatically updating a listing in the Internet’s address book, and is a vital part of the Internet. However, if not properly managed, a free Dynamic DNS service like No-IP can hold top-rank among abused domains. Of the 10 global malware disruptions in which we’ve been involved, this action has the potential to be the largest in terms of infection cleanup. Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains. Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months, which doesn’t account for detections by other anti-virus providers. Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity.
For a look at how cybercriminals leverage services like No-IP, and advice for customers to help ensure a safer online experience, please see the graphic below.
Microsoft legal and technical actions
On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats. The new threat information will be added to Microsoft’s Cyber Threat Intelligence Program (CTIP) and provided to Internet Service Providers (ISPs) and global Community Emergency Response Teams (CERTs) to help repair the damage caused by Bladabindi-Jenxcus and other types of malware. The Microsoft Digital Crimes Unit worked closely with Microsoft’s Malware Protection Center to identify, reverse engineer and develop a remedy for the threat to clean infected computers. We also worked with A10 Networks, leveraging Microsoft Azure, to configure a sophisticated system to manage the high volume of computer connections generated by botnets such as Bladabindi-Jenxcus.
As malware authors continue to pollute the Internet, domain owners must act responsibly by monitoring for and defending against cybercrime on their infrastructure. If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online. Meanwhile, we will continue to take proactive measures to help protect our customers and hold malicious actors accountable for their actions.
This is the third malware disruption by Microsoft since the November unveiling of the Microsoft Cybercrime Center—a center of excellence for advancing the global fight against cybercrime. This case and operation are ongoing, and we will continue to provide updates as they become available. To stay up to date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter. Microsoft provides free tools and information to help customers clean and regain control of their computers at www.microsoft.com/security