Gone fubar: Microsoft nukes No-IP, gets fallout

Microsoft hit hard at No-IP.com, a dynamic DNS service which was in active use by cybercriminals. However, the “collateral damage” toll appeared to be a little too high.

Microsoft has dealt a heavy blow to No-IP.com – a dynamic DNS provider for paid and free services, email, network monitoring and SSL certificates, that in Microsoft’s view is a haven of malice. Microsoft obtained the court order allowing it to seize 22 domains it said were being abused in malware-related crimes against Windows users. The problem is that due to Microsoft’s activities, all users of No-IP – almost 2 million – suffered outages. This time free service apparently comes with an uncozy neighbourhood attached – instead of a price tag.

 

Microsoft is on a “security crusade” for quite some time already, and is doing great job at busting botnets and other massive threats. It is Microsoft that effectively annihilated Rustock in 2011, for instance, and it is going after Zeus family for years, smashing its latest one – GameOver – earlier this year (Microsoft’s own report is dated June 2nd).

The situation with No-IP.com appeared to be yet another strike against cybercrime from Microsoft, and a heavy (-handed) one: citing the necessity to break down malware campaigns which went by the names Bladabindi (aka NJrat) and Jenxcus (aka NJw0rm), Microsoft enforced a federal court order making the company the domain IP resolver for the No-IP domains, effectively overtaking them.

In a nutshell, it nuked No-IP fubar, adding up also a wrecking ball of a civil case against No-IP owners Vitalwerks Internet Solutions, LLC “for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.”

It’s necessary to say that the aforementioned malware has been used by multiple cybercriminal and activist groups to target users, including the notorious Syrian Electronic Army. A multitude of earlier reports pointed out No-IP domain abuse, but apparently No-IP did little about it. So Microsoft moved in hard.

The takedown seems to have other beneficial consequences: It looks like many other APT operations have been disrupted, which used NO-IP for their C&C infrastructure. These include (and not limited to): Flame/Miniflame, Turla/Snake/Uroburos, including Epic, Cycldek, etc.

“Based on our statistics, the shutdown has affected in some form at least 25% of the APT groups we are tracking. Some of these hosts that were previously used in large and sophisticated cyberespionage operations are now pointing to what appears to be a Microsoft sinkhole, at 204.95.99.59”, blogged Costin Raiu, Kaspersky Lab Expert, at Securelist.

Unfortunately, this “nuking” had exceeding collateral damage: targeting 20 thousands No-IP malicious hosts, Microsoft knocked out as many as 4 million legitimate web-sites, affecting over 1.8 million No-IP customers, paying ones included.

For those of our readers who play videogames, the abbreviation AOE must be quite familiar. For those who don’t, this stands for Area Of Effect, and usually refers to explosive weapons or spells that damage everything at the targeted areas: a mage character casts some “Arcane Explosion” and a bunch of petty monsters melt to the delight of the witnesses. Usually the caster is unaffected, however, in more hardcore games such “Ka-Boom!” would knock down the caster character himself and his friends, if they’re caught up in area of effect. And if it is a multiplayer game, the caster will hear a lot about his IQ, skills, and uncanny accuracy.800-2

 

Something like that happens now: for some unapparent reason legitimate users of No-IP.com were caught in the AOE of Microsoft’s nuking and did not exactly enjoy the consequences. And now the company faces a heavy fallout, thick with vitriol: not only did it make lights off for a bagillion of legitimate users, including the paying ones, so far it even failed to restore the services. At least Microsoft did acknowledged “a technical error” and essentially apologized for the inconvenience.

No-IP currently claims to be under a DDoS-attack.

Summing up, there is a problem with free dynamic DNS services: cybercriminals just love them. Easy and free to register, easy to update hostnames to control malware implants, not too easy to identify the user positively.

For legitimate entities short on budget such services are attractive either. But, just as said above, services with zero on a price tag are prone to have some other encumbrances, such as   a malware spawning pool or APT attackers sitting next hostname. And this story shows just how unreliable such services may appear – due to their owners negligence (which shows up quite often) or legal and technical troubles, like it is this time.

Tips