Microsoft Scores Another Malware Disruption

Photo credit: Ken Wolter/
Photo credit: Ken Wolter/

The Microsoft Digital Crimes Unit has logged its 10th malware disruption operation, and the third since the November unveiling of the Microsoft Cybercrime Center. The software-maker has taken legal action with a civil case filed on June 19, naming two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a US company, Vitalwerks Internet Solutions (doing business as, for “their roles in creating, controlling, and assisting in infecting millions of computers with malicious software.”

No-IP is a free Dynamic Domain Name Service (DNS), used for automatically updating listings in the internet’s address book. Microsoft DCU research revealed that there are 245 different types of malware currently exploiting No-IP domains. And, out of all Dynamic DNS providers, No-IP domains are used 93% of the time, particularly for serving the Jenxcus (NJw0rm) family of malware, and for Bladabindi-Jenxcus infections.

Microsoft said it has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months, which doesn’t account for detections by other anti-virus providers. As such, Microsoft is taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals.

“Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity,” said Richard Boscovich, assistant general counsel at Microsoft Digital Crimes Unit, in a blog. He added, “Of the 10 global malware disruptions in which we’ve been involved, this action has the potential to be the largest in terms of infection cleanup.”

Accordingly, Microsoft filed for an ex parte temporary restraining order (TRO) from the US District Court for Nevada against No-IP, which the court granted, making Microsoft the DNS authority for the company’s 23 free No-IP domains. That has allowed the company to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats.

The new threat information will be added to Microsoft’s Cyber Threat Intelligence Program (CTIP) and provided to ISPs and global Computer Emergency Response Teams (CERTs) to help repair the damage caused by Bladabindi-Jenxcus and other types of malware.

“As malware authors continue to pollute the Internet, domain owners must act responsibly by monitoring for and defending against cybercrime on their infrastructure,” Boscovich said. “If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online. Meanwhile, we will continue to take proactive measures to help protect our customers and hold malicious actors accountable for their actions.”

What’s Hot on Infosecurity Magazine?