Microsoft Sees Embarrassing Takedown Reversal

Photo credit: 360b/Shutterstock.com

After it had touted its 10th botnet takedown as a strike for the consumer good, Microsoft had to backpedal on its target, No-IP, last week when it came to light that a “technical error” had meant that legitimate users were being impacted. Now, all of the sinkholed domains have been returned to their owner.

“We would like to give you an update and announce that ALL of the 23 domains that were seized by Microsoft on June 30 are now back in our control,” No-IP noted in a blog post.

The company said that it could take up to 24 hours for the DNS to “fully propagate,” but everything should be fully functioning soon. It also said that one of the domains, noip.me, took longer to get back online than the others.

No-IP is a free Dynamic DNS (Domain Name Service) provider, used for automatically updating listings in the internet’s address book when a host’s IP address changes. Microsoft Digital Crimes Unit (DCU) research revealed that there are 245 different types of malware currently exploiting No-IP domains. And, out of all Dynamic DNS providers, No-IP domains are used 93% of the time, particularly for serving the Jenxcus (NJw0rm) family of malware, and for Bladabindi-Jenxcus infections. Accordingly, Microsoft filed for an ex parte temporary restraining order (TRO) from the US District Court for Nevada against No-IP, which the court granted, making Microsoft the DNS authority for the company’s 23 free No-IP domains.

“Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity,” said Richard Boscovich, assistant general counsel at Microsoft Digital Crimes Unit, at the time of the June 30 sinkholing. He added, “Of the 10 global malware disruptions in which we’ve been involved, this action has the potential to be the largest in terms of infection cleanup.”

However, it turns out that No-IP is not the exclusive province of Dark Web criminals and fraudsters. So, Microsoft’s action caused significant collateral damage to legitimate users – a fact acknowledged by DCU associate general counsel David Finn.

“Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service,” he said. “We regret any inconvenience these customers experienced.”

Now, Microsoft is left with a failed takedown and much more scrutiny around its web-policing activities. For its part, No-IP is happy to have its business back, of course. “We are so sorry for the inconvenience that this takedown has caused our customers,” it said. “Thank you so much for the support and for sticking with us through the entire process.”
