A “technical error” by Microsoft meant that millions of legitimate No-IP customers experienced outages this week after Redmond took control of 22 domains run by the DNS provider to strangle a botnet.
The computing giant’s Digital Crimes Unit (DCU) was granted an ex-parte court order allowing it to take over and redirect the No-IP domains, which it claimed were being abused by Jenxcus (NJw0rm) and Bladabindi malware to infect Windows users.
“Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity,” said Richard Boscovich, assistant general counsel at the DCU, in a blog post at the time.
However, although Microsoft was meant to filter out the bad traffic and leave the good, it turned out its actions caused significant collateral damage to legitimate users – a fact acknowledged by DCU associate general counsel David Finn.
“Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service,” he said in a statement. “We regret any inconvenience these customers experienced.”
Although Microsoft claimed to have restored No-IP services to legitimate users by Tuesday, further reports indicated problems persisted for some time after - perhaps compounded by a subsquent DDoS attack on No-IP.
The sense that Microsoft mishandled the operation was compounded when it emerged that Redmond had not even contacted No-IP before obtaining the court order, which itself was done ex-parte to exclude the DNS firm.
“We were very surprised by this. We have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us, “ argued No-IP spokeswoman Natalie Goguen.
“Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives.”
Brian Honan, head of Ireland’s CSIRT and special advisor to Europol, argued that Microsoft’s unilateral action risks setting a dangerous precedent.
“While we must look to develop proactive and effective means in dealing with online criminals we need to ensure that in doing so we do not cause collateral damage to the many legitimate users and businesses that leverage the internet,” he told Infosecurity.
“The Microsoft DCU’s motives may be in the right place but the way they executed this takedown raises a lot of issues that need to be addressed if we are to prevent the Internet falling into a wild-west scenario where people shoot first and ask questions later.”
He questioned how Microsoft arrived at the conclusion that No-IP was unresponsive to take-down requests, and warned that its actions this time in re-directing internet traffic may even have infringed the privacy of legitimate No-IP customers.
“The danger in the approach Microsoft DCU took may now set a precedent which Microsoft DCU, or other companies, could use to impact legitimate service providers who Microsoft feel are not living up to an undetermined standard for responding to abuse requests,” he added.
“By taking such unilateral action Microsoft DCU may also impact other security companies, or indeed law enforcement agencies, who may be monitoring those criminals abusing those services.”
It must be added that this was the tenth such botnet "takedown" by the DCU, with most thus far receiving widespread praise from the infosecurity community.
It was a bad news week all round for Microsoft.
Earlier it was forced to reverse a controversial decision to close its security update email service. The original decision was widely criticised as an overreaction to new Canadian anti-spam laws.
A spokesperson confirmed the notifications would resume with "our monthly Advanced Notification Service (ANS) on July 3.