Was Microsoft Takedown 'Draconian?' Malware Crackdown Disrupts 4 Million Legitimate Site Names
Microsoft on June 30 launched a botnet-focused takedown effort that didn't just temporarily block small-scale campaigns tied to two pieces of malware, but also resulted in an estimated 4 million legitimate site names being disrupted.
Cue controversy, with Vitalwerks - a Reno, Nev.-based dynamic DNS provider that does business as No-IP, and which has 18 million customers - accusing Microsoft of taking "draconian actions" to combat "a few bad actors," which had resulted in millions of No-IP's customers losing access to their websites.
"Microsoft served a federal court order and seized 22 of our most commonly used domains because they claimed that some of the subdomains have been abused by creators of malware. We were very surprised by this," No-IP marketing manager Natalie Goguen says in a statement. The company's dynamic domain name system service is mostly used by consumers and small businesses to maintain Internet connections with home PCs or servers, even when service providers change their machines' IP addresses.
"We have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us," Goguen adds. "Unfortunately, Microsoft never contacted us or asked us to block any subdomains." As a result, she says, billions of queries from millions of users failed "because of Microsoft's attempt to remediate hostnames associated with a few bad actors." As of July 1, the company says in a statement that an estimated 4 million of its customers' host names have been disrupted.
Microsoft's 10th Takedown
This is the 10th time Microsoft has disrupted malware or botnet operations. In this case, the effort is partially focused on Naser Al Mutairi (a.k.a. njq8, xnjq8x, njq8x, and njrat), who according to court documents is based in Kuwait City and the author of njRAT (a.k.a. Bladabindi), as well as Mohamed Benabdellah (a.k.a. Houdini, houdinisc, and houdini-fx), who lives in Algeria and is accused of being the author of H-worm (a.k.a. Jenxcus), which is similar to njRAT. The court documents also accuse 500 additional people whose identities are unknown - John Does - of partaking in related attacks.
But the court order also names No-IP, which Microsoft has accused of failing to block ongoing malware campaigns that use its service, and Richard Domingues Boscovich, assistant general counsel for the Microsoft Digital Crimes Unit, offers no apologies.
"Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity," he says in a blog post.
Criticism of Microsoft
Some security professionals, however, wonder if Microsoft would be more forgiving if the shoe was on the other foot. "Microsoft is doing a bad job of stopping criminal use of Hotmail. Shouldn't hotmail.com be taken away from them?" says information security watcher Leif Nixon via Twitter.
Dublin-based independent security expert Brian Honan also questioned the free hand apparently granted to Microsoft by the court order. "Worrying to see a company like [Microsoft] be judge, jury & executioner on how effective another org manages its network."
Target: Webcam Spies
The court order first names Mutairi and Benabdellah, who have both been accused of maintaining and offering the remote access toolkits njRAT and H-worm. "Defendants use the malware for illicit purposes, including but not limited to, recruiting victims' computers for botnets," says Microsoft. Once PCs are infected, attackers can steal files, record keystrokes, take snapshots of people's desktops, as well as surreptitiously activate the microphone and webcam.
While the malware could be used for financial crime, Gary Warner, chief technologist at threat intelligence firm Malcovery, says users' aims don't appear to be monetary. "In most cases njRAT No-IP domains are being used by small-time botmasters to allow themselves to spy on a few dozen webcams."
Some njRAT botmasters even congregate on Facebook, and can be found "openly trading photographs of victims and offering to 'trade slaves' -- as they refer to the pretty girls whose webcams they control," Warner says. "We reported three such groups to Facebook Security, which took quick action to kill the groups, which had a combined membership of more than 16,000 users."
Malware users often tap dynamic DNS services to maintain connections with victims' PCs while changing the IP address behind their command-and-control server's hostname, thus making related attacks harder to detect or disrupt. "For the remote-access Trojan crowd that are typically attempting to spy on female victims and running servers from home, DDNS is a natural fit," says Cisco security researcher Levi Gundert in research cited by Microsoft in its court documents. "In fact, searching the web for tutorials on using freely available RATs like Black Shades, Dark Comet, or Poison Ivy returns results that all instruct RAT attackers to first create DDNS sub-domains in order to properly configure the RAT, specifically enabling a 'back connect' to the attacker."
Microsoft Sinkholes Connections
Microsoft acknowledges that dynamic DNS is a vital capability. "However, if not properly managed, a dynamic DNS service can be susceptible to abuse," it says.
With the recent court order, Microsoft's request to become the DNS authority for 22 No-IP domain names was granted, which allows it "to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats," while allowing good traffic through.
"However, this is not happening," says No-IP. "Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers." Cue disruption.
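The selective sinkhole the court order describes, and the failure mode No-IP complains about, can be modelled in a few lines. This is an added example, not Microsoft's or No-IP's code; every zone name, hostname and IP address in it is a constructed placeholder, not one of the real seized domains or indicators.

```python
"""Model of a selective DNS sinkhole over seized dynamic-DNS zones.

Added example (not Microsoft's or No-IP's code). All names and addresses
are constructed placeholders; the zones are not the real seized domains.
"""
from typing import Optional

SINKHOLE_IP = "192.0.2.1"  # constructed; RFC 5737 documentation range

# Constructed records the dynamic-DNS provider would normally serve.
PROVIDER_RECORDS = {
    "homecam.ddns-a.test": "198.51.100.10",
    "nas.ddns-a.test": "198.51.100.11",
    "office.ddns-b.test": "198.51.100.12",
}
# Constructed blocklist of third-level names tied to a malware campaign.
KNOWN_BAD = {"c2node.ddns-a.test", "upd.ddns-b.test"}
SEIZED_ZONES = {"ddns-a.test", "ddns-b.test"}


def zone_of(name: str) -> str:
    """Return the second-level zone (last two labels) of a hostname."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def resolve(name: str, selective: bool = True) -> Optional[str]:
    """Answer a query as the new authority for the seized zones.

    selective=True is the intended behaviour: only known-bad hosts are
    sent to the sinkhole, every other name is passed through to the
    provider's own record. selective=False models a zone-wide fallback,
    where every name under a seized zone lands on the sinkhole.
    """
    name = name.lower().rstrip(".")
    if zone_of(name) not in SEIZED_ZONES:
        return None  # not our zone; resolved elsewhere as usual
    if name in KNOWN_BAD or not selective:
        return SINKHOLE_IP
    return PROVIDER_RECORDS.get(name)


def collateral_damage(selective: bool) -> list:
    """Legitimate hostnames whose answers changed under the given policy."""
    return sorted(h for h, ip in PROVIDER_RECORDS.items()
                  if resolve(h, selective) != ip)


if __name__ == "__main__":
    print("selective sinkhole disrupted:", collateral_damage(True))
    print("zone-wide sinkhole disrupted:", collateral_damage(False))
```

With the per-host filter in place no legitimate record is touched; once answers fall back to the zone level, every customer under the seized zones is disrupted, which is the outcome the 4 million figure above describes.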
No-IP also argues that it handles abuse reports within 24 hours and notes that by the time of the June 30 takedown, only 2,000 of the 18,000 malicious No-IP third-level domains cited by Microsoft in its court documents -- which were filed June 19 -- were still active. In addition, the company says it proactively maintains filters to identify and automatically block many types of service abuse. "Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors," it says. "But this heavy-handed action by Microsoft benefits no one."
Did Microsoft go overboard? That's the opinion of some information security experts, including Trend Micro's head of research, Rik Ferguson, who says via Twitter: "Microsoft takedown = sledgehammer+nut."
But Warner argues there's no clear-cut right or wrong here. "I can't really take sides on this one," he says. "Do we need to do something more to help the victims of this kind of malware? Absolutely. Was it necessary to seize 22 domains at No-IP? I can't argue with Microsoft wanting to prevent infections to more than 7 million Windows victims, but I certainly can understand the great frustration experienced by the No-IP folks."
Update (July 2, 2014)
Microsoft says in a statement Monday that its takedown was only meant to target PCs that were infected with the njRAT or H-worm malware. "Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service," says David Finn, the company's executive director and associate general counsel for its Digital Crimes Unit. "As of 6 a.m. Pacific time [July 1], all service was restored. We regret any inconvenience these customers experienced."
But No-IP disputed Microsoft's account, saying the company had failed to restore service. "The solution we have available at the moment is for you to create a new hostname on a domain that has not been seized by Microsoft," No-IP says in a statement. "We apologize for this outage. At this point it is completely out of our hands, but please understand that we are fighting for you."