Microsoft Settles Malware Lawsuit

Botched Takedown Triggers Apology to No-IP
Microsoft has apologized to a company it accused of being complicit in a wide-ranging malware campaign that infected millions of PCs.

The reversal came July 9, when Microsoft announced that it settled a civil lawsuit it filed June 19 in a U.S. federal court against dynamic DNS provider Vitalwerks Internet Solutions, which does business as No-IP. As a result of the lawsuit, a federal judge had granted Microsoft temporary custody of 23 No-IP domains, which Microsoft said were being used, in part, to control malware. But when Microsoft seized control of the domains June 30 and attempted to filter out the malicious traffic, it also disrupted access to millions of legitimate No-IP hostnames (see Was Microsoft Takedown 'Draconian?').

In addition to No-IP, Microsoft's suit also named two alleged developers - Naser Al Mutairi in Kuwait City and Mohamed Benabdellah in Algeria - behind the Bladabindi (a.k.a. NJrat) and Jenxcus (a.k.a. NJw0rm) malware that was the focus of the takedown. Microsoft also sued 500 unknown "John Doe" users of the malware, which is often used to spy on people via their webcams.

But in a joint statement announcing the settlement, released on July 9 by the two companies, Microsoft now says that after reviewing evidence provided by No-IP, it finds the company "was not knowingly involved with the subdomains used to support malware" and that "those spreading the malware abused Vitalwerks' services." Microsoft also admits that it failed to correctly reroute legitimate traffic from the seized domains and only block traffic related to the Bladabindi and Jenxcus malware. It also apologized to No-IP's customers for the resulting disruption.

Takedown Triggered Outages

No-IP says a technical mistake by Microsoft, after it seized control of the 23 domains and tried to filter out malicious traffic, led to 5 million legitimate hostnames going dark and 1.8 million No-IP customers' websites and devices becoming unreachable. "Microsoft promised the judge they would only block the hostnames alleged to be malicious and would forward all the remaining traffic for the non-abusive hostnames on to No-IP," Natalie Goguen, a No-IP spokeswoman, says in a statement. "This did not happen. The Microsoft DNS servers were misconfigured and failed to respond to our usual volume of billions of queries a day."

Furthermore, while Microsoft claimed to have resolved the problem on July 1, full service didn't resume until July 4, after Microsoft returned all seized domains and related DNS changes propagated globally, No-IP says.

As part of the settlement, No-IP and Microsoft say they have now "agreed to permanently disable Vitalwerks subdomains used to control the malware." Spokeswomen for Microsoft and No-IP say the full terms of the settlement are confidential.

No Abuse Reports

Microsoft's botched malware disruption is ironic, given that the company has long put its weight behind "responsible disclosure" - later renamed to the more neutral-sounding coordinated vulnerability disclosure - which refers to the practice of sharing information about flaws in products directly with vendors or service providers, instead of making them immediately public. After the vendor has had time to develop and test a patch, the security researcher and vendor then coordinate the public release of related information.

But Microsoft never attempted to contact No-IP or file any abuse reports, instead opting "to secretly sue us in civil court," No-IP's Goguen says.

Richard Domingues Boscovich, the assistant general counsel for Microsoft Digital Crimes Unit, had suggested the unusual - and controversial - decision to sue No-IP and seize its domains was sparked by the dynamic DNS provider not doing enough to blunt the malware attacks, despite previous warnings from the information security community. "We're taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware," Boscovich said on June 30. "Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity."

Microsoft's Evidence

The "reports" he referenced, however, hyperlinked to a single blog post from Feb. 11, 2014, written by Cisco security researchers Levi Gundert and Andrew Tsonchev, which detailed how attackers sometimes used about 50 different, otherwise legitimate, dynamic DNS providers - including No-IP - to launch and maintain malware attacks.

On Feb. 12, No-IP responded, issuing a formal statement saying that it works hard to combat any abuse of its services, and noting it hadn't received any abuse claims or related documentation directly from Cisco. "No-IP excels at handling abuse, verifying reported claims and taking swift action. We invite Cisco to give that a try," Goguen said at the time. "This approach would have been more proactive than posting a blog about the abuse and not reporting their findings directly to us."

Lessons Learned

Cisco, in response, promised to begin working with No-IP. "It's clear that the features of dynamic DNS, as described in our post, lend themselves to convenience that is welcome in abusive as well as legitimate circumstances," said Seth Hanford, manager of Cisco's threat research, analysis, and communications team, at the time. "This issue is not unique to No-IP, but as we demonstrated is a problem that occurs on a wide variety of DDNS providers."

Going forward, No-IP's Goguen has similarly invited Microsoft to begin working with the company to block abuse of its services. "We hope that Microsoft learned a lesson from this debacle and that in the future they will not seize other companies' domains and will use appropriate channels to report abuse," she says.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



